6639da68b98ddbbbbe33bd5c8594b5a92ba6d77e9240b95d14e7bbede5132aef | Triage

Sharing

Copy URL Twitter E-mail

General

Target

2023-05-14_c7b5a46dcf887e1aba9115f1efc728be_ryuk
Size

3.2MB
Sample

230515-sp4rjsgb32
MD5

c7b5a46dcf887e1aba9115f1efc728be
SHA1

ea16c158662a6906f4f95335a3afed2c64736a47
SHA256

6639da68b98ddbbbbe33bd5c8594b5a92ba6d77e9240b95d14e7bbede5132aef
SHA512

a4ce34b08016b059f5e7ee14aa2644aecf86dacde97e5bdb57242d56552b3c0f89db26318a6e00f6cf6e1bf808175606a65380c9576923128ded89ce747ae3f4
SSDEEP

98304:9E2R1IMpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMl:9nzIA

Score

10^/10

persistence

Malware Config

Targets

- Target
  
  2023-05-14_c7b5a46dcf887e1aba9115f1efc728be_ryuk
- Size
  
  3.2MB
- MD5
  
  c7b5a46dcf887e1aba9115f1efc728be
- SHA1
  
  ea16c158662a6906f4f95335a3afed2c64736a47
- SHA256
  
  6639da68b98ddbbbbe33bd5c8594b5a92ba6d77e9240b95d14e7bbede5132aef
- SHA512
  
  a4ce34b08016b059f5e7ee14aa2644aecf86dacde97e5bdb57242d56552b3c0f89db26318a6e00f6cf6e1bf808175606a65380c9576923128ded89ce747ae3f4
- SSDEEP
  
  98304:9E2R1IMpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMl:9nzIA
Score

10^/10

persistence
- Modifies WinLogon for persistence
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2