Analysis

max time kernel: 171s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 20-02-2022 02:49

Static task: static1
Behavioral task: behavioral1
  Sample: b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe
  Resource: win10v2004-en-20220112

The signatures, IoCs and process tree below come from the windows10-2004_x64 run (behavioral2); the PIDs and the process names such as RuntimeBroker.exe and StartMenuExperienceHost.exe belong to that VM.
General

Target: b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe
Size: 123KB
MD5: 2ea4d8210255c338743dbd770528251f
SHA1: 494eda967c0262e8e50ffc7903fc550fefad9e46
SHA256: b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720
SHA512: 404ed8fdb7307e54ffd3f953ffb296173a742a45eb4a7884c65662a575386f59376d00735ea76d6cd6da3dd986abc38bf03791d6db96e2461e21f4d2b12e8899
Malware Config

Extracted from: C:\RyukReadMe.txt
Family: ryuk
Wallet (Bitcoin address found in the note): 1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp
Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
Checks computer location settings  (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely as a geofence.
Process: b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation
Adds Run key to start application  (2 TTPs, 2 IoCs)
Persistence through an HKCU Run value: the sample launches cmd.exe, which launches reg.exe, to register its own copy in the user's Temp directory under the value name "svchos" (a svchost look-alike). Both helpers run from SysWOW64, so the sample is a 32-bit process, and the /reg:64 switch asks reg.exe to write the 64-bit registry view.
Process: reg.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe"
  Key created: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
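Because the whole persistence step above is a single REG ADD command line, it can be triaged mechanically. The following is an added example for this report, not code from the sandbox or the malware: it parses the REG ADD arguments and scores the entry on the three features visible here (a Run key, value data under a user-writable Temp path, and a value name within edit distance 2 of a Windows binary name). The command line is copied from the process tree; the list of imitated names, the path patterns and the scoring are assumptions of the example.

```python
"""Score a `REG ADD ... \\Run` command line for persistence red flags.

Added example for this sandbox report; not sandbox or malware code.
The command line is copied from the report's process tree. The list of
imitated Windows binary names and the user-writable path patterns are
assumptions of this example.
"""
import re

# Copied from the report (cmd.exe PID 2616 -> reg.exe PID 1476).
SAMPLE_CMDLINE = (
    r'REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
    r'/v "svchos" /t REG_SZ '
    r'/d "C:\Users\Admin\AppData\Local\Temp\b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe" '
    r'/f /reg:64'
)

# Assumed list of names that autostart entries commonly imitate.
SYSTEM_NAMES = ("svchost", "explorer", "winlogon", "csrss", "lsass", "services",
                "wininit", "taskhost", "taskhostw", "conhost", "runtimebroker", "spoolsv")

# Assumed set of locations any user can write to.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Windows\\Temp|Users\\Public|ProgramData)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)


def _arg(cmd, switch):
    """Return the argument after /<switch>, quoted or bare, or None if absent."""
    m = re.search(rf'/{switch}\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(value_name):
    """Return the Windows binary name the value name imitates, or None."""
    name = value_name.lower()
    if name.endswith(".exe"):
        name = name[:-4]
    best = None
    for sysname in SYSTEM_NAMES:
        d = levenshtein(name, sysname)
        if d <= 2 and (best is None or d < best[1]):
            best = (sysname, d)
    return None if best is None else best[0]


def analyze_reg_add(cmd):
    """Parse a REG ADD command line and return its fields plus red-flag score."""
    m = re.search(r'\bREG\s+ADD\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    if not m:
        raise ValueError("not a REG ADD command line")
    key = m.group(1) if m.group(1) is not None else m.group(2)
    value_name = _arg(cmd, "v") or "(default)"
    data = _arg(cmd, "d") or ""
    result = {
        "key": key,
        "value_name": value_name,
        "data": data,
        "is_run_key": bool(RUN_KEY.search(key)),
        "data_in_user_writable": bool(USER_WRITABLE.search(data)),
        "mimics": lookalike(value_name),
        "reg64": bool(re.search(r"/reg:64\b", cmd, re.I)),
    }
    flags = [k for k in ("is_run_key", "data_in_user_writable") if result[k]]
    if result["mimics"]:
        flags.append("mimics")
    result["score"] = len(flags)  # 3 for the report's command line
    return result


if __name__ == "__main__":
    for k, v in analyze_reg_add(SAMPLE_CMDLINE).items():
        print(f"{k:>22}: {v}")
```

The same function run on a benign entry (for example OneDrive registering itself from Program Files) yields a score of 1: it is a Run key, but the data path is not user-writable and the value name imitates nothing, which is the difference an analyst is looking for.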
Drops file in Program Files directory  (64 IoCs)
Process: b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe; every entry below is "File opened for modification". 13 of the 64 paths are the RyukReadMe.txt ransom note, written into the directories whose files were opened.
  C:\Program Files\7-Zip\Lang\ru.txt
  C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml
  C:\Program Files\Common Files\System\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jfxrt.jar
  C:\Program Files\7-Zip\Lang\el.txt
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\blacklisted.certs
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\CIEXYZ.pf
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\hijrah-config-umalqura.properties
  C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui
  C:\Program Files\Common Files\System\msadc\adcvbs.inc
  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_CN.jar
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\RyukReadMe.txt
  C:\Program Files\RyukReadMe.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\RyukReadMe.txt
  C:\Program Files\Internet Explorer\SIGNUP\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightRegular.ttf
  C:\Program Files\7-Zip\RyukReadMe.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\RyukReadMe.txt
  C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml
  C:\Program Files\Internet Explorer\images\RyukReadMe.txt
  C:\Program Files\ExitUninstall.3gp2
  C:\Program Files\GroupImport.3g2
  C:\Program Files\7-Zip\Lang\fi.txt
  C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.cpl
  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar
  C:\Program Files\Java\jdk1.8.0_66\db\bin\ij
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.password.template
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\meta-index
  C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml
  C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\RyukReadMe.txt
  C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui
  C:\Program Files\Java\jdk1.8.0_66\include\classfile_constants.h
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\plugin.jar
  C:\Program Files\7-Zip\Lang\id.txt
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\sound.properties
  C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui
  C:\Program Files\Common Files\System\ado\msado28.tlb
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansDemiBold.ttf
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.access
  C:\Program Files\7-Zip\Lang\vi.txt
  C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzdb.dat
  C:\Program Files\ExportRestore.wmf
  C:\Program Files\Common Files\microsoft shared\Triedit\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\bin\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunpkcs11.jar
  C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages.properties
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterBold.ttf
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkDrop32x32.gif
  C:\Program Files\Common Files\microsoft shared\ink\he-IL\RyukReadMe.txt
  C:\Program Files\7-Zip\Lang\nn.txt
  C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml
  C:\Program Files\Java\jdk1.8.0_66\db\bin\derby_common.bat
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\dnsns.jar
  C:\Program Files\7-Zip\Lang\an.txt
  C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml
  C:\Program Files\Common Files\Services\verisign.bmp
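The Malware Config section lists a wallet extracted from C:\RyukReadMe.txt, and the list above shows that same note dropped under 13 Program Files directories. Before such a wallet string is shared as an indicator it is worth confirming it is a well-formed address and not a transcription error. The routine below is an added example, not code from the sandbox or the malware: it pulls Base58 address-looking strings out of a note and verifies the Base58Check checksum (double SHA-256 over the version byte and hash160, first four bytes). The note body is a constructed stand-in carrying the report's address; the genesis-block address is included as a known-good control. bech32 (bc1...) addresses are out of scope.

```python
"""Extract Bitcoin legacy addresses from a ransom note and validate them.

Added example for this sandbox report; not sandbox or malware code.
NOTE_TEXT is a constructed stand-in for C:\\RyukReadMe.txt; only the
address in it comes from the report's Malware Config. Only Base58Check
addresses (prefix 1 or 3) are handled, not bech32 (bc1...).
"""
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# P2PKH ("1...") and P2SH ("3...") strings of plausible length.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# Constructed note body; the wallet line is the address the report extracted.
NOTE_TEXT = (
    "[constructed stand-in for the note body]\n"
    "BTC wallet: 1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp\n"
)
REPORT_WALLET = "1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp"
# Known-good control: the Bitcoin genesis-block coinbase address.
KNOWN_GOOD = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"


def b58decode(s):
    """Decode Base58 to bytes; each leading '1' becomes a leading 0x00 byte."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_base58check_address(addr):
    """True when addr decodes to version||hash160||checksum with a good checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # mainnet P2PKH / P2SH
        return False
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return expected == checksum


def extract_wallets(text):
    """Map each distinct address-looking token in text to its validity."""
    return {tok: is_valid_base58check_address(tok)
            for tok in dict.fromkeys(CANDIDATE.findall(text))}


if __name__ == "__main__":
    for addr, ok in extract_wallets(NOTE_TEXT).items():
        print(f"{addr}  checksum {'OK' if ok else 'BAD'}")
```

A string that fails the checksum should not be dropped silently: a ransom note with a deliberately broken address is itself worth noting, so keep the candidate and record the failed check alongside it.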
Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry  (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. Both IoCs here are attributed to MusNotifyIcon.exe (PID 3264), a Windows component that the sample wrote into (WriteProcessMemory, 3748 -> 3264), not to the sample process itself; the report does not distinguish MusNotifyIcon's own behaviour from code the sample placed there.
Process: MusNotifyIcon.exe
  Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Suspicious behavior: EnumeratesProcesses  (2 IoCs)
Process: b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe
  PID 3748
  PID 3748
Suspicious use of AdjustPrivilegeToken  (1 IoC)
The sample enables SeDebugPrivilege, which lets it open and write to processes it does not own (see the WriteProcessMemory entries).
Process: b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe
  Token: SeDebugPrivilege  (PID 3748)
Suspicious use of WriteProcessMemory  (18 IoCs)
Processes: b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe, cmd.exe
The three writes to cmd.exe (2616) and the three from cmd.exe to reg.exe (1476) are the parent writing into a child it has just created; the remaining twelve targets are unrelated running processes.
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 2616 (cmd.exe)
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 2616 (cmd.exe)
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 2616 (cmd.exe)
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 2228 (sihost.exe)
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 2244 (svchost.exe)
  PID 2616 (cmd.exe) wrote to memory of PID 1476 (reg.exe)
  PID 2616 (cmd.exe) wrote to memory of PID 1476 (reg.exe)
  PID 2616 (cmd.exe) wrote to memory of PID 1476 (reg.exe)
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 2296 (taskhostw.exe)
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 2528 (svchost.exe)
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 2744 (DllHost.exe)
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 2904 (StartMenuExperienceHost.exe)
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 2984 (RuntimeBroker.exe)
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 3064 (SearchApp.exe)
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 2628 (RuntimeBroker.exe)
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 3324 (RuntimeBroker.exe)
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 2572 (RuntimeBroker.exe)
  PID 3748 (b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe) wrote to memory of PID 3264 (MusNotifyIcon.exe)
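A parent writing into a child it has just created is part of ordinary process creation, so the raw count of 18 overstates the injection. The following added example (not sandbox or malware code) takes the 18 source/target pairs transcribed from the list above together with the parent/child relations from the process tree, separates writes into a process's own direct children from writes into unrelated running processes, and flags a source once it has written into three or more foreign targets. The threshold is an assumption of the example.

```python
"""Separate child-process setup from foreign-process writes.

Added example for this sandbox report; not sandbox or malware code.
WRITES and PARENT are transcribed from the report's WriteProcessMemory
list and process tree; MIN_FOREIGN is an assumed threshold.
"""
from collections import defaultdict

SAMPLE = "b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe"

# (source pid, source image, target pid, target image), in report order.
WRITES = [
    (3748, SAMPLE, 2616, "cmd.exe"),
    (3748, SAMPLE, 2616, "cmd.exe"),
    (3748, SAMPLE, 2616, "cmd.exe"),
    (3748, SAMPLE, 2228, "sihost.exe"),
    (3748, SAMPLE, 2244, "svchost.exe"),
    (2616, "cmd.exe", 1476, "reg.exe"),
    (2616, "cmd.exe", 1476, "reg.exe"),
    (2616, "cmd.exe", 1476, "reg.exe"),
    (3748, SAMPLE, 2296, "taskhostw.exe"),
    (3748, SAMPLE, 2528, "svchost.exe"),
    (3748, SAMPLE, 2744, "DllHost.exe"),
    (3748, SAMPLE, 2904, "StartMenuExperienceHost.exe"),
    (3748, SAMPLE, 2984, "RuntimeBroker.exe"),
    (3748, SAMPLE, 3064, "SearchApp.exe"),
    (3748, SAMPLE, 2628, "RuntimeBroker.exe"),
    (3748, SAMPLE, 3324, "RuntimeBroker.exe"),
    (3748, SAMPLE, 2572, "RuntimeBroker.exe"),
    (3748, SAMPLE, 3264, "MusNotifyIcon.exe"),
]

# child pid -> parent pid, from the report's process tree.
PARENT = {2616: 3748, 1476: 2616}

MIN_FOREIGN = 3  # assumed: distinct non-child targets before we call it injection


def summarize_writes(writes, parent):
    """Per source pid: its image, the child pids it wrote to, and the
    foreign (non-child) target pids mapped to their image names."""
    per_source = defaultdict(lambda: {"image": None, "children": set(), "foreign": {}})
    for src, src_img, dst, dst_img in writes:
        entry = per_source[src]
        entry["image"] = src_img
        if parent.get(dst) == src:       # direct child: process-creation write
            entry["children"].add(dst)
        else:                            # not our child: cross-process write
            entry["foreign"][dst] = dst_img
    return dict(per_source)


def flag_injectors(summary, min_foreign=MIN_FOREIGN):
    """Return source pids whose distinct foreign targets meet the threshold."""
    return sorted(pid for pid, e in summary.items() if len(e["foreign"]) >= min_foreign)


if __name__ == "__main__":
    summary = summarize_writes(WRITES, PARENT)
    for pid, e in sorted(summary.items()):
        print(f"PID {pid} ({e['image']}): children={sorted(e['children'])} "
              f"foreign={len(e['foreign'])} -> {sorted(set(e['foreign'].values()))}")
    print("flagged:", flag_injectors(summary))
```

On the report's data only PID 3748 is flagged: twelve distinct foreign targets across eight different Windows images, while cmd.exe (2616) wrote only to its own child reg.exe.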
Processes
Image path (PID), then the command line; indentation shows parent/child nesting, and the signatures hit by each process are listed under it.

C:\Windows\system32\taskhostw.exe  (PID 2296)
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\System32\RuntimeBroker.exe  (PID 2984)
    C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  (PID 3064)
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe  (PID 2572)
    C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe  (PID 3324)
    C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe  (PID 2628)
    C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  (PID 2904)
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe  (PID 2744)
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe  (PID 2528)
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\svchost.exe  (PID 2244)
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\sihost.exe  (PID 2228)
    sihost.exe

C:\Users\Admin\AppData\Local\Temp\b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe  (PID 3748)
    "C:\Users\Admin\AppData\Local\Temp\b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe"
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2616, child of 3748)
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe" /f /reg:64
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe  (PID 1476, child of 2616)
            REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b8857e26d83b061ade0ade27558c4c6a83e80a6a85142d7c016e01a597852720.exe" /f /reg:64
            - Adds Run key to start application

C:\Windows\system32\MusNotifyIcon.exe  (PID 3264)
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    - Checks processor information in registry

C:\Windows\System32\svchost.exe  (PID 4336)
    C:\Windows\System32\svchost.exe -k NetworkService -p