Analysis
- Max time kernel: 172s
- Max time network: 44s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 20-02-2022 05:34
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe
  - Resource: win7-en-20211208
- Behavioral task: behavioral2
  - Sample: 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe
  - Resource: win10v2004-en-20220113
General
- Target: 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe
- Size: 170KB
- MD5: 32d91009c10608aa3fb20abea38af923
- SHA1: c0af7c4c2acd9f76b8ff7206aed50b206a32ee26
- SHA256: 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e
- SHA512: 9abe7527384cb8381b62ba4a476f28519859ed3c504183fb8cad2d0e34cd5328492864541cf3a2410daac018caf98cab92dc8f4fe6aa9435834ca9f0f8f18780
Malware Config
- Extracted from: C:\RyukReadMe.txt
- Family: ryuk
- Wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: reg.exe
  - Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe" (reg.exe)
- Drops file in Program Files directory (64 IoCs)
  Process: taskhost.exe (files opened for modification under C:\Program Files, including dropped RyukReadMe.txt notes)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe
  - PID 1668: 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe
  - Token: SeDebugPrivilege, PID 1668, 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe, cmd.exe
  - PID 1668 wrote to memory of 544: 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe -> cmd.exe
  - PID 1668 wrote to memory of 544: 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe -> cmd.exe
  - PID 1668 wrote to memory of 544: 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe -> cmd.exe
  - PID 1668 wrote to memory of 1256: 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe -> taskhost.exe
  - PID 1668 wrote to memory of 1336: 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe -> Dwm.exe
  - PID 1668 wrote to memory of 544: 782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe -> cmd.exe
  - PID 544 wrote to memory of 608: cmd.exe -> reg.exe
  - PID 544 wrote to memory of 608: cmd.exe -> reg.exe
  - PID 544 wrote to memory of 608: cmd.exe -> reg.exe
Processes
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  Signatures: Drops file in Program Files directory
- C:\Users\Admin\AppData\Local\Temp\782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe" /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\782788d736a6c603dbfb57f302e54e9050219e24dbde3c3b6f69484004d9415e.exe" /f
      Signatures: Adds Run key to start application
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1256-55-0x000000013F520000-0x000000013F8AE000-memory.dmp (3.6MB)
- memory/1256-56-0x000000013F520000-0x000000013F8AE000-memory.dmp (3.6MB)
- memory/1336-59-0x000000013F520000-0x000000013F8AE000-memory.dmp (3.6MB)
- memory/1668-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmp (8KB)