Extracted

• • Target

    2024-04-11_b70b4f1a3b72fa2c76814d97b4dae493_ryuk

  • Size

    170KB

  • MD5

    b70b4f1a3b72fa2c76814d97b4dae493

  • SHA1

    6ea045b469eea3eabfed96263ff4bb97e1a6b2c3

  • SHA256

    dc8074b3b2a22876150975c7abf68296f232246cbbcae06d2bddc114d3a77905

  • SHA512

    f0906f7de8517cc0ff658ba4395d7085d16026043fa4d48482e18b16bdba4a958740e769bacbc89f4ec2aab2c7fc3e31ab0fe5002cb6ae8e7eac5e40baa751ff

  • SSDEEP

    3072:2HeriftL/WSo1vDb53j/8WGUzaqVh4LI8zQpn3:2+rA/WSo1rl3ALrlHQpn3

  Score

  10^/10

  ryukpersistenceransomware

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Detects command variations typically used by ransomware

  • Detects executables containing many references to VEEAM. Observed in ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence
  behavioral1behavioral2