ryuk | dcb9ec0cc6bdce89df3df0c0ca4170829f6897decd78c5365ea6e7802f3c0941 | Triage

Sharing

General

Target

dcb9ec0cc6bdce89df3df0c0ca4170829f6897decd78c5365ea6e7802f3c0941
Size

436KB
Sample

240909-s1zlzawamq
MD5

13f929e2cc03dbe1780cce33b7dce110
SHA1

80c4da8863796f0e1cdbb1e72e8678e679526a4d
SHA256

dcb9ec0cc6bdce89df3df0c0ca4170829f6897decd78c5365ea6e7802f3c0941
SHA512

91b0f91be9376884041efcc1aac5eaf5e62c516a48ed7d48c4d2dac5cd23681faba24e088c9131ebfcc1ee60090ba0097dd276a5e235f07cce6c4bf4afa2fd92
SSDEEP

1536:N9QXhvCxVUzRTco+TlNXKldmmYp3d7Ye58zFFg2fahT5wXwtQyHsWSJcdH4JNMwm:IUDYoGyp3dEe+kIamQIYH4/M

Score

10^/10

ryuk credential_access discovery ransomware stealer

Malware Config

Targets

- Target
  
  dcb9ec0cc6bdce89df3df0c0ca4170829f6897decd78c5365ea6e7802f3c0941
- Size
  
  436KB
- MD5
  
  13f929e2cc03dbe1780cce33b7dce110
- SHA1
  
  80c4da8863796f0e1cdbb1e72e8678e679526a4d
- SHA256
  
  dcb9ec0cc6bdce89df3df0c0ca4170829f6897decd78c5365ea6e7802f3c0941
- SHA512
  
  91b0f91be9376884041efcc1aac5eaf5e62c516a48ed7d48c4d2dac5cd23681faba24e088c9131ebfcc1ee60090ba0097dd276a5e235f07cce6c4bf4afa2fd92
- SSDEEP
  
  1536:N9QXhvCxVUzRTco+TlNXKldmmYp3d7Ye58zFFg2fahT5wXwtQyHsWSJcdH4JNMwm:IUDYoGyp3dEe+kIamQIYH4/M
Score

10^/10

ryuk credential_access discovery ransomware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Renames multiple (8192) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Windows Credential Manager

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ryukcredential_accessdiscoveryransomwarestealer

behavioral2

ryukcredential_accessdiscoveryransomwarestealer