Overview

overview

10

Static

static

3

bf575ce1c9...00.exe

windows10-1703-x64

10

bf575ce1c9...00.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.zip

  • Size

    71KB

  • Sample

    230814-grcv3aaa68

  • MD5

    f90a39104ffc9d4d7a9bf8032fe530ff

  • SHA1

    41c1a095a520216e9ce0712ddd82ba9a11fb70a2

  • SHA256

    44961945bd5c37d15f427f4c75d66bc663c9de351c42f866db54e939864564e0

  • SHA512

    93366a7d4c80b593b810ec6ceb6136966923878a7880eb7ebabc411d4026e06983c08a677dade1954b6bd906e8a73f57df664420c72bedbd113a9e73ddcee360

  • SSDEEP

    1536:CKLuPPIjI8CBElCFRRk/nJ4CogyhQoQyhG9:CcM8dlCFsPoFhQoQyS

Score
10/10
ryukdiscoveryevasionransomware

Malware Config

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Family

ryuk

Ransom Note
restpoonitool1975@protonmail.com balance of shadow universe Ryuk
Emails

restpoonitool1975@protonmail.com

Targets

    • Target

      bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe

    • Size

      138KB

    • MD5

      f62bb82db62dd6b80908dcd79ea51fb2

    • SHA1

      e635ba1b935adf31ffd055d71884098567b3dd4f

    • SHA256

      bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

    • SHA512

      869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

    • SSDEEP

      3072:dsFd0klDWOsja1mrT0CowNJ8s540uUf0WccH2hgcD:QWHrYNwNeQEBgc

    Score
    10/10
    ryukdiscoveryevasionransomware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Executes dropped EXE

    • Modifies file permissions

      discovery
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2
T1070

File Deletion

2
T1070.004

File and Directory Permissions Modification

1
T1222

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

3
T1490

Resource Development

Reconnaissance

Tasks