ryuk | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

Analysis

max time kernel
601s
max time network
415s
platform
windows7_x64
resource
win7-20220331-en
submitted
05-04-2022 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Size

384KB
MD5

5ac0f050f93f86e69026faea1fbb4450
SHA1

9709774fde9ec740ad6fed8ed79903296ca9d571
SHA256

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
SHA512

b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
1908	smrHY.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CopyConnect.tiff	smrHY.exe

Deletes itself 1 IoCs

pid	Process
1908	smrHY.exe

Loads dropped DLL 1 IoCs

pid	Process
1076	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\smrHY.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml	smrHY.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo	smrHY.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\PREVIEW.GIF	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\LightSpirit.css	smrHY.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml	smrHY.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar	smrHY.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css	smrHY.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar	smrHY.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar	smrHY.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H	smrHY.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\RyukReadMe.txt	smrHY.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR17F.GIF	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB8.BDR	smrHY.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Vienna	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\RyukReadMe.txt	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Paper.thmx	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC.HXS	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2F.GIF	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_alignright.gif	smrHY.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF	smrHY.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar	smrHY.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\RyukReadMe.txt	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00011_.WMF	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGAD.DPV	smrHY.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd	smrHY.exe
File opened for modification	C:\Program Files\Java\jre7\lib\classlist	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01660_.WMF	smrHY.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar	smrHY.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RyukReadMe.txt	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107134.WMF	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\RyukReadMe.txt	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.XML	smrHY.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\es-ES\RyukReadMe.txt	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200611.WMF	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR7B.GIF	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152626.WMF	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXC	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOMAIL.CFG	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEW.ICO	smrHY.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd	smrHY.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00524_.WMF	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK	smrHY.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi	smrHY.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Real.mpp	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14514_.GIF	smrHY.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src	smrHY.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.UNT	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01293_.GIF	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21313_.GIF	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.XML	smrHY.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png	smrHY.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png	smrHY.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF	smrHY.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat	smrHY.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar	smrHY.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199661.WMF	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21390_.GIF	smrHY.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\background.gif	smrHY.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar	smrHY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1768	1140	WerFault.exe	9
1236	1200	WerFault.exe	17

