ryuk | 59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

Resubmissions

25-12-2024 03:42

241225-d9c21axjdn 10

25-12-2024 03:39

241225-d74ryawqfw 10

25-12-2024 03:37

241225-d6fzgswqbw 10

25-12-2024 03:21

241225-dwt4cswpdj 10

Analysis

max time kernel
20s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 03:42

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
Size

321KB
MD5

04ba14a9828b000add142d0bcb42ac2d
SHA1

928a705a481384dee3aa9985bb2a9e1e6827902f
SHA256

28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33
SHA512

2fc56d6fdf360c0435f76822f3d99288c3b31462931eb128c7ed895bf93d88b00663801c1a5394b1ae5bb081ac76b004deaf46fdf2b0b9c027b2945a7c030909
SSDEEP

6144:ba4FsUiep6JzvI74kZO/+SJtwOW8HFBwK3SBDmhYfFQ:ba4Fs/7IfO/+SJFW8HF+KCIG

Score

10^/10

ryuk discovery persistence ransomware vmprotect

Malware Config

Extracted

Path

F:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4440-0-0x0000000030000000-0x00000000303DF000-memory.dmp	vmprotect
behavioral2/memory/4440-1-0x0000000030000000-0x00000000303DF000-memory.dmp	vmprotect
behavioral2/memory/4440-3-0x0000000030000000-0x00000000303DF000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-pl.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\130\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\BLUEPRNT.INF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_fr.dub	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\vlc.mo	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\REFINED.ELM	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\dcf.x-none.msi.16.x-none.vreg.dat	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\EXPEDITN.INF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1036\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.LEX	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ppd.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmti.h	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ul-oob.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-phn.xrm-ms	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4328	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	82
PID 4440 wrote to memory of 4328	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	82
PID 4440 wrote to memory of 4328	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	82
PID 4440 wrote to memory of 2644	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	44
PID 4328 wrote to memory of 2640	4328	cmd.exe	84
PID 4328 wrote to memory of 2640	4328	cmd.exe	84
PID 4328 wrote to memory of 2640	4328	cmd.exe	84
PID 4440 wrote to memory of 2660	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	45
PID 4440 wrote to memory of 2784	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	48
PID 4440 wrote to memory of 3640	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	57
PID 4440 wrote to memory of 3824	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	58
PID 4440 wrote to memory of 3916	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	59
PID 4440 wrote to memory of 3984	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	60
PID 4440 wrote to memory of 4076	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	61
PID 4440 wrote to memory of 3656	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	62
PID 4440 wrote to memory of 3832	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	74
PID 4440 wrote to memory of 552	4440	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	76

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2660

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3824

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3916

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4076

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3656

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
"C:\Users\Admin\AppData\Local\Temp\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe" /f /reg:64
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.3MB

MD5
47d08b51efe6cf1a2bffbbbea9c0de44

SHA1
fa160ab975cfb7783c6e27c03071c471610a8206

SHA256
50ad286605275f3ce245557532bd5f1ce73d3224b154c5b52811e5a8cac3df99

SHA512
ca7ff68d25a7d0c7c2aba2ea89a7815b30875011fad7102143ed1465bde941cec14d795003bf761019c3a14786a6cc49e2f6d84f50993abcb4732e37f14106a3

Download Submit
F:\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
memory/4440-0-0x0000000030000000-0x00000000303DF000-memory.dmp

Filesize
3.9MB

Download
memory/4440-1-0x0000000030000000-0x00000000303DF000-memory.dmp

Filesize
3.9MB

Download
memory/4440-3-0x0000000030000000-0x00000000303DF000-memory.dmp

Filesize
3.9MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads