ryuk | be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

Resubmissions

07-11-2022 11:53

221107-n2tpwsedf5 10

07-11-2022 11:00

221107-m36keacfd7 10

Analysis

max time kernel
155s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
Size

885KB
MD5

622bc38dee08e70e91e2be32a58b6d1f
SHA1

7cfec4859fa7ca178095983b3f174f842a44b0c2
SHA256

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a
SHA512

176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d
SSDEEP

12288:BdJPiMwyM02Jl5YqWYgeWYg955/155/0QebUlAAszsK6Qo1Rn6X:BPiMtklagQKUKRzsK6QmN6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at RyanRinse@mailfence.com or RyanRinse@firemail.de You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

RyanRinse@mailfence.com

RyanRinse@firemail.de

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Disables Task Manager via registry modification
evasion

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1784 icacls.exe

pid	process
1784	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

description	ioc	process
File opened (read-only)	\??\F:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\G:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\O:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\Z:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\U:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\V:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\X:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\J:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\L:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\M:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\B:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\T:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\Y:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\W:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\E:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\H:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\N:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\Q:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\S:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\I:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\K:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\A:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\P:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\R:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

Drops file in Program Files directory 64 IoCs

Processes:

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0211981.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01491_.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightItalic.ttf.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Regular.otf	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152716.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00808_.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01629_.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19988_.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\LEVEL.INF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01954_.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cancun.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00021_.GIF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00423_.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198712.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Macau.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fakaofo.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Salta.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-modules.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\PST8PDT.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00235_.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00268_.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Whitehorse.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04385_.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00255_.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01293_.GIF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui_5.5.0.165303.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00687_.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01772_.WMF.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1868 schtasks.exe
1648 schtasks.exe
912 schtasks.exe
1768 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1680 taskkill.exe
1776 taskkill.exe

pid	process
1868	schtasks.exe
1648	schtasks.exe
912	schtasks.exe
1768	schtasks.exe

pid	process
1680	taskkill.exe
1776	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

pid	process
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1776 taskkill.exe
Token: SeDebugPrivilege 1680 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1516 wrote to memory of 1980	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1980	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1980	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1980 wrote to memory of 1868	1980	cmd.exe	schtasks.exe
PID 1980 wrote to memory of 1868	1980	cmd.exe	schtasks.exe
PID 1980 wrote to memory of 1868	1980	cmd.exe	schtasks.exe
PID 1516 wrote to memory of 1632	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1632	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1632	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1500	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1500	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1500	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1100	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1100	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1100	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1100 wrote to memory of 1648	1100	cmd.exe	schtasks.exe
PID 1100 wrote to memory of 1648	1100	cmd.exe	schtasks.exe
PID 1100 wrote to memory of 1648	1100	cmd.exe	schtasks.exe
PID 1516 wrote to memory of 960	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 960	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 960	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 960 wrote to memory of 536	960	cmd.exe	attrib.exe
PID 960 wrote to memory of 536	960	cmd.exe	attrib.exe
PID 960 wrote to memory of 536	960	cmd.exe	attrib.exe
PID 1516 wrote to memory of 560	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 560	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 560	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 560 wrote to memory of 912	560	cmd.exe	schtasks.exe
PID 560 wrote to memory of 912	560	cmd.exe	schtasks.exe
PID 560 wrote to memory of 912	560	cmd.exe	schtasks.exe
PID 1516 wrote to memory of 1912	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1912	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1912	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1912 wrote to memory of 1768	1912	cmd.exe	schtasks.exe
PID 1912 wrote to memory of 1768	1912	cmd.exe	schtasks.exe
PID 1912 wrote to memory of 1768	1912	cmd.exe	schtasks.exe
PID 1516 wrote to memory of 1816	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1816	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1816	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1816 wrote to memory of 1800	1816	cmd.exe	attrib.exe
PID 1816 wrote to memory of 1800	1816	cmd.exe	attrib.exe
PID 1816 wrote to memory of 1800	1816	cmd.exe	attrib.exe
PID 1516 wrote to memory of 1156	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1156	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1156	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1156 wrote to memory of 1448	1156	cmd.exe	attrib.exe
PID 1156 wrote to memory of 1448	1156	cmd.exe	attrib.exe
PID 1156 wrote to memory of 1448	1156	cmd.exe	attrib.exe
PID 1516 wrote to memory of 1088	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1088	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1088	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1088 wrote to memory of 800	1088	cmd.exe	cmd.exe
PID 1088 wrote to memory of 800	1088	cmd.exe	cmd.exe
PID 1088 wrote to memory of 800	1088	cmd.exe	cmd.exe
PID 1516 wrote to memory of 1508	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1508	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1508	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1508 wrote to memory of 1712	1508	cmd.exe	cmd.exe
PID 1508 wrote to memory of 1712	1508	cmd.exe	cmd.exe
PID 1508 wrote to memory of 1712	1508	cmd.exe	cmd.exe
PID 1516 wrote to memory of 1748	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1748	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1516 wrote to memory of 1748	1516	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1748 wrote to memory of 1732	1748	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

