ryuk | 7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030

Analysis

max time kernel
184s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-02-2022 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
Size

189KB
MD5

090826c3c34fb53a639f1d2919e1b44c
SHA1

ab355fed7323cb1dfaf1e32833acd77ffa23c287
SHA256

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030
SHA512

d0ac51019f6d2652ae285b99fb68cbe5e3f2acf9cfa30b9d26d95e9692a5562fb8e5f5656afb55c71d191617be4336dd9b4dd7dad8b5f9107f7c9fd4789a7720

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

PqdfzJO.exe

pid process

1148 PqdfzJO.exe

pid	process
1148	PqdfzJO.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exePqdfzJO.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	PqdfzJO.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

4512 icacls.exe
4756 icacls.exe
4752 icacls.exe
2372 icacls.exe

pid	process
4512	icacls.exe
4756	icacls.exe
4752	icacls.exe
2372	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PqdfzJO.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exePqdfzJO.exe

pid	process
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1148	PqdfzJO.exe
1148	PqdfzJO.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1148	PqdfzJO.exe
1148	PqdfzJO.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exePqdfzJO.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
Token: SeBackupPrivilege	1148	PqdfzJO.exe
Token: SeBackupPrivilege	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
Token: SeIncreaseQuotaPrivilege	3568	WMIC.exe
Token: SeSecurityPrivilege	3568	WMIC.exe
Token: SeTakeOwnershipPrivilege	3568	WMIC.exe
Token: SeLoadDriverPrivilege	3568	WMIC.exe
Token: SeSystemProfilePrivilege	3568	WMIC.exe
Token: SeSystemtimePrivilege	3568	WMIC.exe
Token: SeProfSingleProcessPrivilege	3568	WMIC.exe
Token: SeIncBasePriorityPrivilege	3568	WMIC.exe
Token: SeCreatePagefilePrivilege	3568	WMIC.exe
Token: SeBackupPrivilege	3568	WMIC.exe
Token: SeRestorePrivilege	3568	WMIC.exe
Token: SeShutdownPrivilege	3568	WMIC.exe
Token: SeDebugPrivilege	3568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3568	WMIC.exe
Token: SeRemoteShutdownPrivilege	3568	WMIC.exe
Token: SeUndockPrivilege	3568	WMIC.exe
Token: SeManageVolumePrivilege	3568	WMIC.exe
Token: 33	3568	WMIC.exe
Token: 34	3568	WMIC.exe
Token: 35	3568	WMIC.exe
Token: 36	3568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3720	WMIC.exe
Token: SeSecurityPrivilege	3720	WMIC.exe
Token: SeTakeOwnershipPrivilege	3720	WMIC.exe
Token: SeLoadDriverPrivilege	3720	WMIC.exe
Token: SeSystemProfilePrivilege	3720	WMIC.exe
Token: SeSystemtimePrivilege	3720	WMIC.exe
Token: SeProfSingleProcessPrivilege	3720	WMIC.exe
Token: SeIncBasePriorityPrivilege	3720	WMIC.exe
Token: SeCreatePagefilePrivilege	3720	WMIC.exe
Token: SeBackupPrivilege	3720	WMIC.exe
Token: SeRestorePrivilege	3720	WMIC.exe
Token: SeShutdownPrivilege	3720	WMIC.exe
Token: SeDebugPrivilege	3720	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3720	WMIC.exe
Token: SeRemoteShutdownPrivilege	3720	WMIC.exe
Token: SeUndockPrivilege	3720	WMIC.exe
Token: SeManageVolumePrivilege	3720	WMIC.exe
Token: 33	3720	WMIC.exe
Token: 34	3720	WMIC.exe
Token: 35	3720	WMIC.exe
Token: 36	3720	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3568	WMIC.exe
Token: SeSecurityPrivilege	3568	WMIC.exe
Token: SeTakeOwnershipPrivilege	3568	WMIC.exe
Token: SeLoadDriverPrivilege	3568	WMIC.exe
Token: SeSystemProfilePrivilege	3568	WMIC.exe
Token: SeSystemtimePrivilege	3568	WMIC.exe
Token: SeProfSingleProcessPrivilege	3568	WMIC.exe
Token: SeIncBasePriorityPrivilege	3568	WMIC.exe
Token: SeCreatePagefilePrivilege	3568	WMIC.exe
Token: SeBackupPrivilege	3568	WMIC.exe
Token: SeRestorePrivilege	3568	WMIC.exe
Token: SeShutdownPrivilege	3568	WMIC.exe
Token: SeDebugPrivilege	3568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3568	WMIC.exe
Token: SeRemoteShutdownPrivilege	3568	WMIC.exe
Token: SeUndockPrivilege	3568	WMIC.exe
Token: SeManageVolumePrivilege	3568	WMIC.exe
Token: 33	3568	WMIC.exe
Token: 34	3568	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exenet.exenet.exePqdfzJO.execmd.exenet.exenet.exe

