ryuk | c85fec6ed44bdfd54c5f37190ffad38919640064ce718045e228dca65f74ec7b | Triage

Submit
Reports

Overview

overview

Static

static

3

Sample_5d2...8c.exe

windows7-x64

Sample_5d2...8c.exe

windows10-2004-x64

7

Sharing

General

Target

Sample_5d283d656ea1e5165f2c7b8c.exe
Size

205KB
Sample

230925-mb4lqsec5v
MD5

881db1945686533f06f6626da444a7b5
SHA1

776fff17a531a374d13a9e267db764e3463a4cfc
SHA256

c85fec6ed44bdfd54c5f37190ffad38919640064ce718045e228dca65f74ec7b
SHA512

639d684ab5a15a23355577d0c0e6cab29fe66596af5c5644a4fb258c3f65324c94f4c5fc4f76c7b7ac2ff0f15ffc69e98c279f59e8897e3db4e3ffaee2e96af6
SSDEEP

3072:30imLeE+6Kiei4VrJo6lxPJUVjIMaNhUv:LE+6Kt53oExlNh

Score

10^/10

ryuk ransomware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Sample_5d283d656ea1e5165f2c7b8c.exe

Resource

win7-20230831-en

ryuk ransomware

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

Sample_5d283d656ea1e5165f2c7b8c.exe

Resource

win10v2004-20230915-en

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

[email protected]

Targets

- Target
  
  Sample_5d283d656ea1e5165f2c7b8c.exe
- Size
  
  205KB
- MD5
  
  881db1945686533f06f6626da444a7b5
- SHA1
  
  776fff17a531a374d13a9e267db764e3463a4cfc
- SHA256
  
  c85fec6ed44bdfd54c5f37190ffad38919640064ce718045e228dca65f74ec7b
- SHA512
  
  639d684ab5a15a23355577d0c0e6cab29fe66596af5c5644a4fb258c3f65324c94f4c5fc4f76c7b7ac2ff0f15ffc69e98c279f59e8897e3db4e3ffaee2e96af6
- SSDEEP
  
  3072:30imLeE+6Kiei4VrJo6lxPJUVjIMaNhUv:LE+6Kt53oExlNh
Score

10^/10

ryuk ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Renames multiple (7393) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

© 2018-2024

Terms | Privacy