Analysis
- max time kernel: 164s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 22-01-2022 00:33

Static task: static1

Behavioral task: behavioral1
- Sample: ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe
- Resource: win10-en-20211208
General
- Target: ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe
- Size: 32.2MB
- MD5: 5aab976003bd9fd656efa03cdbb9c3da
- SHA1: 8535ea53061cfb86467c0dfc4cb9afc56ba9a828
- SHA256: ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017
- SHA512: b7660b61302c06bca58b4b003d5af13c7bffab3278c5918c2968ba8982c541446f33187579a90ec764d67c4018576467b560df6b9ebe59589a41b40463d85265
Malware Config
- Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\сфБщДтĐѨКК.txt
- Family: ryuk
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Executes dropped EXE (3 IoCs)
Processes (pid, process):
472 AAMS V3 Setup.exe
1908 Webmaster.exe
1404 Webmaster.exe
-
Loads dropped DLL (4 IoCs)
Processes (pid, process):
1876 ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe (3 IoCs)
1908 Webmaster.exe (1 IoC)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: reg.exe
- Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WdiService\\Webmaster.lnk" (reg.exe)
-
Suspicious use of SetThreadContext (2 IoCs)
Processes: Webmaster.exe
- PID 1908 (Webmaster.exe) set thread context of PID 1404 (Webmaster.exe)
- PID 1908 (Webmaster.exe) set thread context of PID 1684 (RegSvcs.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process): 64 events, all from 1908 Webmaster.exe and 1684 RegSvcs.exe
-
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (pid, process):
472 AAMS V3 Setup.exe
1404 Webmaster.exe
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (token, pid, process):
Token: SeDebugPrivilege 1908 Webmaster.exe
Token: SeDebugPrivilege 1684 RegSvcs.exe
Token: SeDebugPrivilege 1404 Webmaster.exe
Token: 33 1404 Webmaster.exe
Token: SeIncBasePriorityPrivilege 1404 Webmaster.exe
-
Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid, process):
472 AAMS V3 Setup.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
1404 Webmaster.exe
-
Suspicious use of WriteProcessMemory (40 IoCs)
Processes (source pid/process wrote to memory of target pid/process; repeated events collapsed with counts):
- PID 1876 ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe wrote to memory of PID 472 AAMS V3 Setup.exe (7 events)
- PID 1876 ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe wrote to memory of PID 1908 Webmaster.exe (4 events)
- PID 1908 Webmaster.exe wrote to memory of PID 1824 cmd.exe (4 events)
- PID 1824 cmd.exe wrote to memory of PID 1884 reg.exe (4 events)
- PID 1908 Webmaster.exe wrote to memory of PID 1404 Webmaster.exe (9 events)
- PID 1908 Webmaster.exe wrote to memory of PID 1684 RegSvcs.exe (12 events)
Processes (tree depth given per entry)
- Depth 1: C:\Users\Admin\AppData\Local\Temp\ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Depth 2: C:\Users\Admin\AppData\Local\Temp\AAMS V3 Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AAMS V3 Setup.exe"
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
- Depth 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.exe" -n
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Depth 3: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.lnk" /f
  - Suspicious use of WriteProcessMemory
- Depth 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.lnk" /f
  - Adds Run key to start application
- Depth 3: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.exe"
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- Depth 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\AAMS V3 Setup.exe
  MD5: 64f70c30f78e5a570b69fef6de907872
  SHA1: 801e5e979c9b36a81e7ec8c22d01fd19767525e0
  SHA256: c617bf0cb0f1f008b910dcc38cf7a84b0b253e91937f97df4afa75058af10eb6
  SHA512: 4b2cebabdd3d6c5eb77cdadc1702008571c68805df4b02bccfee77a1b74188bd2131ae16d0f8c3dc15276f74467f2f42fd2b893832fcd827584293a05357b534
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.exe
  MD5: 5aab976003bd9fd656efa03cdbb9c3da
  SHA1: 8535ea53061cfb86467c0dfc4cb9afc56ba9a828
  SHA256: ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017
  SHA512: b7660b61302c06bca58b4b003d5af13c7bffab3278c5918c2968ba8982c541446f33187579a90ec764d67c4018576467b560df6b9ebe59589a41b40463d85265
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\fl.txt
  MD5: b69d3741ef80b3cccbe86e607cdab511
  SHA1: 1ff16eec7db60c5f26987462323ed03010a061cc
  SHA256: da286b535ba2bc98eb82aa933d219510ede02f3f43c4a90cf56dd13b26a7b238
  SHA512: 9692febad5bb8985bbcc843987330de0619367059179c430fc5a142db164d04fb5b9ac63040798832feb36934de49735f2aa5a05b02ed8687b2ad2cfe9a663de
- \Users\Admin\AppData\Local\Temp\AAMS V3 Setup.exe
  MD5: 64f70c30f78e5a570b69fef6de907872
  SHA1: 801e5e979c9b36a81e7ec8c22d01fd19767525e0
  SHA256: c617bf0cb0f1f008b910dcc38cf7a84b0b253e91937f97df4afa75058af10eb6
  SHA512: 4b2cebabdd3d6c5eb77cdadc1702008571c68805df4b02bccfee77a1b74188bd2131ae16d0f8c3dc15276f74467f2f42fd2b893832fcd827584293a05357b534
- \Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.exe
  MD5: 5aab976003bd9fd656efa03cdbb9c3da
  SHA1: 8535ea53061cfb86467c0dfc4cb9afc56ba9a828
  SHA256: ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017
  SHA512: b7660b61302c06bca58b4b003d5af13c7bffab3278c5918c2968ba8982c541446f33187579a90ec764d67c4018576467b560df6b9ebe59589a41b40463d85265
Memory dumps (dump, filesize):
- memory/472-67-0x00000000732D1000-0x00000000732D3000-memory.dmp: 8KB
- memory/1404-69-0x0000000000400000-0x000000000045A000-memory.dmp: 360KB
- memory/1404-76-0x0000000002940000-0x0000000002941000-memory.dmp: 4KB
- memory/1404-70-0x0000000000400000-0x000000000045A000-memory.dmp: 360KB
- memory/1404-71-0x0000000000400000-0x000000000045A000-memory.dmp: 360KB
- memory/1404-72-0x0000000000400000-0x000000000045A000-memory.dmp: 360KB
- memory/1404-73-0x0000000000400000-0x000000000045A000-memory.dmp: 360KB
- memory/1684-77-0x0000000000400000-0x0000000000408000-memory.dmp: 32KB
- memory/1684-78-0x0000000000400000-0x0000000000408000-memory.dmp: 32KB
- memory/1684-79-0x0000000000400000-0x0000000000408000-memory.dmp: 32KB
- memory/1684-80-0x0000000000400000-0x0000000000408000-memory.dmp: 32KB
- memory/1684-81-0x0000000000400000-0x0000000000408000-memory.dmp: 32KB
- memory/1684-84-0x0000000000D70000-0x0000000000D71000-memory.dmp: 4KB
- memory/1876-54-0x0000000076001000-0x0000000076003000-memory.dmp: 8KB
- memory/1876-55-0x0000000000250000-0x0000000000290000-memory.dmp: 256KB
- memory/1908-65-0x0000000004230000-0x0000000004231000-memory.dmp: 4KB