Analysis
- max time kernel: 200s
- max time network: 210s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 20-02-2022 04:16

Static task: static1
Behavioral task: behavioral1
- Sample: 97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe
- Resource: win10v2004-en-20220112
General
- Target: 97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe
- Size: 384KB
- MD5: 002e3ea0f8a404171a0995a8cbce2588
- SHA1: fbf489d4114a585fcb4af427f8c44cb661de0f74
- SHA256: 97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5
- SHA512: dc8551f5c4ca02b156012852d578ffc73c2f66aab329cd5ab4c8857f666d00092b37d29bcc2c83555c97c56dea25d46b4546a91afba9e54e3446badcc8d3a9ea
Malware Config
Extracted
- Path: C:\RyukReadMe.txt
- Family: ryuk
- Wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
  Processes:
    description              pid   process       target process
    PID 3716 created 2652    3716  WerFault.exe  DllHost.exe
    PID 2908 created 2828    2908  WerFault.exe  StartMenuExperienceHost.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    3684  uDqLV.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                process
    Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  uDqLV.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                                                   process
    Key created      \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                             reg.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\uDqLV.exe"  reg.exe
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (3 IoCs)
  Processes:
    pid   pid_target  process       target process
    1008  2652        WerFault.exe  DllHost.exe
    3112  2652        WerFault.exe  DllHost.exe
    2464  2828        WerFault.exe  StartMenuExperienceHost.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid   process
    3684  uDqLV.exe
    3684  uDqLV.exe
    2464  WerFault.exe
    2464  WerFault.exe
    1008  WerFault.exe
    1008  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3684  uDqLV.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
    pid   process
    3000  RuntimeBroker.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes:
    description                        pid   process                                                                 target process
    PID 2232 wrote to memory of 3684   2232  97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe  uDqLV.exe
    PID 2232 wrote to memory of 3684   2232  97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe  uDqLV.exe
    PID 3684 wrote to memory of 1020   3684  uDqLV.exe                                                               cmd.exe
    PID 3684 wrote to memory of 1020   3684  uDqLV.exe                                                               cmd.exe
    PID 3684 wrote to memory of 2140   3684  uDqLV.exe                                                               sihost.exe
    PID 3684 wrote to memory of 2160   3684  uDqLV.exe                                                               svchost.exe
    PID 3684 wrote to memory of 2208   3684  uDqLV.exe                                                               taskhostw.exe
    PID 3684 wrote to memory of 2456   3684  uDqLV.exe                                                               svchost.exe
    PID 3684 wrote to memory of 2652   3684  uDqLV.exe                                                               DllHost.exe
    PID 1020 wrote to memory of 2608   1020  cmd.exe                                                                 reg.exe
    PID 1020 wrote to memory of 2608   1020  cmd.exe                                                                 reg.exe
    PID 3684 wrote to memory of 2828   3684  uDqLV.exe                                                               StartMenuExperienceHost.exe
    PID 3684 wrote to memory of 3000   3684  uDqLV.exe                                                               RuntimeBroker.exe
    PID 3684 wrote to memory of 2204   3684  uDqLV.exe                                                               SearchApp.exe
    PID 3684 wrote to memory of 3208   3684  uDqLV.exe                                                               RuntimeBroker.exe
    PID 3684 wrote to memory of 3616   3684  uDqLV.exe                                                               RuntimeBroker.exe
    PID 3684 wrote to memory of 3676   3684  uDqLV.exe                                                               RuntimeBroker.exe
    PID 2652 wrote to memory of 1008   2652  DllHost.exe                                                             WerFault.exe
    PID 2652 wrote to memory of 1008   2652  DllHost.exe                                                             WerFault.exe
    PID 2908 wrote to memory of 2828   2908  WerFault.exe                                                            StartMenuExperienceHost.exe
    PID 2908 wrote to memory of 2828   2908  WerFault.exe                                                            StartMenuExperienceHost.exe
    PID 3716 wrote to memory of 2652   3716  WerFault.exe                                                            DllHost.exe
    PID 3716 wrote to memory of 2652   3716  WerFault.exe                                                            DllHost.exe
Processes
(process tree; nested entries are children of the entry above them)
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Signatures: Suspicious use of UnmapMainImage
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2828 -s 3220
    Signatures: Program crash; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2652 -s 388
    Signatures: Program crash; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2652 -s 388
    Signatures: Program crash
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  Signatures: Drops file in Program Files directory
- C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\users\Public\uDqLV.exe
    Command line: "C:\users\Public\uDqLV.exe" C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\uDqLV.exe" /f
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\reg.exe
        Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\uDqLV.exe" /f
        Signatures: Adds Run key to start application
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 416 -p 2652 -ip 2652
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 452 -p 2828 -ip 2828
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\uDqLV.exe (also listed as C:\users\Public\uDqLV.exe, same hashes)
  MD5: 31bd0f224e7e74eee2847f43aae23974
  SHA1: 92e331e1e8ad30538f38dd7ba31386afafa14a58
  SHA256: 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
  SHA512: a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249
- memory/2140-132-0x00007FF6EF480000-0x00007FF6EF80E000-memory.dmp
  Filesize: 3.6MB
- memory/2160-133-0x00007FF6EF480000-0x00007FF6EF80E000-memory.dmp
  Filesize: 3.6MB