General

  • Target: 0cf36731f5b8651d53fc651607c3fccac24b631c08dca4493d8e07d2fbff1db3.zip
  • Size: 66KB
  • Sample: 230317-nhbd7shh9w
  • MD5: cb3303dd1a4616b0b63e352aa1b15b8b
  • SHA1: 6958ee2a38f70ab36cc7178d019d85ffc90761e1
  • SHA256: c37587ff49bdaa6f13cddab42cc9799b21ef27265c7cf60fdca97e68fbb1a542
  • SHA512: ad2b13045a1f51e2b67a30f6ff520da3a5615019b37ad7bb17c1287e70102df78983ddd660eb54ce7cc034b656a913aca2eabbc05e03802453a178bc49be0966
  • SSDEEP: 1536:cPdYiEO1nNiO68xVNlJ5zkufsA4YKjKxoqFF0QwzTpFzpm:clYx0NiOhwVnYBUtLzpm

Score: 10/10

Malware Config

Extracted

  • Path: C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
  • Family: ryuk

Ransom Note

    Your network has been penetrated.
    All files on each network host have been encrypted with a strong algorithm.
    Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
    Only we have exclusive decryption software, suitable for your situation.
    More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder.
    No decryption software is available in the public.
    Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data.
    Decryption takes from ten minutes up to several hours.
    It is performed automatically and doesn't require from you any actions except decoder launching.
    DO NOT RESET OR SHUTDOWN SYSTEM - files may be damaged.
    DO NOT DELETE readme files.
    To confirm our honest intentions. Send 2 different random files and you will get them back decrypted.
    It can be from different computers on your network to be sure that one key decrypts everything.
    We will unlock 2 files for free.
    To get info (decrypt your files) contact us a EzanaDevit91@protonmail.com or MckenizePerelman96@protonmail.com
    You will receive btc address for payment in the reply letter
    Ryuk
    No system is safe

Emails

  • EzanaDevit91@protonmail.com
  • MckenizePerelman96@protonmail.com

Targets

    • Target: 0cf36731f5b8651d53fc651607c3fccac24b631c08dca4493d8e07d2fbff1db3.exe
    • Size: 167KB
    • MD5: 2209710b3ba686e5cbd8716df05c5174
    • SHA1: 31675cb6cd22911f1e343b046f7b27219e55dadc
    • SHA256: 0cf36731f5b8651d53fc651607c3fccac24b631c08dca4493d8e07d2fbff1db3
    • SHA512: 0abfe5bc5fc7ce050658fb007361994d7df53844c1bbb7f176ee06de1f5fda8d87a93f46800ac33092763d181dd97fa89a987b350d9aa372550b67ca10413e27
    • SSDEEP: 3072:yzWPZc7KwohIG/Qe1F7VIP60hiEOX3Sli:0WumVhIGoe/Aq

    Score: 10/10

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Drops desktop.ini file(s)

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 2 signature hits
  • System Information Discovery (T1082): 3 signature hits
  • Peripheral Device Discovery (T1120): 1 signature hit
