Malware Analysis Report

2024-10-19 06:16

Sample ID 220220-f7a6qsabgl
Target 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841
SHA256 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841
Tags
ryuk ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841

Threat Level: Known bad

The file 7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841 was found to be: Known bad.

Malicious Activity Summary

ryuk ransomware

Ryuk

Drops desktop.ini file(s)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 05:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 05:30

Reported

2022-02-20 06:17

Platform

win7-en-20211208

Max time kernel

160s

Max time network

26s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Ryuk

ransomware ryuk

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Documents and Settings\Admin\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 960 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\system32\taskhost.exe
PID 960 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\system32\Dwm.exe
PID 960 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 1092 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1092 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1092 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1092 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 960 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 1136 wrote to memory of 624 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1136 wrote to memory of 624 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1136 wrote to memory of 624 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1136 wrote to memory of 624 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 960 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 1804 wrote to memory of 1068 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1804 wrote to memory of 1068 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1804 wrote to memory of 1068 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1804 wrote to memory of 1068 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 960 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 2096 wrote to memory of 2208 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2096 wrote to memory of 2208 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2096 wrote to memory of 2208 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2096 wrote to memory of 2208 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 960 wrote to memory of 18428 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 18428 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 18428 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 18428 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 18428 wrote to memory of 18456 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 18428 wrote to memory of 18456 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 18428 wrote to memory of 18456 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 18428 wrote to memory of 18456 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 960 wrote to memory of 18468 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 18468 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 18468 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 18468 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 18468 wrote to memory of 18496 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 18468 wrote to memory of 18496 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 18468 wrote to memory of 18496 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 18468 wrote to memory of 18496 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 960 wrote to memory of 18540 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 18540 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 18540 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 18540 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 18540 wrote to memory of 18564 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 18540 wrote to memory of 18564 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 18540 wrote to memory of 18564 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 18540 wrote to memory of 18564 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 960 wrote to memory of 18584 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 18584 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 18584 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 960 wrote to memory of 18584 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SysWOW64\net.exe
PID 18584 wrote to memory of 18608 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 18584 wrote to memory of 18608 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

"C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe"

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

N/A

Files

memory/960-54-0x0000000076151000-0x0000000076153000-memory.dmp

memory/1108-55-0x0000000030000000-0x000000003038A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 05:30

Reported

2022-02-20 06:16

Platform

win10v2004-en-20220112

Max time kernel

185s

Max time network

201s

Command Line

sihost.exe

Signatures

Ryuk

ransomware ryuk

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3024 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\system32\sihost.exe
PID 3024 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\system32\taskhostw.exe
PID 3024 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\system32\svchost.exe
PID 3024 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\system32\DllHost.exe
PID 3024 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3024 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3024 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3024 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3024 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3024 wrote to memory of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\System32\RuntimeBroker.exe
PID 3024 wrote to memory of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe | C:\Windows\system32\BackgroundTransferHost.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe

"C:\Users\Admin\AppData\Local\Temp\7a08d89337170c61788759dcb0d9287551a338b592ebd915cd0249be33736841.exe"

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

Network

Country | Destination | Domain | Proto
NL | 92.123.77.56:80 | | tcp
NL | 67.26.105.254:80 | | tcp
US | 93.184.220.29:80 | | tcp
NL | 104.80.224.57:443 | | tcp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | crl4.digicert.com | udp
US | 93.184.220.29:80 | crl4.digicert.com | tcp
US | 93.184.220.29:80 | crl4.digicert.com | tcp
US | 93.184.220.29:80 | crl4.digicert.com | tcp
US | 93.184.220.29:80 | crl4.digicert.com | tcp
US | 93.184.220.29:80 | crl4.digicert.com | tcp

Files

N/A