General
-
Target
NEAS.2023-09-05_fa12972b8fd4e302e1791c4d080498a9_ryuk_JC.exe
-
Size
21.4MB
-
Sample
231031-z9efqadh91
-
MD5
fa12972b8fd4e302e1791c4d080498a9
-
SHA1
b0b7deea8d40217b6861f3bfd92cf6bb789a9824
-
SHA256
648e8149105b8091860f47d8d81ab0e66ebc1f477b5cc2ad0c606962ac0bd4eb
-
SHA512
4bcc74f33bc0853cb8e71a393460fdaa69e76a73c6bd28166eb56d12fba9c2cf3f914ef2f58628d1b9fcbd0dde0d13e6b61e5fc5a5bf3c273c5bb23219cccd74
-
SSDEEP
98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMk:9nwngnwnBRT
Malware Config
Targets
-
-
Target
NEAS.2023-09-05_fa12972b8fd4e302e1791c4d080498a9_ryuk_JC.exe
-
Size
21.4MB
-
MD5
fa12972b8fd4e302e1791c4d080498a9
-
SHA1
b0b7deea8d40217b6861f3bfd92cf6bb789a9824
-
SHA256
648e8149105b8091860f47d8d81ab0e66ebc1f477b5cc2ad0c606962ac0bd4eb
-
SHA512
4bcc74f33bc0853cb8e71a393460fdaa69e76a73c6bd28166eb56d12fba9c2cf3f914ef2f58628d1b9fcbd0dde0d13e6b61e5fc5a5bf3c273c5bb23219cccd74
-
SSDEEP
98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMk:9nwngnwnBRT
Score10/10-
Modifies WinLogon for persistence
-
Renames multiple (226) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-