Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
20-01-2022 09:11
Static task
static1
Behavioral task
behavioral1
Sample
KD.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
KD.exe
Resource
win10v2004-en-20220113
General
-
Target
KD.exe
-
Size
7KB
-
MD5
ad309c9d2e62a1ceb52cdb76833bb9ff
-
SHA1
f93694b6d153c6a50950f1df29c36fbbae5d1931
-
SHA256
34e4e0f587ea3cbbd417710ec5b90de335dca96f6773fdd4ffb31b97b8913f8d
-
SHA512
addb8b06e6c0791f72b39183cfa850b2553730b60242a38775acc65f6c88e44f431ec3eaadb9bb3c506e639b391f74391890ae6a27c4a2f4e7c3da336b9954a4
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\dllhost.txt
ryuk
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule behavioral1/memory/112-63-0x0000000001060000-0x0000000002B38000-memory.dmp disable_win_def behavioral1/memory/112-64-0x0000000001060000-0x0000000002B38000-memory.dmp disable_win_def -
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 1 IoCs
Processes:
dllhost.exepid process 112 dllhost.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
dllhost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion dllhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion dllhost.exe -
Loads dropped DLL 1 IoCs
Processes:
KD.exepid process 1584 KD.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\dllhost.exe themida \Users\Admin\AppData\Roaming\dllhost.exe themida behavioral1/memory/112-63-0x0000000001060000-0x0000000002B38000-memory.dmp themida behavioral1/memory/112-64-0x0000000001060000-0x0000000002B38000-memory.dmp themida -
Processes:
dllhost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features dllhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" dllhost.exe -
Processes:
dllhost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA dllhost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
dllhost.exepid process 112 dllhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 1100 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
KD.exepowershell.exedescription pid process Token: SeDebugPrivilege 1584 KD.exe Token: SeDebugPrivilege 1100 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
KD.exedllhost.exedescription pid process target process PID 1584 wrote to memory of 112 1584 KD.exe dllhost.exe PID 1584 wrote to memory of 112 1584 KD.exe dllhost.exe PID 1584 wrote to memory of 112 1584 KD.exe dllhost.exe PID 1584 wrote to memory of 112 1584 KD.exe dllhost.exe PID 112 wrote to memory of 1100 112 dllhost.exe powershell.exe PID 112 wrote to memory of 1100 112 dllhost.exe powershell.exe PID 112 wrote to memory of 1100 112 dllhost.exe powershell.exe PID 112 wrote to memory of 1100 112 dllhost.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\KD.exe"C:\Users\Admin\AppData\Local\Temp\KD.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\dllhost.exe"C:\Users\Admin\AppData\Roaming\dllhost.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\dllhost.exeMD5
c89cc2bc9f5d03991470bb955d0af7b9
SHA1ff49a64cb8f60ea2cfccdc630ab9bc6452d7f6dd
SHA256271fd20da630104079b1de33b726d33abc01de725958922efcde1d11f730b4a3
SHA51249d0bd8e6f415c1c5a101c4ee6b2cfdf99c4887e7009e525cf3d5d1169b4bbd824eb53f348d6b85d6a8b1ceef936179b8760197b5bc48eb5943d7338ba567656
-
\Users\Admin\AppData\Roaming\dllhost.exeMD5
c89cc2bc9f5d03991470bb955d0af7b9
SHA1ff49a64cb8f60ea2cfccdc630ab9bc6452d7f6dd
SHA256271fd20da630104079b1de33b726d33abc01de725958922efcde1d11f730b4a3
SHA51249d0bd8e6f415c1c5a101c4ee6b2cfdf99c4887e7009e525cf3d5d1169b4bbd824eb53f348d6b85d6a8b1ceef936179b8760197b5bc48eb5943d7338ba567656
-
memory/112-63-0x0000000001060000-0x0000000002B38000-memory.dmpFilesize
26.8MB
-
memory/112-64-0x0000000001060000-0x0000000002B38000-memory.dmpFilesize
26.8MB
-
memory/1100-66-0x0000000001CF0000-0x0000000001CF1000-memory.dmpFilesize
4KB
-
memory/1100-67-0x0000000001CF1000-0x0000000001CF2000-memory.dmpFilesize
4KB
-
memory/1100-68-0x0000000001CF2000-0x0000000001CF4000-memory.dmpFilesize
8KB
-
memory/1584-55-0x0000000000220000-0x0000000000228000-memory.dmpFilesize
32KB
-
memory/1584-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmpFilesize
8KB
-
memory/1584-57-0x00000000021B0000-0x0000000004290000-memory.dmpFilesize
32.9MB