Extracted

Extracted

Extracted

Extracted

Extracted

• • Target

    09472e7d9209b7cfc3bbc2e815a2aa843133395b

  • Size

    125KB

  • MD5

    66970cb2a5663b9ee15595096bb7d269

  • SHA1

    09472e7d9209b7cfc3bbc2e815a2aa843133395b

  • SHA256

    dcc3d3684420b9d998f854e68755246eda0d1b5a5d3f0b3e28ea1e82f32b16d6

  • SHA512

    2bba4be7e6e7f7959e7298387d0841643cb75904d7fd74032ccfca70fac5bf6b6d43feb6617f4e6d090ec5e671613fd4ad14ac6869ea3ff819d12fa9a96b58cf

  • SSDEEP

    3072:Sekw/Vd+ERa90yEJewpM7EXvAWW4bkPn2VO:Nkw/VdhRauyEJed7EXvbR

  Score

  10^/10

  discoveryryukransomware

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (104) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Modifies file permissions

    discovery
  behavioral1behavioral2

• • Target

    1dd4a0983a6884dddc3edf27eb5fdfc87664ed63

  • Size

    274KB

  • MD5

    4d74af75deddc969fef5fd89e65fa251

  • SHA1

    1dd4a0983a6884dddc3edf27eb5fdfc87664ed63

  • SHA256

    8879a8d1508c3297200c608f3a93da5387521767c050f17aed78dde8a0cbfe12

  • SHA512

    56cbd165259045e262b064bc1d5dd242304ef30f34b9b899b9295f79aabba02cb09438ab0c429c3828b5c13e8ebcb8f5dbae85eb4c9490f65cec9807a24d062c

  • SSDEEP

    3072:LAunuYnzIGM2LH38BgyJik0OLXrCwafxSm2F9yf/pVc58/XV/l3PV1I57PF7IdlP:LVnPzIGM2LsWO1LXmw42Upm5zcP

  Score

  10^/10

  ryukcredential_accessdiscoveryransomwarestealer

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (1258) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral3behavioral4

• • Target

    2b10ad4890c4d6e2861533cc7260a9fdc7871ea2

  • Size

    157KB

  • MD5

    c1da496d8ab64225db031361a3f265a3

  • SHA1

    2b10ad4890c4d6e2861533cc7260a9fdc7871ea2

  • SHA256

    c4bd712a7f7185a2224806b85f3c6ac48de067e38d554608b3ee92422d902b28

  • SHA512

    8ead9423e31cdee8388704d7b38a9c6d4b33a9d09e729b73c70c69d5e4e09ad0fcb192dd866a1cf0a9283e099bd7d44ecb75607b63e5e5dcffc087cd60b5a047

  • SSDEEP

    3072:VBQgbs1Hl660/2bWxA3N3Fb/yKcJciovQzc5B2JYtoUa:ds1FP02bWujcJcDvQQ6eha

  Score

  10^/10

  ryukdiscoveryransomwareupx

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Modifies file permissions

    discovery

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral5behavioral6

• • Target

    352b1f3533ded8c575246d4466f68c49

  • Size

    545KB

  • MD5

    352b1f3533ded8c575246d4466f68c49

  • SHA1

    e430730620feec3673b9c38d87482c9294421b19

  • SHA256

    b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da

  • SHA512

    db9ab4315417679f6d1003e97067e87aae7f1c2b9f5a8358e32004d8322a997fc5f1627c3535517ca515e9493e9edb7292f1d1c6080e19d8ea71419fd4c6e9c9

  • SSDEEP

    6144:GVnPzIGM2LsWO1LXmw42Upm5zc8VnPzIGM2LsWO1LXmw42Upm5zcZ:GVPzIGhAXBXLZgeVPzIGhAXBXLZgf

  Score

  10^/10

  ryukdiscoveryransomwarecredential_accessstealer

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (701) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral7behavioral8

• • Target

    45295780f2ba837be42ccf50710bd2b5

  • Size

    136KB

  • MD5

    45295780f2ba837be42ccf50710bd2b5

  • SHA1

    f937b1b7b3593a38702f870077658a891974edda

  • SHA256

    60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

  • SHA512

    588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

  • SSDEEP

    3072:PN0KtMUwOWEHezRpl4vOA19oNL6YcPa8839v:PN01uWE+f2vOMOwQv

  Score

  10^/10

  ryukdiscoveryransomwarecredential_accessstealer

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (4273) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral10behavioral9

• • Target

    4d74af75deddc969fef5fd89e65fa251

  • Size

    274KB

  • MD5

    4d74af75deddc969fef5fd89e65fa251

  • SHA1

    1dd4a0983a6884dddc3edf27eb5fdfc87664ed63

  • SHA256

    8879a8d1508c3297200c608f3a93da5387521767c050f17aed78dde8a0cbfe12

  • SHA512

    56cbd165259045e262b064bc1d5dd242304ef30f34b9b899b9295f79aabba02cb09438ab0c429c3828b5c13e8ebcb8f5dbae85eb4c9490f65cec9807a24d062c

