Malware Analysis Report

2024-10-23 18:37

Sample ID 220220-ev2mgshfdk
Target 97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5
SHA256 97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5
Tags
ryuk persistence ransomware
score
10/10


Analysis Overview

score
10/10

SHA256

97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5

Threat Level: Known bad

The file 97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5 was found to be: Known bad.

Malicious Activity Summary

ryuk persistence ransomware

Ryuk

Suspicious use of NtCreateProcessExOtherParentProcess

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 04:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 04:16

Reported

2022-02-20 04:56

Platform

win7-en-20211208

Max time kernel

174s

Max time network

33s

Command Line

"taskhost.exe"

Signatures

Ryuk

ransomware ryuk

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\users\Public\vZcBC.exe | N/A |

Deletes itself

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\users\Public\vZcBC.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\vZcBC.exe" | C:\Windows\system32\reg.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Metlakatla | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG.wmv | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\jawt.h | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\es-ES\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\ParentMenuButtonIconSubpict.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\CIEXYZ.pf | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boise | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VGX\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyDrop32x32.gif | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Amman | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cambridge_Bay | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\rtstreamsource.ax | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png | C:\Windows\system32\taskhost.exe | N/A |

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\users\Public\vZcBC.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\users\Public\vZcBC.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1628 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe | C:\users\Public\vZcBC.exe |
| PID 1628 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe | C:\users\Public\vZcBC.exe |
| PID 1628 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe | C:\users\Public\vZcBC.exe |
| PID 1628 wrote to memory of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe | C:\users\Public\vZcBC.exe |
| PID 1704 wrote to memory of 740 | N/A | C:\users\Public\vZcBC.exe | C:\Windows\System32\cmd.exe |
| PID 1704 wrote to memory of 740 | N/A | C:\users\Public\vZcBC.exe | C:\Windows\System32\cmd.exe |
| PID 1704 wrote to memory of 740 | N/A | C:\users\Public\vZcBC.exe | C:\Windows\System32\cmd.exe |
| PID 1704 wrote to memory of 1124 | N/A | C:\users\Public\vZcBC.exe | C:\Windows\system32\taskhost.exe |
| PID 1704 wrote to memory of 1224 | N/A | C:\users\Public\vZcBC.exe | C:\Windows\system32\Dwm.exe |
| PID 1704 wrote to memory of 740 | N/A | C:\users\Public\vZcBC.exe | C:\Windows\System32\cmd.exe |
| PID 740 wrote to memory of 1868 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 740 wrote to memory of 1868 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 740 wrote to memory of 1868 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe |

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe

"C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe"

C:\users\Public\vZcBC.exe

"C:\users\Public\vZcBC.exe" C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\vZcBC.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\vZcBC.exe" /f

Network

N/A

Files

memory/1628-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

\Users\Public\vZcBC.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

C:\Users\Public\vZcBC.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

memory/1704-58-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp

memory/1124-59-0x000000013F970000-0x000000013FCFE000-memory.dmp

memory/1124-60-0x000000013F970000-0x000000013FCFE000-memory.dmp

memory/1224-63-0x000000013F970000-0x000000013FCFE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 04:16

Reported

2022-02-20 04:57

Platform

win10v2004-en-20220112

Max time kernel

200s

Max time network

210s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Ryuk

ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3716 created 2652 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| PID 2908 created 2828 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\users\Public\uDqLV.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\users\Public\uDqLV.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\uDqLV.exe" | C:\Windows\system32\reg.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\de-DE\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterRegular.ttf | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_es.properties | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\US_export_policy.jar | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\jvmticmlr.h | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\jni.h | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.access | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip.chm | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_es.jar | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfont.properties.ja | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\it-IT\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\resources.jar | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\fr-FR\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbytools.jar | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\LICENSE | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl.bat | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\meta-index | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\README.TXT | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ko_KR.jar | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\it-IT\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\ij | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\cursors.properties | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib | C:\Windows\system32\sihost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\RyukReadMe.txt | C:\Windows\system32\sihost.exe | N/A |

