ryuk | 2ec5256a7edb90b1c05c92f79e8a48c205b29e1ac910a535aa83c30b8dbbeff8 | Triage

Sharing

General

Target

2ec5256a7edb90b1c05c92f79e8a48c205b29e1ac910a535aa83c30b8dbbeff8
Size

134KB
Sample

250312-1hzs1stycz
MD5

a5c70086b3bc4fe64f4e7a0aa452e620
SHA1

2ab44cf5338ef5ed118365b4e8452b906c0dab4b
SHA256

2ec5256a7edb90b1c05c92f79e8a48c205b29e1ac910a535aa83c30b8dbbeff8
SHA512

0280164c258afb169b59863c65266626ff1b2cc5a736702a49c2229dfd4d9f5213f6346cd4ec5316a19d5b0b55102c393ce255b999b061c04cc8574495e8e7e7
SSDEEP

3072:oZkmuVEvfzS9ljrZU/bH0ffOkObkPnSh6/5b:OkmQIW9ljrqbH0cwhb

Score

10^/10

ryuk credential_access discovery ransomware stealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  2ec5256a7edb90b1c05c92f79e8a48c205b29e1ac910a535aa83c30b8dbbeff8
- Size
  
  134KB
- MD5
  
  a5c70086b3bc4fe64f4e7a0aa452e620
- SHA1
  
  2ab44cf5338ef5ed118365b4e8452b906c0dab4b
- SHA256
  
  2ec5256a7edb90b1c05c92f79e8a48c205b29e1ac910a535aa83c30b8dbbeff8
- SHA512
  
  0280164c258afb169b59863c65266626ff1b2cc5a736702a49c2229dfd4d9f5213f6346cd4ec5316a19d5b0b55102c393ce255b999b061c04cc8574495e8e7e7
- SSDEEP
  
  3072:oZkmuVEvfzS9ljrZU/bH0ffOkObkPnSh6/5b:OkmQIW9ljrqbH0cwhb
Score

10^/10

ryuk credential_access discovery ransomware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (6760) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Modifies file permissions
  discovery
- Drops desktop.ini file(s)
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Credentials from Password Stores

Windows Credential Manager

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ryukcredential_accessdiscoveryransomwarestealer