Analysis
Max time kernel: 164s
Max time network: 219s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 20-02-2022 02:55

Static task: static1

Behavioral task: behavioral1
  Sample: b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
  Resource: win10v2004-en-20220113

(The platform and resource above match behavioral2, so the signatures, process tree and dropped files below come from the Windows 10 run.)
General
Target: b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe
Size: 196KB
MD5: 35fb90e465df48871ee78df492fe22de
SHA1: ddfba2e525968f6aedf050613f32b124b13f776a
SHA256: b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2
SHA512: 60511d000df87164627fb6053049e82be0833e60a8b8a7ae30e93084e4293e250f1a7b2a4eaf3d875408a304e845ae548ff2cd68d6f604090cdc5be3d168d5f7
Malware Config
Family: ryuk
Extracted from: C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Signatures

In the lists below, "the sample" means b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe (PID 1332) and "the copy" means yeFcpTq.exe (PID 2368), a file with the same hashes as the sample (see Downloads).

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.

Executes dropped EXE (1 IoC)
  PID 2368  yeFcpTq.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  by the sample
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  by the copy

Modifies file permissions (1 TTP, 4 IoCs)
  PID 988   icacls.exe
  PID 3752  icacls.exe
  PID 1440  icacls.exe
  PID 4388  icacls.exe
Each instance runs icacls "<drive>:\*" /grant Everyone:F /T /C /Q (command lines in Processes): a recursive grant of Full control to Everyone on the C: and D: roots, so the encryptor can open files regardless of their existing ACLs. /C continues past errors and /Q suppresses success messages, so the command runs to completion silently.

Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created      \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  by reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe"  by reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  by reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yeFcpTq.exe"  by reg.exe
The value name "svchos" is a lookalike of svchost, and both writes point into a user-writable Temp directory. The two writes target the same value name, so only the last one persists; hunt on the value name and on any Run entry whose data resolves under AppData\Local\Temp.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs net.exe
No per-process detail is recorded for this signature; the net.exe command lines (stopping samss and audioendpointbuilder) are in the Processes section.

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 1332  the sample   12 events
  PID 2368  the copy      2 events

Suspicious use of AdjustPrivilegeToken (45 IoCs)
  SeDebugPrivilege   PID 1332  the sample
  SeBackupPrivilege  PID 2368  the copy
  SeBackupPrivilege  PID 1332  the sample
  PID 1656 WMIC.exe and PID 1352 WMIC.exe each enabled the same 21 privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, plus four privileges the sandbox reports only by LUID (33, 34, 35, 36).
The identical block for both WMIC.exe instances is WMIC's own behaviour at startup, not something the sample requested, so it carries no signal on its own. The three events that matter are SeDebugPrivilege on the sample (needed to open other users' and system processes, consistent with the process enumeration and the cross-process writes below) and SeBackupPrivilege on both the sample and the copy (read access to files regardless of ACL).

Suspicious use of WriteProcessMemory (64 IoCs)
The list stops at 64 entries and is truncated: PID 428 net.exe appears once at the end, where every other child the sample spawned appears three times.
  writer              target                              writes
  1332 the sample  -> 2368 yeFcpTq.exe                    3
  1332 the sample  -> 2280 sihost.exe                     1
  1332 the sample  -> 2860 net.exe                        3
  1332 the sample  -> 3144 net.exe                        3
  1332 the sample  -> 2312 svchost.exe                    1
  1332 the sample  -> 2432 taskhostw.exe                  1
  1332 the sample  -> 744 svchost.exe                     1
  1332 the sample  -> 3252 DllHost.exe                    1
  1332 the sample  -> 3348 StartMenuExperienceHost.exe    1
  1332 the sample  -> 3424 RuntimeBroker.exe              1
  1332 the sample  -> 3516 SearchApp.exe                  1
  1332 the sample  -> 3848 RuntimeBroker.exe              1
  1332 the sample  -> 4052 RuntimeBroker.exe              1
  1332 the sample  -> 1752 backgroundTaskHost.exe         1
  1332 the sample  -> 2208 RuntimeBroker.exe              1
  2860 net.exe     -> 3632 net1.exe                       3
  3144 net.exe     -> 100 net1.exe                        3
  2368 the copy    -> 3752 icacls.exe                     3
  1332 the sample  -> 988 icacls.exe                      3
  2368 the copy    -> 4388 icacls.exe                     3
  1332 the sample  -> 1440 icacls.exe                     3
  2368 the copy    -> 4592 cmd.exe                        3
  1332 the sample  -> 3112 cmd.exe                        3
  2368 the copy    -> 4552 net.exe                        3
  2368 the copy    -> 944 net.exe                         3
  1332 the sample  -> 2052 net.exe                        3
  1332 the sample  -> 4712 cmd.exe                        3
  1332 the sample  -> 4988 net.exe                        3
  944 net.exe      -> 896 net1.exe                        3
  1332 the sample  -> 428 net.exe                         1 (list cut off here)
The twelve single writes into pre-existing processes (sihost.exe, the two svchost.exe instances, taskhostw.exe, DllHost.exe, StartMenuExperienceHost.exe, SearchApp.exe, backgroundTaskHost.exe and four RuntimeBroker.exe instances) are the ones to treat as injection candidates: none of those processes is a child of the sample, so the writes cannot be explained by process creation. The triplets go to processes the writer itself had just spawned.
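The WriteProcessMemory list mixes two different things: writes into children the writer has just created, and writes into processes that already existed. The script below is an added example, not part of this report or of any sandbox tooling; it parses IoC lines written in the report's own wording and separates the two cases by cross-checking every (writer, target) pair against a set of parent/child pairs that, in a real investigation, comes from process-creation telemetry rather than from the write events themselves. The WPM_LINES text and the SPAWNED set are constructed from a subset of the entries above, with the sample's hash-named image shortened to sample.exe; the function and variable names are the example's own.

```python
"""Separate process-creation writes from cross-process injection candidates.

Added example (not from the sandbox report): parses "wrote to memory of" IoC
lines and flags every write whose target is not a child of the writer.
"""
import re
from collections import Counter

# Constructed sample: a subset of the report's WriteProcessMemory IoCs, with the
# hash-named sample image shortened to "sample.exe".
WPM_LINES = """\
PID 1332 wrote to memory of 2368 1332 sample.exe yeFcpTq.exe
PID 1332 wrote to memory of 2368 1332 sample.exe yeFcpTq.exe
PID 1332 wrote to memory of 2368 1332 sample.exe yeFcpTq.exe
PID 1332 wrote to memory of 2280 1332 sample.exe sihost.exe
PID 1332 wrote to memory of 2860 1332 sample.exe net.exe
PID 1332 wrote to memory of 2860 1332 sample.exe net.exe
PID 1332 wrote to memory of 2860 1332 sample.exe net.exe
PID 1332 wrote to memory of 2312 1332 sample.exe svchost.exe
PID 1332 wrote to memory of 3348 1332 sample.exe StartMenuExperienceHost.exe
PID 2860 wrote to memory of 3632 2860 net.exe net1.exe
PID 2860 wrote to memory of 3632 2860 net.exe net1.exe
PID 2860 wrote to memory of 3632 2860 net.exe net1.exe
PID 2368 wrote to memory of 3752 2368 yeFcpTq.exe icacls.exe
PID 2368 wrote to memory of 3752 2368 yeFcpTq.exe icacls.exe
PID 2368 wrote to memory of 3752 2368 yeFcpTq.exe icacls.exe
"""

# Constructed (parent_pid, child_pid) pairs, as process-creation telemetry
# (Sysmon event 1, ETW) would supply them. They must come from an independent
# source: deriving them from the write events would make the check circular.
SPAWNED = {(1332, 2368), (1332, 2860), (2860, 3632), (2368, 3752)}

WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_wpm(text):
    """Yield (src_pid, dst_pid, src_image, dst_image) for each IoC line."""
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]


def classify(text, spawned):
    """Bucket each (writer, target) pair as 'created' or 'injection'.

    Returns {"created": {(src, dst): (target_image, n_writes)},
             "injection": {(src, dst): (target_image, n_writes)}}.
    """
    counts = Counter()
    images = {}
    for src, dst, _src_img, dst_img in parse_wpm(text):
        counts[(src, dst)] += 1
        images[(src, dst)] = dst_img
    out = {"created": {}, "injection": {}}
    for key, n in counts.items():
        bucket = "created" if key in spawned else "injection"
        out[bucket][key] = (images[key], n)
    return out


def injection_targets(text, spawned):
    """Sorted (writer_pid, target_pid, target_image) for writes not explained by creation."""
    injected = classify(text, spawned)["injection"]
    return sorted((s, d, img) for (s, d), (img, _n) in injected.items())


if __name__ == "__main__":
    for src, dst, img in injection_targets(WPM_LINES, SPAWNED):
        print(f"PID {src} wrote into PID {dst} ({img}), a process it did not create")
```

The write count is kept alongside the classification because it is corroborating evidence only: here every spawned child shows three writes and every injection candidate one, but the child set, not the count, is what decides the bucket.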
Processes

Each entry gives the image path followed by the command line as recorded. Indentation shows the parent/child relationship; the bracketed names are the signatures the report attached to that process.

Pre-existing system processes. These are not children of the sample; each one is a WriteProcessMemory target of the sample (see Signatures), which is why the report lists them.
  C:\Windows\system32\taskhostw.exe
      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  C:\Windows\system32\sihost.exe
      sihost.exe
  C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
  C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
  C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding

Sample process tree.
C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe   (PID 1332)
    "C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe"
    [Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
  C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe   (PID 2368)
      "C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe" 8 LAN
      [Executes dropped EXE; Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
    C:\Windows\SysWOW64\icacls.exe
        icacls "C:\*" /grant Everyone:F /T /C /Q
        [Modifies file permissions]
    C:\Windows\SysWOW64\icacls.exe
        icacls "D:\*" /grant Everyone:F /T /C /Q
        [Modifies file permissions]
    C:\Windows\SysWOW64\cmd.exe
        cmd /c "WMIC.exe shadowcopy delet"
      C:\Windows\SysWOW64\Wbem\WMIC.exe
          WMIC.exe shadowcopy delet
          [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" stop "samss" /y
        [Suspicious use of WriteProcessMemory]
      C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "samss" /y
    C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe" /f /reg:64
      C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe" /f /reg:64
          [Adds Run key to start application]
  C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      [Suspicious use of WriteProcessMemory]
    C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      [Suspicious use of WriteProcessMemory]
    C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
  C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      [Modifies file permissions]
  C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      [Modifies file permissions]
  C:\Windows\SysWOW64\cmd.exe
      cmd /c "WMIC.exe shadowcopy delet"
    C:\Windows\SysWOW64\Wbem\WMIC.exe
        WMIC.exe shadowcopy delet
        [Suspicious use of AdjustPrivilegeToken]
  C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe" /f /reg:64
    C:\Windows\SysWOW64\reg.exe
        REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2.exe" /f /reg:64
        [Adds Run key to start application]
  C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
    C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
  C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
    C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
  C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
    C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
  C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
    C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y

Reading the tree:
  - Every helper the sample and its copy launch (icacls, cmd, WMIC, net, net1, reg) is the SysWOW64 build, even where the command line names System32: the sample is a 32-bit image running under WOW64, and file-system redirection substitutes the 32-bit binaries. The /reg:64 switch on REG ADD makes the 32-bit reg.exe write the 64-bit registry view.
  - The copy yeFcpTq.exe is started with the arguments 8 LAN and repeats the parent's whole sequence (icacls on C: and D:, shadow-copy deletion, service stops, Run key), so each destructive step runs at least twice per host. The copy's Run key points at the copy; the sample's Run key points at the sample.
  - "WMIC.exe shadowcopy delet" is the truncated form of shadowcopy delete. Detections that require the full word miss this command; match on the shadowcopy delet prefix. The report records that WMIC ran and adjusted its token privileges, not whether any shadow copies existed or were removed.
  - net stop "samss" /y and net stop "audioendpointbuilder" /y stop the Security Accounts Manager and Windows Audio Endpoint Builder services; the sample issues the pair five times and the copy once. The report records the commands, not their exit status.
  - icacls "<drive>:\*" /grant Everyone:F /T /C /Q recursively grants Everyone full control on each drive root before encryption begins; the D: variant runs whether or not a D: drive exists.
  - The Run value is named svchos, a lookalike of svchost, and its data is a user-writable Temp path. No legitimate Windows component autostarts from AppData\Local\Temp.
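The command lines in the tree are the most durable thing to detect on: they are the pre-encryption routine, and they appear identically under the sample and under its copy. The script below is an added example, not from this report, the sandbox, or the malware's authors. It runs four command-line rules over constructed process-creation records modelled on Sysmon event ID 1, includes two benign administrative commands to show they do not fire, and adds the parent/image check that every helper here is the SysWOW64 copy launched from a Temp directory. The EVENTS records (PIDs 5001 and above, and the parent PIDs for WMIC.exe and reg.exe), the rule names and the function names are the example's own, not identifiers from the report.

```python
"""Flag the pre-encryption commands seen in the process tree from process-creation telemetry.

Added example (not from the sandbox report or the malware's authors). Rules
cover: icacls Everyone:F on a drive root, the truncated "wmic shadowcopy delet",
net stop of samss/audioendpointbuilder, and a Run value with a system-binary
lookalike name whose data lives under AppData\\Local\\Temp.
"""
import re

# Constructed events modelled on the report's process tree. Field names follow
# Sysmon's ProcessCreate event; the records, and PIDs 4700/5001/6002/6003 and
# the parent PIDs for WMIC.exe and reg.exe, are made up for the example.
EVENTS = [
    {"pid": 2368, "ppid": 1332, "image": r"C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe" 8 LAN'},
    {"pid": 3752, "ppid": 2368, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": r'icacls "C:\*" /grant Everyone:F /T /C /Q'},
    {"pid": 1656, "ppid": 4592, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmd": "WMIC.exe shadowcopy delet"},
    {"pid": 4552, "ppid": 2368, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop "samss" /y'},
    {"pid": 5001, "ppid": 4700, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmd": r'REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
            r'/v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe" /f /reg:64'},
    # Benign administrative activity that must not fire.
    {"pid": 6002, "ppid": 900, "image": r"C:\Windows\System32\icacls.exe",
     "cmd": r'icacls "C:\inetpub\logs" /grant "IIS_IUSRS:(OI)(CI)R"'},
    {"pid": 6003, "ppid": 900, "image": r"C:\Windows\System32\net.exe",
     "cmd": "net stop spooler"},
]

RULES = [
    # Recursive Everyone:F grant anchored at a drive root, not at an arbitrary folder.
    ("icacls_everyone_full_drive_root",
     re.compile(r'icacls\s+"?[a-z]:\\\*"?\s+.*?/grant\s+everyone:f\b.*?/t\b', re.I)),
    # Prefix match: the report shows the verb truncated to "delet".
    ("wmic_shadowcopy_delete",
     re.compile(r'wmic(?:\.exe)?"?\s+shadowcopy\s+delet', re.I)),
    ("net_stop_ryuk_services",
     re.compile(r'net(?:1)?(?:\.exe)?"?\s+stop\s+"?(samss|audioendpointbuilder)"?', re.I)),
    # Run value named after a system binary whose data points under AppData\Local\Temp.
    ("run_key_to_temp_with_lookalike_name",
     re.compile(r'reg\s+add\s+"?hk(?:ey_current_user|cu)\\software\\microsoft\\windows'
                r'\\currentversion\\run"?.*?/v\s+"?(svchos|svchost|csrss|lsass)\w*"?'
                r'.*?/d\s+"?[^"]*\\appdata\\local\\temp\\', re.I)),
]


def match_rules(cmd):
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def evaluate(events):
    """Return [(pid, [rule names])] for each event that hits at least one rule."""
    hits = []
    for ev in events:
        names = match_rules(ev["cmd"])
        if names:
            hits.append((ev["pid"], names))
    return hits


def is_wow64_child_of_temp(events, pid):
    """True when pid runs from SysWOW64 and its parent image lives under a Temp directory.

    Context check taken from the tree: every helper was the 32-bit SysWOW64 copy
    because the 32-bit sample, running from Temp, launched it.
    """
    by_pid = {ev["pid"]: ev for ev in events}
    ev = by_pid.get(pid)
    parent = by_pid.get(ev["ppid"]) if ev else None
    if not ev or not parent:
        return False
    return ("\\syswow64\\" in ev["image"].lower()
            and "\\appdata\\local\\temp\\" in parent["image"].lower())


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS):
        ctx = "wow64 helper launched from Temp" if is_wow64_child_of_temp(EVENTS, pid) else ""
        print(pid, names, ctx)
```

The rules deliberately key on the destructive verbs and their targets rather than on the file name yeFcpTq.exe, which is random per run, or on the sample hash, which changes with every build; the Temp-parent check is a second, independent signal that survives renaming of the helpers' command lines.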
Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
  MD5     93a5aadeec082ffc1bca5aa27af70f52
  SHA1    47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
  SHA256  a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
  SHA512  df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45
  A CryptoAPI RSA machine key container. Its appearance among the written files is consistent with the sample using the Windows CryptoAPI for its key handling; the container itself is not the ransomware's key material and is not useful for recovery.

RyukReadMe.html, written with identical content to three locations:
  C:\RyukReadMe.html
  C:\Users\RyukReadMe.html
  C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
  MD5     c41739852bd55bc696f12de5b67f888b
  SHA1    bccf16bbd0a27888c11e4db5c0dc0da409935739
  SHA256  ef2073974f87e4972ab1c6daaefe3e881fc201c1cc4eed4dc037259454e8e5d9
  SHA512  f9141c917641a77ea41bf6c52a4301d807fbeb0f511213b6dbc8ef26fc9b2d1d28d92c792c72155e3b38035beed6eee989178ff7cff76975264c08aec0e35187

C:\Users\Admin\AppData\Local\Temp\yeFcpTq.exe
  MD5     35fb90e465df48871ee78df492fe22de
  SHA1    ddfba2e525968f6aedf050613f32b124b13f776a
  SHA256  b6a77965f94dfc6f0ed0a3465e8d17e998328a9659ef860fbe2396bb0014f8a2
  SHA512  60511d000df87164627fb6053049e82be0833e60a8b8a7ae30e93084e4293e250f1a7b2a4eaf3d875408a304e845ae548ff2cd68d6f604090cdc5be3d168d5f7
  Byte-identical to the submitted sample (all four hashes match the General section): the sample copies itself under a random name in Temp and launches that copy, rather than dropping a separate second-stage payload. The file name is therefore not a useful indicator; the hashes are.