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\users\Public\uDqLV.exe | N/A |
| N/A | N/A | C:\users\Public\uDqLV.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\users\Public\uDqLV.exe | N/A |

Suspicious use of UnmapMainImage

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2232 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe | C:\users\Public\uDqLV.exe |
| PID 2232 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe | C:\users\Public\uDqLV.exe |
| PID 3684 wrote to memory of 1020 | N/A | C:\users\Public\uDqLV.exe | C:\Windows\System32\cmd.exe |
| PID 3684 wrote to memory of 1020 | N/A | C:\users\Public\uDqLV.exe | C:\Windows\System32\cmd.exe |
| PID 3684 wrote to memory of 2140 | N/A | C:\users\Public\uDqLV.exe | C:\Windows\system32\sihost.exe |
| PID 3684 wrote to memory of 2160 | N/A | C:\users\Public\uDqLV.exe | C:\Windows\system32\svchost.exe |
| PID 3684 wrote to memory of 2208 | N/A | C:\users\Public\uDqLV.exe | C:\Windows\system32\taskhostw.exe |
| PID 3684 wrote to memory of 2456 | N/A | C:\users\Public\uDqLV.exe | C:\Windows\system32\svchost.exe |
| PID 3684 wrote to memory of 2652 | N/A | C:\users\Public\uDqLV.exe | C:\Windows\system32\DllHost.exe |
| PID 1020 wrote to memory of 2608 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1020 wrote to memory of 2608 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 3684 wrote to memory of 2828 | N/A | C:\users\Public\uDqLV.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe |
| PID 3684 wrote to memory of 3000 | N/A | C:\users\Public\uDqLV.exe | C:\Windows\System32\RuntimeBroker.exe |
| PID 3684 wrote to memory of 2204 | N/A | C:\users\Public\uDqLV.exe | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe |
| PID 3684 wrote to memory of 3208 | N/A | C:\users\Public\uDqLV.exe | C:\Windows\System32\RuntimeBroker.exe |
| PID 3684 wrote to memory of 3616 | N/A | C:\users\Public\uDqLV.exe | C:\Windows\System32\RuntimeBroker.exe |
| PID 3684 wrote to memory of 3676 | N/A | C:\users\Public\uDqLV.exe | C:\Windows\System32\RuntimeBroker.exe |
| PID 2652 wrote to memory of 1008 | N/A | C:\Windows\system32\DllHost.exe | C:\Windows\system32\WerFault.exe |
| PID 2652 wrote to memory of 1008 | N/A | C:\Windows\system32\DllHost.exe | C:\Windows\system32\WerFault.exe |
| PID 2908 wrote to memory of 2828 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe |
| PID 2908 wrote to memory of 2828 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe |
| PID 3716 wrote to memory of 2652 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| PID 3716 wrote to memory of 2652 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe

"C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k wusvcs -p

C:\users\Public\uDqLV.exe

"C:\users\Public\uDqLV.exe" C:\Users\Admin\AppData\Local\Temp\97f96adce3c5f14cc0c061abe98555bc9ac042100af5db0226aa9e10f34430a5.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\uDqLV.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\uDqLV.exe" /f

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 416 -p 2652 -ip 2652

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2652 -s 388

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 452 -p 2828 -ip 2828

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2652 -s 388

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2828 -s 3220

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.238.20.254:80 | N/A | tcp |
| US | 8.238.20.254:80 | N/A | tcp |
| NL | 104.80.224.57:443 | N/A | tcp |

Files

C:\users\Public\uDqLV.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

C:\Users\Public\uDqLV.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

memory/2140-132-0x00007FF6EF480000-0x00007FF6EF80E000-memory.dmp

memory/2160-133-0x00007FF6EF480000-0x00007FF6EF80E000-memory.dmp