General
-
Target
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09
-
Size
1.2MB
-
Sample
220508-t3wtjafdej
-
MD5
0ecf16ceba335bcdc023ab71472a247f
-
SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364
-
SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09
-
SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1
Malware Config
Extracted
C:\users\Public\RyukReadMe.html
ryuk
aragycred1983@protonmail.com
Targets
-
-
Target
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09
-
Size
1.2MB
-
MD5
0ecf16ceba335bcdc023ab71472a247f
-
SHA1
60b08b42bc540491f978185c0a5e3a28dbda4364
-
SHA256
1d29ce101d32dbf6d590b9a1a8e5473f6d862d2ef1ea02b7754d8efe62b99f09
-
SHA512
0e49e63b4b07fff297dbb9b4508ddb7848712c90846f90b474827b45ae1a846f91349b81a1790a76eb8975232598f89432dcae4b5b0211485cbf360eeef3e8e1
Score10/10-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Dave packer
Detects executable using a packer named 'Dave' by the community, based on a string at the end.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-