Overview

overview

10

Static

static

7

JaffaCakes...48.zip

windows7-x64

1

JaffaCakes...48.zip

windows10-2004-x64

1

0323b4326b...02.exe

windows7-x64

10

0323b4326b...02.exe

windows10-2004-x64

10

0898a80dc2...92.exe

windows7-x64

10

0898a80dc2...92.exe

windows10-2004-x64

10

0aaecf7f77...91.exe

windows7-x64

10

0aaecf7f77...91.exe

windows10-2004-x64

10

150e8ef3f1...02.exe

windows7-x64

7

150e8ef3f1...02.exe

windows10-2004-x64

7

23e95ba676...7f.exe

windows7-x64

10

23e95ba676...7f.exe

windows10-2004-x64

10

28e7dc4aeb...33.exe

windows7-x64

10

28e7dc4aeb...33.exe

windows10-2004-x64

350b0d6ae2...d7.exe

windows7-x64

1

350b0d6ae2...d7.exe

windows10-2004-x64

3

3a6ebac4f8...ca.exe

windows7-x64

10

3a6ebac4f8...ca.exe

windows10-2004-x64

10

3fe801df14...4f.exe

windows7-x64

10

3fe801df14...4f.exe

windows10-2004-x64

10

41367ad447...00.exe

windows7-x64

10

41367ad447...00.exe

windows10-2004-x64

10

48f4749f13...77.exe

windows7-x64

1

48f4749f13...77.exe

windows10-2004-x64

3

499d936c22...82.exe

windows7-x64

10

499d936c22...82.exe

windows10-2004-x64

10

4b5a6926ab...d1.exe

windows7-x64

3

4b5a6926ab...d1.exe

windows10-2004-x64

3

4bb0d8eb6b...81.exe

windows7-x64

10

4bb0d8eb6b...81.exe

windows10-2004-x64

5de3d5a337...ed.exe

windows7-x64

10

5de3d5a337...ed.exe

windows10-2004-x64

10

Resubmissions

25-12-2024 03:42

241225-d9c21axjdn 10

25-12-2024 03:39

241225-d74ryawqfw 10

25-12-2024 03:37

241225-d6fzgswqbw 10

25-12-2024 03:21

241225-dwt4cswpdj 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

  • Size

    7.8MB

  • Sample

    241225-d6fzgswqbw

  • MD5

    4a9819c2f6c56a1275165c507a00c6e5

  • SHA1

    5f1ef638e5d1d90c77d00f7a2e10757d90667e98

  • SHA256

    59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

  • SHA512

    e8e0a2eee2e4ad464687717a2aa67b2dcd3708da7307f8ed4382f9a72502ad5c98dc329aa1aa60ca6232bb35e9ba2245ea53de280488fe87829d84b7ca83bf5a

  • SSDEEP

    196608:tk0ZvI6FNtoYRmqKSAEu8Dmf/aUR8BeOmR1RzfYmIxDa6yaDZu:tk2w66YIqTd4sDjE

Score
10/10
ryukcredential_accessdavedefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealerupxvmprotect

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'RCCF8gd'; $torlink = 'http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://rdmnobnbtxh5sm3iiczazaregkpyyub3gktwneeehx62tyot5bc4qhad.onion

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe
Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'nO49CJnf9vO'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'oqsuyezb'; $torlink = 'http://v6nhthxmhpfsody4hitwmk3ug4tavdwl2av57qqid2lvz3nppikrmxqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://v6nhthxmhpfsody4hitwmk3ug4tavdwl2av57qqid2lvz3nppikrmxqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'TyorjXA0'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'NJ5BUX47E'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'JZwuk732'; $torlink = 'http://ylohxrulsdb4ex6hmartra3g63khdb4ku7qkh4qcal2n3nm33vokiiyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://ylohxrulsdb4ex6hmartra3g63khdb4ku7qkh4qcal2n3nm33vokiiyd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = '5PcRSFW'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'CRAny5Nq'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'J5U8YdUCr'; $torlink = 'http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion

