Analysis Overview
SHA256
9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f
Threat Level: Known bad
The file 9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f was found to be: Known bad.
Malicious Activity Summary
Ryuk
Deletes shadow copies
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Drops file in Windows directory
Enumerates physical storage devices
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 04:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 04:10
Reported
2022-02-20 04:23
Platform
win7-en-20211208
Max time kernel
164s
Max time network
145s
Command Line
Signatures
Ryuk
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FqjkICAzVlan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RQMmrniXMlan.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FqjkICAzVlan.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RQMmrniXMlan.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f.exe
"C:\Users\Admin\AppData\Local\Temp\9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f.exe"
C:\Users\Admin\AppData\Local\Temp\FqjkICAzVlan.exe
"C:\Users\Admin\AppData\Local\Temp\FqjkICAzVlan.exe" 8 LAN
C:\Users\Admin\AppData\Local\Temp\RQMmrniXMlan.exe
"C:\Users\Admin\AppData\Local\Temp\RQMmrniXMlan.exe" 8 LAN
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "WMIC.exe shadowcopy delete"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "bootstatuspolicy ignoreallfailures"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Qþ
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Qþ
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delete
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:7 | | udp |
| N/A | 10.127.0.1:7 | | udp |
| NL | 154.61.71.51:7 | | udp |
| NL | 154.61.71.51:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.22:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 224.0.0.252:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
| N/A | 239.255.255.250:7 | | udp |
Files
memory/1588-54-0x0000000076421000-0x0000000076423000-memory.dmp
\Users\Admin\AppData\Local\Temp\FqjkICAzVlan.exe
| MD5 | 990b689516914e33319296bf038b8d45 |
| SHA1 | c0de363450821deb850bed1a2b6880d84bd9ec3b |
| SHA256 | 9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f |
| SHA512 | e0d42a48a286aa21415e3d5b1e6a4ce0f2947eb0b1de6b73fd13fbd450e141975d05e00a4c332349039f41fb2d71807d9242118b6c0c69392ff9bd0aa062085d |
C:\Users\Admin\AppData\Local\Temp\FqjkICAzVlan.exe
| MD5 | 990b689516914e33319296bf038b8d45 |
| SHA1 | c0de363450821deb850bed1a2b6880d84bd9ec3b |
| SHA256 | 9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f |
| SHA512 | e0d42a48a286aa21415e3d5b1e6a4ce0f2947eb0b1de6b73fd13fbd450e141975d05e00a4c332349039f41fb2d71807d9242118b6c0c69392ff9bd0aa062085d |
\Users\Admin\AppData\Local\Temp\RQMmrniXMlan.exe
| MD5 | 990b689516914e33319296bf038b8d45 |
| SHA1 | c0de363450821deb850bed1a2b6880d84bd9ec3b |
| SHA256 | 9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f |
| SHA512 | e0d42a48a286aa21415e3d5b1e6a4ce0f2947eb0b1de6b73fd13fbd450e141975d05e00a4c332349039f41fb2d71807d9242118b6c0c69392ff9bd0aa062085d |
C:\Users\Admin\AppData\Local\Temp\RQMmrniXMlan.exe
| MD5 | 990b689516914e33319296bf038b8d45 |
| SHA1 | c0de363450821deb850bed1a2b6880d84bd9ec3b |
| SHA256 | 9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f |
| SHA512 | e0d42a48a286aa21415e3d5b1e6a4ce0f2947eb0b1de6b73fd13fbd450e141975d05e00a4c332349039f41fb2d71807d9242118b6c0c69392ff9bd0aa062085d |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\users\Public\RyukReadMe.html
| MD5 | 69b7f67a74c65540b1e18bd12e33e4f9 |
| SHA1 | 80da102b7ca8028707850345a4b3cde7ae591106 |
| SHA256 | a299fc7655cbe7ec4ba52f95466d657734111373c19bd4ae24ae3291bfd75770 |
| SHA512 | 4bfd2ca30e0494494fed40dde104b7c57fcb7592051a04a9049cdf807ad2530104469119bee7ed66ec793af59f7a5c359c786d55467be0488fd7cb4c1e20c4ea |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 04:10
Reported
2022-02-20 04:23
Platform
win10v2004-en-20220113
Max time kernel
175s
Max time network
181s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f.exe
"C:\Users\Admin\AppData\Local\Temp\9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
Network
Files
memory/3828-134-0x00000288DF380000-0x00000288DF390000-memory.dmp
memory/3828-133-0x00000288DF320000-0x00000288DF330000-memory.dmp
memory/3828-135-0x00000288E1A30000-0x00000288E1A34000-memory.dmp