Overview

overview

10

Static

static

3

2024-12-10...uk.exe

windows7-x64

10

2024-12-10...uk.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    241210-b3gqhaypes_pw_infected.zip.zip

  • Size

    192KB

  • Sample

    250102-mrjw9syjfv

  • MD5

    4d24489d3c6a2ea490bdcccb7d850694

  • SHA1

    4fdafc6eedf5695371c5ffe97c450221b83d8d70

  • SHA256

    3b21b98d92725cfd4d253b0022bd2cc1bba910e0ce928a94fa970cc9bca5a992

  • SHA512

    e295d0537870d789961ac907b412577517ba457438a6bfc379b60650259f535317bed2323fcbbd95f2502e89204524a6df8e485c35a1ed34c9ec311520b0a670

  • SSDEEP

    6144:59FVWtna4njqbF6jQgxMmoAYRMV7no9wa:51Wt5+VgoHuha

Score
10/10
ryukdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Gentlemen! Your business is at serious risk. There is a significant hole in the security system of your company. We've easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5 BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future + we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. contact emails [email protected] or [email protected] BTC wallet: 1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz Ryuk No system is safe
Wallets

1NQ42zc51stA4WAVkUK8uqFAjo1DbWv4Kz

Targets

    • Target

      2024-12-10_7bcbd03a264f616bcbf64dd973c9e120_luca-stealer_ryuk

    • Size

      378KB

    • MD5

      7bcbd03a264f616bcbf64dd973c9e120

    • SHA1

      5d2b6c04f634672ba0a11063dd1bc225446af2c2

    • SHA256

      8f6bddd131f27472a4b974c3a141f8eba3a2c110b4b19d755408f67aed212b68

    • SHA512

      f5b1dc62441d9bfdb57a7ae6ef41c46106e510ba73cea8372cc0a2765c192d27dc3f41c1dfadadcaaa39ff4fd87b0c84b81ecd3b14c8315edeca3dd0a8789242

    • SSDEEP

      6144:sMfwnT2W/Pw5qjylH1/7QXMWibyJp/qQ:snTzPqHkiuX

    Score
    10/10
    ryukdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Ryuk family

      ryuk

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Network Share Discovery

1
T1135

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Tasks