Extracted

• • Target

    Ryuk86.bin.exe

  • Size

    767KB

  • MD5

    d2e194259106bca3b42dc8690d340b59

  • SHA1

    edcd63a3125854ed72cb5811f08644a87e265e3b

  • SHA256

    788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

  • SHA512

    4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

  • SSDEEP

    12288:RnBkozA9lzIeVJ+OeO+OeNhBBhhBBUA9CGkIDIP6J9kgnDC3TbqUttRrvCsZ+nt2:jkozAjK95DIP4DCDbq8tRrvB

  Score

  10^/10

  ryukdiscoveryevasionransomware

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Disables Task Manager via registry modification

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Modifies file permissions

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral1behavioral2