General
-
Target
Ryuk86.bin.exe
-
Size
767KB
-
Sample
230309-w52hxabc8y
-
MD5
d2e194259106bca3b42dc8690d340b59
-
SHA1
edcd63a3125854ed72cb5811f08644a87e265e3b
-
SHA256
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
-
SHA512
4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13
-
SSDEEP
12288:RnBkozA9lzIeVJ+OeO+OeNhBBhhBBUA9CGkIDIP6J9kgnDC3TbqUttRrvCsZ+nt2:jkozAjK95DIP4DCDbq8tRrvB
Malware Config
Extracted
C:\ProgramData\RyukReadMe.txt
Vulcanteam@CYBERFEAR.COM
vulcanteam@inboxhub.net
Targets
-
-
Target
Ryuk86.bin.exe
-
Size
767KB
-
MD5
d2e194259106bca3b42dc8690d340b59
-
SHA1
edcd63a3125854ed72cb5811f08644a87e265e3b
-
SHA256
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
-
SHA512
4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13
-
SSDEEP
12288:RnBkozA9lzIeVJ+OeO+OeNhBBhhBBUA9CGkIDIP6J9kgnDC3TbqUttRrvCsZ+nt2:jkozAjK95DIP4DCDbq8tRrvB
Score10/10-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Modifies file permissions
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
File Deletion
1Hidden Files and Directories
1File Permissions Modification
1Discovery
Query Registry
2System Information Discovery
3Peripheral Device Discovery
1Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Scheduled Task
1Privilege Escalation