ryuk | 59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

Resubmissions

25-12-2024 03:42

241225-d9c21axjdn 10

25-12-2024 03:39

241225-d74ryawqfw 10

25-12-2024 03:37

241225-d6fzgswqbw 10

25-12-2024 03:21

241225-dwt4cswpdj 10

Analysis

max time kernel
19s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 03:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
Size

321KB
MD5

04ba14a9828b000add142d0bcb42ac2d
SHA1

928a705a481384dee3aa9985bb2a9e1e6827902f
SHA256

28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33
SHA512

2fc56d6fdf360c0435f76822f3d99288c3b31462931eb128c7ed895bf93d88b00663801c1a5394b1ae5bb081ac76b004deaf46fdf2b0b9c027b2945a7c030909
SSDEEP

6144:ba4FsUiep6JzvI74kZO/+SJtwOW8HFBwK3SBDmhYfFQ:ba4Fs/7IfO/+SJFW8HF+KCIG

Score

10^/10

ryuk discovery persistence ransomware vmprotect

Malware Config

Extracted

Path

F:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral14/memory/5088-0-0x0000000030000000-0x00000000303DF000-memory.dmp	vmprotect
behavioral14/memory/5088-1-0x0000000030000000-0x00000000303DF000-memory.dmp	vmprotect
behavioral14/memory/5088-3-0x0000000030000000-0x00000000303DF000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunjce_provider.jar	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-oob.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Keywords.HxK	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\cmm\LINEAR_RGB.pf	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\ARCTIC.INF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.boot.tree.dat	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp32.msi	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\NamedUrls.HxK	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\thaidict.md	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\TEMPSITC.TTF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordcnvpxy.cnv	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\TIME.XML	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-phn.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\onenote.x-none.msi.16.x-none.tree.dat	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\manifest.xml	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Google\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\PowerPointCapabilities.json	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark.png	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellModel.bin	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.dub	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 4784	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	82
PID 5088 wrote to memory of 4784	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	82
PID 5088 wrote to memory of 4784	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	82
PID 5088 wrote to memory of 2768	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	49
PID 4784 wrote to memory of 3292	4784	cmd.exe	84
PID 4784 wrote to memory of 3292	4784	cmd.exe	84
PID 4784 wrote to memory of 3292	4784	cmd.exe	84
PID 5088 wrote to memory of 2824	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	50
PID 5088 wrote to memory of 2972	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	51
PID 5088 wrote to memory of 3592	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	57
PID 5088 wrote to memory of 3764	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	58
PID 5088 wrote to memory of 3852	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	59
PID 5088 wrote to memory of 3920	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	60
PID 5088 wrote to memory of 4004	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	61
PID 5088 wrote to memory of 4124	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	62
PID 5088 wrote to memory of 4392	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	64
PID 5088 wrote to memory of 3132	5088	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	75

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2824

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3764

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4124

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4392

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
"C:\Users\Admin\AppData\Local\Temp\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe" /f /reg:64
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
2.6MB

MD5
dc8a9e5dce3cefeb1709b0569c5a501b

SHA1
da99feeec2e6b159d820cd34544e95c7b6aadd4b

SHA256
967e72aa544da99541655716d4f0b1094dd968b9782906d9a6207e66cd845031

SHA512
4f705be400a4a0640dec36af6a5678257e6f12f7dcc34698dc6dd2efd909efcaf89a37f1f8c697df9714bc4712826381e290edd3502da2b5dd4d6b215f48776f

Download Submit
F:\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
memory/5088-0-0x0000000030000000-0x00000000303DF000-memory.dmp

Filesize
3.9MB

Download
memory/5088-1-0x0000000030000000-0x00000000303DF000-memory.dmp

Filesize
3.9MB

Download
memory/5088-3-0x0000000030000000-0x00000000303DF000-memory.dmp

Filesize
3.9MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads