Analysis
-
max time kernel
185s -
max time network
201s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
20-02-2022 05:30
Static task
static1
Behavioral task
behavioral1
Sample
7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
Resource
win10v2004-en-20220112
General
-
Target
7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe
-
Size
171KB
-
MD5
d92a64dce52edbbf70f9a5ebd25600be
-
SHA1
7e0a7323d4ba0454e6d54c4746dbac8373af9d0d
-
SHA256
7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841
-
SHA512
a629f2c4e38b4ee3a357f24da3f5e5310081bb46617f5e67a634e6308ce946860701879a114852eb2dc30d7d5696bcf01df9715cd3f689c2b19f879701600471
Malware Config
Extracted
C:\RyukReadMe.html
ryuk
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Drops desktop.ini file(s) 3 IoCs
Processes:
7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exedescription ioc process File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe File opened for modification C:\Documents and Settings\Admin\3D Objects\desktop.ini 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exepid process 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exedescription pid process Token: SeDebugPrivilege 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe Token: SeBackupPrivilege 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exedescription pid process target process PID 3024 wrote to memory of 2172 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe sihost.exe PID 3024 wrote to memory of 2192 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe svchost.exe PID 3024 wrote to memory of 2240 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe taskhostw.exe PID 3024 wrote to memory of 2548 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe svchost.exe PID 3024 wrote to memory of 2736 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe DllHost.exe PID 3024 wrote to memory of 2832 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe StartMenuExperienceHost.exe PID 3024 wrote to memory of 2896 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe RuntimeBroker.exe PID 3024 wrote to memory of 2976 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe SearchApp.exe PID 3024 wrote to memory of 2868 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe RuntimeBroker.exe PID 3024 wrote to memory of 3392 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe RuntimeBroker.exe PID 3024 wrote to memory of 1500 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe RuntimeBroker.exe PID 3024 wrote to memory of 3960 3024 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe BackgroundTransferHost.exe
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2172
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2240
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p1⤵PID:2548
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2736
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2896
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:2976
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1500
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3392
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2868
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:2832
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup1⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe"C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe"1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵PID:3960
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵PID:1192
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵PID:4320