ryuk | 52553630f01c9bedda6fb049aa37e9e1cd60c554fe81b04a1f22ec6b3c5747df

Analysis

max time kernel
270s
max time network
70s
platform
windows7_x64
resource
win7v20210408
submitted
27-04-2021 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

annoyed-boat.exe
Size

152KB
MD5

a36bf238e31af66bcc79ea8c774e0098
SHA1

512d84fb8d7197a369f021e45adbaee88fcda158
SHA256

52553630f01c9bedda6fb049aa37e9e1cd60c554fe81b04a1f22ec6b3c5747df
SHA512

00b5b8f9823ab63b153780ad3cc7d0569e39aeb2d48bee15a7a6d68a3358ec345f9065a63106f5401c64aec8580e4801131b55258ade9dec2d826d1781a5d37a

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 1FRNVupsCyTjUvF36GxHZrvLaPtY6hgkTm Ryuk No system is safe

Emails

[email protected]

Wallets

1FRNVupsCyTjUvF36GxHZrvLaPtY6hgkTm

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\serial.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\wimmount.sys	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\dmvsc.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\parport.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\hdaudbus.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\usbccgp.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\tdx.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\hcw85cir.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\MegaSR.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\NV_AGP.SYS.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\msdsm.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\mcd.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\msahci.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\Wdf01000.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\crashdmp.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\cdfs.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\hidusb.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\viaide.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\vsmraid.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\nwifi.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\disk.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\tdpipe.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\udfs.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\ULIAGPKX.SYS	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\sisraid2.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\usbhub.sys	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\MTConfig.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\mountmgr.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\videoprt.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\bowser.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\beep.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\adpahci.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\acpipmi.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\mouhid.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\rdyboost.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\Diskdump.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\battc.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\IPMIDrv.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\serenum.sys	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\BrParwdm.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\rdpwd.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\pacer.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\intelppm.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\fltMgr.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\umbus.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\sffp_sd.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\watchdog.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\amdk8.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tcpip.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\scfilter.sys.mui	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\kbdhid.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\sffdisk.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\usbrpm.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\agilevpn.sys	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\nwifi.sys	taskhost.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\NewFind.raw => C:\Users\Admin\Pictures\NewFind.raw.RYK	taskhost.exe
File renamed	C:\Users\Admin\Pictures\RenameLimit.tif => C:\Users\Admin\Pictures\RenameLimit.tif.RYK	taskhost.exe
File renamed	C:\Users\Admin\Pictures\RedoImport.crw => C:\Users\Admin\Pictures\RedoImport.crw.RYK	taskhost.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt	taskhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\annoyed-boat.exe"	reg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LN1393E3.PPD	taskhost.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IIS-WindowsAuthentication-Deployment-DL.man	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_neutral_4b99fffee061ff26\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\Amd64\KYPS9130.GDL	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\Amd64\KYFS8100.GPD	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wpdcomp.inf_amd64_neutral_11bbf54c8508434e\wpdcomp.inf	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\bth.PNF	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_neutral_a2f120466549d68b\swenum.sys	taskhost.exe
File opened for modification	C:\Windows\System32\config\DEFAULT.LOG	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\wbem\umpnpmgr.mof	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\adminui-dl.man	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1332E3.PPD	taskhost.exe
File opened for modification	C:\Windows\System32\wdi\perftrack\msdt.events.ptxml	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\Amd64\EP0NCA8H.CMB	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO5H83L.GPD	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\Amd64\LR3350.GPD	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\NR9000.GPD	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiabr008.inf_amd64_neutral_27d1c9a28eac4eed\wiabr008.inf	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MediaPlayer-DVDRegistration-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Links-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StarterEdition-wrapper~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dot4.inf_amd64_neutral_b89cfac15ccb2fba\dot4.PNF	taskhost.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OfflineFiles-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ShareMedia-ControlPanel-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\RAF42153.PPD	taskhost.exe
File opened for modification	C:\Windows\System32\spool\drivers\x64\PCC\ntprint.inf_amd64_neutral_4616c3de1949be6d.cab	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\adpahci.inf_amd64_neutral_b082e95ec9f8c3f9\adpahci.PNF	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00f.inf_amd64_neutral_a5f6001b957bd7e0\Amd64\EP0NOE8C.DXT	taskhost.exe
File opened for modification	C:\Windows\System32\spool\drivers\color\D50.camp	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\en-US\imaadp32.acm.mui	taskhost.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-COM-DTC-Setup-DL\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cxfalcon_ibv64.inf_amd64_neutral_d065aec3fcf4ec4e\merlinc.rom	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\Amd64\LR2500.GPD	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\VBICodec.ax	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_neutral_407146dba80d1566\breecemc.sys	taskhost.exe
File opened for modification	C:\Windows\System32\stdole32.tlb	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\wbem\mpssvc.mof	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\inline.xsd	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd7300t.xml	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\C_20106.NLS	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\KYUD1118.GDL	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaky002.inf_amd64_neutral_b898f5982403f3cb\wiaky002.PNF	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcxhv6.inf_amd64_neutral_81ba64c5b6150dd3\VSTCNXT6.SYS	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\Amd64\KOP5650U.PPD	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\netxex64.inf_loc	taskhost.exe
File opened for modification	C:\Windows\System32\spool\drivers\x64\3\unidrv.hlp	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\Amd64\EP0NOE8F.DXT	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc005.inf_amd64_neutral_31e08a1c2f933124\Amd64\RIA9100D.GPD	taskhost.exe
File opened for modification	C:\Windows\System32\en-US\Licenses\_Default\Starter\license.rtf	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Multimedia-Package~31bf3856ad364e35~amd64~ru-RU~7.1.7601.16492.cat	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO5H83L.XML	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd1500t.exp	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\en-US\EventViewer_EventDetails.xsl	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~ar-SA~7.1.7601.16492.cat	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GSC1500.GPD	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wvmbusvideo.inf_amd64_neutral_8f9a8242d3699a44\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\pl-PL\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\Maml.xsx	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\avc.inf_amd64_neutral_3ef33c750e6308ce\avc.inf	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8500gt.xml	taskhost.exe
File opened for modification	C:\Windows\System32\imaadp32.acm	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~cs-CZ~7.1.7601.16492.cat	taskhost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Stockholm	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxerror.ico	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00350_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Sakhalin	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099196.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar	taskhost.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.bmp	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\WT61ES.LEX	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MY.XML	taskhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\common.js	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00296_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21310_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_OFF.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\PREVIEW.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00648_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215718.WMF	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveNoise.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuching	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_OFF.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\COPYRIGHT	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14656_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert.css	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\RIPPLE.INF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183174.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SessionMember.ico	taskhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR7F.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_on.gif	taskhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\localizedStrings.js	taskhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\10.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\PREVIEW.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294989.WMF	taskhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01080_.WMF	taskhost.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\sysglobl\v4.0_4.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_6.1.7600.16385_none_db04d3f548508fd9\8514fixe.fon	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ngine-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_92ae7bc7fccaab93\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Windows Exclamation.wav	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx	taskhost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-media-mp3acm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_872be93eaa9f6a40\l3codeca.acm.mui	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Windows Hardware Remove.wav	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..ional-codepage-1143_31bf3856ad364e35_6.1.7600.16385_none_7e815e4b23b4db5c\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Windows Battery Critical.wav	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-wu.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4fa470191505f690\wu.h1s	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_9ee1491f45855a27\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-opticalmediadisc-api_31bf3856ad364e35_6.1.7601.17514_none_14133f190e6d86a7\OMD-API-ppdlic.xrm-ms	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Fonts\vgasys.fon	taskhost.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~zh-HK~7.1.7601.16492.mum	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_flpydisk.inf_31bf3856ad364e35_6.1.7600.16385_none_42ff01d4942cc5ea\flpydisk.sys	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..quota-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ca7476b12667c868\DiskQuota.adml	taskhost.exe