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
71512	vssadmin.exe
71580	vssadmin.exe
71048	vssadmin.exe
71180	vssadmin.exe
71448	vssadmin.exe
71416	vssadmin.exe
71480	vssadmin.exe
71644	vssadmin.exe
71012	vssadmin.exe
71544	vssadmin.exe
71612	vssadmin.exe
1716	vssadmin.exe
71384	vssadmin.exe
71676	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
71172	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1908	smrHY.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	smrHY.exe
Token: 33	29660	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	29660	AUDIODG.EXE
Token: 33	29660	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	29660	AUDIODG.EXE
Token: SeBackupPrivilege	71208	vssvc.exe
Token: SeRestorePrivilege	71208	vssvc.exe
Token: SeAuditPrivilege	71208	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
71172	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1908	1076	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	28
PID 1076 wrote to memory of 1908	1076	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	28
PID 1076 wrote to memory of 1908	1076	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	28
PID 1076 wrote to memory of 1908	1076	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	28
PID 1908 wrote to memory of 964	1908	smrHY.exe	29
PID 1908 wrote to memory of 964	1908	smrHY.exe	29
PID 1908 wrote to memory of 964	1908	smrHY.exe	29
PID 1908 wrote to memory of 1140	1908	smrHY.exe	9
PID 1140 wrote to memory of 1768	1140	taskhost.exe	31
PID 1140 wrote to memory of 1768	1140	taskhost.exe	31
PID 1140 wrote to memory of 1768	1140	taskhost.exe	31
PID 964 wrote to memory of 852	964	cmd.exe	32
PID 964 wrote to memory of 852	964	cmd.exe	32
PID 964 wrote to memory of 852	964	cmd.exe	32
PID 1908 wrote to memory of 1200	1908	smrHY.exe	17
PID 1200 wrote to memory of 1236	1200	Dwm.exe	33
PID 1200 wrote to memory of 1236	1200	Dwm.exe	33
PID 1200 wrote to memory of 1236	1200	Dwm.exe	33
PID 1908 wrote to memory of 71136	1908	smrHY.exe	41
PID 1908 wrote to memory of 71136	1908	smrHY.exe	41
PID 1908 wrote to memory of 71136	1908	smrHY.exe	41
PID 71136 wrote to memory of 71180	71136	cmd.exe	43
PID 71136 wrote to memory of 71180	71136	cmd.exe	43
PID 71136 wrote to memory of 71180	71136	cmd.exe	43
PID 71136 wrote to memory of 71384	71136	cmd.exe	46
PID 71136 wrote to memory of 71384	71136	cmd.exe	46
PID 71136 wrote to memory of 71384	71136	cmd.exe	46
PID 71136 wrote to memory of 71416	71136	cmd.exe	47
PID 71136 wrote to memory of 71416	71136	cmd.exe	47
PID 71136 wrote to memory of 71416	71136	cmd.exe	47
PID 71136 wrote to memory of 71448	71136	cmd.exe	48
PID 71136 wrote to memory of 71448	71136	cmd.exe	48
PID 71136 wrote to memory of 71448	71136	cmd.exe	48
PID 71136 wrote to memory of 71480	71136	cmd.exe	49
PID 71136 wrote to memory of 71480	71136	cmd.exe	49
PID 71136 wrote to memory of 71480	71136	cmd.exe	49
PID 71136 wrote to memory of 71512	71136	cmd.exe	50
PID 71136 wrote to memory of 71512	71136	cmd.exe	50
PID 71136 wrote to memory of 71512	71136	cmd.exe	50
PID 71136 wrote to memory of 71544	71136	cmd.exe	51
PID 71136 wrote to memory of 71544	71136	cmd.exe	51
PID 71136 wrote to memory of 71544	71136	cmd.exe	51
PID 71136 wrote to memory of 71580	71136	cmd.exe	52
PID 71136 wrote to memory of 71580	71136	cmd.exe	52
PID 71136 wrote to memory of 71580	71136	cmd.exe	52
PID 71136 wrote to memory of 71612	71136	cmd.exe	53
PID 71136 wrote to memory of 71612	71136	cmd.exe	53
PID 71136 wrote to memory of 71612	71136	cmd.exe	53
PID 71136 wrote to memory of 71644	71136	cmd.exe	54
PID 71136 wrote to memory of 71644	71136	cmd.exe	54
PID 71136 wrote to memory of 71644	71136	cmd.exe	54
PID 71136 wrote to memory of 71676	71136	cmd.exe	55
PID 71136 wrote to memory of 71676	71136	cmd.exe	55
PID 71136 wrote to memory of 71676	71136	cmd.exe	55
PID 71136 wrote to memory of 71012	71136	cmd.exe	56
PID 71136 wrote to memory of 71012	71136	cmd.exe	56
PID 71136 wrote to memory of 71012	71136	cmd.exe	56
PID 71136 wrote to memory of 71048	71136	cmd.exe	57
PID 71136 wrote to memory of 71048	71136	cmd.exe	57
PID 71136 wrote to memory of 71048	71136	cmd.exe	57
PID 71136 wrote to memory of 1716	71136	cmd.exe	58
PID 71136 wrote to memory of 1716	71136	cmd.exe	58
PID 71136 wrote to memory of 1716	71136	cmd.exe	58

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1140 -s 232
  2⤵
  - Program crash
  PID:1768

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1200 -s 312
  2⤵
  - Program crash
  PID:1236

C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
"C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076
- C:\users\Public\smrHY.exe
  "C:\users\Public\smrHY.exe" C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Deletes itself
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\smrHY.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\smrHY.exe" /f
      4⤵
      Adds Run key to start application
      PID:852
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:71136
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:71180
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
      4⤵
      Interacts with shadow copies
      PID:71384
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      4⤵
      Interacts with shadow copies
      PID:71416
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:71448
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:71480
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:71512
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:71544
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:71580
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:71612
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:71644
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:71676
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:71012
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:71048
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1716

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1776

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:15748

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:29660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:71208

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\RyukReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:71172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Users\Public\smrHY.exe

Filesize
170KB

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
C:\users\Public\window.bat

Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

Filesize
12KB

MD5
c3784f5d42347b9e3e0411ae32267cf1

SHA1
e3b1ab39bba4f18c09132a877362b0e6fae82920

SHA256
2780e78a4c7ae016704bd088f21fb60decf3bf0115488cabfcaa920c43f225e2

SHA512
e46e42fb05ce593a119025bd7e3341a68daf47f38b2e963b1c1ea8e7e3cb0db8ee6ca7628efcb10894682b761d3e3fd8a0583f5be116b4b0dea779822291a35c

Download Submit
\Users\Public\smrHY.exe

Filesize
170KB

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
memory/1076-54-0x00000000755F1000-0x00000000755F3000-memory.dmp

Filesize
8KB

Download
memory/1140-60-0x000000013F1E0000-0x000000013F56E000-memory.dmp

Filesize
3.6MB

Download
memory/1908-58-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download