Extracted

• • Target

    2024-12-05_6d7d0a07024e8e61ed94a14b96490f81_rook

  • Size

    79KB

  • MD5

    6d7d0a07024e8e61ed94a14b96490f81

  • SHA1

    a81ebdcfd566066d32d582a299fbbee946e4c310

  • SHA256

    bf690b438268c48bfe5c73fad5c4acfe786c68eddeceecd3ac452d4e1832922c

  • SHA512

    781328a9fd68ed362c5fd538e9e99dd1db8d800cb01b36fb7f1c57b865f747b55b1ae6fb45107d5a5306e8926ad9f08abfbfd9eefb116ee0ad27f711efeac177

  • SSDEEP

    1536:uBzyvLtPO7Pr90tG3yEJ0gJVlp8swKDsGULa5UUc6ahF98aaTpflFTTJovD:uB2+90tiV0EdJNaZ9wpfltTJ

  Score

  10^/10

  ryukdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealerupx

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Network Share Discovery

    Attempt to gather information on host network.

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2