General
-
Target
2024-06-03_5496313b83ccce9a11fd94c70da68ace_ryuk
-
Size
127KB
-
Sample
240603-nn7dtsec62
-
MD5
5496313b83ccce9a11fd94c70da68ace
-
SHA1
62a643f171d81511912f60197f062f6b1e79bab9
-
SHA256
8862b060db997bc9077e3bece06529c1c116af379985f6138a07ab5fde61b54c
-
SHA512
0015d7342d3ae7c247bab7e7a3489b5887562c6f93e36f7483f9f2910e060680cfbd84c51df94d1bb4ba62b4d86d1382023f19e0fd1308f56bea050bcb086732
-
SSDEEP
3072:3jdVRK8n0oJ6RlWPSuIZuQqEbkPnZCX/VvCN:zdVw80oJ6RGSuIZP1EN
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-03_5496313b83ccce9a11fd94c70da68ace_ryuk.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2024-06-03_5496313b83ccce9a11fd94c70da68ace_ryuk.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
C:\users\Public\RyukReadMe.html
ryuk
Targets
Target
2024-06-03_5496313b83ccce9a11fd94c70da68ace_ryuk
-
Score
10/10
-
Renames multiple (4781) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Drops desktop.ini file(s)
-