General

  • Target

    MTM4OWYz.exe

  • Size

    127KB

  • Sample

    230523-t84rbsgb99

  • MD5

    e8673c8a299d1647ead6f3da4565ac54

  • SHA1

    71015f9c281038d63bf7cd45894550c1a26c6b53

  • SHA256

    d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

  • SHA512

    90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

  • SSDEEP

    3072:W/SfjQAr839SVK+DM590tfXQpr8WbkPnkaT3Tb0b:ySfjQAY39SVK+DM0tfXQfqv0

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

izviawirto1982@protonmail.com balance of shadow universe Ryuk

Emails

izviawirto1982@protonmail.com

Targets

    • Target

      MTM4OWYz.exe

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Renames multiple (62) files, appending a filename extension

      This is consistent with ransomware encrypting files on the system and appending its own extension to each one.

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions
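
The indicators and behaviours above can be turned into a small triage script. The following is an added example, not code from the report or from the sandbox: it hashes a file against the report's MD5/SHA1/SHA256/SHA512 values, matches the extracted ransom-note path, and flags a burst of rename events that append a new extension (the "renames multiple (62) files" signal). The event line format, the process IDs, the `.enc` extension and the threshold of 20 are all constructed for this example; the report does not state which extension this sample appends.

```python
"""Triage helper for the Ryuk sample in the report above (added example, not sandbox output)."""
import hashlib
import re

# Indicators copied from the report's General section.
IOC_HASHES = {
    "md5": "e8673c8a299d1647ead6f3da4565ac54",
    "sha1": "71015f9c281038d63bf7cd45894550c1a26c6b53",
    "sha256": "d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe",
    "sha512": "90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc",
}
RANSOM_NOTE_PATH = r"C:\users\Public\RyukReadMe.html"   # extracted config path from the report

# Constructed event format for this example (not a real EDR or Sysmon schema).
RENAME_RE = re.compile(r'^RENAME pid=(\d+) src="([^"]+)" dst="([^"]+)"$')
CREATE_RE = re.compile(r'^CREATE pid=(\d+) path="([^"]+)"$')


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests the report lists, in one pass over the data."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_ioc(data: bytes) -> list:
    """Names of the report hashes that match `data`; empty list if none match."""
    return [name for name, value in hash_bytes(data).items() if value == IOC_HASHES[name]]


def _norm_path(path: str) -> str:
    # NTFS paths are case-insensitive; tolerate forward slashes as well.
    return path.replace("/", "\\").lower()


def is_ransom_note_path(path: str) -> bool:
    """True if `path` is the ransom-note path the sandbox extracted."""
    return _norm_path(path) == _norm_path(RANSOM_NOTE_PATH)


def appended_extension(src: str, dst: str):
    """If dst is src with exactly one '.ext' appended, return ext; otherwise None."""
    if dst.lower().startswith(src.lower() + "."):
        tail = dst[len(src) + 1:]
        if tail and "." not in tail:
            return tail
    return None


def detect_rename_burst(lines, threshold: int = 20) -> dict:
    """Group append-extension renames by pid and keep pids at or above the threshold."""
    per_pid = {}
    for line in lines:
        m = RENAME_RE.match(line)
        if not m:
            continue  # not a rename event, or not in the constructed format
        pid, src, dst = int(m.group(1)), m.group(2), m.group(3)
        ext = appended_extension(src, dst)
        if ext is None:
            continue  # ordinary rename, original name not preserved
        entry = per_pid.setdefault(pid, {"count": 0, "extensions": set()})
        entry["count"] += 1
        entry["extensions"].add(ext.lower())
    return {pid: e for pid, e in per_pid.items() if e["count"] >= threshold}


def triage_events(lines, threshold: int = 20) -> dict:
    """Run the rename-burst and ransom-note checks over event lines."""
    notes = []
    for line in lines:
        m = CREATE_RE.match(line)
        if m and is_ransom_note_path(m.group(2)):
            notes.append((int(m.group(1)), m.group(2)))
    return {"rename_bursts": detect_rename_burst(lines, threshold), "ransom_notes": notes}


def sample_events() -> list:
    """Constructed events mimicking the report: 62 renames by one pid, one benign rename, one note drop."""
    events = []
    for i in range(62):
        src = rf"C:\Users\alice\Documents\file{i:02d}.docx"
        events.append(f'RENAME pid=4242 src="{src}" dst="{src}.enc"')  # .enc is an assumption
    events.append(r'RENAME pid=900 src="C:\Users\alice\Documents\draft.docx" dst="C:\Users\alice\Documents\draft-final.docx"')
    events.append(r'CREATE pid=4242 path="C:\users\Public\RyukReadMe.html"')
    return events


if __name__ == "__main__":
    print("hash match on junk input:", matches_ioc(b"not the sample"))
    print(triage_events(sample_events()))
```

Matching the rename heuristic on "original name plus one appended extension" is what separates a ransomware pass from ordinary user renames: the benign `draft.docx` to `draft-final.docx` event is ignored, while the 62 renames by pid 4242 exceed the threshold and are reported together with the extension set they used, which is the value to pivot on when hunting across other hosts.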

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                      Hits  ID
  Defense Evasion  File Permissions Modification  1     T1222
  Discovery        Query Registry                 1     T1012
  Discovery        System Information Discovery   2     T1082

Tasks