Targets

    • Target

      JaffaCakes118_59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

    • Size

      7.8MB

    • MD5

      4a9819c2f6c56a1275165c507a00c6e5

    • SHA1

      5f1ef638e5d1d90c77d00f7a2e10757d90667e98

    • SHA256

      59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

    • SHA512

      e8e0a2eee2e4ad464687717a2aa67b2dcd3708da7307f8ed4382f9a72502ad5c98dc329aa1aa60ca6232bb35e9ba2245ea53de280488fe87829d84b7ca83bf5a

    • SSDEEP

      196608:tk0ZvI6FNtoYRmqKSAEu8Dmf/aUR8BeOmR1RzfYmIxDa6yaDZu:tk2w66YIqTd4sDjE

    Score
    1/10
    behavioral1behavioral2

    • Target

      0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702

    • Size

      208KB

    • MD5

      aa5abadf25aa3f30c1c83c5d43a7ee8f

    • SHA1

      ff50650068de776d2c0a8962cbccd7ffc431327a

    • SHA256

      0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702

    • SHA512

      033139017097fc0b5f296f9a861ee0ebc2faacb0a9ce172898a5765906010cce4bb30d7436afaeafe131b25ff2c51362825e25c60b2ab9d858672a555b28d7fb

    • SSDEEP

      3072:PKNg7ImkKWV/B6LXWhL7UHwT5aOff+2l7Fpxt9PJ30YoV4MQQbz4kB:SN8WBB6LXWhLLT5tf+2PpZo2m4q

    Score
    10/10
    ryukcredential_accessdiscoveryransomwarestealer

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Renames multiple (7428) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    behavioral3behavioral4

    • Target

      0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

    • Size

      124KB

    • MD5

      b16db2ad22dfe39c289f9ebd9ef4c493

    • SHA1

      23ccb60927905eb9be2a9ee4230ebac0836b611c

    • SHA256

      0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892

    • SHA512

      5a95bda6dd3761e1a7967562c8dd1b5bf68ce7ac5e7a0c345465c012f9baa7f668080f9998cb29d8e45ba43adb3fd104ef62380818d2eab5ecf2a1e19e5b95e1

    • SSDEEP

      1536:Oe3QTh4VRf+T+c/7pFqkogzZ+QKfLzP1QLorq3caR09dA77hQHfsWdSLcdc/Zwi6:Q9yjSzZ+QKfLztQLomsktUlcx

    Score
    10/10
    ryukcredential_accessdiscoveryransomwarestealer

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Renames multiple (3778) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    behavioral5behavioral6

    • Target

      0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

    • Size

      468KB

    • MD5

      9296a9b81bfe119bd786a6f5a8ad43ad

    • SHA1

      581cf7c453358cd94ceed70088470c32a7307c8e

    • SHA256

      0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

    • SHA512

      64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

    • SSDEEP

      6144:TDsDjEwQj9kQGxBOfJWgqimbqMS4oXVqhTA4G2PGYWAl/uSp:cDEj9kQG6JNfmMJqWDIl//p

    Score
    10/10
    ryukcredential_accessdiscoveryransomwarestealerspyware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Renames multiple (2551) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral7behavioral8

    • Target

      150e8ef3f1b0d5b5b2af2ffc8d540cb0e36ecdcaf5001bab2f318e36a3c25302

    • Size

      261KB

    • MD5

      4de76198ea4488eae192d0ca4e4bd66b

    • SHA1

      5ac5585b13ea356969b168b86df12053a6de4ee2

    • SHA256

      150e8ef3f1b0d5b5b2af2ffc8d540cb0e36ecdcaf5001bab2f318e36a3c25302

    • SHA512

      db6c2ebbd9d01ebf8af3e68ef8e938c7b6da2c0eef5fc22f63fe69665c56ec19c2d241558984e03afb116b98a4e7dc2b0f4aa8dadd90f44caf3f72ae5f2ee52f

