General
-
Target
2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook
-
Size
79KB
-
Sample
241205-n15e1ayrhl
-
MD5
6d7d0a07024e8e61ed94a14b96490f81
-
SHA1
a81ebdcfd566066d32d582a299fbbee946e4c310
-
SHA256
bf690b438268c48bfe5c73fad5c4acfe786c68eddeceecd3ac452d4e1832922c
-
SHA512
781328a9fd68ed362c5fd538e9e99dd1db8d800cb01b36fb7f1c57b865f747b55b1ae6fb45107d5a5306e8926ad9f08abfbfd9eefb116ee0ad27f711efeac177
-
SSDEEP
1536:uBzyvLtPO7Pr90tG3yEJ0gJVlp8swKDsGULa5UUc6ahF98aaTpflFTTJovD:uB2+90tiV0EdJNaZ9wpfltTJ
Behavioral task
behavioral1
Sample
2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\RyukReadMe.txt
ryuk
1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz
Targets
-
-
Target
2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook
-
Size
79KB
-
MD5
6d7d0a07024e8e61ed94a14b96490f81
-
SHA1
a81ebdcfd566066d32d582a299fbbee946e4c310
-
SHA256
bf690b438268c48bfe5c73fad5c4acfe786c68eddeceecd3ac452d4e1832922c
-
SHA512
781328a9fd68ed362c5fd538e9e99dd1db8d800cb01b36fb7f1c57b865f747b55b1ae6fb45107d5a5306e8926ad9f08abfbfd9eefb116ee0ad27f711efeac177
-
SSDEEP
1536:uBzyvLtPO7Pr90tG3yEJ0gJVlp8swKDsGULa5UUc6ahF98aaTpflFTTJovD:uB2+90tiV0EdJNaZ9wpfltTJ
-
Ryuk family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1