Analysis
- max time kernel: 169s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 20-02-2022 03:54
Static task: static1

Behavioral task: behavioral1
- Sample: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
- Resource: win10v2004-en-20220113
General
- Target: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
- Size: 171KB
- MD5: 567407d941d99abeff20a1b836570d30
- SHA1: e8866fda01f91c6d4bf8c51cf4cbc7f103e87b0b
- SHA256: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510
- SHA512: 514cc28f8da0e8bf054bf0a0963c4253a16df1d5cb8e87dd09294ab97d8e1b5b5fc18c54920a3829d40b0bdda5837567a73b39b4d1839ab919d672ceaf32989b
Malware Config
Extracted
- Path: C:\RyukReadMe.txt
- Family: ryuk
- Wallet: 15FC73BdkpDMUWmxo7e7gtLRtM8gQgXyb4
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe" | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
- Drops file in Program Files directory (64 IoCs)
  Process: taskhost.exe
  description | ioc | process
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Process: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
  pid | process
  1624 | a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Process: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
  description | pid | process
  Token: SeDebugPrivilege | 1624 | a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe, cmd.exe
  description | pid | process | target process
  PID 1624 wrote to memory of 1616 | 1624 | a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe | cmd.exe
  PID 1624 wrote to memory of 1616 | 1624 | a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe | cmd.exe
  PID 1624 wrote to memory of 1616 | 1624 | a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe | cmd.exe
  PID 1624 wrote to memory of 1124 | 1624 | a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe | taskhost.exe
  PID 1624 wrote to memory of 1212 | 1624 | a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe | Dwm.exe
  PID 1624 wrote to memory of 1616 | 1624 | a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe | cmd.exe
  PID 1616 wrote to memory of 1104 | 1616 | cmd.exe | reg.exe
  PID 1616 wrote to memory of 1104 | 1616 | cmd.exe | reg.exe
  PID 1616 wrote to memory of 1104 | 1616 | cmd.exe | reg.exe
Processes (tree; indentation shows parent/child depth)
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  - Drops file in Program Files directory
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Users\Admin\AppData\Local\Temp\a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\a0dccbe010859116063fc3f7e00c8c7bd68b849eeb7238a10b1b9f07f5c36510.exe" /f
      - Adds Run key to start application