General

Target: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Filesize: 384KB
Completed: 05-04-2022 12:20
Task: behavioral1
Score: 10/10
MD5: 5ac0f050f93f86e69026faea1fbb4450
SHA1: 9709774fde9ec740ad6fed8ed79903296ca9d571
SHA256: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
SHA512: b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d

Malware Config

Extracted
Path: C:\RyukReadMe.txt
Family: ryuk

Ransom Note:
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at WayneEvenson@protonmail.com or WayneEvenson@tutanota.com BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails: WayneEvenson@protonmail.com, WayneEvenson@tutanota.com
Wallets: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
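The Emails and Wallets fields are what a config extractor pulls out of the note text. As an added example, not code from the original report or from any Ryuk tooling, the script below performs that extraction over the note quoted on this page and validates each wallet candidate with a Base58Check checksum (the standard encoding of legacy Bitcoin addresses) so that strings that merely look like wallets are rejected. The regexes, function names and the Bitcoin genesis-block address used as a positive control in the test are the example's own choices, not page content.

```python
"""Extract contact e-mails and BTC wallets from a Ryuk ransom note.

Added example, not part of the original sandbox report. NOTE_TEXT is an excerpt
of the note quoted on the page; the regexes and Base58Check check are the
example's own.
"""
import hashlib
import re

# Excerpt of the ransom note shown on this page (constructed sample input).
NOTE_TEXT = (
    "Your network has been penetrated. All files on each host in the network "
    "have been encrypted with a strong algorithm. ... To get info (decrypt your "
    "files) contact us at WayneEvenson@protonmail.com or WayneEvenson@tutanota.com "
    "BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe"
)

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Legacy P2PKH/P2SH addresses: prefix 1 or 3, 26-35 Base58 characters in total.
BTC_RE = re.compile(r"\b[13][" + B58_ALPHABET + r"]{25,34}\b")


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 equal SHA256d(first 21)[:4]."""
    if any(c not in B58_ALPHABET for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58_ALPHABET.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes a leading zero byte that the integer form loses.
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_iocs(note: str) -> dict:
    """Return sorted unique e-mails and wallet candidates with their checksum status."""
    emails = sorted(set(EMAIL_RE.findall(note)))
    wallets = [{"address": a, "base58check_ok": base58check_valid(a)}
               for a in dict.fromkeys(BTC_RE.findall(note))]
    return {"emails": emails, "wallets": wallets}


if __name__ == "__main__":
    for key, value in extract_iocs(NOTE_TEXT).items():
        print(key, value)
```

The checksum test matters because a free-text note can contain other Base58-looking tokens; a candidate that fails Base58Check is not a usable payment address and should not be shipped as an indicator.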

Signatures 18

Tactics covered: Collection, Credential Access, Defense Evasion, Discovery, Impact, Persistence
  • Ryuk
    Description: Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Deletes shadow copies
    Description: Ransomware often targets backup files to inhibit system recovery.
    TTPs: File Deletion, Inhibit System Recovery

  • Executes dropped EXE
    Process: smrHY.exe
    Reported IOCs
      pid | process
      1908 | smrHY.exe

  • Modifies extensions of user files
    Process: smrHY.exe
    Description: Ransomware generally changes the extension on encrypted files.
    Reported IOCs
      description | ioc | process
      File opened for modification | C:\Users\Admin\Pictures\CopyConnect.tiff | smrHY.exe

  • Deletes itself
    Process: smrHY.exe
    Reported IOCs
      pid | process
      1908 | smrHY.exe

  • Loads dropped DLL
    Process: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
    Reported IOCs
      pid | process
      1076 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System, Credentials in Files
  • Adds Run key to start application
    Process: reg.exe
    TTPs: Registry Run Keys / Startup Folder, Modify Registry
    Reported IOCs
      description | ioc | process
      Set value (str) | \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\smrHY.exe" | reg.exe
      Key created | \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  • Enumerates connected drives
    Processes: vssadmin.exe (10 instances)
    Description: Attempts to read the root path of hard drives other than the default C: drive.
    TTPs: Query Registry, Peripheral Device Discovery, System Information Discovery
    Reported IOCs
      description | ioc | process
      File opened (read-only) | \??\D: | vssadmin.exe
      File opened (read-only) | \??\e: | vssadmin.exe
      File opened (read-only) | \??\H: | vssadmin.exe
      File opened (read-only) | \??\H: | vssadmin.exe
      File opened (read-only) | \??\h: | vssadmin.exe
      File opened (read-only) | \??\D: | vssadmin.exe
      File opened (read-only) | \??\f: | vssadmin.exe
      File opened (read-only) | \??\F: | vssadmin.exe
      File opened (read-only) | \??\g: | vssadmin.exe
      File opened (read-only) | \??\g: | vssadmin.exe
      File opened (read-only) | \??\E: | vssadmin.exe
      File opened (read-only) | \??\f: | vssadmin.exe
      File opened (read-only) | \??\F: | vssadmin.exe
      File opened (read-only) | \??\G: | vssadmin.exe
      File opened (read-only) | \??\e: | vssadmin.exe
      File opened (read-only) | \??\E: | vssadmin.exe
      File opened (read-only) | \??\G: | vssadmin.exe
      File opened (read-only) | \??\h: | vssadmin.exe
  • Drops file in Program Files directory
    Process: smrHY.exe
    Reported IOCs (description is "File opened for modification" and process is smrHY.exe for every row; ioc column listed)
      C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml
      C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo
      C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\PREVIEW.GIF
      C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\LightSpirit.css
      C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml
      C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar
      C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css
      C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar
      C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar
      C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H
      C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\RyukReadMe.txt
      C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey
      C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR17F.GIF
      C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB8.BDR
      C:\Program Files\Java\jre7\lib\zi\Europe\Vienna
      C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml
      C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\RyukReadMe.txt
      C:\Program Files (x86)\Microsoft Office\Document Themes 14\Paper.thmx
      C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC.HXS
      C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2F.GIF
      C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_alignright.gif
      C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF
      C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar
      C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\RyukReadMe.txt
      C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00011_.WMF
      C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGAD.DPV
      C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd
      C:\Program Files\Java\jre7\lib\classlist
      C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01660_.WMF
      C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar
      C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RyukReadMe.txt
      C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107134.WMF
      C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\RyukReadMe.txt
      C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.XML
      C:\Program Files\Microsoft Games\Solitaire\es-ES\RyukReadMe.txt
      C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200611.WMF
      C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR7B.GIF
      C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152626.WMF
      C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXC
      C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOMAIL.CFG
      C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEW.ICO
      C:\Program Files\Java\jre7\lib\zi\Asia\Hovd
      C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB
      C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00524_.WMF
      C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK
      C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi
      C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Real.mpp
      C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14514_.GIF
      C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src
      C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.UNT
      C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01293_.GIF
      C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21313_.GIF
      C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.XML
      C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_ButtonGraphic.png
      C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-overlay.png
      C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png
      C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF
      C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat
      C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar
      C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml
      C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199661.WMF
      C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21390_.GIF
      C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\background.gif
      C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar
  • Enumerates physical storage devices
    Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

  • Program crash
    Processes: WerFault.exe (2 instances)
    Reported IOCs
      pid | pid_target | process | target process
      1768 | 1140 | WerFault.exe | taskhost.exe
      1236 | 1200 | WerFault.exe | Dwm.exe
  • Interacts with shadow copies
    Processes: vssadmin.exe (14 instances)
    Description: Shadow copies are often targeted by ransomware to inhibit system recovery.
    TTPs: File Deletion, Inhibit System Recovery
    Reported IOCs
      pid | process
      71512 | vssadmin.exe
      71580 | vssadmin.exe
      71048 | vssadmin.exe
      71180 | vssadmin.exe
      71448 | vssadmin.exe
      71416 | vssadmin.exe
      71480 | vssadmin.exe
      71644 | vssadmin.exe
      71012 | vssadmin.exe
      71544 | vssadmin.exe
      71612 | vssadmin.exe
      1716 | vssadmin.exe
      71384 | vssadmin.exe
      71676 | vssadmin.exe

  • Opens file in notepad (likely ransom note)
    Process: NOTEPAD.EXE
    Reported IOCs
      pid | process
      71172 | NOTEPAD.EXE

  • Suspicious behavior: EnumeratesProcesses
    Process: smrHY.exe
    Reported IOCs
      pid | process
      1908 | smrHY.exe

  • Suspicious use of AdjustPrivilegeToken
    Processes: smrHY.exe, AUDIODG.EXE, vssvc.exe
    Reported IOCs
      description | pid | process
      Token: SeDebugPrivilege | 1908 | smrHY.exe
      Token: 33 | 29660 | AUDIODG.EXE
      Token: SeIncBasePriorityPrivilege | 29660 | AUDIODG.EXE
      Token: 33 | 29660 | AUDIODG.EXE
      Token: SeIncBasePriorityPrivilege | 29660 | AUDIODG.EXE
      Token: SeBackupPrivilege | 71208 | vssvc.exe
      Token: SeRestorePrivilege | 71208 | vssvc.exe
      Token: SeAuditPrivilege | 71208 | vssvc.exe

  • Suspicious use of FindShellTrayWindow
    Process: NOTEPAD.EXE
    Reported IOCs
      pid | process
      71172 | NOTEPAD.EXE
  • Suspicious use of WriteProcessMemory
    Processes: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe, smrHY.exe, taskhost.exe, cmd.exe, Dwm.exe, cmd.exe
    Reported IOCs (identical rows collapsed; count gives how many times the row was reported)
      description | pid | process | target process | count
      PID 1076 wrote to memory of 1908 | 1076 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe | smrHY.exe | 4
      PID 1908 wrote to memory of 964 | 1908 | smrHY.exe | cmd.exe | 3
      PID 1908 wrote to memory of 1140 | 1908 | smrHY.exe | taskhost.exe | 1
      PID 1140 wrote to memory of 1768 | 1140 | taskhost.exe | WerFault.exe | 3
      PID 964 wrote to memory of 852 | 964 | cmd.exe | reg.exe | 3
      PID 1908 wrote to memory of 1200 | 1908 | smrHY.exe | Dwm.exe | 1
      PID 1200 wrote to memory of 1236 | 1200 | Dwm.exe | WerFault.exe | 3
      PID 1908 wrote to memory of 71136 | 1908 | smrHY.exe | cmd.exe | 3
      PID 71136 wrote to memory of 71180 | 71136 | cmd.exe | vssadmin.exe | 3
      PID 71136 wrote to memory of 71384 | 71136 | cmd.exe | vssadmin.exe | 3
      PID 71136 wrote to memory of 71416 | 71136 | cmd.exe | vssadmin.exe | 3
      PID 71136 wrote to memory of 71448 | 71136 | cmd.exe | vssadmin.exe | 3
      PID 71136 wrote to memory of 71480 | 71136 | cmd.exe | vssadmin.exe | 3
      PID 71136 wrote to memory of 71512 | 71136 | cmd.exe | vssadmin.exe | 3
      PID 71136 wrote to memory of 71544 | 71136 | cmd.exe | vssadmin.exe | 3
      PID 71136 wrote to memory of 71580 | 71136 | cmd.exe | vssadmin.exe | 3
      PID 71136 wrote to memory of 71612 | 71136 | cmd.exe | vssadmin.exe | 3
      PID 71136 wrote to memory of 71644 | 71136 | cmd.exe | vssadmin.exe | 3
      PID 71136 wrote to memory of 71676 | 71136 | cmd.exe | vssadmin.exe | 3
      PID 71136 wrote to memory of 71012 | 71136 | cmd.exe | vssadmin.exe | 3
      PID 71136 wrote to memory of 71048 | 71136 | cmd.exe | vssadmin.exe | 3
      PID 71136 wrote to memory of 1716 | 71136 | cmd.exe | vssadmin.exe | 3
Processes 28
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1140 -s 232
      Program crash
      PID:1768
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1200 -s 312
      Program crash
      PID:1236
  • C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
    "C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe"
    Loads dropped DLL
    Suspicious use of WriteProcessMemory
    PID:1076
    • C:\users\Public\smrHY.exe
      "C:\users\Public\smrHY.exe" C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
      Executes dropped EXE
      Modifies extensions of user files
      Deletes itself
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\smrHY.exe" /f
        Suspicious use of WriteProcessMemory
        PID:964
        • C:\Windows\system32\reg.exe
          REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\smrHY.exe" /f
          Adds Run key to start application
          PID:852
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
        Suspicious use of WriteProcessMemory
        PID:71136
        • C:\Windows\system32\vssadmin.exe
          vssadmin Delete Shadows /all /quiet
          Interacts with shadow copies
          PID:71180
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
          Interacts with shadow copies
          PID:71384
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
          Interacts with shadow copies
          PID:71416
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
          Enumerates connected drives
          Interacts with shadow copies
          PID:71448
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
          Enumerates connected drives
          Interacts with shadow copies
          PID:71480
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
          Enumerates connected drives
          Interacts with shadow copies
          PID:71512
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
          Enumerates connected drives
          Interacts with shadow copies
          PID:71544
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
          Enumerates connected drives
          Interacts with shadow copies
          PID:71580
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
          Enumerates connected drives
          Interacts with shadow copies
          PID:71612
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
          Enumerates connected drives
          Interacts with shadow copies
          PID:71644
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
          Enumerates connected drives
          Interacts with shadow copies
          PID:71676
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
          Enumerates connected drives
          Interacts with shadow copies
          PID:71012
        • C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
          Enumerates connected drives
          Interacts with shadow copies
          PID:71048
        • C:\Windows\system32\vssadmin.exe
          vssadmin Delete Shadows /all /quiet
          Interacts with shadow copies
          PID:1716
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    PID:1776
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    PID:15748
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0xc4
    Suspicious use of AdjustPrivilegeToken
    PID:29660
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:71208
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\RyukReadMe.txt
    Opens file in notepad (likely ransom note)
    Suspicious use of FindShellTrayWindow
    PID:71172
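The process tree above is, in effect, the contents of window.bat plus the persistence command: delete all shadow copies, then for each volume cap shadow storage at 401MB (which makes VSS evict existing snapshots to fit) and lift the cap back to unbounded, delete again, and register smrHY.exe under HKCU\...\Run from C:\users\Public. As an added example, not code from the report or from the sandbox vendor, the Python below encodes those observations as process-creation triage rules and runs them over constructed events that mirror the tree. Field names follow Sysmon Event ID 1 naming (an assumption about the log source), the two non-malicious events and their PIDs are made up for contrast, and the rules generalize a little beyond this sample: any Run value pointing into a user-writable directory fires, not only C:\users\Public.

```python
"""Process-creation triage rules derived from the Ryuk process tree on this page.

Added example, not code from the report or its sandbox. SAMPLE_EVENTS is
constructed: the malicious command lines are copied from the process tree,
the events with PIDs 90001-90003 are invented for contrast, and the field
names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1 naming,
which is an assumption about the log source.
"""
import re
from collections import defaultdict

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe")
DROPPER = r"C:\users\Public\smrHY.exe"
CMD = r"C:\Windows\System32\cmd.exe"
VSSADMIN = r"C:\Windows\system32\vssadmin.exe"
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def ev(pid, ppid, image, parent, cmdline):
    return {"pid": pid, "ppid": ppid, "Image": image,
            "ParentImage": parent, "CommandLine": cmdline}


SAMPLE_EVENTS = [
    ev(1908, 1076, DROPPER, SAMPLE_PATH, f'"{DROPPER}" {SAMPLE_PATH}'),
    ev(964, 1908, CMD, DROPPER,
       f'"{CMD}" /C REG ADD "{RUN_KEY}" /v "svchos" /t REG_SZ /d "{DROPPER}" /f'),
    ev(852, 964, r"C:\Windows\system32\reg.exe", CMD,
       f'REG ADD "{RUN_KEY}" /v "svchos" /t REG_SZ /d "{DROPPER}" /f'),
    ev(71136, 1908, CMD, DROPPER, f'"{CMD}" /C "C:\\users\\Public\\window.bat"'),
    ev(71180, 71136, VSSADMIN, CMD, "vssadmin Delete Shadows /all /quiet"),
    ev(71384, 71136, VSSADMIN, CMD, "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"),
    ev(71416, 71136, VSSADMIN, CMD, "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded"),
    ev(71448, 71136, VSSADMIN, CMD, "vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB"),
    ev(71480, 71136, VSSADMIN, CMD, "vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded"),
    ev(1716, 71136, VSSADMIN, CMD, "vssadmin Delete Shadows /all /quiet"),
    # Constructed contrast events: an admin listing snapshots, and a notepad launch.
    ev(90001, 90002, VSSADMIN, CMD, "vssadmin list shadows"),
    ev(90003, 15748, r"C:\Windows\system32\NOTEPAD.EXE", r"C:\Windows\explorer.exe",
       r'"C:\Windows\system32\NOTEPAD.EXE" C:\RyukReadMe.txt'),
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Users\\Public|ProgramData|AppData\\Local\\Temp)\\", re.I)
VSS_DELETE_RE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.I)
VSS_RESIZE_RE = re.compile(
    r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*/for=(?P<vol>[a-z]:).*/maxsize=(?P<size>\S+)",
    re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return (rule, pid) tuples in event order."""
    alerts = []
    resize_history = defaultdict(list)   # volume -> requested sizes, in order
    for e in events:
        cl, image = e["CommandLine"], image_name(e["Image"])
        if image == "vssadmin.exe":
            if VSS_DELETE_RE.search(cl):
                alerts.append(("shadow_copy_deletion", e["pid"]))
            m = VSS_RESIZE_RE.search(cl)
            if m:
                hist = resize_history[m.group("vol").lower()]
                hist.append(m.group("size").lower())
                # window.bat pattern: cap storage small (VSS evicts old snapshots
                # to fit), then lift the cap so later snapshots do not block encryption.
                if len(hist) >= 2 and hist[-1] == "unbounded" and hist[-2] != "unbounded":
                    alerts.append(("shadowstorage_shrink_then_unbounded", e["pid"]))
        # Persistence: Run value whose target lives in a user-writable directory.
        # Matched on reg.exe only, so the cmd.exe /C wrapper is not double-counted.
        if (image == "reg.exe" and re.search(r"\badd\b", cl, re.I)
                and RUN_KEY_RE.search(cl) and USER_WRITABLE_RE.search(cl)):
            alerts.append(("run_key_user_writable_target", e["pid"]))
        # Shell spawned by a binary that itself runs out of a user-writable directory.
        if image == "cmd.exe" and USER_WRITABLE_RE.search(e["ParentImage"]):
            alerts.append(("cmd_from_user_writable_parent", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in analyse(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The shrink-then-unbounded rule is stateful per volume on purpose: a lone `resize shadowstorage` is routine administration, while the 401MB/unbounded pair on every volume in quick succession is the tell in this report. The delete rule keys on `/all`, which is why the constructed `vssadmin list shadows` event stays silent.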
Network
              Downloads
  • C:\RyukReadMe.txt
    MD5: cd99cba6153cbc0b14b7a849e4d0180f
    SHA1: 375961866404a705916cbc6cd4915de7d9778923
    SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512: 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

  • C:\Users\Public\smrHY.exe (also recorded as \Users\Public\smrHY.exe with identical hashes)
    MD5: 31bd0f224e7e74eee2847f43aae23974
    SHA1: 92e331e1e8ad30538f38dd7ba31386afafa14a58
    SHA256: 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
    SHA512: a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

  • C:\users\Public\window.bat
    MD5: d2aba3e1af80edd77e206cd43cfd3129
    SHA1: 3116da65d097708fad63a3b73d1c39bffa94cb01
    SHA256: 8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12
    SHA512: 0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

  • \??\c:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak
    MD5: c3784f5d42347b9e3e0411ae32267cf1
    SHA1: e3b1ab39bba4f18c09132a877362b0e6fae82920
    SHA256: 2780e78a4c7ae016704bd088f21fb60decf3bf0115488cabfcaa920c43f225e2
    SHA512: e46e42fb05ce593a119025bd7e3341a68daf47f38b2e963b1c1ea8e7e3cb0db8ee6ca7628efcb10894682b761d3e3fd8a0583f5be116b4b0dea779822291a35c

  • memory/852-63-0x0000000000000000-mapping.dmp
  • memory/964-59-0x0000000000000000-mapping.dmp
  • memory/1076-54-0x00000000755F1000-0x00000000755F3000-memory.dmp
  • memory/1140-60-0x000000013F1E0000-0x000000013F56E000-memory.dmp
  • memory/1236-66-0x0000000000000000-mapping.dmp
  • memory/1716-83-0x0000000000000000-mapping.dmp
  • memory/1768-62-0x0000000000000000-mapping.dmp
  • memory/1908-58-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp
  • memory/1908-56-0x0000000000000000-mapping.dmp
  • memory/71012-81-0x0000000000000000-mapping.dmp
  • memory/71048-82-0x0000000000000000-mapping.dmp
  • memory/71136-68-0x0000000000000000-mapping.dmp
  • memory/71180-70-0x0000000000000000-mapping.dmp
  • memory/71384-71-0x0000000000000000-mapping.dmp
  • memory/71416-72-0x0000000000000000-mapping.dmp
  • memory/71448-73-0x0000000000000000-mapping.dmp
  • memory/71480-74-0x0000000000000000-mapping.dmp
  • memory/71512-75-0x0000000000000000-mapping.dmp
  • memory/71544-76-0x0000000000000000-mapping.dmp
  • memory/71580-77-0x0000000000000000-mapping.dmp
  • memory/71612-78-0x0000000000000000-mapping.dmp
  • memory/71644-79-0x0000000000000000-mapping.dmp
  • memory/71676-80-0x0000000000000000-mapping.dmp