Analysis

max time kernel: 118s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 10:28

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-05-15_759444e3c79e8f7662457b4bd662feb0_gazer_ryuk.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 2024-05-15_759444e3c79e8f7662457b4bd662feb0_gazer_ryuk.exe
  Resource: win10v2004-20240508-en
General

Target: 2024-05-15_759444e3c79e8f7662457b4bd662feb0_gazer_ryuk.exe
Size: 6.1MB
MD5: 759444e3c79e8f7662457b4bd662feb0
SHA1: c966bcfe7f2704c3507c56b8336ea4d0878b1123
SHA256: f17ee95e3e9843832c7e27a03dac5db605bcb1624d885005287ee900834491b2
SHA512: 0901aaf04b352c7a001eed1da343caf17d96559518111d91d0fce4c3b3cbc736a3b8203907b6790085344bfa4a34c3da698d18beed5334467dec4231ef5aba1e
SSDEEP: 49152:mkB988jwQmEcgxFF7q22WJxdyKv8ySStzKb/3k2OSaLCvE55pCx2WampGjnRzNvo:VFNdPSSE/AL5pCx2HmpGjnRzNv3
Malware Config

Extracted from: \Device\HarddiskVolume1\HOW TO BACK FILES.txt
Family: targetcompany
URLs:
  http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin
  http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
Signatures

TargetCompany, Mallox
TargetCompany (aka Mallox) is ransomware that encrypts files using a combination of ChaCha20, AES-128 and Curve25519; it was first seen in June 2021.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
pid   process
2556  bcdedit.exe
2572  bcdedit.exe
Renames multiple (7269) files with added filename extension
This suggests ransomware activity: the files on the system are being encrypted and renamed in bulk.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)
process: 2024-05-15_759444e3c79e8f7662457b4bd662feb0_gazer_ryuk.exe (all 24 entries)
ioc: \??\A: \??\B: \??\D: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 4: api.ipify.org
Drops file in Program Files directory (64 IoCs)
process: 2024-05-15_759444e3c79e8f7662457b4bd662feb0_gazer_ryuk.exe (all 64 entries)
description  ioc
created      C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\HOW TO BACK FILES.txt
modified     C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\HOW TO BACK FILES.txt
modified     C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar
modified     C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48F.GIF
created      C:\Program Files\VideoLAN\VLC\locale\ff\HOW TO BACK FILES.txt
modified     C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml
modified     C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FINCL_01.MID
modified     C:\Program Files\Reference Assemblies\Microsoft\Framework\HOW TO BACK FILES.txt
modified     C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba
modified     C:\Program Files\Java\jre7\lib\zi\America\Tijuana
modified     C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR18F.GIF
modified     C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityReport.Dotx
modified     C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml
modified     C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar
modified     C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml
modified     C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099199.GIF
modified     C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html
modified     C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\WHOOSH.WAV
modified     C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png
modified     C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayman
modified     C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar
modified     C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html
modified     C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml
modified     C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105234.WMF
modified     C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HOW TO BACK FILES.txt
modified     C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01368_.WMF
modified     C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME45.CSS
modified     C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\ANALYS32.XLL
modified     C:\Program Files (x86)\Microsoft Office\Office14\MSPPT.OLB
modified     C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar
modified     C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml
modified     C:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui
modified     C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.HXS
modified     C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png
modified     C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv
modified     C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC
modified     C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153265.WMF
modified     C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185798.WMF
modified     C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXC
created      C:\Program Files\Java\jdk1.7.0_80\jre\HOW TO BACK FILES.txt
modified     C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar
modified     C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-print.xml_hidden
modified     C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf
modified     C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107138.WMF
modified     C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT
modified     C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.XML
modified     C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE
modified     C:\Program Files\Java\jre7\bin\server\Xusage.txt
modified     C:\Program Files\Windows Journal\es-ES\MSPVWCTL.DLL.mui
modified     C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00015_.WMF
modified     C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18203_.WMF
modified     C:\Program Files (x86)\Windows Media Player\fr-FR\setup_wm.exe.mui
modified     C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Ojinaga
modified     C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar
modified     C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Default.dotx
modified     C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF
modified     C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF
modified     C:\Program Files\Windows Journal\it-IT\JNTFiltr.dll.mui
modified     C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB
modified     C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152560.WMF
modified     C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt
modified     C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0250504.WMF
modified     C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml
modified     C:\Program Files\VideoLAN\VLC\locale\mai\HOW TO BACK FILES.txt
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   process
2100  2024-05-15_759444e3c79e8f7662457b4bd662feb0_gazer_ryuk.exe
2100  2024-05-15_759444e3c79e8f7662457b4bd662feb0_gazer_ryuk.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid 2100 (2024-05-15_759444e3c79e8f7662457b4bd662feb0_gazer_ryuk.exe) for every entry. One entry is Token: SeDebugPrivilege; every other listed entry is Token: SeTakeOwnershipPrivilege, repeated once per adjustment.
Suspicious use of WriteProcessMemory (12 IoCs)
Each row appears three times in the raw listing.
pid   wrote to memory of   process                                                     procid_target
2100  2464                 2024-05-15_759444e3c79e8f7662457b4bd662feb0_gazer_ryuk.exe  28
2100  3068                 2024-05-15_759444e3c79e8f7662457b4bd662feb0_gazer_ryuk.exe  30
2464  2556                 cmd.exe                                                     33
3068  2572                 cmd.exe                                                     32
System policy modification (1 TTP, 1 IoC)
description: Set value (int)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"
process: 2024-05-15_759444e3c79e8f7662457b4bd662feb0_gazer_ryuk.exe
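The drive-enumeration, mass-rename and ransom-note signatures above are threshold heuristics over file activity: one process touching many drive roots, renaming many files to their old name plus a new suffix, and creating the same note in many directories. The block below is an added example, not code from the sandbox or from the malware, that implements those three heuristics in Python over a constructed event list of (pid, operation, path, new_path) tuples. The pid, the \??\X: drive-root form, the note name HOW TO BACK FILES.txt and two of the note directories are taken from this report; the ".locked" suffix, the document names and the benign control process (pid 4100) are constructed, since the report states that 7269 files were renamed with an added extension but not which extension.

```python
"""File-activity heuristics for the behaviours this report flags.

Added example, not the sandbox's or the malware's code. EVENTS is constructed
to mirror the report (pid 2100); ".locked" is a placeholder suffix because the
report does not name the real one. Paths are NT/Windows style, handled with
ntpath so this runs on any OS.
"""
from collections import Counter, defaultdict
import ntpath
import re

# NT device path of a drive root as the report prints it, e.g. \??\B:
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):\\?$")


def drive_roots_opened(events):
    """Map pid -> set of drive letters whose root directory it opened."""
    roots = defaultdict(set)
    for pid, op, path, _new in events:
        m = DRIVE_ROOT.match(path)
        if op == "open" and m:
            roots[pid].add(m.group(1).upper())
    return roots


def appended_extensions(events):
    """Map pid -> Counter of suffixes it appended by rename (new == old + '.ext').

    Renames that change the name in any other way are ignored, so ordinary
    'foo.tmp' -> 'foo.exe' style renames do not count.
    """
    suffixes = defaultdict(Counter)
    for pid, op, path, new in events:
        if op == "rename" and new and new.lower().startswith(path.lower() + "."):
            suffixes[pid][new[len(path):]] += 1
    return suffixes


def ransom_note_dirs(events, note_name="HOW TO BACK FILES.txt"):
    """Map pid -> set of directories in which it created the ransom note."""
    dirs = defaultdict(set)
    for pid, op, path, _new in events:
        if op == "create" and ntpath.basename(path).lower() == note_name.lower():
            dirs[pid].add(ntpath.dirname(path).lower())
    return dirs


def assess(events, min_drives=3, min_renames=5, min_note_dirs=2):
    """Return {pid: [reasons]} for every process that crosses a threshold."""
    roots = drive_roots_opened(events)
    exts = appended_extensions(events)
    notes = ransom_note_dirs(events)
    verdict = {}
    for pid in set(roots) | set(exts) | set(notes):
        reasons = []
        if len(roots.get(pid, ())) >= min_drives:
            reasons.append("opened %d drive roots" % len(roots[pid]))
        top = exts.get(pid, Counter()).most_common(1)
        if top and top[0][1] >= min_renames:
            reasons.append("renamed %d files with appended %s" % (top[0][1], top[0][0]))
        if len(notes.get(pid, ())) >= min_note_dirs:
            reasons.append("dropped ransom note in %d directories" % len(notes[pid]))
        if reasons:
            verdict[pid] = reasons
    return verdict


# Constructed events: (pid, operation, path, new_path).
S = 2100                                  # the sample's pid in this report
DOCS = r"C:\Users\Admin\Documents"        # constructed victim directory
EVENTS = [(S, "open", r"\??\%s:" % d, None) for d in "ABDEG"]
EVENTS += [(S, "rename", r"%s\%s" % (DOCS, f), r"%s\%s.locked" % (DOCS, f))
           for f in ("report.docx", "budget.xlsx", "photo.jpg",
                     "notes.txt", "db.sqlite", "deck.pptx")]
EVENTS += [(S, "create", r"%s\HOW TO BACK FILES.txt" % d, None)
           for d in (DOCS,
                     r"C:\Program Files\Java\jdk1.7.0_80\jre",
                     r"C:\Program Files\VideoLAN\VLC\locale\ff")]
# Benign control (constructed): a normal process opens two roots and renames
# one download; none of the thresholds should fire for it.
EVENTS += [
    (4100, "open", r"\??\C:", None),
    (4100, "open", r"\??\D:", None),
    (4100, "rename", r"C:\Users\Admin\Downloads\setup.tmp",
     r"C:\Users\Admin\Downloads\setup.exe"),
    (4100, "create", r"C:\Users\Admin\Downloads\readme.txt", None),
]

if __name__ == "__main__":
    for pid, reasons in assess(EVENTS).items():
        print(pid, "; ".join(reasons))
```

The thresholds are deliberately low so the constructed data trips all three; on a real host the rename and note-directory counts from this report (7269 renames, notes in dozens of directories) sit far above anything a legitimate process does, so a tight time window rather than a higher count is the usual tuning knob.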
Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-15_759444e3c79e8f7662457b4bd662feb0_gazer_ryuk.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-15_759444e3c79e8f7662457b4bd662feb0_gazer_ryuk.exe"
  PID: 2100
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    PID: 2464
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
      PID: 2556
      - Modifies boot configuration data using bcdedit

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    PID: 3068
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set {current} recoveryenabled no
      PID: 2572
      - Modifies boot configuration data using bcdedit
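The process tree shows the two bcdedit commands being launched through cmd.exe from the sample (pid 2100), and the signatures record the same process setting the shutdownwithoutlogon policy to 0. What a detection engineer wants from this is not three isolated hits but one finding attributed to the process at the top of the parent chain. The block below is an added example, not code from the sandbox or from the malware, that does that over constructed process-creation and registry-set events. The PIDs, command lines, image names and registry path are taken from this report; the Event schema (kind, pid, image, cmdline, ppid, target, value) is a simplified Sysmon-like layout assumed for the example, and the bcdedit /enum control process (pids 3999/4000) is constructed.

```python
"""Recovery-inhibition detection with parent-chain attribution.

Added example, not the sandbox's or the malware's code. EVENTS is constructed
from this report's process tree and registry IoC; the field layout is an
assumed Sysmon-like schema, not any vendor's exact format.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    kind: str                  # "process" (creation) or "registry" (value set)
    pid: int
    image: str
    cmdline: str = ""
    ppid: Optional[int] = None
    target: str = ""           # registry value path for "registry" events
    value: str = ""


# bcdedit arguments this sample used to switch off Windows recovery handling.
BCDEDIT_PATTERNS = {
    "recoveryenabled_no": re.compile(r"\brecoveryenabled\s+no\b", re.I),
    "bootstatuspolicy_ignoreallfailures":
        re.compile(r"\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}
# Registry value the report shows being set to 0 (compared case-insensitively).
POLICY_VALUE = r"\policies\system\shutdownwithoutlogon"


def ancestry(pid, procs):
    """[pid, parent, grandparent, ...] as far as the process events allow.

    Stops at an unknown parent or on a cycle, so a missing root does not loop.
    """
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid].ppid
    return chain


def detect(events):
    """Return one finding per matching event, attributed to its origin process."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    findings = []
    for e in events:
        rule = None
        if e.kind == "process" and e.image.lower().endswith("bcdedit.exe"):
            for name, pat in BCDEDIT_PATTERNS.items():
                if pat.search(e.cmdline):
                    rule = "bcdedit_" + name
        elif (e.kind == "registry" and e.target.lower().endswith(POLICY_VALUE)
              and e.value == "0"):
            rule = "shutdownwithoutlogon_disabled"
        if rule:
            chain = ancestry(e.pid, procs)
            origin = chain[-1] if chain else e.pid
            findings.append({
                "rule": rule,
                "pid": e.pid,
                "chain": chain,
                "origin_pid": origin,
                "origin_image": procs[origin].image if origin in procs else "?",
            })
    return findings


def by_origin(findings):
    """origin pid -> set of rules it triggered directly or through children."""
    out = {}
    for f in findings:
        out.setdefault(f["origin_pid"], set()).add(f["rule"])
    return out


SAMPLE = "2024-05-15_759444e3c79e8f7662457b4bd662feb0_gazer_ryuk.exe"
EVENTS = [
    Event("process", 2100, SAMPLE,
          '"C:\\Users\\Admin\\AppData\\Local\\Temp\\%s"' % SAMPLE),
    Event("process", 2464, "cmd.exe",
          '"C:\\Windows\\System32\\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures',
          ppid=2100),
    Event("process", 2556, "bcdedit.exe",
          "bcdedit /set {current} bootstatuspolicy ignoreallfailures", ppid=2464),
    Event("process", 3068, "cmd.exe",
          '"C:\\Windows\\System32\\cmd.exe" /c bcdedit /set {current} recoveryenabled no',
          ppid=2100),
    Event("process", 2572, "bcdedit.exe",
          "bcdedit /set {current} recoveryenabled no", ppid=3068),
    Event("registry", 2100, SAMPLE,
          target=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon",
          value="0"),
    # Constructed control: an administrator listing the boot store must not fire.
    Event("process", 3999, "cmd.exe", "cmd.exe", ppid=1),
    Event("process", 4000, "bcdedit.exe", "bcdedit /enum", ppid=3999),
]

if __name__ == "__main__":
    for origin, rules in by_origin(detect(EVENTS)).items():
        print(origin, sorted(rules))
```

Matching on the bcdedit.exe process itself rather than on the cmd.exe command line avoids double counting the same command, and walking ppid up to the root is what lets a single alert name the ransomware binary instead of cmd.exe; the control rows show that bcdedit on its own is not the signal.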
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 2dcd12f3228568e6b089e4283f1d9ead
SHA1: 3fa2f8e1eabaf32d0ed401a2330d11b7fd08af60
SHA256: f9de69792ee366a7a27760fce4bae7b9b0018fa094f1ffb2bb90550c6c16a154
SHA512: ba0f974a0191d94769910ce9c9bc0b353b2017a6539c91dafa332fc78d39fea547aa240a53698bae23bf0763e7ac0d399b1692592fa9f7566013b17c07044c7b