Analysis
Max time kernel: 176s
Max time network: 149s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 20-02-2022 02:41
Static task: static1
Behavioral task: behavioral1
  Sample: bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe
  Resource: win10v2004-en-20220112
General
Target: bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe
Size: 153KB
MD5: bc812e73df40f9c193d3039041c4dd32
SHA1: 5329a5292bf28d89eb0c7f1cbd7960d60239e951
SHA256: bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470
SHA512: 945f66e50155086560d33615250db8dd517fe2fbf517720e4c43ffedf83f3cf8b7f8372fe39c51b33f8463590120b4a62b394d7462dafd01362b88aa90a44b89
Malware Config
Extracted from: C:\RyukReadMe.txt
Family: ryuk
Value: 15LsUgfnuGc1PsHJPcfLQJEnHm2FnGAgYC
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: reg.exe
  Key created: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe" (reg.exe)
- Drops file in Program Files directory (64 IoCs)
  Process: taskhost.exe
  Description: File opened for modification (64 paths under C:\Program Files)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe (PID 528)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe (PID 528)
  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe, cmd.exe
  PID 528 (bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe) wrote to memory of PID 1704 (cmd.exe)
  PID 528 (bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe) wrote to memory of PID 1704 (cmd.exe)
  PID 528 (bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe) wrote to memory of PID 1704 (cmd.exe)
  PID 528 (bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe) wrote to memory of PID 1236 (taskhost.exe)
  PID 528 (bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe) wrote to memory of PID 1320 (Dwm.exe)
  PID 528 (bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe) wrote to memory of PID 1704 (cmd.exe)
  PID 1704 (cmd.exe) wrote to memory of PID 564 (reg.exe)
  PID 1704 (cmd.exe) wrote to memory of PID 564 (reg.exe)
  PID 1704 (cmd.exe) wrote to memory of PID 564 (reg.exe)
Processes
C:\Windows\system32\taskhost.exe (PID 1236)
  Command line: "taskhost.exe"
  - Drops file in Program Files directory
C:\Windows\system32\Dwm.exe (PID 1320)
  Command line: "C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe (PID 528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (PID 1704, child of PID 528)
    Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 564, child of PID 1704)
      Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\bb43f54a93284e12598c1650b23cb44e0a254c6ab0593cc1d87fae2f19768470.exe" /f
      - Adds Run key to start application