Analysis
-
max time kernel
170s -
max time network
42s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
20-02-2022 03:29
Static task
static1
Behavioral task
behavioral1
Sample
aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
Resource
win10v2004-en-20220112
General
-
Target
aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
-
Size
168KB
-
MD5
226a208a5421b06f3e2189f1ce516ae3
-
SHA1
5b375d13a7a92962a4bbd7dac44e0c340e1de8b9
-
SHA256
aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35
-
SHA512
537351deba56379b58e98ecb1d885cab6ced7c406071477d69b33ea8b98fd5aa82b684a2c8503b188dba71c9c88cdacd94c67358ce9166b64afff3ef719fa1c4
Malware Config
Extracted
C:\RyukReadMe.txt
ryuk
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00269_.WMF taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png taskhost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\IA32.api taskhost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg taskhost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\PREVIEW.GIF taskhost.exe File opened for modification C:\Program Files (x86)\Internet Explorer\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago taskhost.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo taskhost.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png taskhost.exe File opened for modification C:\Program Files\Java\jre7\lib\rt.jar taskhost.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\La_Paz taskhost.exe File opened for modification C:\Program Files\7-Zip\Lang\ga.txt taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar taskhost.exe File opened for modification C:\Program Files\Java\jre7\lib\security\US_export_policy.jar taskhost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api taskhost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\DVD Maker\audiodepthconverter.ax taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml taskhost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar taskhost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBLR6.CHM taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml taskhost.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\South_Georgia taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ho_Chi_Minh taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar taskhost.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt taskhost.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan taskhost.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo taskhost.exe File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf taskhost.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg taskhost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png taskhost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml taskhost.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo taskhost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\PREVIEW.GIF taskhost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif taskhost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files (x86)\Internet Explorer\es-ES\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties taskhost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar taskhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1164 aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1164 aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1164 wrote to memory of 1596 1164 aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe 27 PID 1164 wrote to memory of 1596 1164 aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe 27 PID 1164 wrote to memory of 1596 1164 aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe 27 PID 1164 wrote to memory of 1256 1164 aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe 13 PID 1164 wrote to memory of 1336 1164 aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe 14 PID 1164 wrote to memory of 1596 1164 aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe 27 PID 1596 wrote to memory of 1380 1596 cmd.exe 29 PID 1596 wrote to memory of 1380 1596 cmd.exe 29 PID 1596 wrote to memory of 1380 1596 cmd.exe 29
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Drops file in Program Files directory
PID:1256
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1336
-
C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe"C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" /f3⤵
- Adds Run key to start application
PID:1380
-
-