  • SSDEEP

    3072:LAunuYnzIGM2LH38BgyJik0OLXrCwafxSm2F9yf/pVc58/XV/l3PV1I57PF7IdlP:LVnPzIGM2LsWO1LXmw42Upm5zcP

  Score

  10^/10

  ryukdiscoveryransomware

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery
  behavioral11behavioral12

• • Target

    60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

  • Size

    136KB

  • MD5

    45295780f2ba837be42ccf50710bd2b5

  • SHA1

    f937b1b7b3593a38702f870077658a891974edda

  • SHA256

    60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

  • SHA512

    588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

  • SSDEEP

    3072:PN0KtMUwOWEHezRpl4vOA19oNL6YcPa8839v:PN01uWE+f2vOMOwQv

  Score

  10^/10

  ryukcredential_accessdiscoveryransomwarestealer

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (1031) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral13behavioral14

• • Target

    75a3cf8ced873ee7bc415e27e108496b

  • Size

    140KB

  • MD5

    75a3cf8ced873ee7bc415e27e108496b

  • SHA1

    ac94165d63c75f4adf1728aa2ecb776ac7c1c18e

  • SHA256

    5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed

  • SHA512

    7c3e166ff75ad32f70bfb355167333be4f9bc5b5740a231b4a1fb5c391bd8e137ebea6a3ba5370797f016cbdb83631bb5e459e0bc64beb3246ed9605b3bdb903

  • SSDEEP

    1536:HhwpMRUR8gpO3fM/CvmHWvW7l4y0RPG4UnmPqAibDe7bvjk/J0LcJQ6f8EPhQmGD:ZZi++b0Hb6bDIbvjkmwRPhuHmrOB

  Score

  10^/10

  ryukdiscoveryransomwarecredential_accessstealer

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (6703) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral15behavioral16

• • Target

    7dee29fbeb5af549cb8a68dc47adf9721eb2b726

  • Size

    139KB

  • MD5

    f65e92fae0793bc18568f743ba0df697

  • SHA1

    7dee29fbeb5af549cb8a68dc47adf9721eb2b726

  • SHA256

    aaec6ae400b38b95ae414481d8d45f0281cf26f59f8592567dfe2223f66024ad

  • SHA512

    879ca2f058755079341d42d496f6c6b79469bdb537a2dbeb758d0d7bc5726e56515e889f620f8bdfdafe52a4cc1f83d1c335fa75f05ac7339acf6c3cde46cafe

  • SSDEEP

    1536:wlCpTtdIagWF2o9EWPXFse6sqnL0cm5xfs+j13zWzxXfz3SXY2RcJByp8TPhQmG2:/MolPXkdmXNCzxvz32uPPhuH0LtpQ

  Score

  10^/10

  ryukcredential_accessdiscoveryransomwarestealer

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (1157) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral17behavioral18

• • Target

    8879a8d1508c3297200c608f3a93da5387521767c050f17aed78dde8a0cbfe12

  • Size

    274KB

  • MD5

    4d74af75deddc969fef5fd89e65fa251

  • SHA1

    1dd4a0983a6884dddc3edf27eb5fdfc87664ed63

  • SHA256

    8879a8d1508c3297200c608f3a93da5387521767c050f17aed78dde8a0cbfe12

  • SHA512

    56cbd165259045e262b064bc1d5dd242304ef30f34b9b899b9295f79aabba02cb09438ab0c429c3828b5c13e8ebcb8f5dbae85eb4c9490f65cec9807a24d062c

  • SSDEEP

    3072:LAunuYnzIGM2LH38BgyJik0OLXrCwafxSm2F9yf/pVc58/XV/l3PV1I57PF7IdlP:LVnPzIGM2LsWO1LXmw42Upm5zcP

  Score

  10^/10

  ryukdiscoveryransomwarecredential_accessstealer

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (686) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral19behavioral20

• • Target

    9b40b0d3b228d9e958c8d45fb8cec64c6851d113

  • Size

    272KB

  • MD5

    975f776f11c6d36621ba5a9da6151aa2

  • SHA1

    9b40b0d3b228d9e958c8d45fb8cec64c6851d113

  • SHA256

    ea67e662ba55629b40d0eddbaaafc824e5809f31c9e35222104637a67615c51d

  • SHA512

    6d0bae9d7b4147010542ac28ba36b151d22e2a30a63ec6ac37fa112230cd575a830b23ac389a394ad3bf9cb8293869c30be8cc92614e9bab31b366155bf6edc4

  • SSDEEP

    3072:GAunuYnzIGM2LH38BgyJik0OLXrCwafxSm2F9yf/pVc58/XV/l3PV1I57PF7IdlZ:GVnPzIGM2LsWO1LXmw42Upm5zc

