Analysis
- max time kernel: 170s
- max time network: 207s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 20-02-2022 03:29

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
  Resource: win10v2004-en-20220112
General
- Target: aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
- Size: 168KB
- MD5: 226a208a5421b06f3e2189f1ce516ae3
- SHA1: 5b375d13a7a92962a4bbd7dac44e0c340e1de8b9
- SHA256: aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35
- SHA512: 537351deba56379b58e98ecb1d885cab6ced7c406071477d69b33ea8b98fd5aa82b684a2c8503b188dba71c9c88cdacd94c67358ce9166b64afff3ef719fa1c4
Malware Config
Extracted
- Path: C:\RyukReadMe.txt
- Family: ryuk
- Wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Suspicious use of NtCreateProcessExOtherParentProcess (3 IoCs)
  description | pid | Process | procid_target
  PID 64 created 2760 | 64 | WerFault.exe | 35
  PID 4044 created 2936 | 4044 | WerFault.exe | 33
  PID 3424 created 3936 | 3424 | WerFault.exe | 19
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (4 IoCs)
  pid | pid_target | Process | procid_target
  3800 | 2760 | WerFault.exe | 35
  4144 | 2936 | WerFault.exe | 33
  4152 | 2760 | WerFault.exe | 35
  4136 | 3936 | WerFault.exe | 19
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
  3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
  4136 | WerFault.exe
  4144 | WerFault.exe
  4144 | WerFault.exe
  4136 | WerFault.exe
  3800 | WerFault.exe
  3800 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  description | pid | Process | procid_target
  PID 3120 wrote to memory of 3168 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 59
  PID 3120 wrote to memory of 3168 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 59
  PID 3120 wrote to memory of 2236 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 40
  PID 3168 wrote to memory of 3688 | 3168 | cmd.exe | 61
  PID 3168 wrote to memory of 3688 | 3168 | cmd.exe | 61
  PID 3120 wrote to memory of 2256 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 39
  PID 3120 wrote to memory of 2308 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 38
  PID 3120 wrote to memory of 2568 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 36
  PID 3120 wrote to memory of 2760 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 35
  PID 3120 wrote to memory of 2936 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 33
  PID 3120 wrote to memory of 3008 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 11
  PID 3120 wrote to memory of 976 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 32
  PID 3120 wrote to memory of 3132 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 31
  PID 3120 wrote to memory of 3492 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 29
  PID 3120 wrote to memory of 4060 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 22
  PID 3120 wrote to memory of 3936 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 19
  PID 3120 wrote to memory of 228 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | 16
  PID 2760 wrote to memory of 3800 | 2760 | DllHost.exe | 68
  PID 2760 wrote to memory of 3800 | 2760 | DllHost.exe | 68
  PID 64 wrote to memory of 2760 | 64 | WerFault.exe | 35
  PID 3424 wrote to memory of 3936 | 3424 | WerFault.exe | 19
  PID 64 wrote to memory of 2760 | 64 | WerFault.exe | 35
  PID 3424 wrote to memory of 3936 | 3424 | WerFault.exe | 19
  PID 4044 wrote to memory of 2936 | 4044 | WerFault.exe | 33
  PID 4044 wrote to memory of 2936 | 4044 | WerFault.exe | 33
Processes
- C:\Windows\System32\RuntimeBroker.exe (PID 3008)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 228)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe (PID 3936)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  - C:\Windows\system32\WerFault.exe (PID 4136)
    Command line: C:\Windows\system32\WerFault.exe -u -p 3936 -s 1804
    Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\backgroundTaskHost.exe (PID 4060)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3492)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 3132)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 976)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 2936)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - C:\Windows\system32\WerFault.exe (PID 4144)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2936 -s 2124
    Signatures: Program crash; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\DllHost.exe (PID 2760)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (PID 3800)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2760 -s 356
    Signatures: Program crash; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\WerFault.exe (PID 4152)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2760 -s 356
    Signatures: Program crash
- C:\Windows\system32\svchost.exe (PID 2568)
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
- C:\Windows\system32\taskhostw.exe (PID 2308)
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe (PID 2256)
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
- C:\Windows\system32\sihost.exe (PID 2236)
  Command line: sihost.exe
  Signatures: Drops file in Program Files directory
- C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe (PID 3120)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 3168)
    Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 3688)
      Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" /f
      Signatures: Adds Run key to start application
- C:\Windows\system32\WerFault.exe (PID 64)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 2760 -ip 2760
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory
- C:\Windows\system32\WerFault.exe (PID 4044)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 464 -p 2936 -ip 2936
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory
- C:\Windows\system32\WerFault.exe (PID 3424)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 496 -p 3936 -ip 3936
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory