General
-
Target
ec662c73279f4a3772e3e549b07bcd67803292981afae931df4b63d47f6ac2a9.exe.zip
-
Size
72KB
-
Sample
231201-spnekacb8y
-
MD5
30c8e8e7cdb38914ae203563d4e199f0
-
SHA1
31873e82c28a8eb96dd2388d9bb59e4ad3055046
-
SHA256
a0ddb10979667a20187730c348cea1d556ec4d493e50cb765ce2a019d8ebde2c
-
SHA512
aba87765ca06e3568944ee16af1c14419ce6d67ffbd7778f3e6a09c78dec03c3688d93677cb0a9b40505abea87493ee91de0f49cf93f98f19ea08825f6614499
-
SSDEEP
1536:+SGNMyzQE6CfQSm6ubfGCa9r55dThisIye7rDucxpOLLbQ05m:+S8aCfC6oGH5ntisoua0PbY
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
ryuk
Targets
-
-
Target
ec662c73279f4a3772e3e549b07bcd67803292981afae931df4b63d47f6ac2a9.exe
-
Size
76KB
-
MD5
1fff77fb1958e7f730bb4de627a24d57
-
SHA1
c3b071d324f095381bc604a46e1b8c5a89c68822
-
SHA256
ec662c73279f4a3772e3e549b07bcd67803292981afae931df4b63d47f6ac2a9
-
SHA512
53842ccf9a28f908f3e4ded42e5e925ce5c737c3b6458c6287f298cea948ecbac9ad18369f6b20665d6e0336e38b51d6aad43ec3bfbc155880b9361eef7acc61
-
SSDEEP
1536:+ukv6BlkOCJSlq3//M/NqKTmPCQASm/dKRYHQiY0aB6:yvqlkOCJSQ3XM4P4SaKRYwF0aB
Score10/10-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Renames multiple (5189) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-