536 attrib.exe
1800 attrib.exe
1448 attrib.exe

pid	process
536	attrib.exe
1800	attrib.exe
1448	attrib.exe

C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
"C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Drops startup file
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
3⤵
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /F
3⤵
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\attrib.exe
attrib +h +s ryuk.exe
3⤵
- Views/modifies file attributes
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\ryuk.exe
3⤵
- Views/modifies file attributes
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
PID:800

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
PID:1712

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
2⤵
PID:596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
2⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
2⤵
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
2⤵
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
2⤵
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:1588

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:1868

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1632

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1976

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1648

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RYUKID
Filesize
8B

MD5
21a792fdd72dd7ddf309bf7e3819ac8b

SHA1
54a61afa0a6bfd7e87588d1da5978dae8f7be290

SHA256
a62ba8e3eb83edbefc6a8051265a303b7a33e6b853616218c84a1ffa08441ab0

SHA512
6ff050424079b5ed78eb4771f7efa34665f9b81bc9c8c498bd5437dc95c84b0ce1f997566bf686fffd0a3b4ab9f83af0cd840abcd5d4b8384d17da1edac99f6a

Download Submit
C:\ProgramData\RyukReadMe.txt
Filesize
1KB

MD5
fdb92b73b4370f248e57b5292cb4b507

SHA1
5d86a3818e4c38d4821372900f21f8ec62d97efc

SHA256
40f33de8d0fd8293c3d03b3b2a043c7e4e96393510e686b90acebf485bbf0477

SHA512
76b35870a8c7a29a0ce36e548531dc6b09abb51b52781835c87fb7e6c276b84948137aa9f001b717ca0b9ffb0b27f47bae5fbb1be483aa74dbd2542409c387a9

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
566e76c377c6cbde155b8dbc2d4c0532

SHA1
e616a181764f0dec13cf7d1cc37f0e35bd5adbec

SHA256
d39a3de6f634ab642dd770313096a6c2de4cbc9b17b9d43220205463bac29fa2

SHA512
63c0b14bb3791a0adfc9050a9f4b3ce2227a8511f12bd4043dad79b3887655da61ac42e4a4a65e1d5f139a794dd8bb31054697e435aee377887415a3148397ed

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
566e76c377c6cbde155b8dbc2d4c0532

SHA1
e616a181764f0dec13cf7d1cc37f0e35bd5adbec

SHA256
d39a3de6f634ab642dd770313096a6c2de4cbc9b17b9d43220205463bac29fa2

SHA512
63c0b14bb3791a0adfc9050a9f4b3ce2227a8511f12bd4043dad79b3887655da61ac42e4a4a65e1d5f139a794dd8bb31054697e435aee377887415a3148397ed

Download Submit
C:\ProgramData\hrmlog2
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
fb4f8969e391325a8b15c875e8a6f529

SHA1
8d2d1fee995be5da302f85c785d432cd290ebfe1

SHA256
5d4ac4057332a801f449ecab45c0ca7e6101891813106a29326f76b091b3e168

SHA512
57653dbf4a124c02d20ca981a2283b4f63d01ecc8c35048771a8275025cbaacd70000b5c7abec5d23802dfef92abb6c3aa203345c59f787b5034fe0fc0aea48a