description	pid	process	target process
PID 1392 wrote to memory of 1148	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	PqdfzJO.exe
PID 1392 wrote to memory of 1148	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	PqdfzJO.exe
PID 1392 wrote to memory of 1148	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	PqdfzJO.exe
PID 1392 wrote to memory of 2344	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	sihost.exe
PID 1392 wrote to memory of 4800	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1392 wrote to memory of 4800	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1392 wrote to memory of 4800	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1392 wrote to memory of 2380	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	svchost.exe
PID 1392 wrote to memory of 2440	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	taskhostw.exe
PID 1392 wrote to memory of 2992	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	svchost.exe
PID 1392 wrote to memory of 3284	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	DllHost.exe
PID 1392 wrote to memory of 3372	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	StartMenuExperienceHost.exe
PID 1392 wrote to memory of 3452	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	RuntimeBroker.exe
PID 1392 wrote to memory of 4820	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1392 wrote to memory of 4820	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1392 wrote to memory of 4820	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1392 wrote to memory of 3548	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	SearchApp.exe
PID 1392 wrote to memory of 3832	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	RuntimeBroker.exe
PID 1392 wrote to memory of 2032	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	RuntimeBroker.exe
PID 1392 wrote to memory of 3736	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	backgroundTaskHost.exe
PID 1392 wrote to memory of 3732	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	backgroundTaskHost.exe
PID 1392 wrote to memory of 1316	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	RuntimeBroker.exe
PID 4820 wrote to memory of 4452	4820	net.exe	net1.exe
PID 4820 wrote to memory of 4452	4820	net.exe	net1.exe
PID 4820 wrote to memory of 4452	4820	net.exe	net1.exe
PID 4800 wrote to memory of 804	4800	net.exe	net1.exe
PID 4800 wrote to memory of 804	4800	net.exe	net1.exe
PID 4800 wrote to memory of 804	4800	net.exe	net1.exe
PID 1148 wrote to memory of 4756	1148	PqdfzJO.exe	icacls.exe
PID 1148 wrote to memory of 4756	1148	PqdfzJO.exe	icacls.exe
PID 1148 wrote to memory of 4756	1148	PqdfzJO.exe	icacls.exe
PID 1148 wrote to memory of 4752	1148	PqdfzJO.exe	icacls.exe
PID 1148 wrote to memory of 4752	1148	PqdfzJO.exe	icacls.exe
PID 1148 wrote to memory of 4752	1148	PqdfzJO.exe	icacls.exe
PID 1148 wrote to memory of 4160	1148	PqdfzJO.exe	cmd.exe
PID 1148 wrote to memory of 4160	1148	PqdfzJO.exe	cmd.exe
PID 1148 wrote to memory of 4160	1148	PqdfzJO.exe	cmd.exe
PID 4160 wrote to memory of 3568	4160	cmd.exe	WMIC.exe
PID 4160 wrote to memory of 3568	4160	cmd.exe	WMIC.exe
PID 4160 wrote to memory of 3568	4160	cmd.exe	WMIC.exe
PID 1148 wrote to memory of 3580	1148	PqdfzJO.exe	net.exe
PID 1148 wrote to memory of 3580	1148	PqdfzJO.exe	net.exe
PID 1148 wrote to memory of 3580	1148	PqdfzJO.exe	net.exe
PID 3580 wrote to memory of 1236	3580	net.exe	net1.exe
PID 3580 wrote to memory of 1236	3580	net.exe	net1.exe
PID 3580 wrote to memory of 1236	3580	net.exe	net1.exe
PID 1148 wrote to memory of 4564	1148	PqdfzJO.exe	net.exe
PID 1148 wrote to memory of 4564	1148	PqdfzJO.exe	net.exe
PID 1148 wrote to memory of 4564	1148	PqdfzJO.exe	net.exe
PID 4564 wrote to memory of 4000	4564	net.exe	net1.exe
PID 4564 wrote to memory of 4000	4564	net.exe	net1.exe
PID 4564 wrote to memory of 4000	4564	net.exe	net1.exe
PID 1392 wrote to memory of 2372	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	icacls.exe
PID 1392 wrote to memory of 2372	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	icacls.exe
PID 1392 wrote to memory of 2372	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	icacls.exe
PID 1392 wrote to memory of 4512	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	icacls.exe
PID 1392 wrote to memory of 4512	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	icacls.exe
PID 1392 wrote to memory of 4512	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	icacls.exe
PID 1392 wrote to memory of 4532	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	cmd.exe
PID 1392 wrote to memory of 4532	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	cmd.exe
PID 1392 wrote to memory of 4532	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	cmd.exe
PID 1392 wrote to memory of 3448	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1392 wrote to memory of 3448	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe
PID 1392 wrote to memory of 3448	1392	7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe	net.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1316

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3732

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3736

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2032

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3548

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2992

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2380

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe
"C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe
"C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe" 8 LAN
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:4756

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:4752

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
3⤵
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
4⤵
PID:1236

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:4000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe" /f /reg:64
3⤵
PID:5212

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:5436

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:5224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:5420

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:804

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4452

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
2⤵
PID:4532

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4512

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:3448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" /f /reg:64
2⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:548

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4972

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:5204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5428

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:5240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5408

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:11108

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:5156

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:3768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:11232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:11184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\3D Objects\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc
MD5
c9e68ed326520b4ad5ff9f00576e1b09

SHA1
4189465ad4d3563eebe685d01e87ca55e7e085dd

SHA256
d2d79fb3e3095eefd2a8c29f499157f80df66e2a9b61bf37285d4c6841c49eab

SHA512
3a97934055a60fc58259d26a272d33a43c374aacf5bd762521020bd1f97b4b0159dde594e15cbc4b3a16be8b4b0dddc5ef529630bc38a4e37c1d6a281d3d5c57

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe
MD5
090826c3c34fb53a639f1d2919e1b44c

SHA1
ab355fed7323cb1dfaf1e32833acd77ffa23c287

SHA256
7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030

SHA512
d0ac51019f6d2652ae285b99fb68cbe5e3f2acf9cfa30b9d26d95e9692a5562fb8e5f5656afb55c71d191617be4336dd9b4dd7dad8b5f9107f7c9fd4789a7720

Download Submit
C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe
MD5
090826c3c34fb53a639f1d2919e1b44c

SHA1
ab355fed7323cb1dfaf1e32833acd77ffa23c287

SHA256
7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030

SHA512
d0ac51019f6d2652ae285b99fb68cbe5e3f2acf9cfa30b9d26d95e9692a5562fb8e5f5656afb55c71d191617be4336dd9b4dd7dad8b5f9107f7c9fd4789a7720

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit
C:\Users\RyukReadMe.html
MD5
8d23eb184e108fbd3fdd93df2cb2be6e

SHA1
6109f3336c87bac6488a193625ffd9019b209346

SHA256
055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

SHA512
7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

Download Submit