General

  • Target

    2023-05-08_5661aec52fcc80ccd4c5d263e113c115_ryuk

  • Size

    190KB

  • Sample

    230509-dh9lwsea47

  • MD5

    5661aec52fcc80ccd4c5d263e113c115

  • SHA1

    b09fb5cfbfbadd6afdd536aa89ccab405ef8c5b2

  • SHA256

    6cbc05acf871c106f7804069fffef908472a31ea1a782add45a100d14c8f5ea0

  • SHA512

    15e2a11d1d0b614cc1181a787a3208d011447ce68f6be93df227bc1b1b95400151251cf0bf9013900876b1d8e9c93b05ab0af0f1112b2e50176879a94a19d30a

  • SSDEEP

    3072:wbYRYDEnRuxvB5oveeGiKhvFB1JWxEc2C+mZbD+o4Xd/x+j8TYQWuni/qpe:fYDcsTFbF75xCxk/dTB9pe

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

buricoume1976@protonmail.com balance of shadow universe Ryuk

Emails

buricoume1976@protonmail.com

Targets

    • Target

      2023-05-08_5661aec52fcc80ccd4c5d263e113c115_ryuk

    • Size

      190KB

    • MD5

      5661aec52fcc80ccd4c5d263e113c115

    • SHA1

      b09fb5cfbfbadd6afdd536aa89ccab405ef8c5b2

    • SHA256

      6cbc05acf871c106f7804069fffef908472a31ea1a782add45a100d14c8f5ea0

    • SHA512

      15e2a11d1d0b614cc1181a787a3208d011447ce68f6be93df227bc1b1b95400151251cf0bf9013900876b1d8e9c93b05ab0af0f1112b2e50176879a94a19d30a

    • SSDEEP

      3072:wbYRYDEnRuxvB5oveeGiKhvFB1JWxEc2C+mZbD+o4Xd/x+j8TYQWuni/qpe:fYDcsTFbF75xCxk/dTB9pe

    Score
    10/10
    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

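The signature list and the ATT&CK matrix above are derived from raw sandbox events (registry reads, file writes, renames, process and image loads). The following is an added example, not code from the sandbox or from this report, showing how such events can be reduced to the signature names and technique counts shown on this page. The event format, the registry value names used for the location check, the rename threshold, and the mapping of the location check to T1012 and T1082 are assumptions; only the ransom-note path and the signature names and descriptions come from the report. The sample events are constructed.

```python
"""
Behavioural signature matcher over sandbox-style events.

Added example, not code from the sandbox or the report. The event
format, the rule thresholds and the ATT&CK mapping are assumptions;
only the ransom-note path and the signature names are from the report.
"""
from collections import Counter

# Registry values a sample reads to learn the machine's country, the
# behaviour behind "Checks computer location settings". Assumed values.
LOCATION_VALUES = (
    "\\control panel\\international\\geo\\nation",
    "\\control panel\\international\\locale",
)
# Per-user Startup folder suffix (assumed, used for "Drops startup file").
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# User data folders where mass renames indicate encryption (assumed).
USER_DIRS = ("\\documents\\", "\\pictures\\", "\\desktop\\")

# Assumed ATT&CK v6 mapping: a registry-backed location check is both a
# registry query (T1012) and system information discovery (T1082).
ATTACK = {"Checks computer location settings": ("T1012", "T1082")}

# Constructed sample events; only the RyukReadMe.html path is from the report.
SAMPLE_EVENTS = [
    {"type": "reg_read", "path": r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"},
    {"type": "file_write", "path": r"C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html"},
    {"type": "file_write", "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"},
    {"type": "proc_create", "image": r"C:\Users\Admin\AppData\Local\Temp\upd.exe", "dropped": True},
    {"type": "image_load", "image": r"C:\Users\Admin\AppData\Local\Temp\helper.dll", "dropped": True},
    {"type": "file_rename", "src": r"C:\Users\Admin\Documents\report.docx", "dst": r"C:\Users\Admin\Documents\report.docx.enc"},
    {"type": "file_rename", "src": r"C:\Users\Admin\Pictures\holiday.jpg", "dst": r"C:\Users\Admin\Pictures\holiday.jpg.enc"},
    {"type": "file_rename", "src": r"C:\Users\Admin\Desktop\notes.txt", "dst": r"C:\Users\Admin\Desktop\notes.txt.enc"},
    # Benign rename outside user data folders: must not count toward encryption.
    {"type": "file_rename", "src": r"C:\Windows\Temp\a.tmp", "dst": r"C:\Windows\Temp\a.tmp.bak"},
]


def match_signatures(events, rename_threshold=3):
    """Return (signature names in first-hit order, technique -> signature count)."""
    hits = {}  # signature name -> description, insertion-ordered
    renames = 0
    for ev in events:
        kind = ev["type"]
        path = ev.get("path", "").lower()
        if kind == "reg_read" and any(v in path for v in LOCATION_VALUES):
            hits.setdefault("Checks computer location settings",
                            "Looks up country code configured in the registry, likely geofence.")
        elif kind == "file_write" and path.endswith("\\ryukreadme.html"):
            hits.setdefault("Ryuk", "Ransom note file name used by the Ryuk family.")
        elif kind == "file_write" and STARTUP_DIR in path:
            hits.setdefault("Drops startup file", "Writes a file into a user Startup folder.")
        elif kind == "proc_create" and ev.get("dropped"):
            hits.setdefault("Executes dropped EXE", "Runs a file the sample itself wrote.")
        elif kind == "image_load" and ev.get("dropped"):
            hits.setdefault("Loads dropped DLL", "Loads a library the sample itself wrote.")
        elif kind == "file_rename":
            src, dst = ev["src"].lower(), ev["dst"].lower()
            # Count renames that keep the original name and append a new
            # extension, restricted to user data folders.
            if any(d in src for d in USER_DIRS) and dst.startswith(src + "."):
                renames += 1
    if renames >= rename_threshold:
        hits["Modifies extensions of user files"] = (
            "Ransomware generally changes the extension on encrypted files.")
    techniques = Counter()
    for name in hits:
        for tid in ATTACK.get(name, ()):
            techniques[tid] += 1
    return list(hits), dict(techniques)


if __name__ == "__main__":
    names, techs = match_signatures(SAMPLE_EVENTS)
    for n in names:
        print("signature:", n)
    for tid, count in sorted(techs.items()):
        print("technique:", tid, count)
```

The rename rule deliberately requires a threshold of several user-folder renames before firing, so a single benign rename (or the one in `C:\Windows\Temp` above) does not produce the "Modifies extensions of user files" hit; the technique counter counts signatures per technique, which is what the numbers in the matrix above represent.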
Tasks