General

  • Target

    ryuk.bin.zip

  • Size

    361KB

  • Sample

    230602-yq4qtseb79

  • MD5

    f39378c08ea1eb2d22f41b06fb191a19

  • SHA1

    151c1edf19895849ac175ceae1d92ec777d3fd97

  • SHA256

    d107f2cbd1a749f79abe402eef3f71d3c0fceca69f4692908be091f044220842

  • SHA512

    55d1d92b9c3a51c290184e4b79dd8e34bc7c7b0c208114d4867ce2419f1ef310416020d70d7e3571e4db30380a652f1d4f06e8428458b59702f90a0cd935760f

  • SSDEEP

    6144:oLY3zeNb46fWWAodiOO8UkPzri0/Uap80vTCvzQE8SyMx7OemVdzSv8Es0lBXhhv:o8jzeDUyG07IvzQfxe5v8EZly+

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Targets

    • Target

      ryuk.bin

    • Size

      548KB

    • MD5

      987336d00fdbec3bcdb95b078f7de46f

    • SHA1

      8bbded5710280f055bf53f9e4f6c5abb596f7899

    • SHA256

      a9643eb83d509ad4eac20a2a89d8571f8d781979ad078e89f5b75b4bcb16f65e

    • SHA512

      39edeaa6ec301af43886748b588dd554c5f06d9dabbaf9aa6595a216111fe2923ba8c48e177f0a9ff2b865923d1051005299946765fc303c409419d7eca6e2a3

    • SSDEEP

      12288:bma40rTiKNAIRhOnloZq7St7uIUr086ah2I/0xI8QTPCXOY1LEfVUF:bH4URP0lVEO0xI8CIOIIfK

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (5421) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application
