Analysis
    max time kernel: 176s
    max time network: 215s
    platform: windows10-2004_x64
    resource: win10v2004-en-20220113
    submitted: 20-02-2022 05:44
Static task: static1
Behavioral task: behavioral1
    Sample: 7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe
    Resource: win7-en-20211208
Behavioral task: behavioral2
    Sample: 7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe
    Resource: win10v2004-en-20220113
General
    Target: 7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe
    Size: 191KB
    MD5: 708f63f5ef0bafa61743f242f470480f
    SHA1: 96233bf3b488a31852b8e32f7cb91dd5d935f9c2
    SHA256: 7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9
    SHA512: 5e202f916430e179373c814e2b2cefbb993b83c597776afecea731c190f3aec1ce21c76ce1786afc8ab5d92c060201ce0828b9ac81d709407a8b6358146260c9
Malware Config
    Extracted from: C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
    Family: ryuk
Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
Executes dropped EXE (1 IoC)
    pid 312    oChGcDY.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
    Key value queried    \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation    by 7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe
    Key value queried    \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation    by oChGcDY.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
    Key created        \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run    by reg.exe
    Set value (str)    \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe"    by reg.exe
    Key created        \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run    by reg.exe
    Set value (str)    \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oChGcDY.exe"    by reg.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs net.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
    pid 4608    7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe    (6 entries)
    pid 312     oChGcDY.exe    (2 entries)
    pid 4608    7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe    (6 entries)
    pid 312     oChGcDY.exe    (2 entries)
    pid 4608    7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe    (2 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
    Token: SeDebugPrivilege     pid 4608    7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe
    Token: SeBackupPrivilege    pid 312     oChGcDY.exe
    Token: SeBackupPrivilege    pid 4608    7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe
Suspicious use of WriteProcessMemory (64 IoCs)
(source PID wrote to memory of target PID; source process -> target process; repeated identical entries are counted)
    PID 4608 wrote to memory of 312      7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> oChGcDY.exe    (3 entries)
    PID 4608 wrote to memory of 2288     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> sihost.exe    (1 entry)
    PID 4608 wrote to memory of 4196     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> net.exe    (3 entries)
    PID 4196 wrote to memory of 2428     net.exe -> net1.exe    (3 entries)
    PID 4608 wrote to memory of 1492     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> net.exe    (3 entries)
    PID 4608 wrote to memory of 2324     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> svchost.exe    (1 entry)
    PID 1492 wrote to memory of 696      net.exe -> net1.exe    (3 entries)
    PID 4608 wrote to memory of 2416     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> taskhostw.exe    (1 entry)
    PID 4608 wrote to memory of 764      7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> svchost.exe    (1 entry)
    PID 4608 wrote to memory of 3240     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> DllHost.exe    (1 entry)
    PID 4608 wrote to memory of 3344     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> StartMenuExperienceHost.exe    (1 entry)
    PID 4608 wrote to memory of 3408     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> RuntimeBroker.exe    (1 entry)
    PID 4608 wrote to memory of 3496     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> SearchApp.exe    (1 entry)
    PID 4608 wrote to memory of 3688     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> RuntimeBroker.exe    (1 entry)
    PID 4608 wrote to memory of 3580     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> RuntimeBroker.exe    (1 entry)
    PID 4608 wrote to memory of 1084     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> backgroundTaskHost.exe    (1 entry)
    PID 4608 wrote to memory of 3672     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> RuntimeBroker.exe    (1 entry)
    PID 4608 wrote to memory of 1232     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> net.exe    (3 entries)
    PID 1232 wrote to memory of 5024     net.exe -> net1.exe    (3 entries)
    PID 4608 wrote to memory of 3628     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> cmd.exe    (3 entries)
    PID 3628 wrote to memory of 4100     cmd.exe -> reg.exe    (3 entries)
    PID 4608 wrote to memory of 3952     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> net.exe    (3 entries)
    PID 3952 wrote to memory of 1820     net.exe -> net1.exe    (3 entries)
    PID 312 wrote to memory of 4760      oChGcDY.exe -> net.exe    (3 entries)
    PID 4760 wrote to memory of 2036     net.exe -> net1.exe    (3 entries)
    PID 312 wrote to memory of 5228      oChGcDY.exe -> cmd.exe    (3 entries)
    PID 5228 wrote to memory of 5288     cmd.exe -> reg.exe    (3 entries)
    PID 4608 wrote to memory of 5328     7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> net.exe    (3 entries)
    PID 5328 wrote to memory of 5392     net.exe -> net1.exe    (3 entries)
    PID 4608 wrote to memory of 11108    7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe -> net.exe    (1 entry)
Processes
(process tree, indented by parent/child relationship; each entry lists the image path, its command line, and the signatures it triggered)

C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe
  cmdline: sihost.exe

C:\Users\Admin\AppData\Local\Temp\7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\oChGcDY.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\oChGcDY.exe" 8 LAN
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe
          cmdline: "C:\Windows\System32\net.exe" stop "samss" /y
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 stop "samss" /y

        C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\oChGcDY.exe" /f /reg:64
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe
              cmdline: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\oChGcDY.exe" /f /reg:64
              - Adds Run key to start application

    C:\Windows\SysWOW64\net.exe
      cmdline: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop "audioendpointbuilder" /y

    C:\Windows\SysWOW64\net.exe
      cmdline: "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop "samss" /y

    C:\Windows\SysWOW64\net.exe
      cmdline: "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop "samss" /y

    C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe" /f /reg:64
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe
          cmdline: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9.exe" /f /reg:64
          - Adds Run key to start application

    C:\Windows\SysWOW64\net.exe
      cmdline: "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop "samss" /y

    C:\Windows\SysWOW64\net.exe
      cmdline: "C:\Windows\System32\net.exe" stop "samss" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop "samss" /y

    C:\Windows\SysWOW64\net.exe
      cmdline: "C:\Windows\System32\net.exe" stop "samss" /y

        C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop "samss" /y

    C:\Windows\SysWOW64\net.exe
      cmdline: "C:\Windows\System32\net.exe" stop "samss" /y

        C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 stop "samss" /y
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f
    MD5: 93a5aadeec082ffc1bca5aa27af70f52
    SHA1: 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
    SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
    SHA512: df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
    MD5: b99d47f48bba763d4eded8882f9d3fae
    SHA1: aa0b195e158e91b93ea7aa97c3f02461b86b0163
    SHA256: 577cfa8bd59e6c4b007b33f03fffe15adf180ca48b121bfe6a837cf481a234fb
    SHA512: ce3186e760f8c441a14a01cb52ed147985946d5a672095024aade10db7238ef38ee71fecbe2b3266a0c5018f694c79f28e4a87849861c1ba74a307240548714b

C:\Users\Admin\AppData\Local\Temp\oChGcDY.exe
    MD5: 708f63f5ef0bafa61743f242f470480f
    SHA1: 96233bf3b488a31852b8e32f7cb91dd5d935f9c2
    SHA256: 7433f2a47d324d386ed215930ab6607a7cce28d5cef868afe994582c409e5dc9
    SHA512: 5e202f916430e179373c814e2b2cefbb993b83c597776afecea731c190f3aec1ce21c76ce1786afc8ab5d92c060201ce0828b9ac81d709407a8b6358146260c9