Analysis
- max time kernel: 169s
- max time network: 45s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 20-02-2022 03:30
Static task: static1
Behavioral task: behavioral1
- Sample: aa356e1d445cca768a71f037d6a0111e613213bf2fd67fffdeae346001143bf6.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: aa356e1d445cca768a71f037d6a0111e613213bf2fd67fffdeae346001143bf6.exe
- Resource: win10v2004-en-20220113
General
- Target: aa356e1d445cca768a71f037d6a0111e613213bf2fd67fffdeae346001143bf6.exe
- Size: 170KB
- MD5: 0e53108935aa122b8faeda0de6fae8bd
- SHA1: fd7491b116e3695b832c171b6c003773fa95342b
- SHA256: aa356e1d445cca768a71f037d6a0111e613213bf2fd67fffdeae346001143bf6
- SHA512: df74ad57514cf8866a738f7ab3058a51f3ca7450bc63affc0ff05facc1e43e5d19dc1f23daa0ec7fc03312eacff2ff9e1233e6e420935365a260babc93d0d3d4
Malware Config
- Extracted from: C:\RyukReadMe.txt
- Family: ryuk
- Wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: reg.exe
  Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aa356e1d445cca768a71f037d6a0111e613213bf2fd67fffdeae346001143bf6.exe"
  The value name svchos is one letter short of svchost, and the value data is the sample itself in the user's Temp directory, so the entry relaunches the dropped binary at every logon of this user. It is the per-user (HKCU) Run key, so writing it needs no elevation.
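The Run-key write above (value name svchos, data pointing at the sample in the user's Temp directory, written by reg.exe) is the pattern a detection should catch. The following Python is an added example, not part of the sandbox report or of the malware: it runs over constructed registry value-set records shaped like Sysmon Event ID 13 fields (Image, TargetObject, Details) and flags Run-key writes whose payload sits in a user-writable directory or whose value name is within one edit of a Windows system binary name. The first record reproduces the write from this report; the msiexec.exe/jusched.exe record and the W32Time record are constructed controls.

```python
"""Flag Run-key persistence like the reg.exe write in this report.

Added example. The first event is the write recorded in the report (reg.exe,
PID 860, HKCU ...\Run\svchos); the other two are constructed controls.
"""
import re
from dataclasses import dataclass

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Locations a standard user can write to; a startup entry pointing here
# means the "application" is whatever the user (or malware) dropped there.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Local\\Temp|Roaming|Local)|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.I)
# Names malware likes to borrow; "svchos" is one edit away from "svchost".
SYSTEM_NAMES = ("svchost", "lsass", "csrss", "winlogon", "explorer",
                "taskhost", "dwm", "services", "wininit", "smss")
EXE_RE = re.compile(r'^\s*"?(.+?\.exe)\b', re.I)


@dataclass
class RegValueSet:
    pid: int
    image: str          # process that wrote the value
    target_object: str  # full key path ending in the value name
    details: str        # value data as logged


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_system_name(value_name: str) -> bool:
    """True if the name equals, or is one edit from, a Windows system binary."""
    n = value_name.lower()
    if n.endswith(".exe"):
        n = n[:-4]
    return any(edit_distance(n, s) <= 1 for s in SYSTEM_NAMES)


def exe_from_details(details: str) -> str:
    # Sandbox output escapes backslashes ("C:\\Users\\..."); undo that, then
    # keep only the executable path, dropping quotes and any arguments.
    d = details.replace("\\\\", "\\")
    m = EXE_RE.match(d)
    return m.group(1) if m else d.strip().strip('"')


def analyse(events):
    """Return one finding per suspicious Run-key value set."""
    findings = []
    for ev in events:
        if not RUN_KEY_RE.search(ev.target_object):
            continue
        name = ev.target_object.rsplit("\\", 1)[-1]
        exe = exe_from_details(ev.details)
        reasons = []
        if USER_WRITABLE_RE.search(exe):
            reasons.append("startup payload lives in a user-writable directory")
        if looks_like_system_name(name):
            reasons.append(f"value name {name!r} mimics a Windows system binary")
        if reasons and ev.image.lower().endswith("\\reg.exe"):
            reasons.append("written by reg.exe rather than by an installer")
        if reasons:
            findings.append({"pid": ev.pid, "value": name, "exe": exe, "reasons": reasons})
    return findings


SAMPLE_EVENTS = [
    # The write recorded in this report (value data kept as the sandbox rendered it).
    RegValueSet(
        860, r"C:\Windows\system32\reg.exe",
        r"\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000"
        r"\Software\Microsoft\Windows\CurrentVersion\Run\svchos",
        r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\aa356e1d445cca768a71f037d6a0111e613213bf2fd67fffdeae346001143bf6.exe"'),
    # Constructed benign control: an installer registering a vendor updater.
    RegValueSet(
        2044, r"C:\Windows\System32\msiexec.exe",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched",
        r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"'),
    # Constructed non-Run registry write: not a Run key, so the rule ignores it.
    RegValueSet(
        1216, r"C:\Windows\system32\taskhost.exe",
        r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Start", "DWORD (0x00000003)"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"PID {f['pid']}: {f['value']} -> {f['exe']}")
        for r in f["reasons"]:
            print("   -", r)
```

Only the report's event is flagged, with all three reasons; the vendor updater written under HKLM by msiexec.exe to Program Files produces nothing. The name check deliberately treats an exact match as suspicious too, since no Windows system binary registers itself under the Run key.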
- Drops file in Program Files directory (64 IoCs)
  Process: taskhost.exe
  File opened for modification:
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml
  - C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\RyukReadMe.txt
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar
  - C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\RyukReadMe.txt
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar
  - C:\Program Files\DVD Maker\sonicsptransform.ax
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-core.jar
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml
  - C:\Program Files\Java\jre7\lib\zi\Asia\Hebron
  - C:\Program Files\7-Zip\Lang\ky.txt
  - C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html
  - C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp
  - C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png
  - C:\Program Files\Java\jre7\lib\zi\Etc\GMT+1
  - C:\Program Files\Microsoft Games\Minesweeper\fr-FR\RyukReadMe.txt
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar
  - C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml
  - C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Full\RyukReadMe.txt
  - C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Winamac
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar
  - C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config
  - C:\Program Files\Java\jdk1.7.0_80\db\LICENSE
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\RyukReadMe.txt
  - C:\Program Files\Java\jre7\lib\zi\Asia\Hovd
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar
  - C:\Program Files\Java\jre7\lib\zi\SystemV\YST9YDT
  - C:\Program Files\7-Zip\Lang\si.txt
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png
  - C:\Program Files\Java\jre7\lib\zi\America\Montevideo
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-4
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_ja.jar
  - C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi
  - C:\Program Files\Java\jre7\lib\zi\Europe\Volgograd
  - C:\Program Files\Java\jre7\lib\zi\Europe\Dublin
  - C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml
  - C:\Program Files\7-Zip\Lang\et.txt
  - C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat
  - C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar
  - C:\Program Files\Java\jre7\lib\zi\America\Chicago
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\RyukReadMe.txt
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\LINEAR_RGB.pf
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\RyukReadMe.txt
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: aa356e1d445cca768a71f037d6a0111e613213bf2fd67fffdeae346001143bf6.exe (PID 1636)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: aa356e1d445cca768a71f037d6a0111e613213bf2fd67fffdeae346001143bf6.exe (PID 1636)
  Token: SeDebugPrivilege
  SeDebugPrivilege is the privilege that lets a process open handles to processes it could not otherwise touch; enabling it right before the cross-process memory writes below is the usual preparation step for injection.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: aa356e1d445cca768a71f037d6a0111e613213bf2fd67fffdeae346001143bf6.exe (PID 1636), cmd.exe (PID 1796)
  - PID 1636 wrote to memory of PID 1796 (cmd.exe)
  - PID 1636 wrote to memory of PID 1796 (cmd.exe)
  - PID 1636 wrote to memory of PID 1796 (cmd.exe)
  - PID 1636 wrote to memory of PID 1216 (taskhost.exe)
  - PID 1796 wrote to memory of PID 860 (reg.exe)
  - PID 1796 wrote to memory of PID 860 (reg.exe)
  - PID 1796 wrote to memory of PID 860 (reg.exe)
  - PID 1636 wrote to memory of PID 1308 (Dwm.exe)
  - PID 1636 wrote to memory of PID 1796 (cmd.exe)
  Note: the writes from 1636 into cmd.exe and from cmd.exe into reg.exe are the normal parent-to-child writes made while a process is being created (the process tree below shows both as children). The writes into taskhost.exe (PID 1216) and Dwm.exe (PID 1308) target processes the sample did not spawn; that is the injection which explains why taskhost.exe, not the sample, is the process modifying Program Files above.
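The two signatures above only make sense together: the Program Files modifications are logged under taskhost.exe, and the WriteProcessMemory rows show who put code there. The following Python is an added example, not from the sandbox report or from Ryuk's code, showing how to correlate the two: it separates parent-to-child memory writes (normal process creation) from writes into unrelated processes, then rolls the file activity of those injected processes back up to the injector. The events are constructed to mirror this report (the nine memory writes, four of the 64 taskhost.exe file modifications); the parent PIDs 1420 and 616 are assumptions, since the report does not list them.

```python
"""Attribute file activity of injected processes back to the injecting process.

Added example, not from the report or from Ryuk. Events are constructed to mirror
the report: PID 1636 (the sample) writes into its child cmd.exe, into taskhost.exe
(PID 1216) and Dwm.exe (PID 1308); afterwards taskhost.exe modifies Program Files.
Parent PIDs 1420 and 616 are assumed; the report does not list them.
"""
from collections import defaultdict
from dataclasses import dataclass

RANSOM_NOTE = "ryukreadme.txt"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aa356e1d445cca768a71f037d6a0111e613213bf2fd67fffdeae346001143bf6.exe"


@dataclass
class ProcCreate:
    pid: int
    ppid: int
    image: str


@dataclass
class MemWrite:      # one WriteProcessMemory observation
    src_pid: int
    dst_pid: int


@dataclass
class FileMod:       # one "file opened for modification" observation
    pid: int
    path: str


EVENTS = [
    ProcCreate(1636, 1420, SAMPLE),                                   # ppid assumed
    ProcCreate(1216, 616, r"C:\Windows\system32\taskhost.exe"),       # ppid assumed
    ProcCreate(1308, 616, r"C:\Windows\system32\Dwm.exe"),            # ppid assumed
    ProcCreate(1796, 1636, r"C:\Windows\System32\cmd.exe"),
    ProcCreate(860, 1796, r"C:\Windows\system32\reg.exe"),
    # The nine WriteProcessMemory rows from the report, in order.
    MemWrite(1636, 1796), MemWrite(1636, 1796), MemWrite(1636, 1796),
    MemWrite(1636, 1216),
    MemWrite(1796, 860), MemWrite(1796, 860), MemWrite(1796, 860),
    MemWrite(1636, 1308),
    MemWrite(1636, 1796),
    # Four of the 64 Program Files modifications the report attributes to taskhost.exe.
    FileMod(1216, r"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\RyukReadMe.txt"),
    FileMod(1216, r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5"),
    FileMod(1216, r"C:\Program Files\7-Zip\Lang\ky.txt"),
    FileMod(1216, r"C:\Program Files\Microsoft Games\Minesweeper\fr-FR\RyukReadMe.txt"),
]


def find_injections(events):
    """Map injected PID -> injector PID.

    A parent writing into a child it is creating is how CreateProcess works, so
    parent-to-child writes are dropped. That also drops hollowing of a freshly
    spawned child, which needs a separate check (e.g. the child's image being
    unmapped and replaced); this function only catches writes into processes the
    writer did not create.
    """
    parent = {e.pid: e.ppid for e in events if isinstance(e, ProcCreate)}
    injected = {}
    for e in events:
        if isinstance(e, MemWrite) and parent.get(e.dst_pid) != e.src_pid:
            injected[e.dst_pid] = e.src_pid
    return injected


def attribute_file_activity(events):
    """Roll file modifications made by injected processes up to the injector."""
    images = {e.pid: e.image for e in events if isinstance(e, ProcCreate)}
    injected = find_injections(events)
    report = defaultdict(lambda: {"targets": set(), "files": 0,
                                  "ransom_notes": 0, "dirs": set()})
    for dst, src in injected.items():
        report[src]["targets"].add(images.get(dst, f"pid {dst}"))
    for e in events:
        if isinstance(e, FileMod) and e.pid in injected:
            r = report[injected[e.pid]]
            r["files"] += 1
            directory, _, name = e.path.rpartition("\\")
            r["dirs"].add(directory)
            if name.lower() == RANSOM_NOTE:
                r["ransom_notes"] += 1
    return dict(report)


if __name__ == "__main__":
    for injector, r in attribute_file_activity(EVENTS).items():
        print(f"PID {injector} injected into: {sorted(r['targets'])}")
        print(f"  files modified via injected processes: {r['files']} "
              f"in {len(r['dirs'])} directories, ransom notes: {r['ransom_notes']}")
```

With these events the only injector is PID 1636, its targets are taskhost.exe and Dwm.exe, and all four Program Files modifications (two of them ransom notes) are attributed to it even though taskhost.exe performed them. A ransom-note filename spread across many unrelated directories by a single process is the signal worth alerting on; the attribution step is what turns "taskhost.exe wrote files" into "the sample encrypted files".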
Processes
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  - Drops file in Program Files directory
- C:\Users\Admin\AppData\Local\Temp\aa356e1d445cca768a71f037d6a0111e613213bf2fd67fffdeae346001143bf6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa356e1d445cca768a71f037d6a0111e613213bf2fd67fffdeae346001143bf6.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (child)
    Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\aa356e1d445cca768a71f037d6a0111e613213bf2fd67fffdeae346001143bf6.exe" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (child)
      Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\aa356e1d445cca768a71f037d6a0111e613213bf2fd67fffdeae346001143bf6.exe" /f
      - Adds Run key to start application