ryuk | d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe | Triage

Sharing

General

Target

91736.exe
Size

127KB
Sample

230523-vegv5shb4v
MD5

e8673c8a299d1647ead6f3da4565ac54
SHA1

71015f9c281038d63bf7cd45894550c1a26c6b53
SHA256

d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe
SHA512

90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc
SSDEEP

3072:W/SfjQAr839SVK+DM590tfXQpr8WbkPnkaT3Tb0b:ySfjQAY39SVK+DM0tfXQfqv0

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  91736.exe
- Size
  
  127KB
- MD5
  
  e8673c8a299d1647ead6f3da4565ac54
- SHA1
  
  71015f9c281038d63bf7cd45894550c1a26c6b53
- SHA256
  
  d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe
- SHA512
  
  90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc
- SSDEEP
  
  3072:W/SfjQAr839SVK+DM590tfXQpr8WbkPnkaT3Tb0b:ySfjQAY39SVK+DM0tfXQfqv0
Score

10^/10

ryuk discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ryukdiscoveryransomware

behavioral2

ryukdiscoveryransomware