File opened for modification	C:\Windows\diagnostics\system\Power\TS_DisplayIdleTimeout.ps1	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_eaime-traceproviders_31bf3856ad364e35_6.1.7600.16385_none_4707e1890fa7a633\eaimeapi.mof	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Windows Logon Sound.wav	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00000419_31bf3856ad364e35_6.1.7600.16385_none_46c3389a7ba0fe0a\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l2gpstore-mof_31bf3856ad364e35_6.1.7601.17514_none_9dddd1742fd9e98c\l2gpstore.mof	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-rasbase-rasl2tp_31bf3856ad364e35_6.1.7601.17514_none_f802520bfe8dd487\rasl2tp.sys	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.AddIn.Contract\2.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\IME\IMETC10\DICTS\IMTCLS.IMD	taskhost.exe
File opened for modification	C:\Windows\inf\prnrc00b.inf	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_7.1.7601.16492_pt-br_21b8020a9fb81040\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-directshow-devenum_31bf3856ad364e35_6.1.7600.16385_none_b5329db3599c7800\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_dc21x4vm.inf_31bf3856ad364e35_6.1.7600.16385_none_8a8756a57a292631\dc21x4vm.inf	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bebeb572af940bcd\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-sysprepmce_31bf3856ad364e35_6.1.7600.16385_none_392f70de8a2650e9\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..-service-mmc-snapin_31bf3856ad364e35_6.1.7600.16385_none_76a3e7136851eccf\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..istry-support-tcpip_31bf3856ad364e35_6.1.7601.17514_none_e4433b761c0c84cd\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_dot4prt.inf_31bf3856ad364e35_6.1.7601.17514_none_cb6128e5835622ff\dot4prt.inf	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\Gadget_Main_Background_QuickLaunch.png	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\greenStateIcon.png	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-snmp-mib-files_31bf3856ad364e35_6.1.7600.16385_none_6b1c9d28fd950bf2\wins.mib	taskhost.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Styles\NTSC\Symphony\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Media\Afternoon\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-credssp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_93def1b5bafe358b\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..-recopack.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8e3c8adf70a7b932\Recopack.h1s	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-netcfg_31bf3856ad364e35_6.1.7600.16385_none_6c23cd5f6b2a8dbc\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\inf\mdmcpq.PNF	taskhost.exe
File opened for modification	C:\Windows\inf\tsprint.PNF	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmcommu.inf_31bf3856ad364e35_6.1.7600.16385_none_4d3b1a3089ccc445\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..s-ime-japanese-help_31bf3856ad364e35_6.1.7600.16385_none_cdfd15e4a5a167d0\IMJPTU.CHM	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\9.png	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dynamic\ab89d3e41fb16b5f514f99804185e0c5\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-cdosys.resources_31bf3856ad364e35_6.1.7601.17514_fi-fi_5d5731ebcdd07714\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-webdings_31bf3856ad364e35_6.1.7600.16385_none_0afbb87eda82d5dd\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-powershell_31bf3856ad364e35_6.1.7601.18216_none_5b589c6dbd59342a\types.ps1xml	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_609ebaed9a394a1c\winlogon-DL.man	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-printerdiagnostic_31bf3856ad364e35_6.1.7600.16385_none_21b432d7b46a7554\DiagPackage.diagpkg	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..llercommandlinetool_31bf3856ad364e35_6.1.7600.16385_none_d0632cbfee5db937\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-ICM-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	taskhost.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~tr-TR~7.1.7601.16492.mum	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
38296	1196	WerFault.exe	12

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1304	annoyed-boat.exe
38296	WerFault.exe
38296	WerFault.exe
38296	WerFault.exe
38296	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	annoyed-boat.exe
Token: SeDebugPrivilege	38296	WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1348	1304	annoyed-boat.exe	29
PID 1304 wrote to memory of 1348	1304	annoyed-boat.exe	29
PID 1304 wrote to memory of 1348	1304	annoyed-boat.exe	29
PID 1304 wrote to memory of 1112	1304	annoyed-boat.exe	14
PID 1348 wrote to memory of 1520	1348	cmd.exe	31
PID 1348 wrote to memory of 1520	1348	cmd.exe	31
PID 1348 wrote to memory of 1520	1348	cmd.exe	31
PID 1304 wrote to memory of 1168	1304	annoyed-boat.exe	13

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1112

C:\Users\Admin\AppData\Local\Temp\annoyed-boat.exe
"C:\Users\Admin\AppData\Local\Temp\annoyed-boat.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\annoyed-boat.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\annoyed-boat.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1196 -s 1460
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:38296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-63-0x000000013FB30000-0x000000013FEB9000-memory.dmp

Filesize
3.5MB

Download
memory/1304-60-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download
memory/38296-66-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download