Extracted

• • Target

    ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

  • Size

    134KB

  • MD5

    0a0b0ac20e9fe72753e74def1e37724f

  • SHA1

    fd683b33ee10ba92e485f76fbad9b48a2e697358

  • SHA256

    ec3da4ac9ec917e66ab943ab149119807922f64f2e4960ebadc36fe7520b300f

  • SHA512

    3f5d8b747955fc5926767c04be7c7d414205d01e8a2e586d3e94f2a4da756b56b15a795ec5847894b21b39fba7d595d18898df60375c126998e6b638cf78a759

  • SSDEEP

    3072:lZkmuVEvfzS9ljrZU/bH0ffOkObkPnSh6/P:LkmQIW9ljrqbH0cwH

  Score

  10^/10

  ryukcredential_accessdiscoveryransomwarestealer

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (4688) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Drops desktop.ini file(s)

  behavioral1behavioral2