Analysis Overview
SHA256
aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c
Threat Level: Known bad
The file aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c was found to be: Known bad.
Malicious Activity Summary
Ryuk
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 03:18
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 03:18
Reported
2022-02-20 03:31
Platform
win7-en-20211208
Max time kernel
167s
Max time network
146s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gimaDgm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\gimaDgm.exe |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gimaDgm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
"C:\Users\Admin\AppData\Local\Temp\aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe"
C:\Users\Admin\AppData\Local\Temp\gimaDgm.exe
"C:\Users\Admin\AppData\Local\Temp\gimaDgm.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 17052
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:7 | | udp |
| NL | 154.61.71.13:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
Files
memory/1404-55-0x0000000075F81000-0x0000000075F83000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gimaDgm.exe
| MD5 | 856961d44f9e6775ad573cf58c438a2a |
| SHA1 | 818bbf02fd1bd0eda9ee62c73b63266bf859e699 |
| SHA256 | aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c |
| SHA512 | d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e |
\Users\Admin\AppData\Local\Temp\gimaDgm.exe
| MD5 | 856961d44f9e6775ad573cf58c438a2a |
| SHA1 | 818bbf02fd1bd0eda9ee62c73b63266bf859e699 |
| SHA256 | aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c |
| SHA512 | d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e |
\Users\Admin\AppData\Local\Temp\gimaDgm.exe
| MD5 | 856961d44f9e6775ad573cf58c438a2a |
| SHA1 | 818bbf02fd1bd0eda9ee62c73b63266bf859e699 |
| SHA256 | aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c |
| SHA512 | d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
| MD5 | eeae33f6319833acff6ed78524dc44b8 |
| SHA1 | 1471f98e6d9081874d5a6da23060dceadcfbe5b9 |
| SHA256 | f4e7d2847e6f43ad0039338ec59480ed2e949706bc8141e26c9a3a2b5eb7ead1 |
| SHA512 | 8f1da0d82c255239e85e8173603a9c7e2089bee3533bf49dfa22748f5528737d1745b7d80e07b77edf322a3e3253599bf42cf11b8dbd8524b8fe7ce9f6671add |
\Users\Admin\AppData\Local\Temp\gimaDgm.exe
| MD5 | 856961d44f9e6775ad573cf58c438a2a |
| SHA1 | 818bbf02fd1bd0eda9ee62c73b63266bf859e699 |
| SHA256 | aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c |
| SHA512 | d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e |
\Users\Admin\AppData\Local\Temp\gimaDgm.exe
| MD5 | 856961d44f9e6775ad573cf58c438a2a |
| SHA1 | 818bbf02fd1bd0eda9ee62c73b63266bf859e699 |
| SHA256 | aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c |
| SHA512 | d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e |
\Users\Admin\AppData\Local\Temp\gimaDgm.exe
| MD5 | 856961d44f9e6775ad573cf58c438a2a |
| SHA1 | 818bbf02fd1bd0eda9ee62c73b63266bf859e699 |
| SHA256 | aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c |
| SHA512 | d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e |
C:\Users\Admin\AppData\Local\Temp\gimaDgm.exe
| MD5 | 856961d44f9e6775ad573cf58c438a2a |
| SHA1 | 818bbf02fd1bd0eda9ee62c73b63266bf859e699 |
| SHA256 | aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c |
| SHA512 | d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e |
\Users\Admin\AppData\Local\Temp\gimaDgm.exe
| MD5 | 856961d44f9e6775ad573cf58c438a2a |
| SHA1 | 818bbf02fd1bd0eda9ee62c73b63266bf859e699 |
| SHA256 | aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c |
| SHA512 | d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e |
C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2329389628-4064185017-3901522362-1000\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a
| MD5 | 1acc3c1ef21d045cd29a81a1ae83ae80 |
| SHA1 | fbbfd9b338875e79522f139cfac1ef696a50527b |
| SHA256 | de569f619870bb738523da38b9526bf6760b479a8d50f9cc2a78eed10493a758 |
| SHA512 | e1a98d2ab5cf95420fa7f6f96e39aade374f87d455530468286baf9ad78f40e8aa9f18c1e4d7710c37bc2dba6e73a6a89c31ab2a8134e663ec07adff41363dbf |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 03:18
Reported
2022-02-20 03:32
Platform
win10v2004-en-20220113
Max time kernel
227s
Max time network
242s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UyLcPnD.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UyLcPnD.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\UyLcPnD.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe
"C:\Users\Admin\AppData\Local\Temp\aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c.exe"
C:\Users\Admin\AppData\Local\Temp\UyLcPnD.exe
"C:\Users\Admin\AppData\Local\Temp\UyLcPnD.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 72.21.91.29:80 | crl4.digicert.com | tcp |
| N/A | 10.127.0.1:7 | | udp |
| NL | 154.61.71.51:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.251:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
| N/A | 10.127.0.1:445 | | tcp |
| N/A | 10.127.0.1:139 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\UyLcPnD.exe
| MD5 | 856961d44f9e6775ad573cf58c438a2a |
| SHA1 | 818bbf02fd1bd0eda9ee62c73b63266bf859e699 |
| SHA256 | aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c |
| SHA512 | d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e |
C:\Users\Admin\AppData\Local\Temp\UyLcPnD.exe
| MD5 | 856961d44f9e6775ad573cf58c438a2a |
| SHA1 | 818bbf02fd1bd0eda9ee62c73b63266bf859e699 |
| SHA256 | aebfcf161ae2086459aa9ca99cbab2c2118a6d617fe645d65c148c5d3436de5c |
| SHA512 | d6bfb664f6a1496df539c86a9b2b2b1bf3d43e252109af2f3e9dc40b566804e0b6d8ef051f953ea998391664ce8db8ea2dc5b2b4199493082e473c9b196ebc0e |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |