Analysis
-
max time kernel
85s -
max time network
93s -
platform
windows11_x64 -
resource
win11 -
submitted
20-10-2021 08:57
Static task
static1
Behavioral task
behavioral1
Sample
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
Resource
win11
General
-
Target
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
-
Size
170KB
-
MD5
1bd7d1b87c5091a9653fe8005892b784
-
SHA1
3dcf19b833266a3591fd97c93e5b9bca4ac2c21c
-
SHA256
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703
-
SHA512
4c13373a150b1e3bd12fdd9ad5c379a43e41c59ba5b6dd6982c79599839128bcbde30d7083a810d66604382f4d5aff24c22b504fdaab03f6743a7dc263d85651
Malware Config
Extracted
C:\RyukReadMe.txt
ryuk
WayneEvenson@protonmail.com
WayneEvenson@tutanota.com
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exedescription pid process target process PID 2148 created 4020 2148 WerFault.exe DllHost.exe PID 2084 created 4212 2084 WerFault.exe DllHost.exe PID 4544 created 3648 4544 WerFault.exe StartMenuExperienceHost.exe -
Sets service image path in registry 2 TTPs
-
Drops startup file 1 IoCs
Processes:
sihost.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt sihost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" reg.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe -
Drops file in Program Files directory 64 IoCs
Processes:
sihost.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL121.XML sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\ResiliencyLinks\Locales\tt.pak.DATA sihost.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ThirdPartyNotices.MSHWLatin.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\Locales\ro.pak sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\Locales\ta.pak sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\Locales\hr.pak sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\THMBNAIL.PNG sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\ResiliencyLinks\Locales\fil.pak.DATA sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.tree.dat sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\Word 2010 look.dotx sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Locales\ka.pak sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicsimple.dotx sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\POWERPNT.VisualElementsManifest.xml sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\Locales\ta.pak sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\resources.pak sihost.exe File opened for modification C:\Program Files\Common Files\System\msadc\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\20210804165427.pma sihost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ro-RO\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages.png sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\MLModels\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\ResiliencyLinks\Locales\ko.pak.DATA sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\92.0.902.62\ResiliencyLinks\Locales\tr.pak.DATA sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.ELM sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\Locales\nn.pak sihost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\pt-BR\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\THMBNAIL.PNG sihost.exe File opened for modification C:\Program Files\Microsoft Office\Updates\Download\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\92.0.902.62\EdgeWebView.dat sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYH.TTC sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\ResiliencyLinks\Locales\sl.pak.DATA sihost.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C4F2D170-24C6-49F9-B899-364F0C07846E}\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ClassicPhotoAlbum.potx sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms sihost.exe -
Drops file in Windows directory 6 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4616 4020 WerFault.exe DllHost.exe 5024 4212 WerFault.exe DllHost.exe 4000 3648 WerFault.exe StartMenuExperienceHost.exe -
Checks processor information in registry 2 TTPs 23 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exeWerFault.exeWerFault.exesvchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
WaaSMedicAgent.exeWaaSMedicAgent.exesvchost.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WaaSMedicAgent.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe -
Modifies registry class 2 IoCs
Processes:
StartMenuExperienceHost.exeRuntimeBroker.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{2C283E0C-BE51-436F-956D-6D34A45843D4} RuntimeBroker.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exeWerFault.exeWerFault.exeWerFault.exepid process 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe 5024 WerFault.exe 5024 WerFault.exe 4616 WerFault.exe 4616 WerFault.exe 4000 WerFault.exe 4000 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
svchost.exesvchost.exef130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exesvchost.exeRuntimeBroker.exeWaaSMedicAgent.exedescription pid process Token: SeSystemtimePrivilege 4956 svchost.exe Token: SeSystemtimePrivilege 4956 svchost.exe Token: SeIncBasePriorityPrivilege 4956 svchost.exe Token: SeShutdownPrivilege 4456 svchost.exe Token: SeCreatePagefilePrivilege 4456 svchost.exe Token: SeShutdownPrivilege 4456 svchost.exe Token: SeCreatePagefilePrivilege 4456 svchost.exe Token: SeShutdownPrivilege 4456 svchost.exe Token: SeCreatePagefilePrivilege 4456 svchost.exe Token: SeDebugPrivilege 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe Token: SeShutdownPrivilege 1320 svchost.exe Token: SeCreatePagefilePrivilege 1320 svchost.exe Token: SeShutdownPrivilege 3900 RuntimeBroker.exe Token: SeShutdownPrivilege 3900 RuntimeBroker.exe Token: SeTakeOwnershipPrivilege 4080 WaaSMedicAgent.exe Token: SeSecurityPrivilege 4080 WaaSMedicAgent.exe Token: SeRestorePrivilege 4080 WaaSMedicAgent.exe Token: SeBackupPrivilege 4080 WaaSMedicAgent.exe Token: SeShutdownPrivilege 4456 svchost.exe Token: SeCreatePagefilePrivilege 4456 svchost.exe Token: SeShutdownPrivilege 3900 RuntimeBroker.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
StartMenuExperienceHost.exepid process 17352 StartMenuExperienceHost.exe -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.execmd.exesvchost.exeWerFault.exeWerFault.exeWerFault.exedescription pid process target process PID 5100 wrote to memory of 1956 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe cmd.exe PID 5100 wrote to memory of 1956 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe cmd.exe PID 5100 wrote to memory of 2060 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe sihost.exe PID 1956 wrote to memory of 2400 1956 cmd.exe reg.exe PID 1956 wrote to memory of 2400 1956 cmd.exe reg.exe PID 5100 wrote to memory of 3052 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe svchost.exe PID 1320 wrote to memory of 3164 1320 svchost.exe MoUsoCoreWorker.exe PID 1320 wrote to memory of 3164 1320 svchost.exe MoUsoCoreWorker.exe PID 5100 wrote to memory of 3360 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe svchost.exe PID 5100 wrote to memory of 3636 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe SearchHost.exe PID 5100 wrote to memory of 3648 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe StartMenuExperienceHost.exe PID 5100 wrote to memory of 3744 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe RuntimeBroker.exe PID 5100 wrote to memory of 3880 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe svchost.exe PID 5100 wrote to memory of 3900 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe RuntimeBroker.exe PID 5100 wrote to memory of 4020 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe DllHost.exe PID 5100 wrote to memory of 4212 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe DllHost.exe PID 2148 wrote to memory of 4020 2148 WerFault.exe DllHost.exe PID 2148 wrote to memory of 4020 2148 WerFault.exe DllHost.exe PID 2084 wrote to memory of 4212 2084 WerFault.exe DllHost.exe PID 2084 wrote to memory of 4212 2084 WerFault.exe DllHost.exe PID 5100 wrote to memory of 4332 5100 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe smartscreen.exe PID 4544 wrote to memory of 3648 4544 WerFault.exe StartMenuExperienceHost.exe PID 4544 wrote to memory of 3648 4544 WerFault.exe StartMenuExperienceHost.exe
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Drops startup file
- Drops file in Program Files directory
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3648 -s 25202⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4020 -s 4442⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4212 -s 9042⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\System32\smartscreen.exeC:\Windows\System32\smartscreen.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" /f3⤵
- Adds Run key to start application
-
C:\Windows\System32\Upfc.exeC:\Windows\System32\Upfc.exe /launchtype periodic /cv xvr26FWfUE+dxGj/FwtjkQ.01⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv roe7HoQykUCc7QAfwLsm0A.0.21⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 1e7f5cfd5cbc41958340b0d0c1bca9da roe7HoQykUCc7QAfwLsm0A.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 4020 -ip 40201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 440 -p 4212 -ip 42121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 484 -p 3648 -ip 36481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 1e7f5cfd5cbc41958340b0d0c1bca9da roe7HoQykUCc7QAfwLsm0A.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Network\Downloader\edb.logMD5
92079f84a3356b2b9d58555babfe5e22
SHA1765b633155c076a0a33c78bb81d0823bf02c7225
SHA2566ffe40773163d5f4ac5b98c85931f498861e78b7181067dd5a95960a851d85c8
SHA512f09e9f338f02622bd9bf0ef2e7ce7ef3c6a6ee1ff0016899e9a707ae750730e5b2708f0074f41b4fb9ef0328c664e22927c283670443f7834d6f9abbbba36635
-
C:\ProgramData\Microsoft\Network\Downloader\qmgr.dbMD5
6c5b27babcd2bea420328d335278ccc1
SHA19be63594dd3113af0b739aab895255ea07f39ec1
SHA2560a71daf3baa226bfd2d94c3201d2013033a2dc3d2fe759a1ee303cf3e36eaf53
SHA5126641c5d0b8fdb9fecfb1e550a5a6823be3a2d820497102707218469e37d7c0666c7ae3e0d9f961b41773530fe0715824f92b08c18f7fa3faf887eec60d8c43a0
-
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfmMD5
f69bbc04c1cebf5e5fd0c3ed570290eb
SHA1c10b07159434b5d20b9f5603d473285fcbcbec5a
SHA2566b1dff53a69d97d53fa8e2a63958ba36e9d727b54582e12db5dee725c4d8b456
SHA5121ef6a0cda698ea1ae47de45edcbeb02905851ab4f577144fb8cfd91ed404207934f0328a5f0d81cf300df6ab74ec4e482a059990e6b8f75363850d10d35db0a0
-
memory/1956-152-0x0000000000000000-mapping.dmp
-
memory/2060-155-0x00007FF6E0F70000-0x00007FF6E12FE000-memory.dmpFilesize
3.6MB
-
memory/2400-153-0x0000000000000000-mapping.dmp
-
memory/3164-154-0x0000000000000000-mapping.dmp
-
memory/4456-151-0x0000022B82960000-0x0000022B82964000-memory.dmpFilesize
16KB
-
memory/4536-146-0x00000214BA570000-0x00000214BA580000-memory.dmpFilesize
64KB
-
memory/4536-148-0x00000214BA9F0000-0x00000214BA9F4000-memory.dmpFilesize
16KB
-
memory/4536-147-0x00000214BA5F0000-0x00000214BA600000-memory.dmpFilesize
64KB
-
memory/17352-156-0x000001F339830000-0x000001F339832000-memory.dmpFilesize
8KB
-
memory/17352-157-0x000001F339830000-0x000001F339832000-memory.dmpFilesize
8KB
-
memory/17352-158-0x000001F339830000-0x000001F339832000-memory.dmpFilesize
8KB