ryuk | 0d1a109933d886cceebfed38ae78acbd792dfba3e116ffb6e867f58fb4c592d0

General

Target

plant-mood.exe
Size

154KB
MD5

331e0f8acc9e862fc88c5d3c3a692451
SHA1

1154b6d321781cae818ca565eff78725189b29e2
SHA256

0d1a109933d886cceebfed38ae78acbd792dfba3e116ffb6e867f58fb4c592d0
SHA512

c55cfe084291a2dab7fa5d3f6194983447e0601ffd27e2311346672f6f34f792fa63c9584f9fbb9be1b4c81ca76d8c827cc47297e6e3197deef34ab20f451e1a

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 1E4fQqzCvS8wgqy5T7n1DW8JMNMaUbeFAS Ryuk No system is safe

Emails

[email protected]

Wallets

1E4fQqzCvS8wgqy5T7n1DW8JMNMaUbeFAS

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops file in Drivers directory 64 IoCs

Processes:

taskhost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\arcsas.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\isapnp.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\HdAudio.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\modem.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\lsi_fc.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\Rtnic64.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\watchdog.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\vhdmp.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\smclib.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\tunnel.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\amdide.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\tape.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\vwifimp.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\winhv.sys	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\bowser.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\battc.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\mstee.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\pciidex.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\iaStorV.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\mpio.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\partmgr.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\fs_rec.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\smb.sys	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\CompositeBus.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pci.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\NV_AGP.SYS.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\mrxsmb20.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\PEAuth.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\beep.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\ipnat.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\sffdisk.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\fvevol.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\rdpdr.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\fdc.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\wanarp.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\WdfLdr.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\fileinfo.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\volmgrx.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\usbccgp.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ndisuio.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tunnel.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\msrpc.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\serenum.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\wacompen.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\amdsata.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ndis.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\hidusb.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\mup.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\swenum.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\vga.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\GAGP30KX.SYS.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tpm.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\RDPCDD.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\pcw.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\usbd.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\b57nd60a.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\cmdide.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mssmbios.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ipnat.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\vwifibus.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\http.sys	taskhost.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhost.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RestartDeny.tif => C:\Users\Admin\Pictures\RestartDeny.tif.RYK	taskhost.exe
File renamed	C:\Users\Admin\Pictures\WatchMove.png => C:\Users\Admin\Pictures\WatchMove.png.RYK	taskhost.exe

Drops startup file 1 IoCs

Processes:

taskhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt	taskhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\plant-mood.exe"	reg.exe

Drops file in System32 directory 64 IoCs

Processes:

taskhost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\C_775.NLS	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\brmfcwia.PNF	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\Amd64\BRD9040N.GPD	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc4100t.gpd	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\winusb.inf_amd64_neutral_6cb50ae9f480775b\winusb.PNF	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wsdprint.inf_amd64_neutral_f91980f20f3112ed\WSDPrint.sys	taskhost.exe
File opened for modification	C:\Windows\System32\spool\tools\Microsoft XPS Document Writer\prnms001.inf	taskhost.exe
File opened for modification	C:\Windows\System32\spp\tokens\ppdlic\OMD-API-ppdlic.xrm-ms	taskhost.exe
File opened for modification	C:\Windows\System32\pegi-pt.rs	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Wired-Network-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB123456_client~31bf3856ad364e35~amd64~en-US~7.2.7601.16406.cat	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph3xibc8.inf_amd64_neutral_c93e7023ef90e637\ph3xibc8.PNF	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNB7TMAA.ICM	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpzpaw72.vdf	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr003.inf_amd64_neutral_c07c33bfb5764bdb\Amd64\NRC420D6.GPD	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\SHK1N002.GPD	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\C_500.NLS	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\config\RegBack\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Management-Protocols-Package-Win7~31bf3856ad364e35~amd64~~7.2.7601.16406.cat	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\netvwifibus.inf_loc	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmlucnt.inf_amd64_neutral_642a5ab3f2a1ae20\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnova.inf_amd64_neutral_b52d8db82d8c3be9\mdmnova.PNF	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LAMPC303.PPD	taskhost.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-IIS-ManagementConsole-Deployment-DL.man	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00c.inf_amd64_neutral_79ebe29715d2fa47\Amd64\LXC544.PPD	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\RAF21753.PPD	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\RI1401E3.PPD	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\diskcomp.com	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\wbem\mstscax.mof	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-Professional-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	taskhost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnep00d.inf_loc	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVPA0.GPD	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\Amd64\RIA7000.GPD	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\wbem\portabledevicewmdrm.mof	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\KYUD51EP.GDL	taskhost.exe
File opened for modification	C:\Windows\System32\ShiftJIS.uce	taskhost.exe
File opened for modification	C:\Windows\System32\wdi\perftrack\Wlansvc.ptxml	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\C_858.NLS	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\msdxm.tlb	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\wdi\perftrack\wdc.events.ptxml	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-CommandLineTools-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_neutral_b4e8ccc6ba210e97\SiSG664.sys	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\Amd64\CNBCOL1.GPD	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\prngt002.PNF	taskhost.exe
File opened for modification	C:\Windows\System32\spp\tokens\ppdlic\msmpeg2enc-ppdlic.xrm-ms	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\en-US\msgsm32.acm.mui	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\amdsbs.inf_amd64_neutral_5cae6933bef20aa8\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\prnkm005.cat	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\Amd64\KYK3225E.PPD	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\Amd64\RIA3350B.GPD	taskhost.exe
File opened for modification	C:\Windows\System32\LogFiles\Fax\Outgoing\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\secpol.msc	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\Ultimate\license.rtf	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph3xibc9.inf_amd64_neutral_ff3a566e4b6ba035\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\en-US\WinSyncMetastore.rll.mui	taskhost.exe
File opened for modification	C:\Windows\System32\vidcap.ax	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igkrng400.bin	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmmct.inf_amd64_neutral_15bb3ed734fbbeb3\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd2400t.xml	taskhost.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\en-US\MSFT_ServiceResource.schema.mfl	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnok002.inf_amd64_neutral_616c1e9b7df7d5a9\Amd64\OKDTUVER.GPD	taskhost.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\meta-index	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04267_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0230876.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\PublicFunctions.js	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18228_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Media.accdt	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left.gif	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	taskhost.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01701_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21340_.GIF	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18189_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm.api	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01174_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02431_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10337_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME03.CSS	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RESENDS.ICO	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYVERTBB.DPV	taskhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_F_COL.HXK	taskhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\cpu.css	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS.DPV	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Macquarie	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-visual.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00167_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana.css	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALNDR98.POC	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BORDERBB.POC	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06200_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00345_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02233_.WMF	taskhost.exe