Download Submit
C:\ProgramData\ryuk.exe
Filesize
885KB

MD5
622bc38dee08e70e91e2be32a58b6d1f

SHA1
7cfec4859fa7ca178095983b3f174f842a44b0c2

SHA256
be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

SHA512
176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID
Filesize
8B

MD5
21a792fdd72dd7ddf309bf7e3819ac8b

SHA1
54a61afa0a6bfd7e87588d1da5978dae8f7be290

SHA256
a62ba8e3eb83edbefc6a8051265a303b7a33e6b853616218c84a1ffa08441ab0

SHA512
6ff050424079b5ed78eb4771f7efa34665f9b81bc9c8c498bd5437dc95c84b0ce1f997566bf686fffd0a3b4ab9f83af0cd840abcd5d4b8384d17da1edac99f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1
Filesize
2KB

MD5
566e76c377c6cbde155b8dbc2d4c0532

SHA1
e616a181764f0dec13cf7d1cc37f0e35bd5adbec

SHA256
d39a3de6f634ab642dd770313096a6c2de4cbc9b17b9d43220205463bac29fa2

SHA512
63c0b14bb3791a0adfc9050a9f4b3ce2227a8511f12bd4043dad79b3887655da61ac42e4a4a65e1d5f139a794dd8bb31054697e435aee377887415a3148397ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2
Filesize
292B

MD5
fb4f8969e391325a8b15c875e8a6f529

SHA1
8d2d1fee995be5da302f85c785d432cd290ebfe1

SHA256
5d4ac4057332a801f449ecab45c0ca7e6101891813106a29326f76b091b3e168

SHA512
57653dbf4a124c02d20ca981a2283b4f63d01ecc8c35048771a8275025cbaacd70000b5c7abec5d23802dfef92abb6c3aa203345c59f787b5034fe0fc0aea48a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize
885KB

MD5
622bc38dee08e70e91e2be32a58b6d1f

SHA1
7cfec4859fa7ca178095983b3f174f842a44b0c2

SHA256
be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

SHA512
176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d

Download Submit
memory/316-91-0x0000000000000000-mapping.dmp

Download
memory/536-62-0x0000000000000000-mapping.dmp

Download
memory/560-64-0x0000000000000000-mapping.dmp

Download
memory/596-83-0x0000000000000000-mapping.dmp

Download
memory/616-96-0x0000000000000000-mapping.dmp

Download
memory/800-73-0x0000000000000000-mapping.dmp

Download
memory/832-93-0x0000000000000000-mapping.dmp

Download
memory/912-65-0x0000000000000000-mapping.dmp

Download
memory/960-61-0x0000000000000000-mapping.dmp

Download
memory/1088-72-0x0000000000000000-mapping.dmp

Download
memory/1100-59-0x0000000000000000-mapping.dmp

Download
memory/1156-70-0x0000000000000000-mapping.dmp

Download
memory/1448-71-0x0000000000000000-mapping.dmp

Download
memory/1500-58-0x0000000000000000-mapping.dmp

Download
memory/1500-100-0x0000000000000000-mapping.dmp

Download
memory/1504-87-0x0000000000000000-mapping.dmp

Download
memory/1508-74-0x0000000000000000-mapping.dmp

Download
memory/1516-103-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download
memory/1588-95-0x0000000000000000-mapping.dmp

Download
memory/1632-99-0x0000000000000000-mapping.dmp

Download
memory/1632-56-0x0000000000000000-mapping.dmp

Download
memory/1648-102-0x0000000000000000-mapping.dmp

Download
memory/1648-60-0x0000000000000000-mapping.dmp

Download
memory/1680-79-0x0000000000000000-mapping.dmp

Download
memory/1712-75-0x0000000000000000-mapping.dmp

Download
memory/1732-77-0x0000000000000000-mapping.dmp

Download
memory/1748-76-0x0000000000000000-mapping.dmp

Download
memory/1760-85-0x0000000000000000-mapping.dmp

Download
memory/1768-67-0x0000000000000000-mapping.dmp

Download
memory/1776-78-0x0000000000000000-mapping.dmp

Download
memory/1784-80-0x0000000000000000-mapping.dmp

Download
memory/1800-69-0x0000000000000000-mapping.dmp

Download
memory/1816-68-0x0000000000000000-mapping.dmp

Download
memory/1844-98-0x0000000000000000-mapping.dmp

Download
memory/1868-97-0x0000000000000000-mapping.dmp

Download
memory/1868-55-0x0000000000000000-mapping.dmp

Download
memory/1912-66-0x0000000000000000-mapping.dmp

Download
memory/1976-101-0x0000000000000000-mapping.dmp

Download
memory/1980-54-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads