ryuk | c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10

General

Target

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
Size

192KB
MD5

ac4845378d6e9585c758efeffe713857
SHA1

4febb67955fa4743db70dad7481702bb46f60d69
SHA256

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10
SHA512

6edaf5e417087b428feaa81214bad3deab967462b6448f6252a413f839a32dcc40cd6be369284a8d940ad1b0804bbc6a85ae22a179af9d7a5cb780658009c874

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 1 IoCs

Processes:

pziWeTX.exe

pid process

1600 pziWeTX.exe

pid	process
1600	pziWeTX.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exepziWeTX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	pziWeTX.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

1828 icacls.exe
3840 icacls.exe
1120 icacls.exe
628 icacls.exe

pid	process
1828	icacls.exe
3840	icacls.exe
1120	icacls.exe
628	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pziWeTX.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exepziWeTX.exe

pid	process
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
1600	pziWeTX.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
1600	pziWeTX.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exepziWeTX.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
Token: SeBackupPrivilege	1600	pziWeTX.exe
Token: SeBackupPrivilege	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
Token: SeIncreaseQuotaPrivilege	1872	WMIC.exe
Token: SeSecurityPrivilege	1872	WMIC.exe
Token: SeTakeOwnershipPrivilege	1872	WMIC.exe
Token: SeLoadDriverPrivilege	1872	WMIC.exe
Token: SeSystemProfilePrivilege	1872	WMIC.exe
Token: SeSystemtimePrivilege	1872	WMIC.exe
Token: SeProfSingleProcessPrivilege	1872	WMIC.exe
Token: SeIncBasePriorityPrivilege	1872	WMIC.exe
Token: SeCreatePagefilePrivilege	1872	WMIC.exe
Token: SeBackupPrivilege	1872	WMIC.exe
Token: SeRestorePrivilege	1872	WMIC.exe
Token: SeShutdownPrivilege	1872	WMIC.exe
Token: SeDebugPrivilege	1872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1872	WMIC.exe
Token: SeRemoteShutdownPrivilege	1872	WMIC.exe
Token: SeUndockPrivilege	1872	WMIC.exe
Token: SeManageVolumePrivilege	1872	WMIC.exe
Token: 33	1872	WMIC.exe
Token: 34	1872	WMIC.exe
Token: 35	1872	WMIC.exe
Token: 36	1872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5060	WMIC.exe
Token: SeSecurityPrivilege	5060	WMIC.exe
Token: SeTakeOwnershipPrivilege	5060	WMIC.exe
Token: SeLoadDriverPrivilege	5060	WMIC.exe
Token: SeSystemProfilePrivilege	5060	WMIC.exe
Token: SeSystemtimePrivilege	5060	WMIC.exe
Token: SeProfSingleProcessPrivilege	5060	WMIC.exe
Token: SeIncBasePriorityPrivilege	5060	WMIC.exe
Token: SeCreatePagefilePrivilege	5060	WMIC.exe
Token: SeBackupPrivilege	5060	WMIC.exe
Token: SeRestorePrivilege	5060	WMIC.exe
Token: SeShutdownPrivilege	5060	WMIC.exe
Token: SeDebugPrivilege	5060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5060	WMIC.exe
Token: SeRemoteShutdownPrivilege	5060	WMIC.exe
Token: SeUndockPrivilege	5060	WMIC.exe
Token: SeManageVolumePrivilege	5060	WMIC.exe
Token: 33	5060	WMIC.exe
Token: 34	5060	WMIC.exe
Token: 35	5060	WMIC.exe
Token: 36	5060	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exenet.exenet.exepziWeTX.exenet.exenet.execmd.execmd.exe