    • SSDEEP

      6144:+yNu/ItUREJ/KKNbS8wf7wmphBgl3gMT6nRx1ASqm:+WlJC6Csm5gRTD

    Score
    7/10

    • Drops startup file

    behavioral10behavioral9

    • Target

      23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

    • Size

      121KB

    • MD5

      7364f6222ac58896e8920f32e4d30aac

    • SHA1

      915fd6fb4e20909025f876f3bb453ec52e21b7be

    • SHA256

      23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f

    • SHA512

      f5e2b5a17ed04c7edb904e867cec2f66a59b887176bd3e25803e82a390fc36fc47002df747099ca4e6960f020afe1137f4ba24b28613423b5de0b09ff7048026

    • SSDEEP

      3072:BXJu7BIjMhO2mKWmHgeBsVEu2w9+RXdd:BX6B7WmHdp

    Score
    10/10
    ryukcredential_accessdiscoveryransomwarestealerspyware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Renames multiple (8050) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral11behavioral12

    • Target

      28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33

    • Size

      321KB

    • MD5

      04ba14a9828b000add142d0bcb42ac2d

    • SHA1

      928a705a481384dee3aa9985bb2a9e1e6827902f

    • SHA256

      28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33

    • SHA512

      2fc56d6fdf360c0435f76822f3d99288c3b31462931eb128c7ed895bf93d88b00663801c1a5394b1ae5bb081ac76b004deaf46fdf2b0b9c027b2945a7c030909

    • SSDEEP

      6144:ba4FsUiep6JzvI74kZO/+SJtwOW8HFBwK3SBDmhYfFQ:ba4Fs/7IfO/+SJFW8HF+KCIG

    Score
    10/10
    ryukdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealervmprotect

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral13behavioral14

    • Target

      350b0d6ae25e81c8394b119f4d569c083df8d17e6241d8efed0858cf91c745d7

    • Size

      353KB

    • MD5

      2d438f5ca86f9813dd17346c8865bd4d

    • SHA1

      65b2e9be5770e294bed07fa9b5ecfdadb94203c3

    • SHA256

      350b0d6ae25e81c8394b119f4d569c083df8d17e6241d8efed0858cf91c745d7

    • SHA512

      dd979e28370fbb5606cdcd14c0ded0be1a8e6cbd98d8ae57d4e1c97ef47e0b2387462b66914cf600d3a93dfdb794addc4b29d7ff40948a761a968d3527e4db3c

    • SSDEEP

      6144:OxN7NO77pzXFZ2m9TqbwWMIyBkq+OF3B:ON7U777Zwb7MIyW4j

    Score
    3/10
    discovery
    behavioral15behavioral16

    • Target

      3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca

    • Size

      200KB

    • MD5

      ad3a5956dc4e8fd6a62671a6204d11b9

    • SHA1

      aac34bd5c2f8e63dca20034f24384c2ce1d641b5

    • SHA256

      3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca

    • SHA512

      23edec2ddc72277efca922dc7c66fef2220d0ad3709b277c236bd883214e423143a947ff48ec2a8b57b1835b715a06b39b7d1c2a423e62dc4166ad5097742f13

    • SSDEEP

      3072:URQTlkAsGqrezGACPTPr74tOGOq+z3M1EgimoiY6RRerR5GyK231/Bdz:JTlEG9SAWTPr5zgimoiPRRe9HH

    Score
    10/10
    ryukcredential_accessdiscoveryransomwarestealer

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Renames multiple (3477) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral17behavioral18

    • Target

      3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f

    • Size

      279KB

    • MD5

      5df4ac6e94ae7e9f9eb28d8f7f464946

    • SHA1

      79f222f94fa265896c5e4578b91ed4ebc100058d

    • SHA256

      3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f

    • SHA512

      18826a1cb94e73402c279607d1348ba532966fe3223cbeec9cfb534ab425966fadeb001bc80518411b2f8c8d884b2936779950fbc0c5f48dfc01d33e766f749a

