Analysis Overview
SHA256
8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2
Threat Level: Known bad
The file 8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Suspicious use of NtCreateProcessExOtherParentProcess
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 05:08
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 05:08
Reported
2022-02-20 05:53
Platform
win10v2004-en-20220113
Max time kernel
177s
Max time network
204s
Command Line
Signatures
Ryuk
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 10412 created 1300 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\LIwIAuS.exe |
| PID 10420 created 1300 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\LIwIAuS.exe |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LIwIAuS.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LIwIAuS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LIwIAuS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
"C:\Users\Admin\AppData\Local\Temp\8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe"
C:\Users\Admin\AppData\Local\Temp\LIwIAuS.exe
"C:\Users\Admin\AppData\Local\Temp\LIwIAuS.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1300 -ip 1300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1300 -ip 1300
Network
| Country | Destination | Domain | Proto |
| NL | 67.26.111.254:80 | tcp | |
| NL | 67.26.111.254:80 | tcp | |
| NL | 67.26.111.254:80 | tcp | |
| N/A | 10.127.0.1:7 | udp | |
| NL | 154.61.71.51:7 | udp | |
| N/A | 224.0.0.22:7 | udp | |
| N/A | 224.0.0.251:7 | udp | |
| N/A | 224.0.0.252:7 | udp | |
| N/A | 239.255.255.250:7 | udp |
Files
C:\Users\Admin\AppData\Local\Temp\LIwIAuS.exe
| MD5 | 2ee9a7ce3356c032d49c1947761c63b2 |
| SHA1 | 30181311c46b89cc3e01d3d8207c4c533199fa88 |
| SHA256 | 8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2 |
| SHA512 | d2e8c140e5935ab0761283c8f85a0f9881129a0f131e51d1d4e1257d47874be9326437bac33c1f921eff3f0658b0147f026492083e47d8bea6b50ddc9873afd2 |
C:\Users\Admin\AppData\Local\Temp\LIwIAuS.exe
| MD5 | 2ee9a7ce3356c032d49c1947761c63b2 |
| SHA1 | 30181311c46b89cc3e01d3d8207c4c533199fa88 |
| SHA256 | 8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2 |
| SHA512 | d2e8c140e5935ab0761283c8f85a0f9881129a0f131e51d1d4e1257d47874be9326437bac33c1f921eff3f0658b0147f026492083e47d8bea6b50ddc9873afd2 |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
| MD5 | cc9731a1394a7195d52b9770a4b1f71e |
| SHA1 | b39a6e2e5b63caf53add9b3596dd7426f02f1969 |
| SHA256 | 545183ba23f32b6ad8a4ee26e0101171eb398ad4f528506a99e2720ab30a5476 |
| SHA512 | fa29e221fe23962d550490e61e32a8193fb23d20894b1e10a2b97c9133e1c4bec3c02d42fc0046a3cc16918e981337301e4863817d25ca3f13422b9babd5e273 |
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 05:08
Reported
2022-02-20 05:53
Platform
win7-en-20211208
Max time kernel
188s
Max time network
148s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KgJNfBI.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\KgJNfBI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe
"C:\Users\Admin\AppData\Local\Temp\8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2.exe"
C:\Users\Admin\AppData\Local\Temp\KgJNfBI.exe
"C:\Users\Admin\AppData\Local\Temp\KgJNfBI.exe" 8 LAN
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:7 | udp | |
| NL | 154.61.71.51:7 | udp | |
| N/A | 224.0.0.22:7 | udp | |
| N/A | 224.0.0.252:7 | udp | |
| N/A | 239.255.255.250:7 | udp |
Files
memory/1916-54-0x0000000076041000-0x0000000076043000-memory.dmp
\Users\Admin\AppData\Local\Temp\KgJNfBI.exe
| MD5 | 2ee9a7ce3356c032d49c1947761c63b2 |
| SHA1 | 30181311c46b89cc3e01d3d8207c4c533199fa88 |
| SHA256 | 8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2 |
| SHA512 | d2e8c140e5935ab0761283c8f85a0f9881129a0f131e51d1d4e1257d47874be9326437bac33c1f921eff3f0658b0147f026492083e47d8bea6b50ddc9873afd2 |
\Users\Admin\AppData\Local\Temp\KgJNfBI.exe
| MD5 | 2ee9a7ce3356c032d49c1947761c63b2 |
| SHA1 | 30181311c46b89cc3e01d3d8207c4c533199fa88 |
| SHA256 | 8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2 |
| SHA512 | d2e8c140e5935ab0761283c8f85a0f9881129a0f131e51d1d4e1257d47874be9326437bac33c1f921eff3f0658b0147f026492083e47d8bea6b50ddc9873afd2 |
C:\Users\Admin\AppData\Local\Temp\KgJNfBI.exe
| MD5 | 2ee9a7ce3356c032d49c1947761c63b2 |
| SHA1 | 30181311c46b89cc3e01d3d8207c4c533199fa88 |
| SHA256 | 8366f63d37f8cefda19657c49000b662c4dde38463517c34168b33bf427db5d2 |
| SHA512 | d2e8c140e5935ab0761283c8f85a0f9881129a0f131e51d1d4e1257d47874be9326437bac33c1f921eff3f0658b0147f026492083e47d8bea6b50ddc9873afd2 |
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
| MD5 | cc9731a1394a7195d52b9770a4b1f71e |
| SHA1 | b39a6e2e5b63caf53add9b3596dd7426f02f1969 |
| SHA256 | 545183ba23f32b6ad8a4ee26e0101171eb398ad4f528506a99e2720ab30a5476 |
| SHA512 | fa29e221fe23962d550490e61e32a8193fb23d20894b1e10a2b97c9133e1c4bec3c02d42fc0046a3cc16918e981337301e4863817d25ca3f13422b9babd5e273 |