ryuk | e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c

Analysis

max time kernel
175s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe
Size

214KB
MD5

4d3454c85d85856674bb6e835f139649
SHA1

a8d64f6dddff26b423793e08994a6ee19077c1f7
SHA256

e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c
SHA512

e713ee2c5fe12dfa27e8294ce1a6415221cccead720dd5163d6ccb399518a810ad567db39023a763ce39a8b861b39400f1faa56d8398c7c64fa7a5fdc2010c6c

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2292 created 2228	2292	WerFault.exe	51

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
3900	yDVUSbb.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	yDVUSbb.exe

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2136	icacls.exe
4016	icacls.exe
4020	icacls.exe
3012	icacls.exe
2264	icacls.exe
3964	icacls.exe
388	icacls.exe
2144	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe"	reg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2868	2712	WerFault.exe	27
3120	2228	WerFault.exe	51

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3300	vssadmin.exe
3296	vssadmin.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.230060"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4212"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4220"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899693502377273"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.547952"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.318475"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4068"	svchost.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1fdf9fc-b78d-4eda-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1fdf9fc-b78d-4eda-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1fdf9fc-b78d-4eda- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1fdf9fc-b78d-4eda- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1fdf9fc-b78d-4eda- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fc41e1a9abef38935bd0e09bf57e090b5a28ab74d458558a9da50645ff570b56"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1fdf9fc-b78d-4eda- = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000310eeba9fe25d80118c68aaafe25d80118c68aaafe25d801df0100000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad013200000000005454ef102000666334316531613961626566333839333562643065303962663537653039306235613238616237346434353835353861396461353036343566663537306235360000b20009000400efbe5454ef105454ef102e00000000000000000000000000000000000000000000000000410e1601660063003400310065003100610039006100620065006600330038003900330035006200640030006500300039006200660035003700650030003900300062003500610032003800610062003700340064003400350038003500350038006100390064006100350030003600340035006600660035003700300062003500360000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea00000018000000030000007b5bcee61000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c66633431653161396162656633383933356264306530396266353765303930623561323861623734643435383535386139646135303634356666353730623536000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d665119c499083ec1182d0c632f2c01808bad9b5dc40371b4eb595e9fc647d27d665119c499083ec1182d0c632f2c01808ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\6592d921-55ef-49c6-	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-790714498-1549421491-1643397139-1000\{63FC0E20-7274-4BBD-9235-EA3419EE6C49}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1fdf9fc-b78d-4eda- = 0aa245affe25d801	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\f1fdf9fc-b78d-4eda- = "0"	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe
2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe
2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe
2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe
2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe
2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe
3900	yDVUSbb.exe
3900	yDVUSbb.exe
3120	WerFault.exe
2868	WerFault.exe
3120	WerFault.exe
2868	WerFault.exe
2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe
2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe
Token: SeShutdownPrivilege	2956	RuntimeBroker.exe
Token: SeBackupPrivilege	2208	sihost.exe
Token: SeBackupPrivilege	3900	yDVUSbb.exe
Token: SeBackupPrivilege	2892	StartMenuExperienceHost.exe
Token: SeBackupPrivilege	332	BackgroundTransferHost.exe
Token: SeBackupPrivilege	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe
Token: SeBackupPrivilege	2228	svchost.exe
Token: SeBackupPrivilege	3500	vssvc.exe
Token: SeRestorePrivilege	3500	vssvc.exe
Token: SeAuditPrivilege	3500	vssvc.exe
Token: SeShutdownPrivilege	2924	explorer.exe
Token: SeCreatePagefilePrivilege	2924	explorer.exe
Token: SeShutdownPrivilege	2924	explorer.exe
Token: SeCreatePagefilePrivilege	2924	explorer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1540	sihost.exe
2924	explorer.exe
2924	explorer.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2924	explorer.exe
2924	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 3900	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	59
PID 2180 wrote to memory of 3900	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	59
PID 2180 wrote to memory of 2208	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	52
PID 2180 wrote to memory of 2228	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	51
PID 2180 wrote to memory of 2284	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	50
PID 2180 wrote to memory of 2512	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	28
PID 2180 wrote to memory of 2712	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	27
PID 2180 wrote to memory of 2892	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	25
PID 2180 wrote to memory of 2956	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	24
PID 2180 wrote to memory of 3036	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	49
PID 2180 wrote to memory of 2616	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	30
PID 2180 wrote to memory of 3472	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	47
PID 2180 wrote to memory of 3360	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	43
PID 2180 wrote to memory of 3064	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	37
PID 2180 wrote to memory of 332	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	34
PID 2208 wrote to memory of 388	2208	sihost.exe	73
PID 2208 wrote to memory of 388	2208	sihost.exe	73
PID 2208 wrote to memory of 3012	2208	sihost.exe	63
PID 2208 wrote to memory of 3012	2208	sihost.exe	63
PID 3900 wrote to memory of 3964	3900	yDVUSbb.exe	72
PID 3900 wrote to memory of 3964	3900	yDVUSbb.exe	72
PID 3900 wrote to memory of 2264	3900	yDVUSbb.exe	71
PID 3900 wrote to memory of 2264	3900	yDVUSbb.exe	71
PID 3900 wrote to memory of 2056	3900	yDVUSbb.exe	70
PID 3900 wrote to memory of 2056	3900	yDVUSbb.exe	70
PID 2180 wrote to memory of 2144	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	75
PID 2180 wrote to memory of 2144	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	75
PID 2180 wrote to memory of 2136	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	77
PID 2180 wrote to memory of 2136	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	77
PID 2180 wrote to memory of 1240	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	76
PID 2180 wrote to memory of 1240	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	76
PID 2056 wrote to memory of 3296	2056	cmd.exe	82
PID 2056 wrote to memory of 3296	2056	cmd.exe	82
PID 1240 wrote to memory of 3300	1240	cmd.exe	81
PID 1240 wrote to memory of 3300	1240	cmd.exe	81
PID 2228 wrote to memory of 4016	2228	svchost.exe	84
PID 2228 wrote to memory of 4016	2228	svchost.exe	84
PID 2228 wrote to memory of 4020	2228	svchost.exe	85
PID 2228 wrote to memory of 4020	2228	svchost.exe	85
PID 2712 wrote to memory of 2868	2712	DllHost.exe	88
PID 2712 wrote to memory of 2868	2712	DllHost.exe	88
PID 2180 wrote to memory of 3904	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	91
PID 2180 wrote to memory of 3904	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	91
PID 2180 wrote to memory of 1612	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	94
PID 2180 wrote to memory of 1612	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	94
PID 1540 wrote to memory of 2924	1540	sihost.exe	96
PID 1540 wrote to memory of 2924	1540	sihost.exe	96
PID 3904 wrote to memory of 1364	3904	net.exe	98
PID 3904 wrote to memory of 1364	3904	net.exe	98
PID 1612 wrote to memory of 3940	1612	net.exe	99
PID 1612 wrote to memory of 3940	1612	net.exe	99
PID 2292 wrote to memory of 2228	2292	WerFault.exe	51
PID 2292 wrote to memory of 2228	2292	WerFault.exe	51
PID 2180 wrote to memory of 2684	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	104
PID 2180 wrote to memory of 2684	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	104
PID 2180 wrote to memory of 2748	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	105
PID 2180 wrote to memory of 2748	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	105
PID 2180 wrote to memory of 2704	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	107
PID 2180 wrote to memory of 2704	2180	e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe	107
PID 2748 wrote to memory of 296	2748	net.exe	109
PID 2748 wrote to memory of 296	2748	net.exe	109
PID 2684 wrote to memory of 3224	2684	net.exe	110
PID 2684 wrote to memory of 3224	2684	net.exe	110
PID 2704 wrote to memory of 2296	2704	cmd.exe	111

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2712 -s 876
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2512

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2616

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3064

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3360

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3472

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3036

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\system32\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4016
- C:\Windows\system32\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4020
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2228 -s 864
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:3120

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\system32\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3012
- C:\Windows\system32\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:388

C:\Users\Admin\AppData\Local\Temp\e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe
"C:\Users\Admin\AppData\Local\Temp\e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\yDVUSbb.exe
  "C:\Users\Admin\AppData\Local\Temp\yDVUSbb.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3296
- - C:\Windows\SYSTEM32\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:2264
- - C:\Windows\SYSTEM32\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:3964
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    3⤵
    PID:3768
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      4⤵
      PID:3480
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:1900
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:2292
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\yDVUSbb.exe" /f
    3⤵
    PID:4384
- C:\Windows\SYSTEM32\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3300
- C:\Windows\SYSTEM32\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2136
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:1364
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3940
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:3224
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\e5ceb42928a16190aeb1a9893c89e808a756a30193ccd542f63c726da7d9fa5c.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2296
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:4336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:25748
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:4412
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:25740

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3700

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 2228 -ip 2228
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2208-132-0x00007FF6EAC50000-0x00007FF6EADC7000-memory.dmp

Filesize
1.5MB

Download
memory/2712-135-0x0000023E164C0000-0x0000023E164C8000-memory.dmp

Filesize
32KB

Download
memory/2712-136-0x0000023E16410000-0x0000023E16411000-memory.dmp

Filesize
4KB

Download
memory/2712-138-0x0000023E164C0000-0x0000023E164C8000-memory.dmp

Filesize
32KB

Download
memory/2712-139-0x0000023E16440000-0x0000023E16441000-memory.dmp

Filesize
4KB

Download