Drops file in Windows directory 64 IoCs

Processes:

taskhost.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\GAC_MSIL\SrpUxSnapIn\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Fonts\ega40857.fon	taskhost.exe
File opened for modification	C:\Windows\IME\IMEJP10\help\IMJPTU.CHM	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\addUser.aspx.resx	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..splay-cpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9990bf7a1f2c0234\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..nent-sku-enterprise_31bf3856ad364e35_6.1.7601.17514_none_a381bd793c2342fb\Security-SPP-Component-SKU-Enterprise-VL-DMAK1-ul-oob.xrm-ms	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\msil_microsoft.managemen..structure.resources_31bf3856ad364e35_7.2.7601.23317_en-us_f7295e77db1c9c93.manifest	taskhost.exe
File opened for modification	C:\Windows\winsxs\msil_policy.1.0.microsoft.powershell.security_31bf3856ad364e35_7.2.7601.16406_none_3ad34267b1955923\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-xpsreachviewer_31bf3856ad364e35_6.1.7600.16385_none_7b64ef799c494a30\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_nete1g3e.inf_31bf3856ad364e35_6.1.7600.16385_none_04871f8f4b13ca44\E1G6032E.sys	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_6.1.7600.16385_none_af18775c5e06e5e2\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\FileMaps\programdata_microsoft_identitycrl_9ceb7e1568e6c6e7.cdf-ms	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_th-th_d3425786c0003660.manifest	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-s..cardgames.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cece0ab660493710.manifest	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Design\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Fonts\smalle.fon	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dfs-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4370608a2e5481d2\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3f3bc9163ae8cff9.manifest	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_7.1.7601.16492_ru-ru_693ce33a84090e48.manifest	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-s..oyment-languagepack_31bf3856ad364e35_6.1.7600.16385_en-us_fa5e4dffe1e88db4.manifest	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_uk-ua_822601d686410c28.manifest	taskhost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-f..-truetype-cordiaupc_31bf3856ad364e35_6.1.7600.16385_none_d5acc06207f06a2e\cordiau.ttf	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_mdmnis3t.inf_31bf3856ad364e35_6.1.7600.16385_none_1a28a36619b5178f.manifest	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-help-iisbasic_31bf3856ad364e35_6.1.7600.16385_none_9cc3e73209d48b56.manifest	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-shell-aclui-all_31bf3856ad364e35_6.1.7600.16385_none_b30697452480be02.manifest	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_windowssearchenginesku_31bf3856ad364e35_7.0.7601.17514_none_538773a9750edb75.manifest	taskhost.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-crtdll_31bf3856ad364e35_6.1.7600.16385_none_e1ab47a4ec02b636\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\TS_DisabledInCPL.ps1	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_609ebaed9a394a1c\RPC-Remote-DL.man	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..r-tlntsvr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ae3d0be2b1c4024c\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-packager_31bf3856ad364e35_6.1.7600.16385_none_ede664a73211b389.manifest	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-s..-binaries.resources_31bf3856ad364e35_6.1.7601.17514_hr-hr_3ff10ccd9e176890.manifest	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f#\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft.powershell.dsc.resources_31bf3856ad364e35_7.2.7601.16406_en-us_dbe421fd23c5b945\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..onal-codepage-20420_31bf3856ad364e35_6.1.7600.16385_none_ae7b823affac3dab.manifest	taskhost.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00000426_31bf3856ad364e35_6.1.7600.16385_none_4fc3369ab0dccc11\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-cdosys.resources_31bf3856ad364e35_6.1.7601.17514_nl-nl_777cc1b961978f4c\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..mework-msctfmonitor_31bf3856ad364e35_6.1.7600.16385_none_e1310860626a47c0\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_prnkm003.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cb8ef5dc9e750493\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_system32_windowspowershell_v1.0_modules_ise_36c97e60b9fed45d.cdf-ms	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-foundation_31bf3856ad364e35_6.1.7601.17514_none_3e8cb52f886c2db2.manifest	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-errorreportingui_31bf3856ad364e35_6.1.7600.16385_none_ce3b80c0636ae33d.manifest	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-msac3enc_31bf3856ad364e35_6.1.7601.17514_none_a6e637e4d9e690e8.manifest	taskhost.exe
File opened for modification	C:\Windows\inf\ASP.NET\0006\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\inf\faxcn001.PNF	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.rsp	taskhost.exe
File opened for modification	C:\Windows\rescache\rc0002\ResCache.dir	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-c..r-name-ui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1557453db6f36a14\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-usertiles_31bf3856ad364e35_6.1.7600.16385_none_f385bacaa98d1e8b\usertile44.bmp	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_netfx-aspnet_webadmin_users_b03f5f7f11d50a3a_6.1.7600.16385_none_be918bff95b9bbc5.manifest	taskhost.exe
File opened for modification	C:\Windows\Media\Heritage\Windows Balloon.wav	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Windows Navigation Start.wav	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft.powershel..nprovider.resources_31bf3856ad364e35_7.2.7601.16406_en-us_687db4ecf4ad0e25\MSFT_DSCMetaConfiguration.mfl	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_prnlx003.inf_31bf3856ad364e35_6.1.7600.16385_none_482c1e14df350b67\Amd64\LME238.GPD	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\84b83e7639310b35b5ce150df62a2843\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Fonts\INFROMAN.TTF	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-netvwifi.resources_31bf3856ad364e35_6.1.7600.16385_en-us_092802985125319e\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_netl160a.inf_31bf3856ad364e35_6.1.7600.16385_none_acf1ae130af9b0ab\l160x64.sys	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_prnnr004.inf_31bf3856ad364e35_6.1.7600.16385_none_ba2d2131f8a32d84\Amd64\NR1403E3.PPD	taskhost.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_microsoft.net_framework64_v3.0_wpf_xamlviewer_2a5223adddc9e767.cdf-ms	taskhost.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-a..ionrecord.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6f10e1dcdb94c3d8.manifest	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.Resources\6.1.0.0_en_31bf3856ad364e35\RyukReadMe.txt	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

