Extracted

• • Target

    3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe

  • Size

    397KB

  • MD5

    5af409fe584bed2f8b847bb9d2eca34f

  • SHA1

    b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

  • SHA256

    3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

  • SHA512

    f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

  • SSDEEP

    6144:g4LwKpY6JE5pdSv2RNUJsTGiQNZD0I7oIrrhynRiw1amXQ0YKG0RIb890BEaGTd:gEbEy2RKiQNJ0CrARRg0Y4RK89v1p

  Score

  10^/10

  ryukdavediscoveryransomware

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Dave packer

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Modifies file permissions

    discovery
  behavioral1behavioral2