ryuk | 46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e

Analysis

max time kernel
180s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
20-02-2022 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe
Size

152KB
MD5

bc041eb3eeb75312288557c23e919caa
SHA1

258c5fc6145aaeca748ae9fb85ca1d9dfba93fc6
SHA256

46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e
SHA512

461a0c07559c66157c9f285fed06dfe4888438ce29eebfa4b7ed89fb53cd70e3a4e4fc05f3816344cd3bda3040762069724b1f51189955a5dbf1a714427842b6

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 1L9fYHJJxeLMD2yyhh1cMFU2EWF5ihgAmJ Ryuk No system is safe

Emails

[email protected]

Wallets

1L9fYHJJxeLMD2yyhh1cMFU2EWF5ihgAmJ

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1564 created 2760	1564	WerFault.exe	25
PID 3120 created 2864	3120	WerFault.exe	22

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\currency.data	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\content-types.properties	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd28.tlb	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.jar	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\localedata.jar	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adovbs.inc	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_es.jar	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansRegular.ttf	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\dnsns.jar	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\DenyGroup.avi	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunec.jar	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\nashorn.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	sihost.exe
File opened for modification	C:\Program Files\DenyGrant.ps1xml	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_fr.properties	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui	sihost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3252	2760	WerFault.exe	25
4412	2864	WerFault.exe	22
4408	2760	WerFault.exe	25

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899974543755803"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4080"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4212"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.350060"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.080559"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55- = 0556421f4026d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\89e438a32df92b68baa99a7b1f853e9c5016ac2f42d270dcdb0f22cca0d53f2e"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000005294291f4026d8015294291f4026d8015294291f4026d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054540d4f2000383965343338613332646639326236386261613939613762316638353365396335303136616332663432643237306463646230663232636361306435336632650000b20009000400efbe54540d4f54540d4f2e00000000000000000000000000000000000000000000000000ae6c9800380039006500340033003800610033003200640066003900320062003600380062006100610039003900610037006200310066003800350033006500390063003500300031003600610063003200660034003200640032003700300064006300640062003000660032003200630063006100300064003500330066003200650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ae316e6b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38396534333861333264663932623638626161393961376231663835336539633530313661633266343264323730646364623066323263636130643533663265000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d65499cf4a9083ec1182d0fa39700a2c38bad9b5dc40371b4eb595e9fc647d27d65499cf4a9083ec1182d0fa39700a2c38ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe
3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe
4412	WerFault.exe
4412	WerFault.exe
3252	WerFault.exe
3252	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 1916	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	59
PID 3228 wrote to memory of 1916	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	59
PID 3228 wrote to memory of 2224	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	21
PID 1916 wrote to memory of 1964	1916	cmd.exe	61
PID 1916 wrote to memory of 1964	1916	cmd.exe	61
PID 3228 wrote to memory of 2240	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	43
PID 3228 wrote to memory of 2296	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	42
PID 3228 wrote to memory of 2544	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	40
PID 3228 wrote to memory of 2760	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	25
PID 3228 wrote to memory of 2864	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	22
PID 3228 wrote to memory of 3000	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	23
PID 3228 wrote to memory of 1276	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	39
PID 3228 wrote to memory of 2624	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	26
PID 3228 wrote to memory of 3372	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	37
PID 3228 wrote to memory of 2008	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	34
PID 3228 wrote to memory of 916	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	30
PID 3228 wrote to memory of 860	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	55
PID 2760 wrote to memory of 3252	2760	DllHost.exe	70
PID 2760 wrote to memory of 3252	2760	DllHost.exe	70
PID 1564 wrote to memory of 2760	1564	WerFault.exe	25
PID 1564 wrote to memory of 2760	1564	WerFault.exe	25
PID 3120 wrote to memory of 2864	3120	WerFault.exe	22
PID 3120 wrote to memory of 2864	3120	WerFault.exe	22

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops file in Program Files directory
PID:2224

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2864 -s 2188
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:4412

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2760 -s 404
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:3252
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2760 -s 404
  2⤵
  - Program crash
  PID:4408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2624

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:916

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2544

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2240

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe
"C:\Users\Admin\AppData\Local\Temp\46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe" /f
    3⤵
    - Adds Run key to start application
    PID:1964

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 2760 -ip 2760
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 2864 -ip 2864
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2224-130-0x00007FF7DF0E0000-0x00007FF7DF469000-memory.dmp

Filesize
3.5MB

Download