37708 1212 WerFault.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

plant-mood.exeWerFault.exe

pid process

1028 plant-mood.exe
37708 WerFault.exe
37708 WerFault.exe
37708 WerFault.exe
37708 WerFault.exe
37708 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

plant-mood.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1028 plant-mood.exe
Token: SeDebugPrivilege 37708 WerFault.exe

pid	pid_target	process	target process
37708	1212	WerFault.exe

pid	process
1028	plant-mood.exe
37708	WerFault.exe
37708	WerFault.exe
37708	WerFault.exe
37708	WerFault.exe
37708	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1028	plant-mood.exe
Token: SeDebugPrivilege	37708	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

plant-mood.execmd.exe

description	pid	process	target process
PID 1028 wrote to memory of 1248	1028	plant-mood.exe	cmd.exe
PID 1028 wrote to memory of 1248	1028	plant-mood.exe	cmd.exe
PID 1028 wrote to memory of 1248	1028	plant-mood.exe	cmd.exe
PID 1028 wrote to memory of 1116	1028	plant-mood.exe	taskhost.exe
PID 1028 wrote to memory of 1168	1028	plant-mood.exe	Dwm.exe
PID 1248 wrote to memory of 1732	1248	cmd.exe	reg.exe
PID 1248 wrote to memory of 1732	1248	cmd.exe	reg.exe
PID 1248 wrote to memory of 1732	1248	cmd.exe	reg.exe
PID 1028 wrote to memory of 1248	1028	plant-mood.exe	cmd.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1116

C:\Users\Admin\AppData\Local\Temp\plant-mood.exe
"C:\Users\Admin\AppData\Local\Temp\plant-mood.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\plant-mood.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\plant-mood.exe" /f
3⤵
- Adds Run key to start application
PID:1732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1212 -s 2016
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:37708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1028-60-0x000007FEFC381000-0x000007FEFC383000-memory.dmp

Filesize
8KB

Download
memory/1116-62-0x000000013F360000-0x000000013F6EA000-memory.dmp

Filesize
3.5MB

Download
memory/1248-61-0x0000000000000000-mapping.dmp

Download
memory/1732-63-0x0000000000000000-mapping.dmp

Download
memory/37708-67-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads