Home / os / winme

Trojan.Ransom.Ryuk.A MVID-2022-0640 Code Execution

Posted on 20 September 2022

Trojan.Ransom.Ryuk.A ransomware looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. Once loaded the exploit dll will check if the current directory is "C:WindowsSystem32" and if not, we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.

 

TOP