ryuk | c682ee4f31bf55339dc6e34c5f6242015888729465c0335e3eb60af05847633a | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

c682ee4f31...3a.exe

windows7-x64

c682ee4f31...3a.exe

windows10-2004-x64

Sharing

General

Target

c682ee4f31bf55339dc6e34c5f6242015888729465c0335e3eb60af05847633a
Size

144KB
Sample

240810-q22fvasakr
MD5

0d1ef0e9b611dcc79ad1d134990811d3
SHA1

95cd22a171745294e6e13843c274a427cc6acdda
SHA256

c682ee4f31bf55339dc6e34c5f6242015888729465c0335e3eb60af05847633a
SHA512

90a9bf17aa09d01607b090566050459ccafc7dff7a1cc0515e5f1fa1ef82f795d918198704388a1b29eec1b959d1164df090e3243136807fa975097e32e05bb0
SSDEEP

3072:eOFqYZEtiRjB+OpBmUHkRCBMmn3T/znyS4:eO8xwjBx8UHkt2DJ4

Score

10^/10

ryuk credential_access discovery ransomware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

c682ee4f31bf55339dc6e34c5f6242015888729465c0335e3eb60af05847633a.exe

Resource

win7-20240708-en

ryuk credential_access discovery ransomware stealer

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

c682ee4f31bf55339dc6e34c5f6242015888729465c0335e3eb60af05847633a.exe

Resource

win10v2004-20240802-en

ryuk credential_access discovery ransomware stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  c682ee4f31bf55339dc6e34c5f6242015888729465c0335e3eb60af05847633a
- Size
  
  144KB
- MD5
  
  0d1ef0e9b611dcc79ad1d134990811d3
- SHA1
  
  95cd22a171745294e6e13843c274a427cc6acdda
- SHA256
  
  c682ee4f31bf55339dc6e34c5f6242015888729465c0335e3eb60af05847633a
- SHA512
  
  90a9bf17aa09d01607b090566050459ccafc7dff7a1cc0515e5f1fa1ef82f795d918198704388a1b29eec1b959d1164df090e3243136807fa975097e32e05bb0
- SSDEEP
  
  3072:eOFqYZEtiRjB+OpBmUHkRCBMmn3T/znyS4:eO8xwjBx8UHkt2DJ4
Score

10^/10

ryuk credential_access discovery ransomware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Renames multiple (8013) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Windows Credential Manager

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ryukcredential_accessdiscoveryransomwarestealer

behavioral2

ryukcredential_accessdiscoveryransomwarestealer

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.