ryuk | 46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e

General

Target

46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe
Size

152KB
MD5

bc041eb3eeb75312288557c23e919caa
SHA1

258c5fc6145aaeca748ae9fb85ca1d9dfba93fc6
SHA256

46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e
SHA512

461a0c07559c66157c9f285fed06dfe4888438ce29eebfa4b7ed89fb53cd70e3a4e4fc05f3816344cd3bda3040762069724b1f51189955a5dbf1a714427842b6

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 1L9fYHJJxeLMD2yyhh1cMFU2EWF5ihgAmJ Ryuk No system is safe

Emails

[email protected]

Wallets

1L9fYHJJxeLMD2yyhh1cMFU2EWF5ihgAmJ

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 1564 created 2760 1564 WerFault.exe DllHost.exe
PID 3120 created 2864 3120 WerFault.exe StartMenuExperienceHost.exe

description	pid	process	target process
PID 1564 created 2760	1564	WerFault.exe	DllHost.exe
PID 3120 created 2864	3120	WerFault.exe	StartMenuExperienceHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

sihost.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\currency.data	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\content-types.properties	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd28.tlb	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.jar	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\localedata.jar	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adovbs.inc	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_es.jar	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansRegular.ttf	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\dnsns.jar	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\DenyGroup.avi	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunec.jar	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\nashorn.jar	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	sihost.exe
File opened for modification	C:\Program Files\DenyGrant.ps1xml	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_fr.properties	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui	sihost.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3252 2760 WerFault.exe DllHost.exe
4412 2864 WerFault.exe StartMenuExperienceHost.exe
4408 2760 WerFault.exe DllHost.exe

pid	pid_target	process	target process
3252	2760	WerFault.exe	DllHost.exe
4412	2864	WerFault.exe	StartMenuExperienceHost.exe
4408	2760	WerFault.exe	DllHost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 47 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899974543755803"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4080"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4212"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.350060"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.080559"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe

Modifies registry class 10 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55-	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55- = 0556421f4026d801	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55-	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55- = "8324"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\89e438a32df92b68baa99a7b1f853e9c5016ac2f42d270dcdb0f22cca0d53f2e"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\1a20287e-7b20-4f55- = 0114020000000000c0000000000000464c0000000114020000000000c00000000000004683000000200000005294291f4026d8015294291f4026d8015294291f4026d801000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad0132000000000054540d4f2000383965343338613332646639326236386261613939613762316638353365396335303136616332663432643237306463646230663232636361306435336632650000b20009000400efbe54540d4f54540d4f2e00000000000000000000000000000000000000000000000000ae6c9800380039006500340033003800610033003200640066003900320062003600380062006100610039003900610037006200310066003800350033006500390063003500300031003600610063003200660034003200640032003700300064006300640062003000660032003200630063006100300064003500330066003200650000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000ae316e6b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c38396534333861333264663932623638626161393961376231663835336539633530313661633266343264323730646364623066323263636130643533663265000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696263717568710000000000000000bad9b5dc40371b4eb595e9fc647d27d65499cf4a9083ec1182d0fa39700a2c38bad9b5dc40371b4eb595e9fc647d27d65499cf4a9083ec1182d0fa39700a2c38ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003700390030003700310034003400390038002d0031003500340039003400320031003400390031002d0031003600340033003300390037003100330039002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002b5b8d01000000000000d01200000000000000000000000000000000	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exeWerFault.exeWerFault.exe

pid	process
3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe
3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe
4412	WerFault.exe
4412	WerFault.exe
3252	WerFault.exe
3252	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe

description pid process

Token: SeDebugPrivilege 3228 46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe

description	pid	process
Token: SeDebugPrivilege	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.execmd.exeDllHost.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 3228 wrote to memory of 1916	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	cmd.exe
PID 3228 wrote to memory of 1916	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	cmd.exe
PID 3228 wrote to memory of 2224	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	sihost.exe
PID 1916 wrote to memory of 1964	1916	cmd.exe	reg.exe
PID 1916 wrote to memory of 1964	1916	cmd.exe	reg.exe
PID 3228 wrote to memory of 2240	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	svchost.exe
PID 3228 wrote to memory of 2296	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	taskhostw.exe
PID 3228 wrote to memory of 2544	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	svchost.exe
PID 3228 wrote to memory of 2760	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	DllHost.exe
PID 3228 wrote to memory of 2864	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	StartMenuExperienceHost.exe
PID 3228 wrote to memory of 3000	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	RuntimeBroker.exe
PID 3228 wrote to memory of 1276	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	SearchApp.exe
PID 3228 wrote to memory of 2624	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	RuntimeBroker.exe
PID 3228 wrote to memory of 3372	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	RuntimeBroker.exe
PID 3228 wrote to memory of 2008	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	RuntimeBroker.exe
PID 3228 wrote to memory of 916	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	backgroundTaskHost.exe
PID 3228 wrote to memory of 860	3228	46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe	backgroundTaskHost.exe
PID 2760 wrote to memory of 3252	2760	DllHost.exe	WerFault.exe
PID 2760 wrote to memory of 3252	2760	DllHost.exe	WerFault.exe
PID 1564 wrote to memory of 2760	1564	WerFault.exe	DllHost.exe
PID 1564 wrote to memory of 2760	1564	WerFault.exe	DllHost.exe
PID 3120 wrote to memory of 2864	3120	WerFault.exe	StartMenuExperienceHost.exe
PID 3120 wrote to memory of 2864	3120	WerFault.exe	StartMenuExperienceHost.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops file in Program Files directory
PID:2224

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2864 -s 2188
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2760 -s 404
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:3252

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2760 -s 404
2⤵
- Program crash
PID:4408

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2624

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:916

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3372

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
1⤵
PID:2544

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2240

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe
"C:\Users\Admin\AppData\Local\Temp\46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\46fb27f4cff2d33baae3b1c199797d1f0929bc03166cebd092081e4fe2f9ea6e.exe" /f
3⤵
- Adds Run key to start application
PID:1964

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:3276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 2760 -ip 2760
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 2864 -ip 2864
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4536