Malware Analysis Report

2024-10-23 18:37

Sample ID 220220-d18gjsgcc6
Target aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35
SHA256 aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35
Tags
ryuk persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35

Threat Level: Known bad

The file aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35 was found to be: Known bad.

Malicious Activity Summary

ryuk persistence ransomware

Suspicious use of NtCreateProcessExOtherParentProcess

Ryuk

Checks computer location settings

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Enumerates system info in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 03:29

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 03:29

Reported

2022-02-20 03:45

Platform

win10v2004-en-20220112

Max time kernel

170s

Max time network

207s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Ryuk

ransomware ryuk

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\el.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\resources.jar C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ro-RO\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\System\ja-JP\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ja.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\System\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\sound.properties C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\Content.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mk.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\adovbs.inc C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\javaws.jar C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-MX\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl.bat C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_pt_BR.properties C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-GB\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\LICENSE C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_sv.properties C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ast.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.bat C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gl.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fy.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\fr-FR\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msado27.tlb C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo.bat C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\cursors.properties C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\profile.jfc C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\va.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\RyukReadMe.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ko.txt C:\Windows\system32\sihost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar C:\Windows\system32\sihost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\WerFault.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\WerFault.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3120 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\System32\cmd.exe
PID 3120 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\System32\cmd.exe
PID 3120 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\system32\sihost.exe
PID 3168 wrote to memory of 3688 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3168 wrote to memory of 3688 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3120 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\system32\svchost.exe
PID 3120 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\system32\taskhostw.exe
PID 3120 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\system32\svchost.exe
PID 3120 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\system32\DllHost.exe
PID 3120 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3120 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\System32\RuntimeBroker.exe
PID 3120 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3120 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\System32\RuntimeBroker.exe
PID 3120 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\System32\RuntimeBroker.exe
PID 3120 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3120 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3120 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe C:\Windows\System32\RuntimeBroker.exe
PID 2760 wrote to memory of 3800 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 2760 wrote to memory of 3800 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 64 wrote to memory of 2760 N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\DllHost.exe
PID 3424 wrote to memory of 3936 N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\backgroundTaskHost.exe
PID 64 wrote to memory of 2760 N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\DllHost.exe
PID 3424 wrote to memory of 3936 N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4044 wrote to memory of 2936 N/A C:\Windows\system32\WerFault.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4044 wrote to memory of 2936 N/A C:\Windows\system32\WerFault.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe

"C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" /f

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 2760 -ip 2760

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 464 -p 2936 -ip 2936

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 496 -p 3936 -ip 3936

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2760 -s 356

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2936 -s 2124

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2760 -s 356

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3936 -s 1804

Network

Country Destination Domain Proto
NL 104.80.224.57:443 tcp

Files

memory/2236-130-0x00007FF799600000-0x00007FF79998D000-memory.dmp

memory/3936-131-0x00007FF799600000-0x00007FF79998D000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1645332205

MD5 b170f58244cf6788e4fbbfb319bafab9
SHA1 e00c5fd880a0cbb32cac151cc3e1ad01d15e1a90
SHA256 4bbbea997a5f78d12d885b184c8fc98b5064659b8b41473c1d3fa8a639264893
SHA512 7b0114ceaef3951177cd91798ed8d070da2431116b3a3aaab8cc62a2019f2d2583cf721ced69f075428f80e8d2fbfc84c2437a5daeaa02923da3981d764128a9

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 03:29

Reported

2022-02-20 03:48

Platform

win7-en-20211208

Max time kernel

170s

Max time network

42s

Command Line

"taskhost.exe"

Signatures

Ryuk

ransomware ryuk

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00269_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\IA32.api C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\PREVIEW.GIF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\vlc.mo C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\rt.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\La_Paz C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ga.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\security\US_export_policy.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\audiodepthconverter.ax C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBLR6.CHM C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\South_Georgia C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ho_Chi_Minh C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Luxembourg C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\vlc.mo C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\PREVIEW.GIF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\es-ES\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_ja_4.4.0.v20140623020002.jar C:\Windows\system32\taskhost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe

"C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\aa76633d91e96a6e583883381639329afc97f8bbda699c74577f32f35610df35.exe" /f

Network

N/A

Files

memory/1164-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

memory/1256-55-0x000000013FCE0000-0x000000014006D000-memory.dmp

memory/1256-57-0x000000013FCE0000-0x000000014006D000-memory.dmp