    • SSDEEP

      6144:IS1cGDFCQuthKvzggi4quAM8QRofVjjdQxpBkAI5rZ/OuHqxwbmmjO8Sw6Z/rqS8:71cGlutwSuAM8QRC6pBAZmo9sZ/rhgt

    Score
    10/10
    ryukcredential_accessdavediscoveryransomwarestealer

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Renames multiple (1531) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Dave packer

      Detects executable using a packer named 'Dave' by the community, based on a string at the end.

      dave

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery
    behavioral19behavioral20

    • Target

      41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

    • Size

      544KB

    • MD5

      526fa2ecb5f8fee6aec4b5d7713d909a

    • SHA1

      51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

    • SHA256

      41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

    • SHA512

      f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

    • SSDEEP

      6144:0foeu9rlMfTOC5TGdQJEMpc35IA0dOYiUeinhn6:0fdsUCiYQJxc3YiUeinhn6

    Score
    10/10
    ryukcredential_accessdiscoveryransomwarestealerspyware

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Renames multiple (8207) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    behavioral21behavioral22

    • Target

      48f4749f13582fea3e9bcc6775cce82c3c6391d2d58acd98b99d1e6acc810277

    • Size

      353KB

    • MD5

      c1da8e9bc9dcf68ed2e281049e11740d

    • SHA1

      25e8fe884ca927e91142dacaaf92fcb544da0058

    • SHA256

      48f4749f13582fea3e9bcc6775cce82c3c6391d2d58acd98b99d1e6acc810277

    • SHA512

      68ed339320ae064f4245e68f14bc16275766d730c780392150755db474344582d405dd58ba5f5fde18b3057bc61f453fad6df78996934de48873c0ca2d4481af

    • SSDEEP

      6144:fxN7Na77pLQFP2D97RrwWMIMq2Bt8GuSeBt:JN7w77yPcr7MIlcJuD

    Score
    3/10
    discovery
    behavioral23behavioral24

    • Target

      499d936c223743c3d2a40c3b7b1f974cedb98951f846b163d0f17d2d38ffc282

    • Size

      116KB

    • MD5

      be0626010b7f7f47f7416dcac841edb5

    • SHA1

      d377e8211ae7a5249758402a170362164f1d8498

    • SHA256

      499d936c223743c3d2a40c3b7b1f974cedb98951f846b163d0f17d2d38ffc282

    • SHA512

      fe9091bc9fbe089ca541213ce6f33167832d4c18aa5713da8ff77266245ad3741d4cd3341b87156949f2b2e9c344090eb6f5ea36149a23ed4989467766c0b50a

    • SSDEEP

      1536:wI6gch0tsfgWTaPyWvSUgqyx4mYcX/jsLHcaPql4HqhBmQSsWZcdHC91/ISeCh:rbsROAeyx4m5PjI8GpqhBmEHMV5

    Score
    10/10
    ryukcredential_accessdiscoveryransomwarestealer

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Renames multiple (8158) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    behavioral25behavioral26

    • Target

      4b5a6926ab9b487fca2d33ba00b4e25f731bc52a3222a6ef3141b8703c1e2cd1

    • Size

      253KB

    • MD5

      d57bb1c7e710dbae2444505a2127f6ac

    • SHA1

      26b98cf0f844ebf5ca0ff2d8f9c572a90c8e9c1a

    • SHA256

      4b5a6926ab9b487fca2d33ba00b4e25f731bc52a3222a6ef3141b8703c1e2cd1

    • SHA512

      ccf3520d9634755a9e270fde3267776f0fcfa0f73a26a951439f2e7ade52a73b5c20207bf270e18fdf9042033cf45cc3de1842fe3a4529232a36f1b665753766

    • SSDEEP

      3072:4b4qQtwbOfZ7QC2mCdDWHiGe42Ayn6R0tIawjLLFSjuqdAg0Fujo+sjmsOCPmGRD:4s5eOfy6yyv3jCAOa3dRUI

    Score
    3/10
    discovery
    behavioral27behavioral28

    • Target

      4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581

    • Size

      143KB

    • MD5

      b77cc8a1ede23a80a4a4c9d0a8b40735

    • SHA1

      254c97abab837687c779b57c7ef1bec4c1e2351a

    • SHA256

      4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581

    • SHA512

      f94546161808210ada027d03465f88336de4f2d24581801566f7ff17a9641b389c43946a98275ed637759a0205b8d09f9028d26bb75ab44e3f7038c5b4667ffd

    • SSDEEP

      3072:dgKsEF7Wf33SdvlRmhYHP+CPt1OOxkgQe:WBwK3SBDmhYfFQe

    Score
    10/10
    ryukdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral29behavioral30

    • Target

      5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed

    • Size

      140KB

    • MD5

      75a3cf8ced873ee7bc415e27e108496b

    • SHA1

      ac94165d63c75f4adf1728aa2ecb776ac7c1c18e

    • SHA256

      5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed

    • SHA512

      7c3e166ff75ad32f70bfb355167333be4f9bc5b5740a231b4a1fb5c391bd8e137ebea6a3ba5370797f016cbdb83631bb5e459e0bc64beb3246ed9605b3bdb903

    • SSDEEP

      1536:HhwpMRUR8gpO3fM/CvmHWvW7l4y0RPG4UnmPqAibDe7bvjk/J0LcJQ6f8EPhQmGD:ZZi++b0Hb6bDIbvjkmwRPhuHmrOB

    Score
    10/10
    ryukcredential_accessdiscoveryransomwarestealer

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Renames multiple (7038) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Direct Volume Access

1
T1006

File and Directory Permissions Modification

1
T1222

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Tasks

static1

vmprotectupx
Score
7/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

ryukcredential_accessdiscoveryransomwarestealer
Score
10/10

behavioral4

ryukcredential_accessdiscoveryransomwarestealer
Score
10/10

behavioral5

ryukcredential_accessdiscoveryransomwarestealer
Score
10/10

behavioral6

ryukcredential_accessdiscoveryransomwarestealer
Score
10/10

behavioral7

ryukcredential_accessdiscoveryransomwarestealer
Score
10/10

behavioral8

ryukcredential_accessdiscoveryransomwarespywarestealer
Score
10/10

behavioral9

Score
7/10

behavioral10

Score
7/10

behavioral11

ryukcredential_accessdiscoveryransomwarestealer
Score
10/10

behavioral12

ryukcredential_accessdiscoveryransomwarespywarestealer
Score
10/10

behavioral13

ryukdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealervmprotect
Score
10/10

behavioral14

ryukdiscoverypersistenceransomwarevmprotect
Score
10/10

behavioral15

Score
1/10

behavioral16

discovery
Score
3/10

behavioral17

ryukcredential_accessdiscoveryransomwarestealer
Score
10/10

behavioral18

ryukcredential_accessdiscoveryransomwarestealer
Score
10/10

behavioral19

ryukcredential_accessdavediscoveryransomwarestealer
Score
10/10

behavioral20

ryukdavediscoveryransomware
Score
10/10

behavioral21

ryukcredential_accessdiscoveryransomwarestealer
Score
10/10

behavioral22

ryukcredential_accessdiscoveryransomwarespywarestealer
Score
10/10

behavioral23

Score
1/10

behavioral24

discovery
Score
3/10

behavioral25

ryukcredential_accessdiscoveryransomwarestealer
Score
10/10

behavioral26

ryukcredential_accessdiscoveryransomwarestealer
Score
10/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

ryukdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer
Score
10/10

behavioral30

ryukdiscoverypersistenceransomware
Score
10/10

behavioral31

ryukcredential_accessdiscoveryransomwarestealer
Score
10/10

behavioral32

ryukcredential_accessdiscoveryransomwarestealer
Score
10/10