Extracted

• • Target

    9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

  • Size

    119KB

  • MD5

    c68395e474088d5339972e2bf5a30f3c

  • SHA1

    502e42240969399c09337ecc7b5ca8fc1ba4baf3

  • SHA256

    9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

  • SHA512

    5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

  • SSDEEP

    1536:j/t3fhrg5rw0lQa2+T37us7RidSkPq9IiJ/EXrAyPca7m94nqHBmQSsWZcdH2kB/:lG55XP0Vq9IiKXrxkKNqHBmEHNVKA

  Score

  10^/10

  ryukcredential_accessdiscoveryransomwarestealerspyware

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk

  • Ryuk family

    ryuk

  • Renames multiple (2060) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Drops desktop.ini file(s)

  behavioral1behavioral2