Overview

overview

10

Static

static

1

788ad5c53b...bc.exe

windows7-x64

10

788ad5c53b...bc.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    d2e194259106bca3b42dc8690d340b59.bin

  • Size

    335KB

  • Sample

    230311-b8r4esgb43

  • MD5

    dd26f40520194b6fc55eedac38461763

  • SHA1

    ad4fe1d10fdac8c1b67172fdd65e79a08fa4d21f

  • SHA256

    e895436da58025d7c077ab276708ee996125c811eb8d45f24e14d3facd9db10b

  • SHA512

    9d4d9d69883393d664fe793f472dafb08bc105ccd0357aa7cbd0b2c53104f433cffb4124344a82b1383af26cd842732f5fbed2bfbcb7437d46c46f31d26ef5d2

  • SSDEEP

    6144:9avNkLjUUg3BAXZsdy+RWTohDY8x83SNU9sA4C1Y8ZTahZzfPCl2:AVk/UUgxIZlshDY8x8CO9DTY8ZuhdT

Score
10/10
ryukdiscoveryevasionransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Targets

    • Target

      788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe

    • Size

      767KB

    • MD5

      d2e194259106bca3b42dc8690d340b59

    • SHA1

      edcd63a3125854ed72cb5811f08644a87e265e3b

    • SHA256

      788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

    • SHA512

      4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

    • SSDEEP

      12288:RnBkozA9lzIeVJ+OeO+OeNhBBhhBBUA9CGkIDIP6J9kgnDC3TbqUttRrvCsZ+nt2:jkozAjK95DIP4DCDbq8tRrvB

    Score
    10/10
    ryukdiscoveryevasionransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Disables taskbar notifications via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Drops startup file

    • Modifies file permissions

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks