ryuk | c682ee4f31bf55339dc6e34c5f6242015888729465c0335e3eb60af05847633a | Triage

Sharing

General

Target

2024-08-22_0d1ef0e9b611dcc79ad1d134990811d3_ryuk
Size

144KB
Sample

240823-abma8sxbnp
MD5

0d1ef0e9b611dcc79ad1d134990811d3
SHA1

95cd22a171745294e6e13843c274a427cc6acdda
SHA256

c682ee4f31bf55339dc6e34c5f6242015888729465c0335e3eb60af05847633a
SHA512

90a9bf17aa09d01607b090566050459ccafc7dff7a1cc0515e5f1fa1ef82f795d918198704388a1b29eec1b959d1164df090e3243136807fa975097e32e05bb0
SSDEEP

3072:eOFqYZEtiRjB+OpBmUHkRCBMmn3T/znyS4:eO8xwjBx8UHkt2DJ4

Score

10^/10

ryuk credential_access discovery ransomware stealer

Malware Config

Targets

- Target
  
  2024-08-22_0d1ef0e9b611dcc79ad1d134990811d3_ryuk
- Size
  
  144KB
- MD5
  
  0d1ef0e9b611dcc79ad1d134990811d3
- SHA1
  
  95cd22a171745294e6e13843c274a427cc6acdda
- SHA256
  
  c682ee4f31bf55339dc6e34c5f6242015888729465c0335e3eb60af05847633a
- SHA512
  
  90a9bf17aa09d01607b090566050459ccafc7dff7a1cc0515e5f1fa1ef82f795d918198704388a1b29eec1b959d1164df090e3243136807fa975097e32e05bb0
- SSDEEP
  
  3072:eOFqYZEtiRjB+OpBmUHkRCBMmn3T/znyS4:eO8xwjBx8UHkt2DJ4
Score

10^/10

ryuk credential_access discovery ransomware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Renames multiple (5649) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Windows Credential Manager

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ryukcredential_accessdiscoveryransomwarestealer

behavioral2

ryukcredential_accessdiscoveryransomwarestealer