Analysis

max time kernel: 167s
max time network: 147s
platform: windows7_x64
resource: win7-en-20211208
submitted: 20-02-2022 05:02
Static task: static1

Behavioral task: behavioral1
  Sample: 85d9b9e22f6b8e1f1d6a56d219d7c4d486b72657834050ce7652792536d0c8e3.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 85d9b9e22f6b8e1f1d6a56d219d7c4d486b72657834050ce7652792536d0c8e3.exe
  Resource: win10v2004-en-20220112
General

Target: 85d9b9e22f6b8e1f1d6a56d219d7c4d486b72657834050ce7652792536d0c8e3.exe
Size: 385KB
MD5: 3895a370b0c69c7e23ebb5ca1598525d
SHA1: 0eea1b978df04a50f44657bbdc520905fdcd11cc
SHA256: 85d9b9e22f6b8e1f1d6a56d219d7c4d486b72657834050ce7652792536d0c8e3
SHA512: bc87ca0f0a4ba081e92eaab959988f29c8c0d2d338a7d679025a3d4c5921d20856b55febcc41b19c67f6a5a9f8e89bb60a11e641f54d2de62949e37ce6305f1c
Malware Config

Extracted
  Path: C:\RyukReadMe.txt
  Family: ryuk
  Wallet: 15FC73BdkpDMUWmxo7e7gtLRtM8gQgXyb4
Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.

Executes dropped EXE (1 IoC)
pid    Process
528    WJKeH.exe

Deletes itself (1 IoC)
pid    Process
528    WJKeH.exe

Loads dropped DLL (1 IoC)
pid    Process
1876   85d9b9e22f6b8e1f1d6a56d219d7c4d486b72657834050ce7652792536d0c8e3.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description        ioc                                                                                                                                    Process
Key created        \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                          reg.exe
Set value (str)    \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\WJKeH.exe"    reg.exe

Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid    Process
528    WJKeH.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description                 pid    Process
Token: SeDebugPrivilege     528    WJKeH.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description                          pid     Process                                                                    procid_target
PID 1876 wrote to memory of 528      1876    85d9b9e22f6b8e1f1d6a56d219d7c4d486b72657834050ce7652792536d0c8e3.exe    27
PID 1876 wrote to memory of 528      1876    85d9b9e22f6b8e1f1d6a56d219d7c4d486b72657834050ce7652792536d0c8e3.exe    27
PID 1876 wrote to memory of 528      1876    85d9b9e22f6b8e1f1d6a56d219d7c4d486b72657834050ce7652792536d0c8e3.exe    27
PID 1876 wrote to memory of 528      1876    85d9b9e22f6b8e1f1d6a56d219d7c4d486b72657834050ce7652792536d0c8e3.exe    27
PID 528 wrote to memory of 1528      528     WJKeH.exe                                                                  28
PID 528 wrote to memory of 1528      528     WJKeH.exe                                                                  28
PID 528 wrote to memory of 1528      528     WJKeH.exe                                                                  28
PID 528 wrote to memory of 1144      528     WJKeH.exe                                                                  11
PID 528 wrote to memory of 1232      528     WJKeH.exe                                                                  10
PID 528 wrote to memory of 1528      528     WJKeH.exe                                                                  28
PID 1528 wrote to memory of 1780     1528    cmd.exe                                                                    30
PID 1528 wrote to memory of 1780     1528    cmd.exe                                                                    30
PID 1528 wrote to memory of 1780     1528    cmd.exe                                                                    30
Processes

C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1232

C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  - Drops file in Program Files directory
  PID: 1144

C:\Users\Admin\AppData\Local\Temp\85d9b9e22f6b8e1f1d6a56d219d7c4d486b72657834050ce7652792536d0c8e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\85d9b9e22f6b8e1f1d6a56d219d7c4d486b72657834050ce7652792536d0c8e3.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1876

  C:\users\Public\WJKeH.exe
    Command line: "C:\users\Public\WJKeH.exe" C:\Users\Admin\AppData\Local\Temp\85d9b9e22f6b8e1f1d6a56d219d7c4d486b72657834050ce7652792536d0c8e3.exe
    - Executes dropped EXE
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 528

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\WJKeH.exe" /f
      - Suspicious use of WriteProcessMemory
      PID: 1528

      C:\Windows\system32\reg.exe
        Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\WJKeH.exe" /f
        - Adds Run key to start application
        PID: 1780