ryuk | b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

Analysis

max time kernel
111s
max time network
117s
platform
windows10_x64
resource
win10v20210410
submitted
10-07-2021 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
Size

147KB
MD5

6c0bb20e1158593211a7cbcbacb3dd83
SHA1

3a74a3aafde31b4f129e515baabe9833bf359f8e
SHA256

b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9
SHA512

7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '2cvCR2CMQ1qi'; $torlink = 'http://hqcqsw6et744hz7tx7rudmerk6fjyifovm6upec4ceqjndbmu34vs6yd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://hqcqsw6et744hz7tx7rudmerk6fjyifovm6upec4ceqjndbmu34vs6yd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

1073r.exeSnwZsutJClan.exekXVfjqNeblan.exe

pid process

1112 1073r.exe
804 SnwZsutJClan.exe
2164 kXVfjqNeblan.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

1528 icacls.exe
1656 icacls.exe

pid	process
1112	1073r.exe
804	SnwZsutJClan.exe
2164	kXVfjqNeblan.exe

pid	process
1528	icacls.exe
1656	icacls.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe

description	ioc	process
File opened (read-only)	\??\K:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\H:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\M:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\O:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\N:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\L:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\F:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\T:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\Y:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\U:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\S:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\R:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\I:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\G:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\E:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\Z:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\W:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\V:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\Q:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\P:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\J:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened (read-only)	\??\X:	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe

Drops file in Program Files directory 64 IoCs

Processes:

b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\AddUninstall.js	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\IpsMigrationPlugin.dll.mui	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\join.avi	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\Services\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\IPSEventLogMsg.dll.mui	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.html	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe

pid	process
3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe

description	pid	process	target process
PID 3788 wrote to memory of 1112	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	1073r.exe
PID 3788 wrote to memory of 1112	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	1073r.exe
PID 3788 wrote to memory of 1112	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	1073r.exe
PID 3788 wrote to memory of 804	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	SnwZsutJClan.exe
PID 3788 wrote to memory of 804	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	SnwZsutJClan.exe
PID 3788 wrote to memory of 804	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	SnwZsutJClan.exe
PID 3788 wrote to memory of 2164	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	kXVfjqNeblan.exe
PID 3788 wrote to memory of 2164	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	kXVfjqNeblan.exe
PID 3788 wrote to memory of 2164	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	kXVfjqNeblan.exe
PID 3788 wrote to memory of 1528	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	icacls.exe
PID 3788 wrote to memory of 1528	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	icacls.exe
PID 3788 wrote to memory of 1528	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	icacls.exe
PID 3788 wrote to memory of 1656	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	icacls.exe
PID 3788 wrote to memory of 1656	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	icacls.exe
PID 3788 wrote to memory of 1656	3788	b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe
"C:\Users\Admin\AppData\Local\Temp\b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Local\Temp\1073r.exe
"C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
2⤵
- Executes dropped EXE
PID:1112

C:\Users\Admin\AppData\Local\Temp\SnwZsutJClan.exe
"C:\Users\Admin\AppData\Local\Temp\SnwZsutJClan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:804

C:\Users\Admin\AppData\Local\Temp\kXVfjqNeblan.exe
"C:\Users\Admin\AppData\Local\Temp\kXVfjqNeblan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2164

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1528

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:4520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:4588

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1108

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5004

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:5064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
5a4a329d7f65448ea0755e462ddd218d

SHA1
fac326074433e0dcc2b684f1cab9e8b674f9b0cf

SHA256
1f9c72169b27646c471b940e7864290e0016c7f19b539a7df616b7400c2060e6

SHA512
63d320ab771cbf73db07efa575273e1c3e25d483494e26f2482bdfa52495c50dc687385842d170003ca558a0e68f555a45dfd819ef50c2c442d9140d5a8bf0a7

Download Submit
C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\RyukReadMe.html

MD5
5a4a329d7f65448ea0755e462ddd218d

SHA1
fac326074433e0dcc2b684f1cab9e8b674f9b0cf

SHA256
1f9c72169b27646c471b940e7864290e0016c7f19b539a7df616b7400c2060e6

SHA512
63d320ab771cbf73db07efa575273e1c3e25d483494e26f2482bdfa52495c50dc687385842d170003ca558a0e68f555a45dfd819ef50c2c442d9140d5a8bf0a7

Download Submit
C:\BOOTSECT.BAK.RYK

MD5
649ca1bc4bb02c6e15c34c1361b2f417

SHA1
764f90bf5edcb6042288557ac0bcdf755063282b

SHA256
651fe411eb23d012ea07629665c3b3f0431f231ccda36327d9f70150df7b070c

SHA512
6c4635a4b9e6eaf1a4646e40924980fc65b9ce52fd16657182957f2158e893a32ac32a00a2971b84d325e3b410433f2b370bb4d09ea4774a449db65aa913ae40

Download Submit
C:\Boot\BOOTSTAT.DAT.RYK

MD5
83c922e0143433395b29410e0abcc29d

SHA1
be50a99328cfaaa5b17ed2c3d812696d0f60b0c8

SHA256
c25f68714c88eaf9d0c68df486e69ffc184d8ddd1f2847cfb1a97a214571206e

SHA512
b0e84d26244a8b43fb70a11bc893fcc2878fa8fbe6a527507efde4412f9155ae373a871a591d404a881305e23cad148dfe7728ebc1f494a3de729e906e05c70e

