41ff2f980f989002c9ea852fb1f85e13ca49511f4f9ec60e648d0cba3af121a5 | Triage

Sharing

General

Target

2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk
Size

2.4MB
Sample

230516-nqqh4aae97
MD5

eb6fb42514e024e77236476da457c1d2
SHA1

c4321fadc4a7f634f278fef8b7b362ba906469da
SHA256

41ff2f980f989002c9ea852fb1f85e13ca49511f4f9ec60e648d0cba3af121a5
SHA512

558b5b855d81e08da0747a43fb04ddb88b509614f8d6c338f5b63a64596e0d56c76b6b0f7fa6b83e23529b7604278181dd3f62087893360c14c0695c7f9b31ce
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCQ:eEtl9mRda12sX7hKB8NIyXbacAfX

Score

10^/10

persistence

Malware Config

Targets

- Target
  
  2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk
- Size
  
  2.4MB
- MD5
  
  eb6fb42514e024e77236476da457c1d2
- SHA1
  
  c4321fadc4a7f634f278fef8b7b362ba906469da
- SHA256
  
  41ff2f980f989002c9ea852fb1f85e13ca49511f4f9ec60e648d0cba3af121a5
- SHA512
  
  558b5b855d81e08da0747a43fb04ddb88b509614f8d6c338f5b63a64596e0d56c76b6b0f7fa6b83e23529b7604278181dd3f62087893360c14c0695c7f9b31ce
- SSDEEP
  
  12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCQ:eEtl9mRda12sX7hKB8NIyXbacAfX
Score

10^/10

persistence
- Modifies WinLogon for persistence
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2