ryuk | 6cbc05acf871c106f7804069fffef908472a31ea1a782add45a100d14c8f5ea0 | Triage

Submit
Reports

Overview

overview

Static

static

3

2023-05-08...uk.exe

windows7-x64

2023-05-08...uk.exe

windows10-2004-x64

Sharing

General

Target

2023-05-08_5661aec52fcc80ccd4c5d263e113c115_ryuk
Size

190KB
Sample

230509-dh9lwsea47
MD5

5661aec52fcc80ccd4c5d263e113c115
SHA1

b09fb5cfbfbadd6afdd536aa89ccab405ef8c5b2
SHA256

6cbc05acf871c106f7804069fffef908472a31ea1a782add45a100d14c8f5ea0
SHA512

15e2a11d1d0b614cc1181a787a3208d011447ce68f6be93df227bc1b1b95400151251cf0bf9013900876b1d8e9c93b05ab0af0f1112b2e50176879a94a19d30a
SSDEEP

3072:wbYRYDEnRuxvB5oveeGiKhvFB1JWxEc2C+mZbD+o4Xd/x+j8TYQWuni/qpe:fYDcsTFbF75xCxk/dTB9pe

Score

10^/10

ryuk ransomware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2023-05-08_5661aec52fcc80ccd4c5d263e113c115_ryuk.exe

Resource

win7-20230220-en

ryuk ransomware

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

2023-05-08_5661aec52fcc80ccd4c5d263e113c115_ryuk.exe

Resource

win10v2004-20230220-en

ryuk ransomware

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  2023-05-08_5661aec52fcc80ccd4c5d263e113c115_ryuk
- Size
  
  190KB
- MD5
  
  5661aec52fcc80ccd4c5d263e113c115
- SHA1
  
  b09fb5cfbfbadd6afdd536aa89ccab405ef8c5b2
- SHA256
  
  6cbc05acf871c106f7804069fffef908472a31ea1a782add45a100d14c8f5ea0
- SHA512
  
  15e2a11d1d0b614cc1181a787a3208d011447ce68f6be93df227bc1b1b95400151251cf0bf9013900876b1d8e9c93b05ab0af0f1112b2e50176879a94a19d30a
- SSDEEP
  
  3072:wbYRYDEnRuxvB5oveeGiKhvFB1JWxEc2C+mZbD+o4Xd/x+j8TYQWuni/qpe:fYDcsTFbF75xCxk/dTB9pe
Score

10^/10

ryuk ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

© 2018-2024

Terms | Privacy