  Score

  10^/10

  ryukdiscoveryransomwarecredential_accessstealer

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (315) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral21behavioral22

• • Target

    aaec6ae400b38b95ae414481d8d45f0281cf26f59f8592567dfe2223f66024ad

  • Size

    139KB

  • MD5

    f65e92fae0793bc18568f743ba0df697

  • SHA1

    7dee29fbeb5af549cb8a68dc47adf9721eb2b726

  • SHA256

    aaec6ae400b38b95ae414481d8d45f0281cf26f59f8592567dfe2223f66024ad

  • SHA512

    879ca2f058755079341d42d496f6c6b79469bdb537a2dbeb758d0d7bc5726e56515e889f620f8bdfdafe52a4cc1f83d1c335fa75f05ac7339acf6c3cde46cafe

  • SSDEEP

    1536:wlCpTtdIagWF2o9EWPXFse6sqnL0cm5xfs+j13zWzxXfz3SXY2RcJByp8TPhQmG2:/MolPXkdmXNCzxvz32uPPhuH0LtpQ

  Score

  10^/10

  ryukdiscoveryransomwarecredential_accessstealer

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (6079) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral23behavioral24

• • Target

    aaf3abc4054f800aaa429c4f2e4b20af

  • Size

    274KB

  • MD5

    aaf3abc4054f800aaa429c4f2e4b20af

  • SHA1

    16e859c1222b7f4dba2361480ce33a0564e4cabf

  • SHA256

    de2b5aa6de6f7ff053308084217f7a9b977489027fb103729d6a7d94298c6a6b

  • SHA512

    650e515d0ec199efa74ed4bb2e0f622da609b9559d2663c990bb5310997f44785408f0ed2c35405445962abe33ba74266bc7f3c8b5afa0b8035856364f4e2de6

  • SSDEEP

    3072:NAunuYnzIGM2LH38BgyJik0OLXrCwafxSm2F9yf/pVc58/XV/l3PV1I57PF7IdlL:NVnPzIGM2LsWO1LXmw42Upm5zcL

  Score

  10^/10

  ryukdiscoveryransomwarecredential_accessstealer

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (3183) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral25behavioral26

• • Target

    ac94165d63c75f4adf1728aa2ecb776ac7c1c18e

  • Size

    140KB

  • MD5

    75a3cf8ced873ee7bc415e27e108496b

  • SHA1

    ac94165d63c75f4adf1728aa2ecb776ac7c1c18e

  • SHA256

    5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed

  • SHA512

    7c3e166ff75ad32f70bfb355167333be4f9bc5b5740a231b4a1fb5c391bd8e137ebea6a3ba5370797f016cbdb83631bb5e459e0bc64beb3246ed9605b3bdb903

  • SSDEEP

    1536:HhwpMRUR8gpO3fM/CvmHWvW7l4y0RPG4UnmPqAibDe7bvjk/J0LcJQ6f8EPhQmGD:ZZi++b0Hb6bDIbvjkmwRPhuHmrOB

  Score

  10^/10

  ryukdiscoveryransomwarecredential_accessstealer

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (130) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral27behavioral28

• • Target

    b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da

  • Size

    545KB

  • MD5

    352b1f3533ded8c575246d4466f68c49

  • SHA1

    e430730620feec3673b9c38d87482c9294421b19

  • SHA256

    b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da

  • SHA512

    db9ab4315417679f6d1003e97067e87aae7f1c2b9f5a8358e32004d8322a997fc5f1627c3535517ca515e9493e9edb7292f1d1c6080e19d8ea71419fd4c6e9c9

  • SSDEEP

    6144:GVnPzIGM2LsWO1LXmw42Upm5zc8VnPzIGM2LsWO1LXmw42Upm5zcZ:GVPzIGhAXBXLZgeVPzIGhAXBXLZgf

  Score

  10^/10

  ryukdiscoveryransomware

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery
  behavioral29behavioral30

• • Target

    c4bd712a7f7185a2224806b85f3c6ac48de067e38d554608b3ee92422d902b28

  • Size

    157KB

  • MD5

    c1da496d8ab64225db031361a3f265a3

  • SHA1

    2b10ad4890c4d6e2861533cc7260a9fdc7871ea2

  • SHA256

    c4bd712a7f7185a2224806b85f3c6ac48de067e38d554608b3ee92422d902b28

  • SHA512

    8ead9423e31cdee8388704d7b38a9c6d4b33a9d09e729b73c70c69d5e4e09ad0fcb192dd866a1cf0a9283e099bd7d44ecb75607b63e5e5dcffc087cd60b5a047

  • SSDEEP

    3072:VBQgbs1Hl660/2bWxA3N3Fb/yKcJciovQzc5B2JYtoUa:ds1FP02bWujcJcDvQQ6eha

  Score

  10^/10

  ryukdiscoveryransomwareupxcredential_accessstealer

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (6700) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Executes dropped EXE

  • Modifies file permissions

    discovery

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral31behavioral32