Download Submit
C:\PerfLogs\RyukReadMe.html

MD5
5a4a329d7f65448ea0755e462ddd218d

SHA1
fac326074433e0dcc2b684f1cab9e8b674f9b0cf

SHA256
1f9c72169b27646c471b940e7864290e0016c7f19b539a7df616b7400c2060e6

SHA512
63d320ab771cbf73db07efa575273e1c3e25d483494e26f2482bdfa52495c50dc687385842d170003ca558a0e68f555a45dfd819ef50c2c442d9140d5a8bf0a7

Download Submit
C:\RyukReadMe.html

MD5
5a4a329d7f65448ea0755e462ddd218d

SHA1
fac326074433e0dcc2b684f1cab9e8b674f9b0cf

SHA256
1f9c72169b27646c471b940e7864290e0016c7f19b539a7df616b7400c2060e6

SHA512
63d320ab771cbf73db07efa575273e1c3e25d483494e26f2482bdfa52495c50dc687385842d170003ca558a0e68f555a45dfd819ef50c2c442d9140d5a8bf0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073r.exe

MD5
6c0bb20e1158593211a7cbcbacb3dd83

SHA1
3a74a3aafde31b4f129e515baabe9833bf359f8e

SHA256
b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

SHA512
7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073r.exe

MD5
6c0bb20e1158593211a7cbcbacb3dd83

SHA1
3a74a3aafde31b4f129e515baabe9833bf359f8e

SHA256
b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

SHA512
7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SnwZsutJClan.exe

MD5
6c0bb20e1158593211a7cbcbacb3dd83

SHA1
3a74a3aafde31b4f129e515baabe9833bf359f8e

SHA256
b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

SHA512
7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SnwZsutJClan.exe

MD5
6c0bb20e1158593211a7cbcbacb3dd83

SHA1
3a74a3aafde31b4f129e515baabe9833bf359f8e

SHA256
b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

SHA512
7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kXVfjqNeblan.exe

MD5
6c0bb20e1158593211a7cbcbacb3dd83

SHA1
3a74a3aafde31b4f129e515baabe9833bf359f8e

SHA256
b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

SHA512
7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kXVfjqNeblan.exe

MD5
6c0bb20e1158593211a7cbcbacb3dd83

SHA1
3a74a3aafde31b4f129e515baabe9833bf359f8e

SHA256
b42d07f0b72879bf21e99f39a21edae1a38c3fd62393bd4e88f1032f561855f9

SHA512
7b882a2141435d71bc6602e1622dfb4d0b1734cf3444554e247a75700924a8dafee79c7f0153390bd800b9733ec3106f0864f83126231c268ce2a39087388a8d

Download Submit
C:\Users\RyukReadMe.html

MD5
5a4a329d7f65448ea0755e462ddd218d

SHA1
fac326074433e0dcc2b684f1cab9e8b674f9b0cf

SHA256
1f9c72169b27646c471b940e7864290e0016c7f19b539a7df616b7400c2060e6

SHA512
63d320ab771cbf73db07efa575273e1c3e25d483494e26f2482bdfa52495c50dc687385842d170003ca558a0e68f555a45dfd819ef50c2c442d9140d5a8bf0a7

Download Submit
C:\odt\RyukReadMe.html

MD5
5a4a329d7f65448ea0755e462ddd218d

SHA1
fac326074433e0dcc2b684f1cab9e8b674f9b0cf

SHA256
1f9c72169b27646c471b940e7864290e0016c7f19b539a7df616b7400c2060e6

SHA512
63d320ab771cbf73db07efa575273e1c3e25d483494e26f2482bdfa52495c50dc687385842d170003ca558a0e68f555a45dfd819ef50c2c442d9140d5a8bf0a7

Download Submit
C:\odt\config.xml.RYK

MD5
3cf5fb153f995486e8388ed71d1d9fa8

SHA1
5781584813c2a99e72e68f1c2ccdf8a8068904c8

SHA256
71f5c5644df6f49f416d6d5342ffcdb297a6d23d901ad1a3826134bf9f3bc9a3

SHA512
398a79ecce9d2435bed31bde7c6710a62b2fdb24139a78730e5fd3269a9f03bf4983049cc52b6c0b91302ae8ead1c5ad506540cd9c70bfd36cbcd16514601a20

Download Submit
memory/708-131-0x0000000000000000-mapping.dmp

Download
memory/804-117-0x0000000000000000-mapping.dmp

Download
memory/1108-137-0x0000000000000000-mapping.dmp

Download
memory/1112-114-0x0000000000000000-mapping.dmp

Download
memory/1528-123-0x0000000000000000-mapping.dmp

Download
memory/1656-124-0x0000000000000000-mapping.dmp

Download
memory/2164-120-0x0000000000000000-mapping.dmp

Download
memory/2312-132-0x0000000000000000-mapping.dmp

Download
memory/2892-138-0x0000000000000000-mapping.dmp

Download
memory/4520-130-0x0000000000000000-mapping.dmp

Download
memory/4588-135-0x0000000000000000-mapping.dmp

Download
memory/5004-136-0x0000000000000000-mapping.dmp

Download
memory/5064-133-0x0000000000000000-mapping.dmp

Download