General

  • Target

    ecd9d8ef99eb98exe_JC.exe

  • Size

    889KB

  • Sample

    230719-rdladshb8x

  • MD5

    ecd9d8ef99eb9813fa4eced549ea4d88

  • SHA1

    7db7bff4ca9e94bbfe026c2282f3ce36e423f183

  • SHA256

    fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6

  • SHA512

    2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

  • SSDEEP

    12288:GFGYwyCMcRzRjWYgeWYg955/155/KQurE+HG8dSyjCtRronBeSrBa:GFGYtSNBQKEmG8HjCXrUVa

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Targets

    • Target

      ecd9d8ef99eb98exe_JC.exe

    • Size

      889KB

    • MD5

      ecd9d8ef99eb9813fa4eced549ea4d88

    • SHA1

      7db7bff4ca9e94bbfe026c2282f3ce36e423f183

    • SHA256

      fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6

    • SHA512

      2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

    • SSDEEP

      12288:GFGYwyCMcRzRjWYgeWYg955/155/KQurE+HG8dSyjCtRronBeSrBa:GFGYtSNBQKEmG8HjCXrUVa

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Renames multiple (5399) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (60) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (7863) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Disables Task Manager via registry modification

    • Drops startup file

    • Modifies file permissions

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks