ryuk | 55bd3c757e26a7da1cf4a8b4387c2a4d9c322b8ef9239b0056156f34c639817a | Triage

Submit
Reports

Overview

overview

Static

static

3

EIMnwkN.exe

windows10-2004-x64

EIMnwkN.exe

windows11-21h2-x64

Sharing

General

Target

201105-k5mbfykn9j_pw_infected.zip
Size

75KB
Sample

250128-x3jqrayng1
MD5

ec7272efa9a0993df632125ac6198836
SHA1

405ed20d05b9dbc3be427d69b54d86752a4dd07d
SHA256

55bd3c757e26a7da1cf4a8b4387c2a4d9c322b8ef9239b0056156f34c639817a
SHA512

713ee65707bbbad03b1705d2155f3bab9f7fcc82863ac485a09a85ac774d88cfa51e4329a30be70822006b53eb2efb9af3da12edd5c5df79794e25794ffbd27a
SSDEEP

1536:6zyr4m2fbW97TqrbD9GD754IKXphYrzkWVZWpzoZkVA5QFToE0XuZH:2yr4ZbOHqrbw7QMzkWTEcaEQFTz

Score

10^/10

ryuk credential_access discovery persistence ransomware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

EIMnwkN.exe

Resource

win10v2004-20241007-es

ryuk credential_access discovery persistence ransomware stealer

windows10-2004-x64

25 signatures

300 seconds

Behavioral task

behavioral2

Sample

EIMnwkN.exe

Resource

win11-20241007-es

ryuk credential_access discovery persistence ransomware stealer

windows11-21h2-x64

20 signatures

300 seconds

Malware Config

Targets

- Target
  
  EIMnwkN.bin
- Size
  
  196KB
- MD5
  
  484a2bcb1335ac97ee91194f4c0964bc
- SHA1
  
  ad11ed52ab33ad05eb9b1e9ade134ca1348acc81
- SHA256
  
  40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1
- SHA512
  
  6e61612bd29425c5ab9b648fa83bc2d8616071247f8659aa316ab9d4adde0a9ceb9301737bb4216db223dfdd371106da75463f6d7e3a88e1c4cdd6c821f3935f
- SSDEEP
  
  3072:08CBJvnmQ4VZQY83XS/cIVVEn+GNi4qRGE95jq:RWJOzT+K5Vc+oujq
Score

10^/10

ryuk credential_access discovery persistence ransomware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (2941) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Credentials from Password Stores

Windows Credential Manager

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ryukcredential_accessdiscoverypersistenceransomwarestealer

behavioral2

ryukcredential_accessdiscoverypersistenceransomwarestealer

© 2018-2025

Terms | Privacy