Resubmissions

30-01-2025 16:42

250130-t73smsynhn 10

28-01-2025 18:40

250128-xbd17a1kej 10

General

  • Target

    240911-aseygssepl_pw_infected.zip

  • Size

    65KB

  • Sample

    250128-xbd17a1kej

  • MD5

    8f8be5dfe62044cea1d3f7418b5224c8

  • SHA1

    28644e5303d01e42f80ffdf3a762423c9592b95b

  • SHA256

    7bac5c10d02534007f1efb371885ae3918d21d394371f92d4e6455b58b4e16ad

  • SHA512

    4521f937f81fb0ee82673de4c79e09d50056378f4c00c9b6ce5d68f1a542f20ec527120671d79db65d409829185336262bc7cf8f2ccd2557a4226782c1566fe0

  • SSDEEP

    1536:UP2JsUHlicNKEcYYCE7m/USt/njDG5ixh4Qy26DCkK/0QoUciT30:Q0CNYYCHpG6NcDQ/0Qtlk

Malware Config

Targets

    • Target

      2024-09-11_13f929e2cc03dbe1780cce33b7dce110_ryuk

    • Size

      436KB

    • MD5

      13f929e2cc03dbe1780cce33b7dce110

    • SHA1

      80c4da8863796f0e1cdbb1e72e8678e679526a4d

    • SHA256

      dcb9ec0cc6bdce89df3df0c0ca4170829f6897decd78c5365ea6e7802f3c0941

    • SHA512

      91b0f91be9376884041efcc1aac5eaf5e62c516a48ed7d48c4d2dac5cd23681faba24e088c9131ebfcc1ee60090ba0097dd276a5e235f07cce6c4bf4afa2fd92

    • SSDEEP

      1536:N9QXhvCxVUzRTco+TlNXKldmmYp3d7Ye58zFFg2fahT5wXwtQyHsWSJcdH4JNMwm:IUDYoGyp3dEe+kIamQIYH4/M

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Ryuk family

    • Renames multiple (8318) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks