Malware Analysis Report

2024-10-19 06:16

Sample ID 220220-fqlk5saaaq
Target 84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e
SHA256 84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e
Tags
ryuk ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e

Threat Level: Known bad

The file 84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e was found to be: Known bad.

Malicious Activity Summary

ryuk ransomware

Ryuk

Drops desktop.ini file(s)

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 05:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 05:04

Reported

2022-02-20 05:48

Platform

win7-en-20211208

Max time kernel

194s

Max time network

153s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Ryuk

ransomware ryuk

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\My Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1536 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\system32\taskhost.exe
PID 1536 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\system32\Dwm.exe
PID 1536 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1924 wrote to memory of 676 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1924 wrote to memory of 676 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1924 wrote to memory of 676 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1924 wrote to memory of 676 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1536 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 396 wrote to memory of 1140 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 396 wrote to memory of 1140 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 396 wrote to memory of 1140 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 396 wrote to memory of 1140 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1536 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1324 wrote to memory of 1312 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1324 wrote to memory of 1312 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1324 wrote to memory of 1312 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1324 wrote to memory of 1312 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1536 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1960 wrote to memory of 1784 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1960 wrote to memory of 1784 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1960 wrote to memory of 1784 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1960 wrote to memory of 1784 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1536 wrote to memory of 9096 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 9096 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 9096 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 9096 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 9096 wrote to memory of 9120 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 9096 wrote to memory of 9120 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 9096 wrote to memory of 9120 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 9096 wrote to memory of 9120 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1536 wrote to memory of 9136 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 9136 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 9136 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 9136 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 9136 wrote to memory of 9160 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 9136 wrote to memory of 9160 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 9136 wrote to memory of 9160 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 9136 wrote to memory of 9160 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1536 wrote to memory of 18768 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 18768 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 18768 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 18768 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 18768 wrote to memory of 18792 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 18768 wrote to memory of 18792 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 18768 wrote to memory of 18792 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 18768 wrote to memory of 18792 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1536 wrote to memory of 18812 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 18812 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 18812 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 1536 wrote to memory of 18812 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SysWOW64\net.exe
PID 18812 wrote to memory of 18840 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 18812 wrote to memory of 18840 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe

"C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe"

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

N/A

Files

memory/1536-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

memory/1116-55-0x0000000030000000-0x0000000030389000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 05:04

Reported

2022-02-20 05:45

Platform

win10v2004-en-20220112

Max time kernel

173s

Max time network

188s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Ryuk

ransomware ryuk

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
File opened for modification C:\Documents and Settings\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\system32\sihost.exe
PID 2400 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\system32\svchost.exe
PID 2400 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\system32\taskhostw.exe
PID 2400 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\system32\svchost.exe
PID 2400 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\system32\DllHost.exe
PID 2400 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2400 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2400 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2400 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2400 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2400 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\System32\RuntimeBroker.exe
PID 2400 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe C:\Windows\system32\BackgroundTransferHost.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe

"C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe"

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

Network

Country Destination Domain Proto
NL 8.248.7.254:80 tcp
NL 8.248.7.254:80 tcp
NL 8.248.7.254:80 tcp

Files

N/A