ryuk | 9d2bcfa82facbaff874c61534ef4bc647ee072b218c4903e87012e1683e30bec | Triage

Submit
Reports

Overview

overview

Static

static

1

5e2c9d80fa...11.exe

windows7-x64

5e2c9d80fa...11.exe

windows10-2004-x64

Sharing

General

Target

5e2c9d80fa4528fe9777738a9cba9ede08cdae353fd4cb2d9caf0c9801fd5711
Size

134KB
Sample

250312-2383vswwav
MD5

b6b531d5477d737cb153ec5201c5baed
SHA1

fe228587cb8ff1565fbc0e825f45fac0726c4ec5
SHA256

9d2bcfa82facbaff874c61534ef4bc647ee072b218c4903e87012e1683e30bec
SHA512

c4d84ba0e25d0e8a4d694a9924183cc65168c010e18d539d2003b02ec13d43c6a2f3594266ab4dbbce7de5f769f86192e9320cd2ddee332ac0ad161de27f1426
SSDEEP

3072:4MQVQQA/chSW4wL2uY5Mfz/qfsbkPnwaT3T8uZoCKq:XQVQQAKSW4wax5MfasWobq

Score

10^/10

ryuk credential_access discovery ransomware stealer

Static task

static1

Behavioral task

behavioral1

Sample

5e2c9d80fa4528fe9777738a9cba9ede08cdae353fd4cb2d9caf0c9801fd5711.exe

Resource

win7-20240903-en

ryuk credential_access discovery ransomware stealer

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

5e2c9d80fa4528fe9777738a9cba9ede08cdae353fd4cb2d9caf0c9801fd5711.exe

Resource

win10v2004-20250217-en

ryuk credential_access discovery ransomware stealer

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  5e2c9d80fa4528fe9777738a9cba9ede08cdae353fd4cb2d9caf0c9801fd5711
- Size
  
  134KB
- MD5
  
  b6b531d5477d737cb153ec5201c5baed
- SHA1
  
  fe228587cb8ff1565fbc0e825f45fac0726c4ec5
- SHA256
  
  9d2bcfa82facbaff874c61534ef4bc647ee072b218c4903e87012e1683e30bec
- SHA512
  
  c4d84ba0e25d0e8a4d694a9924183cc65168c010e18d539d2003b02ec13d43c6a2f3594266ab4dbbce7de5f769f86192e9320cd2ddee332ac0ad161de27f1426
- SSDEEP
  
  3072:4MQVQQA/chSW4wL2uY5Mfz/qfsbkPnwaT3T8uZoCKq:XQVQQAKSW4wax5MfasWobq
Score

10^/10

ryuk credential_access discovery ransomware stealer
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Ryuk family
  ryuk
- Renames multiple (2967) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Credentials from Password Stores

Windows Credential Manager

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ryukcredential_accessdiscoveryransomwarestealer

behavioral2

ryukcredential_accessdiscoveryransomwarestealer

© 2018-2025

Terms | Privacy