Analysis
- max time kernel: 170s
- max time network: 207s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 20-02-2022 03:29
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
  Resource: win10v2004-en-20220112
General
- Target: aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
- Size: 168KB
- MD5: 226a208a5421b06f3e2189f1ce516ae3
- SHA1: 5b375d13a7a92962a4bbd7dac44e0c340e1de8b9
- SHA256: aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35
- SHA512: 537351deba56379b58e98ecb1d885cab6ced7c406071477d69b33ea8b98fd5aa82b684a2c8503b188dba71c9c88cdacd94c67358ce9166b64afff3ef719fa1c4
Malware Config
Extracted
- Path: C:\RyukReadMe.txt
- Family: ryuk
- Wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Suspicious use of NtCreateProcessExOtherParentProcess (3 IoCs)
  Processes: WerFault.exe, WerFault.exe, WerFault.exe
  description | pid | process | target process
  PID 64 created 2760 | 64 | WerFault.exe | DllHost.exe
  PID 4044 created 2936 | 4044 | WerFault.exe | StartMenuExperienceHost.exe
  PID 3424 created 3936 | 3424 | WerFault.exe | backgroundTaskHost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: sihost.exe
  description: File opened for modification (all 64 entries); process: sihost.exe (all 64 entries)
  ioc:
  C:\Program Files\7-Zip\Lang\el.txt
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\resources.jar
  C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\RyukReadMe.txt
  C:\Program Files\Common Files\microsoft shared\ink\ro-RO\RyukReadMe.txt
  C:\Program Files\Common Files\System\ja-JP\RyukReadMe.txt
  C:\Program Files\Common Files\microsoft shared\RyukReadMe.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\RyukReadMe.txt
  C:\Program Files\7-Zip\Lang\ja.txt
  C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml
  C:\Program Files\Common Files\System\RyukReadMe.txt
  C:\Program Files\Common Files\System\Ole DB\ja-JP\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\sound.properties
  C:\Program Files\Common Files\microsoft shared\ink\Content.xml
  C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms
  C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties
  C:\Program Files\7-Zip\Lang\mk.txt
  C:\Program Files\Common Files\System\ado\adovbs.inc
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\javaws.jar
  C:\Program Files\7-Zip\Lang\pt-br.txt
  C:\Program Files\Common Files\microsoft shared\ink\es-MX\RyukReadMe.txt
  C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl.bat
  C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_pt_BR.properties
  C:\Program Files\Common Files\microsoft shared\ink\en-GB\RyukReadMe.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml
  C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\db\LICENSE
  C:\Program Files\7-Zip\Lang\mng2.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml
  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_sv.properties
  C:\Program Files\7-Zip\Lang\ast.txt
  C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.txt
  C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui
  C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.bat
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties
  C:\Program Files\7-Zip\Lang\gl.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml
  C:\Program Files\7-Zip\Lang\fy.txt
  C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml
  C:\Program Files\Common Files\System\Ole DB\fr-FR\RyukReadMe.txt
  C:\Program Files\Common Files\System\ado\msado27.tlb
  C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo.bat
  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\cursors.properties
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\profile.jfc
  C:\Program Files\7-Zip\Lang\va.txt
  C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\RyukReadMe.txt
  C:\Program Files\7-Zip\Lang\ko.txt
  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (4 IoCs)
  Processes: WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe
  pid | pid_target | process | target process
  3800 | 2760 | WerFault.exe | DllHost.exe
  4144 | 2936 | WerFault.exe | StartMenuExperienceHost.exe
  4152 | 2760 | WerFault.exe | DllHost.exe
  4136 | 3936 | WerFault.exe | backgroundTaskHost.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WerFault.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: WerFault.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe, WerFault.exe, WerFault.exe, WerFault.exe
  pid | process
  3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
  3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
  4136 | WerFault.exe
  4144 | WerFault.exe
  4144 | WerFault.exe
  4136 | WerFault.exe
  3800 | WerFault.exe
  3800 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
  description | pid | process
  Token: SeDebugPrivilege | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes: aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe, cmd.exe, DllHost.exe, WerFault.exe, WerFault.exe, WerFault.exe
  description | pid | process | target process
  PID 3120 wrote to memory of 3168 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | cmd.exe
  PID 3120 wrote to memory of 3168 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | cmd.exe
  PID 3120 wrote to memory of 2236 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | sihost.exe
  PID 3168 wrote to memory of 3688 | 3168 | cmd.exe | reg.exe
  PID 3168 wrote to memory of 3688 | 3168 | cmd.exe | reg.exe
  PID 3120 wrote to memory of 2256 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | svchost.exe
  PID 3120 wrote to memory of 2308 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | taskhostw.exe
  PID 3120 wrote to memory of 2568 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | svchost.exe
  PID 3120 wrote to memory of 2760 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | DllHost.exe
  PID 3120 wrote to memory of 2936 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | StartMenuExperienceHost.exe
  PID 3120 wrote to memory of 3008 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | RuntimeBroker.exe
  PID 3120 wrote to memory of 976 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | SearchApp.exe
  PID 3120 wrote to memory of 3132 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | RuntimeBroker.exe
  PID 3120 wrote to memory of 3492 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | RuntimeBroker.exe
  PID 3120 wrote to memory of 4060 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | backgroundTaskHost.exe
  PID 3120 wrote to memory of 3936 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | backgroundTaskHost.exe
  PID 3120 wrote to memory of 228 | 3120 | aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe | RuntimeBroker.exe
  PID 2760 wrote to memory of 3800 | 2760 | DllHost.exe | WerFault.exe
  PID 2760 wrote to memory of 3800 | 2760 | DllHost.exe | WerFault.exe
  PID 64 wrote to memory of 2760 | 64 | WerFault.exe | DllHost.exe
  PID 3424 wrote to memory of 3936 | 3424 | WerFault.exe | backgroundTaskHost.exe
  PID 64 wrote to memory of 2760 | 64 | WerFault.exe | DllHost.exe
  PID 3424 wrote to memory of 3936 | 3424 | WerFault.exe | backgroundTaskHost.exe
  PID 4044 wrote to memory of 2936 | 4044 | WerFault.exe | StartMenuExperienceHost.exe
  PID 4044 wrote to memory of 2936 | 4044 | WerFault.exe | StartMenuExperienceHost.exe
Processes
(process tree; child processes are indented under their parent)
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 3936 -s 1804
    Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2936 -s 2124
    Signatures: Program crash; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2760 -s 356
    Signatures: Program crash; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2760 -s 356
    Signatures: Program crash
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  Signatures: Drops file in Program Files directory
- C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" /f
      Signatures: Adds Run key to start application
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 2760 -ip 2760
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 464 -p 2936 -ip 2936
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 496 -p 3936 -ip 3936
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1645332205
  MD5: b170f58244cf6788e4fbbfb319bafab9
  SHA1: e00c5fd880a0cbb32cac151cc3e1ad01d15e1a90
  SHA256: 4bbbea997a5f78d12d885b184c8fc98b5064659b8b41473c1d3fa8a639264893
  SHA512: 7b0114ceaef3951177cd91798ed8d070da2431116b3a3aaab8cc62a2019f2d2583cf721ced69f075428f80e8d2fbfc84c2437a5daeaa02923da3981d764128a9
- memory/2236-130-0x00007FF799600000-0x00007FF79998D000-memory.dmp
  Filesize: 3.6MB
- memory/3936-131-0x00007FF799600000-0x00007FF79998D000-memory.dmp
  Filesize: 3.6MB