ryuk | 6cbc05acf871c106f7804069fffef908472a31ea1a782add45a100d14c8f5ea0 | Triage

Submit
Reports

Overview

overview

Static

static

3

tmp.exe

windows7-x64

tmp.exe

windows10-2004-x64

Sharing

General

Target

tmp
Size

190KB
Sample

231110-qatxpafh4y
MD5

5661aec52fcc80ccd4c5d263e113c115
SHA1

b09fb5cfbfbadd6afdd536aa89ccab405ef8c5b2
SHA256

6cbc05acf871c106f7804069fffef908472a31ea1a782add45a100d14c8f5ea0
SHA512

15e2a11d1d0b614cc1181a787a3208d011447ce68f6be93df227bc1b1b95400151251cf0bf9013900876b1d8e9c93b05ab0af0f1112b2e50176879a94a19d30a
SSDEEP

3072:wbYRYDEnRuxvB5oveeGiKhvFB1JWxEc2C+mZbD+o4Xd/x+j8TYQWuni/qpe:fYDcsTFbF75xCxk/dTB9pe

Score

10^/10

ryuk ransomware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

tmp.exe

Resource

win7-20231020-en

ryuk ransomware

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

tmp.exe

Resource

win10v2004-20231020-en

ryuk ransomware

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  tmp
- Size
  
  190KB
- MD5
  
  5661aec52fcc80ccd4c5d263e113c115
- SHA1
  
  b09fb5cfbfbadd6afdd536aa89ccab405ef8c5b2
- SHA256
  
  6cbc05acf871c106f7804069fffef908472a31ea1a782add45a100d14c8f5ea0
- SHA512
  
  15e2a11d1d0b614cc1181a787a3208d011447ce68f6be93df227bc1b1b95400151251cf0bf9013900876b1d8e9c93b05ab0af0f1112b2e50176879a94a19d30a
- SSDEEP
  
  3072:wbYRYDEnRuxvB5oveeGiKhvFB1JWxEc2C+mZbD+o4Xd/x+j8TYQWuni/qpe:fYDcsTFbF75xCxk/dTB9pe
Score

10^/10

ryuk ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Renames multiple (5211) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

© 2018-2024

Terms | Privacy