Analysis
- max time kernel: 193s
- max time network: 210s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 20-02-2022 02:51
Static task: static1
Behavioral task: behavioral1
- Sample: b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
- Resource: win10v2004-en-20220113
General
- Target: b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
- Size: 168KB
- MD5: 26ffd8020e1ce334c259ff92457c8d66
- SHA1: c62df79f5e481720ecd3d835d476f246759e6149
- SHA256: b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32
- SHA512: 9731d30073c293f20d50f9202c1b5266bbd13f6a2c77794b0e5fbb3765a01bd807a327063edf36533c880b0da4d57e4b8d99518e34f559453f83889ec21f6de5
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
- Family: ryuk
Signatures
(In the tables below, "sample" stands for b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe.)

- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: sample

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | sample |

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: sample

| pid | process | entries |
|---|---|---|
| 4904 | sample | 6 (all identical) |

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: sample

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 4904 | sample |
| Token: SeBackupPrivilege | 4904 | sample |

- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes: sample, net.exe (x4)
  Repeated identical rows are collapsed into the "writes" column; the counts sum to 36.

| description | pid | process | target process | writes |
|---|---|---|---|---|
| PID 4904 wrote to memory of 2336 | 4904 | sample | svchost.exe | 1 |
| PID 4904 wrote to memory of 2344 | 4904 | sample | sihost.exe | 1 |
| PID 4904 wrote to memory of 2432 | 4904 | sample | taskhostw.exe | 1 |
| PID 4904 wrote to memory of 2972 | 4904 | sample | svchost.exe | 1 |
| PID 4904 wrote to memory of 3260 | 4904 | sample | DllHost.exe | 1 |
| PID 4904 wrote to memory of 3348 | 4904 | sample | StartMenuExperienceHost.exe | 1 |
| PID 4904 wrote to memory of 3424 | 4904 | sample | RuntimeBroker.exe | 1 |
| PID 4904 wrote to memory of 3508 | 4904 | sample | SearchApp.exe | 1 |
| PID 4904 wrote to memory of 3708 | 4904 | sample | RuntimeBroker.exe | 1 |
| PID 4904 wrote to memory of 3660 | 4904 | sample | RuntimeBroker.exe | 1 |
| PID 4904 wrote to memory of 1324 | 4904 | sample | backgroundTaskHost.exe | 1 |
| PID 4904 wrote to memory of 392 | 4904 | sample | RuntimeBroker.exe | 1 |
| PID 4904 wrote to memory of 2784 | 4904 | sample | net.exe | 3 |
| PID 4904 wrote to memory of 1272 | 4904 | sample | net.exe | 3 |
| PID 4904 wrote to memory of 4752 | 4904 | sample | net.exe | 3 |
| PID 4904 wrote to memory of 4452 | 4904 | sample | net.exe | 3 |
| PID 2784 wrote to memory of 3916 | 2784 | net.exe | net1.exe | 3 |
| PID 1272 wrote to memory of 2412 | 1272 | net.exe | net1.exe | 3 |
| PID 4452 wrote to memory of 1704 | 4452 | net.exe | net1.exe | 3 |
| PID 4752 wrote to memory of 860 | 4752 | net.exe | net1.exe | 3 |
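The signatures above can be re-derived from raw process, registry and token events. The following is an added example, not part of the sandbox report or its tooling: it walks a list of event records constructed from this report's tables and returns the geofence lookup, the sensitive privileges enabled, and the services stopped, attributing each `net stop` to the process that actually issued it. Two details matter in practice. First, net.exe hands the work to net1.exe, so every stop command appears twice per service and has to be deduplicated through the parent chain. Second, the image paths in this report sit under SysWOW64 while the command lines say System32: the 32-bit sample is subject to WOW64 file-system redirection, so matching must be on the image basename rather than the full path. The pairing of each net.exe PID with a particular command line, and the sample's own parent PID, are assumptions the report does not supply.

```python
"""Re-derive this report's behavioural signatures from event records.

Added example, not part of the sandbox report.  EVENTS is constructed from
the report's tables; which net.exe PID ran which command line is assumed
(the report does not pair them), and the sample's parent PID is a placeholder.
"""
import os
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe")
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"
NET_IMAGES = {"net.exe", "net1.exe"}          # net.exe forwards the real work to net1.exe
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege"}
# 'stop <svc>' with an optionally quoted service name; /y suppresses prompts.
STOP_RE = re.compile(r'\bstop\s+"?([^"\s]+)"?', re.IGNORECASE)


def proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


EVENTS = [
    proc(4904, 1000, SAMPLE, '"' + SAMPLE + '"'),        # ppid 1000 is a placeholder
    {"type": "registry_query", "pid": 4904,
     "key": r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "token", "pid": 4904, "privilege": "SeDebugPrivilege"},
    {"type": "token", "pid": 4904, "privilege": "SeBackupPrivilege"},
    # Image under SysWOW64, command line says System32: WOW64 redirection of a 32-bit parent.
    proc(2784, 4904, r"C:\Windows\SysWOW64\net.exe",
         r'"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y'),
    proc(3916, 2784, r"C:\Windows\SysWOW64\net1.exe",
         r'C:\Windows\system32\net1 stop "audioendpointbuilder" /y'),
    proc(1272, 4904, r"C:\Windows\SysWOW64\net.exe",
         r'"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y'),
    proc(2412, 1272, r"C:\Windows\SysWOW64\net1.exe",
         r'C:\Windows\system32\net1 stop "audioendpointbuilder" /y'),
    proc(4752, 4904, r"C:\Windows\SysWOW64\net.exe",
         r'"C:\Windows\System32\net.exe" stop "samss" /y'),
    proc(860, 4752, r"C:\Windows\SysWOW64\net1.exe",
         r'C:\Windows\system32\net1 stop "samss" /y'),
    proc(4452, 4904, r"C:\Windows\SysWOW64\net.exe",
         r'"C:\Windows\System32\net.exe" stop "samss" /y'),
    proc(1704, 4452, r"C:\Windows\SysWOW64\net1.exe",
         r'C:\Windows\system32\net1 stop "samss" /y'),
]


def basename(path):
    """Case-folded file name; directory ignored so SysWOW64/System32 compare equal."""
    return os.path.basename(path.replace("\\", "/")).lower()


def analyze(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def originator(pid):
        # Walk up past net.exe/net1.exe to the process that decided to stop the service.
        while pid in procs and basename(procs[pid]["image"]) in NET_IMAGES:
            pid = procs[pid]["ppid"]
        return pid

    geofence, privileges, stops, stop_commands = [], defaultdict(list), defaultdict(set), 0
    for e in events:
        if e["type"] == "registry_query" and e["key"].lower().endswith(GEO_KEY_SUFFIX):
            geofence.append(e["pid"])
        elif e["type"] == "token" and e["privilege"] in SENSITIVE_PRIVS:
            privileges[e["pid"]].append(e["privilege"])
        elif e["type"] == "process" and basename(e["image"]) in NET_IMAGES:
            m = STOP_RE.search(e["cmdline"])
            if not m:
                continue
            if basename(e["image"]) == "net.exe":   # count net1.exe too and every stop doubles
                stop_commands += 1
            stops[originator(e["pid"])].add(m.group(1).lower())
    return {"geofence_check": geofence,
            "privileges": dict(privileges),
            "service_stops": {p: sorted(s) for p, s in stops.items()},
            "stop_commands": stop_commands}


if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(key, value)
```

Run against the constructed events, the four net.exe launches collapse to one originator (PID 4904) stopping two distinct services, `samss` and `audioendpointbuilder`, alongside the geofence lookup and the two privileges; a rule that only counted command lines would report eight stops from five different processes.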
Processes
(Each entry gives the image path and, below it, the command line; nesting shows parent/child.)

- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Users\Admin\AppData\Local\Temp\b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe
  "C:\Users\Admin\AppData\Local\Temp\b7dbb846d30fbd8d2d35171ae1e5df9eb7c8b5ad53e6cfaf4f6b5c08e3d5cc32.exe"
  Checks computer location settings
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
  - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\sihost.exe
  sihost.exe
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
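Read against this process tree, the 36 WriteProcessMemory events fall into two groups: three writes into each net.exe and net1.exe child at the point its parent created it, and a single write into each of twelve processes the sample did not start (svchost.exe, sihost.exe, taskhostw.exe, DllHost.exe, StartMenuExperienceHost.exe, RuntimeBroker.exe, SearchApp.exe, backgroundTaskHost.exe, all of which sit at the top level of the tree rather than under the sample). The added example below, which is not code from the report or the sandbox, makes that split explicit and flags any writer that touches several processes outside its own subtree, which is the pattern worth alerting on. The write records are transcribed from the WriteProcessMemory table; the parent links are taken from the process tree, with each net.exe paired to the single net1.exe it wrote into.

```python
"""Split this report's WriteProcessMemory events into writes to a writer's own
children and writes into unrelated, pre-existing processes.

Added example, not part of the sandbox report.  WRITES and PARENT are
transcribed from the report's WriteProcessMemory table and process tree; the
net.exe -> net1.exe pairing follows the write table.
"""
from collections import Counter, defaultdict

# Parent links recoverable from the tree: the sample (4904) spawned four net.exe,
# each of which spawned one net1.exe.
PARENT = {2784: 4904, 1272: 4904, 4752: 4904, 4452: 4904,
          3916: 2784, 2412: 1272, 1704: 4452, 860: 4752}

# (writer pid, target pid, target image, number of write events)
WRITES = [
    (4904, 2336, "svchost.exe", 1), (4904, 2344, "sihost.exe", 1),
    (4904, 2432, "taskhostw.exe", 1), (4904, 2972, "svchost.exe", 1),
    (4904, 3260, "DllHost.exe", 1), (4904, 3348, "StartMenuExperienceHost.exe", 1),
    (4904, 3424, "RuntimeBroker.exe", 1), (4904, 3508, "SearchApp.exe", 1),
    (4904, 3708, "RuntimeBroker.exe", 1), (4904, 3660, "RuntimeBroker.exe", 1),
    (4904, 1324, "backgroundTaskHost.exe", 1), (4904, 392, "RuntimeBroker.exe", 1),
    (4904, 2784, "net.exe", 3), (4904, 1272, "net.exe", 3),
    (4904, 4752, "net.exe", 3), (4904, 4452, "net.exe", 3),
    (2784, 3916, "net1.exe", 3), (1272, 2412, "net1.exe", 3),
    (4452, 1704, "net1.exe", 3), (4752, 860, "net1.exe", 3),
]


def total_events(writes):
    return sum(n for *_, n in writes)


def classify(writes, parent):
    """Per writer: targets it created itself versus targets it merely opened."""
    def fresh():
        return {"child_targets": set(), "foreign_targets": set(),
                "child_events": 0, "foreign_events": 0}
    result = defaultdict(fresh)
    for writer, target, image, n in writes:
        r = result[writer]
        if parent.get(target) == writer:          # writer is the target's parent
            r["child_targets"].add(target)
            r["child_events"] += n
        else:                                     # target existed before the writer touched it
            r["foreign_targets"].add((target, image))
            r["foreign_events"] += n
    return dict(result)


def foreign_image_counts(writes, parent, writer):
    """How many distinct non-child processes of each image name a writer hit."""
    return Counter(image for _, image in classify(writes, parent)[writer]["foreign_targets"])


def injection_suspects(writes, parent, min_foreign=3):
    """Writers that wrote into at least min_foreign processes they did not create."""
    return sorted(pid for pid, r in classify(writes, parent).items()
                  if len(r["foreign_targets"]) >= min_foreign)


if __name__ == "__main__":
    for pid, r in classify(WRITES, PARENT).items():
        print(pid, "children:", sorted(r["child_targets"]),
              "foreign:", len(r["foreign_targets"]), "events:", r["foreign_events"])
    print("suspects:", injection_suspects(WRITES, PARENT))
    print("foreign images for 4904:", foreign_image_counts(WRITES, PARENT, 4904))
```

The four net.exe processes each show three writes into one child and none elsewhere, so they drop out; only PID 4904 remains, with twelve foreign targets (four RuntimeBroker.exe instances among them). Without the parent check, net.exe would look like an injector too, since the sandbox records its own child setup under the same signature.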