ryuk | 25cb9bd4cd6df480d638f415ff0fa631e8286cf125858ae230a91736e09c25de | Triage

Submit
Reports

Overview

overview

Static

static

3

15df3e84e3...a0.exe

windows7-x64

15df3e84e3...a0.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_25cb9bd4cd6df480d638f415ff0fa631e8286cf125858ae230a91736e09c25de
Size

208KB
Sample

241229-brfztsxrep
MD5

687e488066a138133c4f855bbba542b9
SHA1

fecc227879883444f13509db2e73614c27e2cc0b
SHA256

25cb9bd4cd6df480d638f415ff0fa631e8286cf125858ae230a91736e09c25de
SHA512

69f7ff40d1fe3ecfe302ec062a82be7046c7db8e05a7150618397ae1d4351cff2142684f5565f82a057ef776dd4224dda52925acc5a0c3208f7ea5df53f199ef
SSDEEP

6144:hdPiuZVciMpR8LoLLbcuSrUCGva7T2ffO:hdZaZQLoLLbcuSrAa7Kf2

Score

10^/10

ryuk credential_access defense_evasion discovery execution impact ransomware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe

Resource

win7-20240903-en

ryuk credential_access defense_evasion discovery execution impact ransomware stealer

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0.exe

Resource

win10v2004-20241007-en

ryuk credential_access discovery ransomware stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0
- Size
  
  365KB
- MD5
  
  5544362f8a060fb0fd9678a450ab1ada
- SHA1
  
  3267d35994b321c2011ee7e2f52ec69517320508
- SHA256
  
  15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0
- SHA512
  
  fc0b98a10792073a35a8bd4bdc0b0edf769025b31cf64ac3e64b20fd0e4f48c2f33b20e81101e83d44a90900f938bfd245f096cb2eb69f2c91a8662d61b8f6a0
- SSDEEP
  
  6144:Cqv7LSCyncJdsMUZUaV9RTx00sAzqZJjW4Azd2gmmNS:CgnSjncJdjUZUaV9M2zqZplAzd2+S
Score

10^/10

ryuk credential_access defense_evasion discovery execution impact ransomware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (5222) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

File and Directory Permissions Modification

Indicator Removal

File Deletion

Credential Access

Credentials from Password Stores

Windows Credential Manager

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

ryukcredential_accessdefense_evasiondiscoveryexecutionimpactransomwarestealer

behavioral2

ryukcredential_accessdiscoveryransomwarestealer

© 2018-2025

Terms | Privacy