Analysis
- max time kernel: 176s
- max time network: 159s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 22-01-2022 00:33
- Static task: static1
- Behavioral task: behavioral1
  - Sample: ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe
  - Resource: win7-en-20211208
- Behavioral task: behavioral2
  - Sample: ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe
  - Resource: win10-en-20211208

The behaviour recorded on this page is from behavioral2 (windows10_x64, win10-en-20211208); the win7 run is not shown here.

General
- Target: ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe
- Size: 32.2MB
- MD5: 5aab976003bd9fd656efa03cdbb9c3da
- SHA1: 8535ea53061cfb86467c0dfc4cb9afc56ba9a828
- SHA256: ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017
- SHA512: b7660b61302c06bca58b4b003d5af13c7bffab3278c5918c2968ba8982c541446f33187579a90ec764d67c4018576467b560df6b9ebe59589a41b40463d85265
Malware Config
- Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\сфБщДтĐѨКК.txt
- Family: ryuk
Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
The family tag rests on the configuration the sandbox extracted from the .txt file listed under Malware Config, not on observed encryption: everything recorded in this run (a self-copy to %APPDATA%\Microsoft\Windows\WdiService, RunOnce persistence through a .lnk, WriteProcessMemory and SetThreadContext into a .NET RegSvcs.exe host) is loader and injection activity, and no file-encryption or ransom-note signature fired. Confirm the family from the dropped files before acting on the label.

Executes dropped EXE (2 IoCs)
  PID 2380  AAMS V3 Setup.exe
  PID 3304  Webmaster.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  reg.exe  Key created      \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  reg.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Load = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.lnk"
  RunOnce values are deleted before the command they name is run, so on a host that has logged on again since infection the value may already be gone; the Webmaster.lnk shortcut in the WdiService directory is the artefact to recover, and its target is not shown in this report.

Suspicious use of SetThreadContext (1 IoC)
  PID 3304 Webmaster.exe  set thread context of  PID 1200 RegSvcs.exe
  Taken together with the eight WriteProcessMemory IoCs from 3304 into 1200 listed below, this is consistent with process hollowing: a freshly started copy of the .NET Framework utility RegSvcs.exe is written into and has a thread context replaced by Webmaster.exe.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3304  Webmaster.exe
  PID 1200  RegSvcs.exe
  (the report repeats these two processes across all 64 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2380  AAMS V3 Setup.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 3304  Webmaster.exe
  Token: SeDebugPrivilege  PID 1200  RegSvcs.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2380  AAMS V3 Setup.exe

Suspicious use of WriteProcessMemory (23 IoCs, grouped by source and target)
  PID 832   ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe  wrote to  PID 2380  AAMS V3 Setup.exe  (3 writes)
  PID 832   ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe  wrote to  PID 3304  Webmaster.exe      (3 writes)
  PID 3304  Webmaster.exe  wrote to  PID 1220  cmd.exe        (3 writes)
  PID 1220  cmd.exe        wrote to  PID 372   reg.exe        (3 writes)
  PID 3304  Webmaster.exe  wrote to  PID 604   Webmaster.exe  (3 writes)
  PID 3304  Webmaster.exe  wrote to  PID 1200  RegSvcs.exe    (8 writes)
  The three-write groups are the writes a parent routinely makes when it creates a child process; the eight writes into RegSvcs.exe, paired with the SetThreadContext above, are the injection.
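The signatures above are what a responder pivots on, so here is an added example (not part of the Triage report or of the sample) that transcribes the WriteProcessMemory, SetThreadContext and registry IoCs into constructed Python tuples and applies two detections over them: a process-hollowing chain (repeated writes into a target followed by SetThreadContext on the same target) and a Run/RunOnce value whose launch target is a .lnk or lives under a user-writable directory. The tuple layout, the field names and the `min_writes=4` threshold are this example's own assumptions, not Triage's export format.

```python
"""Two detections over sandbox IoCs: process hollowing (repeated
WriteProcessMemory into a target followed by SetThreadContext on it) and
autorun persistence pointing at a .lnk or a user-writable directory.
Events are constructed from the report above; the tuple layout is this
example's own, not Triage's export format."""
from collections import Counter

SAMPLE = "ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe"

# (src_pid, src_image, dst_pid, dst_image), one tuple per IoC in the report.
WRITE_EVENTS = (
    [(832, SAMPLE, 2380, "AAMS V3 Setup.exe")] * 3
    + [(832, SAMPLE, 3304, "Webmaster.exe")] * 3
    + [(3304, "Webmaster.exe", 1220, "cmd.exe")] * 3
    + [(1220, "cmd.exe", 372, "reg.exe")] * 3
    + [(3304, "Webmaster.exe", 604, "Webmaster.exe")] * 3
    + [(3304, "Webmaster.exe", 1200, "RegSvcs.exe")] * 8
)
THREAD_CONTEXT_EVENTS = [(3304, "Webmaster.exe", 1200, "RegSvcs.exe")]

# (pid, image, key, value_name, value_data) for the reg.exe "Set value" IoC.
REGISTRY_EVENTS = [
    (372, "reg.exe",
     r"\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000"
     r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "Load",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.lnk"),
]


def injection_graph(writes):
    """Collapse the repeated write IoCs into (src, dst) edges with a count."""
    return Counter(writes)


def hollowing_candidates(writes, thread_ctx, min_writes=4):
    """Flag (src -> dst) pairs where the source wrote into the target at least
    min_writes times AND set a thread context there.  A parent writing a few
    times into a child it has just spawned is normal process creation (the
    3-write edges above), so neither signal is used on its own.  The threshold
    is an assumption for this example."""
    edges = injection_graph(writes)
    ctx = set(thread_ctx)
    return [
        {"src_pid": s, "src_image": si, "dst_pid": d, "dst_image": di, "writes": n}
        for (s, si, d, di), n in edges.items()
        if (s, si, d, di) in ctx and n >= min_writes
    ]


AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def suspicious_autoruns(reg_events):
    """Flag Run/RunOnce values whose data is a .lnk or points into a
    user-writable directory; either is unusual for legitimately installed
    software and both hold for the IoC in this report."""
    flagged = []
    for pid, image, key, name, data in reg_events:
        if not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        reasons = []
        low = data.lower()
        if low.endswith(".lnk"):
            reasons.append("launch target is a .lnk, which hides the real command line")
        if any(p in low for p in USER_WRITABLE):
            reasons.append("launch target lives in a user-writable directory")
        if reasons:
            flagged.append({"pid": pid, "image": image, "value": f"{key}\\{name}",
                            "data": data, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for (s, si, d, di), n in sorted(injection_graph(WRITE_EVENTS).items()):
        print(f"{s:>5} {si:<20.20} -> {d:>5} {di:<20} writes={n}")
    for hit in hollowing_candidates(WRITE_EVENTS, THREAD_CONTEXT_EVENTS):
        print("hollowing candidate:", hit)
    for hit in suspicious_autoruns(REGISTRY_EVENTS):
        print("autorun:", hit["value"], "=", hit["data"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run as-is it reports exactly one hollowing candidate (3304 Webmaster.exe into 1200 RegSvcs.exe, eight writes) and one flagged autorun (the RunOnce\Load value, for both reasons); the 832 -> 2380 and 832 -> 3304 edges stay quiet because no SetThreadContext accompanies them. Against real telemetry the same two functions apply unchanged once Sysmon event 8/10 or EDR injection events and event 13 registry sets are mapped onto the same tuples.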
Processes (depth in brackets; PIDs taken from the signature IoCs above)

[1] C:\Users\Admin\AppData\Local\Temp\ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe  (PID 832)
    cmd: "C:\Users\Admin\AppData\Local\Temp\ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\AAMS V3 Setup.exe  (PID 2380)
        cmd: "C:\Users\Admin\AppData\Local\Temp\AAMS V3 Setup.exe"
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.exe  (PID 3304)
        cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.exe" -n
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 1220)
            cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.lnk" /f
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\reg.exe  (PID 372)
                cmd: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.lnk" /f
                - Adds Run key to start application
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.exe  (PID 604)
            cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.exe"
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (PID 1200)
            cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

Two things in the tree are worth reading off directly. First, the submitted file spawns two children: AAMS V3 Setup.exe, which shows only GUI-style activity, and Webmaster.exe, which carries the persistence and injection behaviour and (see Downloads) has the same hashes as the submitted sample, so the first stage copies itself to %APPDATA%\Microsoft\Windows\WdiService before relaunching with -n. Second, cmd.exe is requested as C:\Windows\System32\cmd.exe but resolves to C:\Windows\SysWOW64\cmd.exe, and RegSvcs.exe comes from the 32-bit Framework\ directory rather than Framework64\; both are WoW64 file-system redirection, meaning Webmaster.exe is a 32-bit process on the x64 VM, which matters when choosing tooling to examine its memory dumps.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped files
- C:\Users\Admin\AppData\Local\Temp\AAMS V3 Setup.exe
  MD5:    64f70c30f78e5a570b69fef6de907872
  SHA1:   801e5e979c9b36a81e7ec8c22d01fd19767525e0
  SHA256: c617bf0cb0f1f008b910dcc38cf7a84b0b253e91937f97df4afa75058af10eb6
  SHA512: 4b2cebabdd3d6c5eb77cdadc1702008571c68805df4b02bccfee77a1b74188bd2131ae16d0f8c3dc15276f74467f2f42fd2b893832fcd827584293a05357b534
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\Webmaster.exe
  MD5:    5aab976003bd9fd656efa03cdbb9c3da
  SHA1:   8535ea53061cfb86467c0dfc4cb9afc56ba9a828
  SHA256: ce77093b54c13fbcfc399fdb3b61f13f9ab463a38f87428cf9239c53fc6c2017
  SHA512: b7660b61302c06bca58b4b003d5af13c7bffab3278c5918c2968ba8982c541446f33187579a90ec764d67c4018576467b560df6b9ebe59589a41b40463d85265
  All four hashes match the submitted sample under General: this is a byte-for-byte self-copy, so the sample's own hashes are the IoCs to hunt for under %APPDATA%.
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WdiService\fl.txt
  MD5:    b69d3741ef80b3cccbe86e607cdab511
  SHA1:   1ff16eec7db60c5f26987462323ed03010a061cc
  SHA256: da286b535ba2bc98eb82aa933d219510ede02f3f43c4a90cf56dd13b26a7b238
  SHA512: 9692febad5bb8985bbcc843987330de0619367059179c430fc5a142db164d04fb5b9ac63040798832feb36934de49735f2aa5a05b02ed8687b2ad2cfe9a663de

The page lists each of the first two files twice with identical hashes; the duplicates are collapsed here. The .txt file named under Malware Config (сфБщДтĐѨКК.txt) and the Webmaster.lnk shortcut referenced by the RunOnce value do not appear in this list, so their hashes are not available from this report.

Memory dumps (name format: memory/<pid>-<n>-<start>-<end>-memory.dmp)
- memory/832-117-0x0000000004640000-0x0000000004641000-memory.dmp   PID 832   4KB
- memory/1200-162-0x0000000000400000-0x0000000000408000-memory.dmp  PID 1200  32KB
- memory/1200-164-0x0000000000DE0000-0x0000000000DE1000-memory.dmp  PID 1200  4KB
- memory/3304-156-0x0000000003660000-0x0000000003661000-memory.dmp  PID 3304  4KB

The 32KB region at 0x400000-0x408000 in PID 1200 (RegSvcs.exe) is the one to start with: 0x400000 is the default image base for a 32-bit executable, it is the only dump larger than a single page, and PID 1200 is the target of the SetThreadContext and WriteProcessMemory IoCs above.