Malware sandboxing report by Hatching Triage

Sharing

Copy URL

Twitter E-mail

General

Target

d2e194259106bca3b42dc8690d340b59.bin
Size

335KB
Sample

230311-b8r4esgb43
MD5

dd26f40520194b6fc55eedac38461763
SHA1

ad4fe1d10fdac8c1b67172fdd65e79a08fa4d21f
SHA256

e895436da58025d7c077ab276708ee996125c811eb8d45f24e14d3facd9db10b
SHA512

9d4d9d69883393d664fe793f472dafb08bc105ccd0357aa7cbd0b2c53104f433cffb4124344a82b1383af26cd842732f5fbed2bfbcb7437d46c46f31d26ef5d2
SSDEEP

6144:9avNkLjUUg3BAXZsdy+RWTohDY8x83SNU9sA4C1Y8ZTahZzfPCl2:AVk/UUgxIZlshDY8x8CO9DTY8ZuhdT

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at Vulcanteam@CYBERFEAR.COM or vulcanteam@inboxhub.net You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

Vulcanteam@CYBERFEAR.COM

vulcanteam@inboxhub.net

Targets

- Target
  
  788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
- Size
  
  767KB
- MD5
  
  d2e194259106bca3b42dc8690d340b59
- SHA1
  
  edcd63a3125854ed72cb5811f08644a87e265e3b
- SHA256
  
  788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
- SHA512
  
  4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13
- SSDEEP
  
  12288:RnBkozA9lzIeVJ+OeO+OeNhBBhhBBUA9CGkIDIP6J9kgnDC3TbqUttRrvCsZ+nt2:jkozAjK95DIP4DCDbq8tRrvB
Score

10^/10

ryuk discovery evasion ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Disables taskbar notifications via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Drops startup file
- Modifies file permissions
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

Hidden Files and Directories

T1158

File Permissions Modification

T1222

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Execution

Exfiltration

Impact

Inhibit System Recovery

T1490

Initial Access

Lateral Movement

Persistence

Scheduled Task

T1053

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Targets

Ryuk

Clears Windows event logs

Deletes shadow copies

Disables Task Manager via registry modification

Disables taskbar notifications via registry modification

Disables use of System Restore points

Drops startup file

Modifies file permissions

Enumerates connected drives

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2