{
	"id": "096f9c42-c320-450c-90af-bcc7d3019647",
	"created_at": "2026-04-06T00:10:02.179881Z",
	"updated_at": "2026-04-10T13:12:43.003818Z",
	"deleted_at": null,
	"sha1_hash": "7ae0a3826a2672444eaf06af5a301b4c6478f65a",
	"title": "Ryuk in 5 Hours - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 785543,
	"plain_text": "Ryuk in 5 Hours - The DFIR Report\r\nBy editor\r\nPublished: 2020-10-18 · Archived: 2026-04-05 18:51:56 UTC\r\nIntro\r\nThe Ryuk threat actors went from a phishing email to domain wide ransomware in 5 hours. They escalated privileges using\r\nZerologon (CVE-2020-1472), less than 2 hours after the initial phish. They used tools such as Cobalt Strike, AdFind, WMI,\r\nand PowerShell to accomplish their objective.\r\nRyuk has been one of the most proficient ransomware gangs in the past few years, with the FBI claiming $61 million USD\r\nhaving been paid to the group as of February 2020. Earlier in the year, the group grew a little quiet, but that seems to have\r\nchanged in the past few weeks, with incidents like what occurred at UHS hospitals.\r\nCase Summary\r\nIn our previous Ryuk case, we saw the threat actors leverage access to an environment via the Bazar Loader malware. This\r\ntime around, we saw them accomplish their objective faster, but the general tactics and techniques stayed similar between\r\nincidents.\r\nBazar was introduced to the environment again with the delivery via phishing emails. For an in depth breakdown on this\r\nloader, see this analysis by  Roman Marshanski \u0026 Vitali Kremez. Bazar, once running, was seen again injecting into\r\nexplorer.exe, svchost.exe, and spawning command shell processes.\r\nFrom this loader we saw initial mapping of the domain, using built-in windows utilities such as Nltest. However, unlike the\r\nlast case, the threat actors started at a lower privileged user and rather than proceed slowly or cautiously, they exploited the\r\nrecently disclosed Zerologon vulnerability (CVE-2020-1472) to reset the machine password of the primary domain\r\ncontroller.\r\nLateral movement was initiated via SMB file transfers and WMI executions of Cobalt Strike Beacons. 
The network\r\nindicators align similarly to the prior campaign and were noted by Kyle Ehmke in response to our last post pivoting off the\r\nprior report’s intel. From memory analysis, we were also able to conclude the actors were using a trial version of Cobalt\r\nStrike with the EICAR string present in the network configuration for the beacon. Both portable executable and DLL\r\nbeacons were used.\r\nAfter moving laterally to the secondary domain controller, the threat actor started on more domain discovery via Net and the\r\nPowerShell Active Directory module. From there, the threat actors appeared to use the default named pipe privilege\r\nescalation module on the server. At this point, the threat actors used RDP to connect from the secondary domain controller\r\nto the first domain controller, using the built-in Administrator account.\r\nOnce on the main domain controller, another Cobalt Strike beacon was dropped and executed. Then more domain\r\nreconnaissance was performed using AdFind. Once this completed, at the four hour mark, the threat actors were ready for\r\ntheir final objective.\r\nFour hours and 10 minutes in, the threat actors used the pivot from the primary domain controller to RDP into the Backup\r\nserver. Backup servers were again targeted first for deployment of the ransomware executable, followed by servers and then\r\nworkstations. The threat actors finished their objective by executing the ransomware on the primary domain controller, and at\r\nthe 5 hour mark, the attack completed.\r\nhttps://thedfirreport.com/2020/10/18/ryuk-in-5-hours/\r\nPage 1 of 16\n\nWhile last time we commented on the lead time between the first and second day to aid detection and response activity, this\r\ncase goes to show that you can’t count on that kind of timescale. 
You need to be ready to act in less than an hour, to make\r\nsure you can effectively disrupt the threat actor.\r\nTimeline\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nAccess was initiated by a phishing email leading to the Bazar Loader malware executable.\r\nExecution\r\nBazar relies on user execution of an executable to run. This user was a Domain User and did not have any other permissions.\r\nPrivilege Escalation\r\nCVE-2020-1472 was used to reset the credentials on one of the domain controllers in the environment. After resetting the\r\npassword, the threat actors then targeted a different domain controller, potentially due to breaking services by use of their\r\nexploit.\r\nPacket showing the zeroed out password.\r\nOn one of the domain controllers we saw use of the Cobalt Strike named pipe escalation.\r\nC:\\Windows\\system32\\cmd.exe /c echo 92d8cc45954 \u003e; \\\\.\\pipe\\446b3c\r\nDefense Evasion\r\nOn the first domain controller that the threat actors connected to after their initial connection, they dropped a DLL and\r\nexecuted it via rundll32.\r\nC:\\Windows\\system32\\cmd.exe /C rundll32 C:\\Windows\\system32\\SQL.dll, StartW\r\nDropped via RDP and executed via rundll32 on the second domain controller.\r\nrundll32 C:\\PerfLogs\\arti64.dll, rundll\r\nShortly after, the DLL was called again via regsvr32.\r\nregsvr32 C:\\PerfLogs\\arti64.dll\r\nThen a 2nd DLL was dropped and executed in a similar manner on the 2nd DC.\r\nrundll32 C:\\\\PerfLogs\\\\socks64.dll, rundll\r\nDiscovery\r\nRan on the beachhead.\r\nnltest /domain_trusts /all_trusts\r\nnltest /dclist:DOMAIN\r\nnet group \"Domain admins\" /DOMAIN\r\nRan on a domain controller.\r\nnet group \"enterprise admins\" /domain\r\nnltest /domain_trusts /all_trusts\r\nnltest 
/dclist:\"DOMAIN\"\r\nping DOMAINCONTROLLER\r\ncmd.exe /C time\r\nnet user administrator /domain\r\nThen they imported the PowerShell Active Directory module.\r\nThey then ran the following, looking for host names, operating systems and last logon dates of all AD systems.\r\nC:\\Windows\\system32\\cmd.exe /C Get-ADComputer -Filter {enabled -eq $true} -properties *|select Name, DNSHostNa\r\nAfter already completing the above discovery work and having already pivoted to their 2nd domain controller, the threat\r\nactors moved on to AdFind for further domain reconnaissance.\r\nC:\\Windows\\Temp\\adf\\AdFind.exe\r\nC:\\Windows\\Temp\\adf\\adf.bat\r\nThe contents of the batch script ran the following AdFind commands.\r\nadfind.exe -f \"(objectcategory=person)\"\r\nadfind.exe -f \"objectcategory=computer\"\r\nadfind.exe -f \"(objectcategory=organizationalUnit)\"\r\nadfind.exe -sc trustdmp\r\nadfind.exe -subnets -f (objectCategory=subnet)\r\nadfind.exe -f \"(objectcategory=group)\"\r\nadfind.exe -gcb -sc trustdmp\r\nThe threat actor then ran this command a few times.\r\nnltest /domain_trusts /all_trusts\r\nLateral Movement\r\nThe first lateral movement occurred to the domain controller not affected by the use of CVE-2020-1472. 
An executable was\r\ntransferred to it via SMB using a domain administrator account.\r\nAfter transferring the exe, the threat actors utilized WMI from the beachhead host to execute the file.\r\nC:\\Windows\\system32\\cmd.exe /C WMIC/node:\"DC.DOMAIN.local\" process call create \"cmd /c C:\\PerfLogs\\servisess.e\r\nThe presence of the EICAR strings points to the Cobalt Strike software being used as a trial version.\r\nThey accessed the GPOs for the domain but none were modified or added.\r\nmmc.exe\" \"C:\\Windows\\System32\\gpedit.msc\"\r\nShortly thereafter we saw a Cobalt Strike DLL transferred via the RDP connection.\r\nRDP was used to pivot from the main domain controller and distribute the final ransomware payload enterprise-wide.\r\nCommand and Control\r\nAfter our previous report, @kyleehmke pivoted off of our prior Ryuk report and used the network data to link several of\r\nthese domains which we saw in this case.\r\nBazar:\r\nReport_Print.exe\r\n3.137.182.114:443\r\ncstr3.com\r\nCobalt Strike:\r\nservisses.exe\r\n88.119.171.94:443\r\nIssuer Org lol\r\nSubject Org lol\r\nJA3: 57f3642b4e37e28f5cbe3020c9331b4c\r\nJA3s: e35df3e00ca4ef31d42b34bebaa2f86e\r\nSQL.dll\r\n5.2.64.174:443\r\nIssuer Org lol\r\nSubject Org lol\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nImpact\r\nStarting around 4.5 hours after the initial Bazar malware was executed, the Ryuk threat actors acted on their final objectives\r\nand initiated RDP connections from the domain controller previously exploited, to the rest of the environment. This time\r\nthey initiated the ransomware first on the secondary domain controller (their 1st pivot) and transferred the Ryuk executable\r\nover the RDP connection.\r\nEnjoy our report? 
Please consider donating $1 or more to the project using Patreon. Thank you for your support!\r\nWe also have pcaps, files, memory images, Kape and Redline packages available here.\r\nIOCs\r\nhttps://misppriv.circl.lu/events/view/80223 \u0026 https://otx.alienvault.com/pulse/5f8cce76f5614d9b220181b6\r\nNetwork\r\n3.137.182.114:443\r\ncstr3.com\r\n88.119.171.94:443\r\nhavemosts.com\r\n5.2.64.174:443\r\nquwasd.com\r\nFile\r\nservisses.exe\r\nd971827d974effedaeaf7d62b619b1dd\r\nc3a846eb04e2fe765e56fa15a0d5c1eb650ccba3\r\n1d8b7faf5f290465cc742e07abca78fac419135b191071cc77912263cd1dde1d\r\nsocks64.dll\r\n890206f0c506366d480e02fc9fed988a\r\nba1542d9b55fff21bda9495ed884404b0436cff2\r\nfeb8c2bcb71da02dbbeecb999869e053cf96af8cce6f9705cadca4338133d3b5\r\nSQL.dll\r\n3785d87f6995b4b95d9b55f8d2556237\r\n9b44a8f0bb2d65fb19e7ca7bbd85b36c176f3d60\r\nd67461ba45a4edf3b2a69b3e64303fda8130bd1fc7a1173f35c1fe67b40c9639\r\narti64.dll\r\n3785d87f6995b4b95d9b55f8d2556237\r\n9b44a8f0bb2d65fb19e7ca7bbd85b36c176f3d60\r\nd67461ba45a4edf3b2a69b3e64303fda8130bd1fc7a1173f35c1fe67b40c9639\r\nxxx.exe\r\n5b8b66ddbbf1fd67211e9a4bf78c1700\r\ncdb042dd8e9dc17f677c991b386f4cd242f2628d\r\nccde47a0d315dcd4740fccfe8e8110fbb1fd85bb305734fec409f52051790c98\r\nDetections\r\nNetwork\r\nGPL NETBIOS SMB-DS IPC$ share access\r\nET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement\r\nET POLICY SMB2 NT Create AndX Request For an Executable 
File\r\nSigma\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/malware/win_mal_ryuk.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.y\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_trust_discovery.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_net_execution.yml\r\nDetects AdFind usage from a past case:\r\ntitle: AdFind Recon\r\ndescription: Threat Actor using AdFind for reconnaissance.\r\nauthor: The DFIR Report\r\ndate: 2019/8/2\r\nreferences:\r\n  - https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/\r\ntags:\r\n  - attack.remote_system_discovery\r\n  - attack.T1018\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection_1:\r\n    CommandLine|contains:\r\n      - adfind -f objectcategory=computer\r\n  selection_2:\r\n    CommandLine|contains:\r\n      - adfind -gcb -sc trustdmp\r\n  condition: selection_1 or selection_2\r\nfalsepositives:\r\n  - Legitimate Administrator using tool for Active Directory querying\r\nlevel: medium\r\nstatus: experimental\r\nYara\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2020-10-13\r\nIdentifier: Case 1006 Ryuk\r\nReference: https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule ryuk_1006_servisses_procdump {\r\nmeta:\r\ndescription = \"files - file servisses-procdump.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2020-10-13\"\r\nhash1 = \"387894a0b404c67e722799308b12ff2be31d2e8ce798aa53d971f0c13805d54d\"\r\nstrings:\r\n$s1 = \"c:/crossdev/src/winpthreads-svn6233/src/mutex.c\" fullword ascii\r\n$s2 
= \"mutex_global_shmem\" fullword ascii\r\n$s3 = \"mutex_global_static_shmem\" fullword ascii\r\n$s4 = \"_pthread_key_dest_shmem\" fullword ascii\r\n$s5 = \"_pthread_key_sch_shmem\" fullword ascii\r\n$s6 = \"_pthread_key_max_shmem\" fullword ascii\r\n$s7 = \"_pthread_key_lock_shmem\" fullword ascii\r\n$s8 = \"cannot find name of executable\" fullword ascii\r\n$s9 = \"tiles32.png\" fullword ascii\r\n$s10 = \"GetModuleFileName: %s\" fullword ascii\r\n$s11 = \"IP_DEST_HOST_UNREACHABLE (11003)\" fullword ascii\r\n$s12 = \"This program requires Windows NT!\" fullword ascii\r\nhttps://thedfirreport.com/2020/10/18/ryuk-in-5-hours/\r\nPage 11 of 16\n\n$s13 = \"SNMP INVALID_SESSION\" fullword ascii\r\n$s14 = \"SNMP TRAP_ERRORS\" fullword ascii\r\n$s15 = \"SNMP SELECT_FDERRORS\" fullword ascii\r\n$s16 = \"Some different radices: %d %x %o %#x %#o \" fullword ascii\r\n$s17 = \"c:/crossdev/src/winpthreads-svn6233/src/rwlock.c\" fullword ascii\r\n$s18 = \"_pthread_tls_shmem\" fullword ascii\r\n$s19 = \"IP_DEST_PORT_UNREACHABLE (11005)\" fullword ascii\r\n$s20 = \"pthr_root_shmem\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n( pe.imphash() == \"a90d500745a1ce2417c01fecefbc2851\" or 8 of them )\r\n}\r\nrule ryuk_1006_files_socks64 {\r\nmeta:\r\ndescription = \"files - file socks64.dll\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2020-10-13\"\r\nhash1 = \"feb8c2bcb71da02dbbeecb999869e053cf96af8cce6f9705cadca4338133d3b5\"\r\nstrings:\r\n$x1 = \"C:\\\\Users\\\\Izidu\\\\Desktop\\\\2019\\\\WindowsSDK7-Samples-master\\\\WindowsSDK7-Samples-master\\\\winui\\\\picture\r\n$s2 = \"C:\\\\Users\\\\Izidu\\\\Desktop\\\\2019\\\\WindowsSDK7-Samples-master\\\\WindowsSDK7-Samples-master\\\\winui\\\\picture\r\n$s3 = \"PluginSample.dll\" fullword ascii\r\n$s4 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s5 = \"luginSample.pdb\" fullword ascii\r\n$s6 = \"rundll\" fullword ascii\r\n$s7 = 
\"AcquireSamplePlugin::DisplayConfigureDialog\" fullword wide\r\n$s8 = \"AppPolicyGetThreadInitializationType\" fullword ascii\r\n$s9 = \"`template-parameter-\" fullword ascii\r\n$s10 = \"operator\u003c=\u003e\" fullword ascii\r\n$s11 = \"operator co_await\" fullword ascii\r\n$s12 = \"AppPolicyGetWindowingModel\" fullword ascii\r\n$s13 = \"Transfer Completed Successfully!\" fullword wide\r\n$s14 = \"AppPolicyGetShowDeveloperDiagnostic\" fullword ascii\r\n$s15 = \"noexcept\" fullword ascii\r\n$s16 = \"Read-Only Photo Acquire Plugin\" fullword wide\r\n$s17 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n$s18 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Photo Acquisition\\\\Plugins\\\\%ws\" fullword wide\r\n$s19 = \".?AUIUserInputString@@\" fullword ascii\r\n$s20 = \"g0DVNrB\\\"Rtf#\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n( pe.imphash() == \"0fd22f187f22ab4ec2eb55f91ccefa7a\" and ( pe.exports(\"SGeruIUrgVdfMaxMccIKRh\") and pe.exports\r\n}\r\nrule ryuk_1006_Report_Print {\r\nmeta:\r\ndescription = \"files - file Report_Print.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2020-10-13\"\r\nhash1 = \"23ac461f9b5128841cafabb4282432252ea7b57874595cf6fe8457fc1ac65007\"\r\nhttps://thedfirreport.com/2020/10/18/ryuk-in-5-hours/\r\nPage 12 of 16\n\nstrings:\r\n$s1 = \"kErNel32.Dll\" fullword wide\r\n$s2 = \"DOOKOL.exe\" fullword ascii\r\n$s3 = \"c:/crossdev/src/winpthreads-svn6233/src/mutex.c\" fullword ascii\r\n$s4 = \"hmutex\" fullword ascii\r\n$s5 = \"._FindPESectionExec\" fullword ascii\r\n$s6 = \"mutex_global_shmem\" fullword ascii\r\n$s7 = \"processthreadsapi.h\" fullword ascii\r\n$s8 = \"mutex_global_static_shmem\" fullword ascii\r\n$s9 = \"TargetIp\" fullword ascii\r\n$s10 = \"c:\\\\crossdev\\\\gccmaster\\\\build-tdm64\\\\gcc\\\\x86_64-w64-mingw32\\\\libgcc\" fullword ascii\r\n$s11 = 
\"h:\\\\crossdev\\\\gccmaster\\\\build-tdm64\\\\runtime\\\\mingw-w64-crt\" fullword ascii\r\n$s12 = \"J__mingw_winmain_lpCmdLine\" fullword ascii\r\n$s13 = \"GNU C 4.8.1 -mtune=generic -march=x86-64 -g -O2 -O2 -O2 -fbuilding-libgcc -fno-stack-protector\" fullwo\r\n$s14 = \"GNU C 4.8.1 -mtune=generic -march=x86-64 -g -O2 -O2 -O2 -fbuilding-libgcc -fno-stack-protector -fno-ex\r\n$s15 = \"GNU C 4.8.1 -m64 -mtune=generic -march=x86-64 -g -O2 -std=gnu99\" fullword ascii\r\n$s16 = \"GNU C 4.8.1 -mtune=generic -march=x86-64 -g -O2 -O2 -O2 -fbuilding-libgcc -fno-stack-protector -fexcep\r\n$s17 = \"9lpszCommandLine\" fullword ascii\r\n$s18 = \"=__mingw_GetSectionForAddress\" fullword ascii\r\n$s19 = \"__mingw_winmain_lpCmdLine\" fullword ascii\r\n$s20 = \"%Target\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 3000KB and\r\n( pe.imphash() == \"8f0088451a1156246379abc67514cacf\" and pe.exports(\"CSBhvSWCvFRvfCfAoJdoFuAUmK\") or 8 of them\r\n}\r\nrule ryuk_1006_files_xxx {\r\nmeta:\r\ndescription = \"files - file xxx.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2020-10-13\"\r\nhash1 = \"ccde47a0d315dcd4740fccfe8e8110fbb1fd85bb305734fec409f52051790c98\"\r\nstrings:\r\n$s1 = \"DOOKOL.exe\" fullword ascii\r\n$s2 = \"c:/crossdev/src/winpthreads-svn6233/src/mutex.c\" fullword ascii\r\n$s3 = \"hmutex\" fullword ascii\r\n$s4 = \"mutex_global_shmem\" fullword ascii\r\n$s5 = \"processthreadsapi.h\" fullword ascii\r\n$s6 = \"mutex_global_static_shmem\" fullword ascii\r\n$s7 = \"fake_get_output_format\" fullword ascii\r\n$s8 = \"\u0026rvaTarget\" fullword ascii\r\n$s9 = \"h:\\\\crossdev\\\\gccmaster\\\\build-tdm64\\\\runtime\\\\mingw-w64-crt\" fullword ascii\r\n$s10 = \"c:\\\\crossdev\\\\gccmaster\\\\build-tdm64\\\\gcc\\\\x86_64-w64-mingw32\\\\32\\\\libgcc\" fullword ascii\r\n$s11 = \"E__mingw_winmain_lpCmdLine\" fullword ascii\r\n$s12 = \"GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -O2 -O2 
-fbuilding-libgcc -fno-stack-protector\" f\r\n$s13 = \"GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -O2 -O2 -fbuilding-libgcc -fno-stack-protector -f\r\n$s14 = \"GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -O2 -O2 -fbuilding-libgcc -fno-stack-protector -f\r\n$s15 = \"GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99\" fullword ascii\r\n$s16 = \"__mingw_winmain_lpCmdLine\" fullword ascii\r\n$s17 = \"Npthread_getspecific\" fullword ascii\r\n$s18 = \"__gthread_getspecific\" fullword ascii\r\n$s19 = \"=__mingw_GetSectionForAddress\" fullword ascii\r\n$s20 = \"4lpszCommandLine\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n( pe.imphash() == \"00f3261b5b33a9b1e8b6003f4056a885\" and pe.exports(\"CSBhvSWCvFRvfCfAoJdoFuAUmK\") or 8 of them\r\n}\r\nrule ryuk_1006_servisses {\r\nmeta:\r\ndescription = \"files - file servisses.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2020-10-13\"\r\nhash1 = \"1d8b7faf5f290465cc742e07abca78fac419135b191071cc77912263cd1dde1d\"\r\nstrings:\r\n$s1 = \"DOOKOL.exe\" fullword ascii\r\n$s2 = \"c:/crossdev/src/winpthreads-svn6233/src/mutex.c\" fullword ascii\r\n$s3 = \"mutex_global_shmem\" fullword ascii\r\n$s4 = \"mutex_global_static_shmem\" fullword ascii\r\n$s5 = \"_pthread_key_dest_shmem\" fullword ascii\r\n$s6 = \"_pthread_key_max_shmem\" fullword ascii\r\n$s7 = \"_pthread_key_sch_shmem\" fullword ascii\r\n$s8 = \"_pthread_key_lock_shmem\" fullword ascii\r\n$s9 = \"cannot find name of executable\" fullword ascii\r\n$s10 = \"tiles32.png\" fullword ascii\r\n$s11 = \"GetModuleFileName: %s\" fullword ascii\r\n$s12 = \"IP_DEST_HOST_UNREACHABLE (11003)\" fullword ascii\r\n$s13 = \"This program requires Windows NT!\" fullword ascii\r\n$s14 = \"SNMP INVALID_SESSION\" fullword ascii\r\n$s15 = \"SNMP TRAP_ERRORS\" fullword ascii\r\n$s16 = \"SNMP 
SELECT_FDERRORS\" fullword ascii\r\n$s17 = \"Some different radices: %d %x %o %#x %#o \" fullword ascii\r\n$s18 = \"c:/crossdev/src/winpthreads-svn6233/src/rwlock.c\" fullword ascii\r\n$s19 = \"_pthread_tls_shmem\" fullword ascii\r\n$s20 = \"IP_DEST_PORT_UNREACHABLE (11005)\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n( pe.imphash() == \"a90d500745a1ce2417c01fecefbc2851\" and pe.exports(\"KADWEGAFSTWUATQFFFFkxcEEF\") or 8 of them\r\n}\r\nrule ryuk_1006_files_SQL {\r\nmeta:\r\ndescription = \"files - file SQL.dll\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2020-10-13\"\r\nhash1 = \"d67461ba45a4edf3b2a69b3e64303fda8130bd1fc7a1173f35c1fe67b40c9639\"\r\nstrings:\r\n$s1 = \".data$_ZN12_GLOBAL__N_110fake_mutexE\" fullword ascii\r\n$s2 = \".data$_ZZN12_GLOBAL__N_116get_static_mutexEvE4once\" fullword ascii\r\n$s3 = \"DOOKOL.dll\" fullword ascii\r\n$s4 = \"_ZN12_GLOBAL__N_110fake_mutexE\" fullword ascii\r\n$s5 = \"_ZZN12_GLOBAL__N_116get_static_mutexEvE4once\" fullword ascii\r\n$s6 = \".data$_ZN12_GLOBAL__N_115emergency_mutexE\" fullword ascii\r\n$s7 = \".data$_ZN12_GLOBAL__N_1L12static_mutexE\" fullword ascii\r\n$s8 = \"__shmem_winpthreads_grabber_mutex_global_shmem\" fullword ascii\r\n$s9 = \"__shmem_winpthreads_init_mutex_global_shmem\" fullword ascii\r\n$s10 = \"__shmem_winpthreads_ptr_mutex_global_shmem\" fullword ascii\r\n$s11 = \"c:/crossdev/src/winpthreads-svn6233/src/mutex.c\" fullword ascii\r\n$s12 = \"pthread_mutex_lock_intern\" fullword ascii\r\n$s13 = \"__shmem_winpthreads_init_mutex_global_static_shmem\" fullword ascii\r\n$s14 = \"__shmem_winpthreads_grabber_mutex_global_static_shmem\" fullword ascii\r\n$s15 = \"__shmem_winpthreads_ptr_mutex_global_static_shmem\" fullword ascii\r\n$s16 = \"_Z7ExecutePv\" fullword ascii\r\n$s17 = \"hmutex\" fullword ascii\r\n$s18 = \"._FindPESectionExec\" fullword 
ascii\r\n$s19 = \"_ZN9__gnu_cxx17__recursive_mutex6unlockEv\" fullword ascii\r\n$s20 = \".text$_ZN9__gnu_cxx17__recursive_mutex6unlockEv\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n( pe.imphash() == \"d16819dafefb97404d0d0e42adb82e5c\" and ( pe.exports(\"CSBhvSWCvFRvfCfAoJdoFuAUmK\") and pe.exp\r\n}\r\nIf you have detections you would like to add to this section, please contact us and we will credit you.\r\nMITRE\r\nSpearphishing Link – T1192\r\nRemote Desktop Protocol – T1076\r\nRemote File Copy – T1105\r\nWindows Management Instrumentation – T1047\r\nCommand-Line Interface – T1059\r\nDomain Trust Discovery – T1482\r\nRemote System Discovery – T1018\r\nSystem Time Discovery – T1124\r\nData Encrypted for Impact – T1486\r\nCommonly Used Port – T1043\r\nStandard Application Layer Protocol – T1071\r\nStandard Cryptographic Protocol – T1032\r\nUser Execution – T1204\r\nValid Accounts – T1078\r\nExploitation for Privilege Escalation – T1068\r\nSigned Binary Proxy Execution – T1218\r\nRundll32 – T1085\r\nRegsvr32 – T1117\r\n(internal case 1006)\r\nSource: https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/"
	],
	"report_names": [
		"ryuk-in-5-hours"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434202,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ae0a3826a2672444eaf06af5a301b4c6478f65a.pdf",
		"text": "https://archive.orkl.eu/7ae0a3826a2672444eaf06af5a301b4c6478f65a.txt",
		"img": "https://archive.orkl.eu/7ae0a3826a2672444eaf06af5a301b4c6478f65a.jpg"
	}
}