description	pid	process	target process
PID 4200 wrote to memory of 1600	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	pziWeTX.exe
PID 4200 wrote to memory of 1600	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	pziWeTX.exe
PID 4200 wrote to memory of 1600	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	pziWeTX.exe
PID 4200 wrote to memory of 2396	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	sihost.exe
PID 4200 wrote to memory of 1816	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 4200 wrote to memory of 1816	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 4200 wrote to memory of 1816	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 1816 wrote to memory of 2776	1816	net.exe	net1.exe
PID 1816 wrote to memory of 2776	1816	net.exe	net1.exe
PID 1816 wrote to memory of 2776	1816	net.exe	net1.exe
PID 4200 wrote to memory of 3452	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 4200 wrote to memory of 3452	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 4200 wrote to memory of 3452	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 3452 wrote to memory of 3360	3452	net.exe	net1.exe
PID 3452 wrote to memory of 3360	3452	net.exe	net1.exe
PID 3452 wrote to memory of 3360	3452	net.exe	net1.exe
PID 4200 wrote to memory of 2424	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	svchost.exe
PID 4200 wrote to memory of 2508	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	taskhostw.exe
PID 4200 wrote to memory of 3104	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	svchost.exe
PID 4200 wrote to memory of 3296	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	DllHost.exe
PID 4200 wrote to memory of 3396	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	StartMenuExperienceHost.exe
PID 4200 wrote to memory of 3460	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	RuntimeBroker.exe
PID 4200 wrote to memory of 3544	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	SearchApp.exe
PID 4200 wrote to memory of 3772	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	RuntimeBroker.exe
PID 4200 wrote to memory of 440	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	RuntimeBroker.exe
PID 4200 wrote to memory of 4344	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	backgroundTaskHost.exe
PID 4200 wrote to memory of 2724	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	RuntimeBroker.exe
PID 1600 wrote to memory of 1828	1600	pziWeTX.exe	icacls.exe
PID 1600 wrote to memory of 1828	1600	pziWeTX.exe	icacls.exe
PID 1600 wrote to memory of 1828	1600	pziWeTX.exe	icacls.exe
PID 4200 wrote to memory of 3840	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	icacls.exe
PID 4200 wrote to memory of 3840	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	icacls.exe
PID 4200 wrote to memory of 3840	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	icacls.exe
PID 4200 wrote to memory of 628	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	icacls.exe
PID 4200 wrote to memory of 628	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	icacls.exe
PID 4200 wrote to memory of 628	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	icacls.exe
PID 1600 wrote to memory of 1120	1600	pziWeTX.exe	icacls.exe
PID 1600 wrote to memory of 1120	1600	pziWeTX.exe	icacls.exe
PID 1600 wrote to memory of 1120	1600	pziWeTX.exe	icacls.exe
PID 4200 wrote to memory of 2380	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	cmd.exe
PID 4200 wrote to memory of 2380	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	cmd.exe
PID 4200 wrote to memory of 2380	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	cmd.exe
PID 1600 wrote to memory of 1108	1600	pziWeTX.exe	cmd.exe
PID 1600 wrote to memory of 1108	1600	pziWeTX.exe	cmd.exe
PID 1600 wrote to memory of 1108	1600	pziWeTX.exe	cmd.exe
PID 4200 wrote to memory of 2228	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 4200 wrote to memory of 2228	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 4200 wrote to memory of 2228	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	net.exe
PID 2228 wrote to memory of 4268	2228	net.exe	net1.exe
PID 2228 wrote to memory of 4268	2228	net.exe	net1.exe
PID 2228 wrote to memory of 4268	2228	net.exe	net1.exe
PID 4200 wrote to memory of 4300	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	cmd.exe
PID 4200 wrote to memory of 4300	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	cmd.exe
PID 4200 wrote to memory of 4300	4200	c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe	cmd.exe
PID 1600 wrote to memory of 848	1600	pziWeTX.exe	net.exe
PID 1600 wrote to memory of 848	1600	pziWeTX.exe	net.exe
PID 1600 wrote to memory of 848	1600	pziWeTX.exe	net.exe
PID 848 wrote to memory of 1164	848	net.exe	net1.exe
PID 848 wrote to memory of 1164	848	net.exe	net1.exe
PID 848 wrote to memory of 1164	848	net.exe	net1.exe
PID 4300 wrote to memory of 1656	4300	cmd.exe	reg.exe
PID 4300 wrote to memory of 1656	4300	cmd.exe	reg.exe
PID 4300 wrote to memory of 1656	4300	cmd.exe	reg.exe
PID 2380 wrote to memory of 1872	2380	cmd.exe	WMIC.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3104

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3460

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3772

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4344

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2724

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:440

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3396

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3296

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2508

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe
"C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe
"C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe" 8 LAN
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1828

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
3⤵
PID:1108

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1120

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe" /f /reg:64
3⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe" /f /reg:64
4⤵
- Adds Run key to start application
PID:1768

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2776

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3360

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3840

C:\Windows\SysWOW64\cmd.exe
cmd /c "WMIC.exe shadowcopy delet"
2⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delet
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:4268

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe" /f /reg:64
2⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:1656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:4012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:112

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:10228

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit
C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe
MD5
ac4845378d6e9585c758efeffe713857

SHA1
4febb67955fa4743db70dad7481702bb46f60d69

SHA256
c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10

SHA512
6edaf5e417087b428feaa81214bad3deab967462b6448f6252a413f839a32dcc40cd6be369284a8d940ad1b0804bbc6a85ae22a179af9d7a5cb780658009c874

Download Submit
C:\Users\Admin\AppData\Local\Temp\pziWeTX.exe
MD5
ac4845378d6e9585c758efeffe713857

SHA1
4febb67955fa4743db70dad7481702bb46f60d69

SHA256
c4811bfb426e9af4ee8ee99ea61db612bbd7ab91b2fb0a21a847990c5626bb10

SHA512
6edaf5e417087b428feaa81214bad3deab967462b6448f6252a413f839a32dcc40cd6be369284a8d940ad1b0804bbc6a85ae22a179af9d7a5cb780658009c874

Download Submit
C:\Users\RyukReadMe.html
MD5
b8d47880de3aa1b3e8ebcfa62510b0f1

SHA1
541e9a0841cfc17d7a61eb89973359a75ec64aaa

SHA256
6f50767446c3b71c9d2db5653f8f3b662461958de66bb5875e0cb6a035831b73

SHA512
cdb7c0b7ea13b01e44cd3e564dddd9d6a1b5c9a6724fb4a2a806bc99a0476794ece0ad6a8ac3891ede5e738057499a5e55d8044f8e04a85d928b3379e0c48702

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads