Analysis
- Max time kernel: 186s
- Max time network: 206s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220112
- Submitted: 20-02-2022 07:58
- Static task: static1
- Behavioral task: behavioral1
  Sample: 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2 (the results on this page are from this run)
  Sample: 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
  Resource: win10v2004-en-20220112
General
- Target: 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
- Size: 170KB
- MD5: 08fda98dfedd3e304a7128e4918fe1bc
- SHA1: 087793d8fdae310ee195f3e4c2d93395318f22a2
- SHA256: 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5
- SHA512: e39b8cca6edd9540e4259974d9dda28edf14a4de1bc0c1d5f4f8f06bde02c24dfc3e439be606a201946d45446f73eae9b005b0e681f6128d41fe3cd29b947ce4
Malware Config
Extracted
- Path: C:\RyukReadMe.txt (the ransom note the configuration was extracted from)
- Family: ryuk
- Wallets: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Suspicious use of NtCreateProcessExOtherParentProcess (3 IoCs)
  Processes: WerFault.exe, WerFault.exe, WerFault.exe
  description | pid | process | target process
  PID 1844 created 2744 | 1844 | WerFault.exe | DllHost.exe
  PID 2204 created 1548 | 2204 | WerFault.exe | BackgroundTransferHost.exe
  PID 2024 created 2904 | 2024 | WerFault.exe | StartMenuExperienceHost.exe
  Note: all three rows are the WerFault.exe -pss instances handling the crashes of DllHost.exe (2744), BackgroundTransferHost.exe (1548) and StartMenuExperienceHost.exe (2904), the three injection targets listed under Program crash below. Windows Error Reporting launches its crash-handling child with the crashed process as its parent, so this signature is a side effect of those crashes rather than parent-PID spoofing by the sample itself.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, most likely as a geofence check before running.
  Processes: 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe" | reg.exe
  Note: the value name "svchos" imitates svchost, and the data is the sample's own path in the user's %TEMP%. This is per-user (HKEY_CURRENT_USER) persistence that needs no elevation and re-launches the original dropper at the next logon; it is written by reg.exe spawned through cmd.exe /C (see the process tree below).
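The persistence step is fully visible in the command lines recorded for cmd.exe and reg.exe: a REG ADD that writes the sample's own %TEMP% path under the per-user Run key with a value name ("svchos") that imitates svchost. The following Python is an added example and not part of the sandbox report or its tooling; it shows the check a SOC would run over process-creation telemetry (Sysmon Event ID 1 or EDR command lines) to catch this pattern. It tokenizes a command line, locates the `reg add` inside either the cmd.exe /C wrapper or a bare reg.exe call, and then flags three things: the key is a Run/RunOnce key, the data points into a user-writable location, and the value name is a near-miss of a well-known system binary name. The four command lines at the bottom are constructed test input (the two from this report, a benign OneDrive entry and a non-Run REG ADD); the USER_WRITABLE path list and SYSTEM_NAMES list are the example's own assumptions, not anything the report or Windows defines.

```python
"""Flag REG ADD command lines that register a Run-key autostart pointing at a
user-writable path (added detection example, not sandbox tooling)."""
import re

# The example's own lists (assumptions; extend per environment).
RUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\", "\\downloads\\")
SYSTEM_NAMES = ("svchost", "csrss", "lsass", "winlogon", "explorer", "taskhost")

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a `reg add` anywhere in the command line, else None.

    Handles both the cmd.exe /C wrapper and the bare reg.exe invocation seen in the report.
    """
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    for i in range(len(low) - 2):
        is_reg = low[i] in ("reg", "reg.exe") or low[i].endswith("\\reg.exe")
        if is_reg and low[i + 1] == "add":
            key, opts, rest = toks[i + 2], {}, toks[i + 3:]
            for j, opt in enumerate(rest):
                if opt.lower() in ("/v", "/t", "/d") and j + 1 < len(rest):
                    opts[opt.lower()] = rest[j + 1]
            return key, opts.get("/v", ""), opts.get("/d", "")
    return None


def imitates_system_name(value_name):
    """True for near-misses such as 'svchos': a prefix/extension of a system binary name, off by <= 2 chars."""
    v = value_name.lower()
    return any(v != n and (n.startswith(v) or v.startswith(n)) and abs(len(v) - len(n)) <= 2
               for n in SYSTEM_NAMES)


def assess(cmdline):
    """List of findings for one process command line; empty when nothing is suspicious."""
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return []
    key, name, data = parsed
    if not key.lower().rstrip("\\").endswith(RUN_KEY_SUFFIXES):
        return []                      # REG ADD, but not an autostart key
    findings = ["run-key persistence"]
    if any(p in data.lower() for p in USER_WRITABLE):
        findings.append("payload in user-writable path")
    if imitates_system_name(name):
        findings.append(f"value name imitates system binary: {name}")
    return findings


# Constructed test input: the two command lines from this report, then a benign
# Run entry and a non-Run REG ADD for contrast.
SAMPLE = "43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
REPORT_CMD = (f'"C:\\Windows\\System32\\cmd.exe" /C REG ADD "{RUN_KEY}" '
              f'/v "svchos" /t REG_SZ /d "{SAMPLE_PATH}" /f')
REPORT_REG = f'REG ADD "{RUN_KEY}" /v "svchos" /t REG_SZ /d "{SAMPLE_PATH}" /f'
BENIGN_CMD = (r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDrive '
              r'/t REG_SZ /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe /background" /f')
NOT_RUN_CMD = r'REG ADD "HKCU\Console" /v QuickEdit /t REG_DWORD /d 1 /f'

if __name__ == "__main__":
    for cmd in (REPORT_CMD, REPORT_REG, BENIGN_CMD, NOT_RUN_CMD):
        print(assess(cmd) or "clean", "<-", cmd[:70])
```

The three findings are kept separate on purpose: a Run entry on its own is routine (installers write them constantly), a Run entry whose target lives in %TEMP% is worth an alert, and the look-alike value name on top of that is what makes the report's case unambiguous.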
- Drops file in Program Files directory (64 IoCs)
  Processes: sihost.exe
  Note: the process doing the writes is sihost.exe (PID 2228), one of the system processes the sample wrote into (see Suspicious use of WriteProcessMemory). The file encryption and the RyukReadMe.txt drops therefore run from the injected host, not from the sample's own process, which is why the sample binary itself carries no file-modification IoCs.
  All 64 IoCs are "File opened for modification" by sihost.exe:
  C:\Program Files\7-Zip\Lang\fi.txt
  C:\Program Files\7-Zip\Lang\en.ttt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml
  C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui
  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ko_KR.jar
  C:\Program Files\Java\jdk1.8.0_66\include\win32\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\net.properties
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties
  C:\Program Files\7-Zip\Lang\mk.txt
  C:\Program Files\7-Zip\Lang\nn.txt
  C:\Program Files\7-Zip\Lang\he.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml
  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyoptionaltools.jar
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security
  C:\Program Files\Java\jdk1.8.0_66\lib\jvm.lib
  C:\Program Files\7-Zip\Lang\ga.txt
  C:\Program Files\Common Files\System\ado\msador28.tlb
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jaccess.jar
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.policy
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\RyukReadMe.txt
  C:\Program Files\Common Files\System\Ole DB\it-IT\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml
  C:\Program Files\Common Files\microsoft shared\ink\Content.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml
  C:\Program Files\Common Files\microsoft shared\ink\pt-BR\RyukReadMe.txt
  C:\Program Files\Common Files\microsoft shared\ink\th-TH\RyukReadMe.txt
  C:\Program Files\Common Files\System\msadc\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\RyukReadMe.txt
  C:\Program Files\Common Files\RyukReadMe.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml
  C:\Program Files\Common Files\System\msadc\ja-JP\RyukReadMe.txt
  C:\Program Files\Internet Explorer\images\RyukReadMe.txt
  C:\Program Files\7-Zip\Lang\af.txt
  C:\Program Files\7-Zip\Lang\an.txt
  C:\Program Files\Common Files\microsoft shared\ink\et-EE\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\README.TXT
  C:\Program Files\Common Files\microsoft shared\ink\uk-UA\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.bat
  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pt_BR.jar
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightItalic.ttf
  C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml
  C:\Program Files\Java\jdk1.8.0_66\db\lib\RyukReadMe.txt
  C:\Program Files\Common Files\System\ado\msado25.tlb
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties
  C:\Program Files\7-Zip\Lang\lv.txt
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml
  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml
  C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml
  C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms
  C:\Program Files\7-Zip\Lang\va.txt
  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterRegular.ttf
  C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html
  C:\Program Files\7-Zip\Lang\hy.txt
  C:\Program Files\Common Files\microsoft shared\ink\sk-SK\RyukReadMe.txt
  C:\Program Files\Common Files\System\ado\es-ES\RyukReadMe.txt
  C:\Program Files\Internet Explorer\en-US\RyukReadMe.txt
  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ru.jar
  C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml
  C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.war
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (4 IoCs)
  Processes: WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe
  pid | pid_target | process | target process
  2220 | 2744 | WerFault.exe | DllHost.exe
  4396 | 1548 | WerFault.exe | BackgroundTransferHost.exe
  4388 | 2744 | WerFault.exe | DllHost.exe
  4380 | 2904 | WerFault.exe | StartMenuExperienceHost.exe
  Note: the three crashed processes (DllHost.exe 2744, BackgroundTransferHost.exe 1548, StartMenuExperienceHost.exe 2904) are all targets the sample wrote into under Suspicious use of WriteProcessMemory; the injected code did not run stably in them. sihost.exe (2228), which performed the file writes, did not crash. The WerFault.exe-attributed signatures below are a consequence of these crashes.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WerFault.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Note: the reader here is WerFault.exe, which collects CPU details while building a crash report; this is not the sample probing for a sandbox.
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: WerFault.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Note: as above, these reads are WerFault.exe crash-report collection, not sample activity.
- Modifies registry class (2 IoCs)
  Processes: RuntimeBroker.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | RuntimeBroker.exe
  Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | RuntimeBroker.exe
  Note: RuntimeBroker.exe is one of four instances the sample wrote into (PIDs 2984, 2628, 3324, 2572). These keys are ContentDeliveryManager app-model state; nothing in this report ties them to the injected payload.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe, WerFault.exe, WerFault.exe, WerFault.exe
  pid | process
  3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
  3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
  4396 | WerFault.exe
  4396 | WerFault.exe
  4380 | WerFault.exe
  4380 | WerFault.exe
  2220 | WerFault.exe
  2220 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
  description | pid | process
  Token: SeDebugPrivilege | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
  Note: enabling SeDebugPrivilege is what lets the sample open the system processes (svchost.exe, sihost.exe, taskhostw.exe and the rest) that it then writes into under the next signature.
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe, cmd.exe, DllHost.exe, WerFault.exe, WerFault.exe, WerFault.exe
  description | pid | process | target process
  PID 3512 wrote to memory of 3812 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | cmd.exe
  PID 3512 wrote to memory of 3812 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | cmd.exe
  PID 3512 wrote to memory of 2228 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | sihost.exe
  PID 3812 wrote to memory of 1616 | 3812 | cmd.exe | reg.exe
  PID 3812 wrote to memory of 1616 | 3812 | cmd.exe | reg.exe
  PID 3512 wrote to memory of 2244 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | svchost.exe
  PID 3512 wrote to memory of 2296 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | taskhostw.exe
  PID 3512 wrote to memory of 2528 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | svchost.exe
  PID 3512 wrote to memory of 2744 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | DllHost.exe
  PID 3512 wrote to memory of 2904 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | StartMenuExperienceHost.exe
  PID 3512 wrote to memory of 2984 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | RuntimeBroker.exe
  PID 3512 wrote to memory of 3064 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | SearchApp.exe
  PID 3512 wrote to memory of 2628 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | RuntimeBroker.exe
  PID 3512 wrote to memory of 3324 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | RuntimeBroker.exe
  PID 3512 wrote to memory of 2572 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | RuntimeBroker.exe
  PID 3512 wrote to memory of 4056 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | backgroundTaskHost.exe
  PID 3512 wrote to memory of 1324 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | backgroundTaskHost.exe
  PID 3512 wrote to memory of 1548 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | BackgroundTransferHost.exe
  PID 2744 wrote to memory of 2220 | 2744 | DllHost.exe | WerFault.exe
  PID 2744 wrote to memory of 2220 | 2744 | DllHost.exe | WerFault.exe
  PID 1844 wrote to memory of 2744 | 1844 | WerFault.exe | DllHost.exe
  PID 1844 wrote to memory of 2744 | 1844 | WerFault.exe | DllHost.exe
  PID 2024 wrote to memory of 2904 | 2024 | WerFault.exe | StartMenuExperienceHost.exe
  PID 2024 wrote to memory of 2904 | 2024 | WerFault.exe | StartMenuExperienceHost.exe
  PID 2204 wrote to memory of 1548 | 2204 | WerFault.exe | BackgroundTransferHost.exe
  PID 2204 wrote to memory of 1548 | 2204 | WerFault.exe | BackgroundTransferHost.exe
  Note: the writes into cmd.exe (3812) and from cmd.exe into reg.exe (1616) are ordinary parent-to-child writes made while starting a child process, as are DllHost.exe's writes into its WerFault.exe child and the WerFault.exe -pss writes into the crashed processes. The remaining rows, all from PID 3512 into already-running system processes (sihost.exe, two svchost.exe instances, taskhostw.exe, DllHost.exe, StartMenuExperienceHost.exe, four RuntimeBroker.exe instances, SearchApp.exe, two backgroundTaskHost.exe instances, BackgroundTransferHost.exe), are the sample's process injection.
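The WriteProcessMemory and Program crash tables together describe what the sample actually did on the host: it opened existing system processes and wrote into them, and three of those hosts then crashed. The following Python is an added example and not part of the sandbox report or its tooling. It parses the report's own row format (the 26 WriteProcessMemory rows and the 4 Program crash rows, embedded as constructed input copied from the tables above, run together the way the page renders them), drops duplicate rows, separates parent-to-child writes made during process start-up (the sample starting cmd.exe, cmd.exe starting reg.exe, DllHost.exe starting its WerFault.exe child) from writes into unrelated existing processes, and reports which injection targets later crashed. The CHILDREN set is read off the process tree further down this page; the rule "a write into the writer's own child is start-up, anything else is injection" is the example's own heuristic, not something the sandbox applies.

```python
"""Build an injection map from Triage-style WriteProcessMemory / Program crash rows.

Added example: the rows are copied from this report; the parent->child heuristic
and the CHILDREN set (read off the process tree) are the example's own.
"""
import re
from collections import Counter

SAMPLE = "43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe"

# Constructed input: the report's 26 rows, run together the way the page renders them.
WRITE_ROWS = " ".join([
    f"PID 3512 wrote to memory of 3812 3512 {SAMPLE} cmd.exe",
    f"PID 3512 wrote to memory of 3812 3512 {SAMPLE} cmd.exe",
    f"PID 3512 wrote to memory of 2228 3512 {SAMPLE} sihost.exe",
    "PID 3812 wrote to memory of 1616 3812 cmd.exe reg.exe",
    "PID 3812 wrote to memory of 1616 3812 cmd.exe reg.exe",
    f"PID 3512 wrote to memory of 2244 3512 {SAMPLE} svchost.exe",
    f"PID 3512 wrote to memory of 2296 3512 {SAMPLE} taskhostw.exe",
    f"PID 3512 wrote to memory of 2528 3512 {SAMPLE} svchost.exe",
    f"PID 3512 wrote to memory of 2744 3512 {SAMPLE} DllHost.exe",
    f"PID 3512 wrote to memory of 2904 3512 {SAMPLE} StartMenuExperienceHost.exe",
    f"PID 3512 wrote to memory of 2984 3512 {SAMPLE} RuntimeBroker.exe",
    f"PID 3512 wrote to memory of 3064 3512 {SAMPLE} SearchApp.exe",
    f"PID 3512 wrote to memory of 2628 3512 {SAMPLE} RuntimeBroker.exe",
    f"PID 3512 wrote to memory of 3324 3512 {SAMPLE} RuntimeBroker.exe",
    f"PID 3512 wrote to memory of 2572 3512 {SAMPLE} RuntimeBroker.exe",
    f"PID 3512 wrote to memory of 4056 3512 {SAMPLE} backgroundTaskHost.exe",
    f"PID 3512 wrote to memory of 1324 3512 {SAMPLE} backgroundTaskHost.exe",
    f"PID 3512 wrote to memory of 1548 3512 {SAMPLE} BackgroundTransferHost.exe",
    "PID 2744 wrote to memory of 2220 2744 DllHost.exe WerFault.exe",
    "PID 2744 wrote to memory of 2220 2744 DllHost.exe WerFault.exe",
    "PID 1844 wrote to memory of 2744 1844 WerFault.exe DllHost.exe",
    "PID 1844 wrote to memory of 2744 1844 WerFault.exe DllHost.exe",
    "PID 2024 wrote to memory of 2904 2024 WerFault.exe StartMenuExperienceHost.exe",
    "PID 2024 wrote to memory of 2904 2024 WerFault.exe StartMenuExperienceHost.exe",
    "PID 2204 wrote to memory of 1548 2204 WerFault.exe BackgroundTransferHost.exe",
    "PID 2204 wrote to memory of 1548 2204 WerFault.exe BackgroundTransferHost.exe",
])
# Constructed input: the report's 4 Program crash rows (pid pid_target process target).
CRASH_ROWS = ("2220 2744 WerFault.exe DllHost.exe 4396 1548 WerFault.exe BackgroundTransferHost.exe "
              "4388 2744 WerFault.exe DllHost.exe 4380 2904 WerFault.exe StartMenuExperienceHost.exe")
# (parent_pid, child_pid) pairs taken from the report's process tree.
CHILDREN = {(3512, 3812), (3812, 1616), (2744, 2220), (2744, 4388), (2904, 4380), (1548, 4396)}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
CRASH_RE = re.compile(r"(\d+) (\d+) (WerFault\.exe) (\S+)")


def parse_writes(text):
    """De-duplicated {(src_pid, src_name, dst_pid, dst_name)} from the run-together rows."""
    return {(int(s), sn, int(d), dn) for s, d, sn, dn in WRITE_RE.findall(text)}


def parse_crashes(text):
    """{crashed_pid: crashed_name} from the Program crash rows (the WerFault pid is dropped)."""
    return {int(target): name for _wer, target, _w, name in CRASH_RE.findall(text)}


def classify(writes, children):
    """Split writes into start-up writes (into the writer's own child) and injections."""
    startup, injections = set(), set()
    for w in writes:
        (startup if (w[0], w[2]) in children else injections).add(w)
    return startup, injections


def injection_targets(writes, children, source=SAMPLE):
    """(pid, name) of every pre-existing process that `source` injected into."""
    _, injections = classify(writes, children)
    return {(d, dn) for _s, sn, d, dn in injections if sn == source}


def triage(writes, crashes, children, source=SAMPLE):
    """Which injection targets crashed afterwards and which survived (payload ran there)."""
    targets = injection_targets(writes, children, source)
    crashed = {t for t in targets if t[0] in crashes}
    return {"injected": sorted(targets), "crashed": sorted(crashed),
            "survived": sorted(targets - crashed)}


def writers(writes, children):
    """Distinct injections per source process name (separates the sample from WerFault)."""
    _, injections = classify(writes, children)
    return Counter(sn for _s, sn, _d, _dn in injections)


if __name__ == "__main__":
    w = parse_writes(WRITE_ROWS)
    r = triage(w, parse_crashes(CRASH_ROWS), CHILDREN)
    print(f"{len(w)} distinct writes; sample injected into {len(r['injected'])} processes")
    print("crashed afterwards:", r["crashed"])
    print("survived:", r["survived"])
    print("injections by source:", dict(writers(w, CHILDREN)))
```

Run stand-alone it reports 20 distinct writes, 14 injection targets for the sample, three of which crashed, and 11 that survived, with sihost.exe (2228) among the survivors, which matches the file-modification IoCs being attributed to sihost.exe.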
Processes
Nesting shows parent/child relationships. PIDs are not part of the tree; the IoC tables above give sample = 3512, cmd.exe = 3812, reg.exe = 1616, sihost.exe = 2228, DllHost.exe = 2744, StartMenuExperienceHost.exe = 2904, BackgroundTransferHost.exe = 1548, and the WerFault.exe -pss instances 1844, 2204 and 2024 for DllHost.exe, BackgroundTransferHost.exe and StartMenuExperienceHost.exe respectively.
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2904 -s 2940
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Modifies registry class
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2744 -s 1012
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2744 -s 1012
    - Program crash
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  - Drops file in Program Files directory
- C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe" /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe" /f
      - Adds Run key to start application
- C:\Windows\system32\BackgroundTransferHost.exe
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 1548 -s 2592
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 488 -p 2904 -ip 2904
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 460 -p 1548 -ip 1548
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 452 -p 2744 -ip 2744
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\BackgroundTransferApi\2e2866ff-09db-427a-af72-33efc7e64417.down_data
  MD5: 277045b438381976db11df58d45356e8
  SHA1: 061ba64b6dad4e3b79530d9c0f0ba68d0039f824
  SHA256: 53f323bb21ed9bf93e5763be0260db87433256dd40b7f3768cb15f5570b305a4
  SHA512: b86f64924592649d2a1164404abc1acedf535fb6bc9f7b048392771484e97f2833ee282652096e6906f9fa0918f4dc031fefda3f0f5b42a7ea18d40fb34125b7
- memory/2228-130-0x00007FF7F5B50000-0x00007FF7F5EDE000-memory.dmp
  Filesize: 3.6MB
- memory/2528-131-0x00007FF7F5B50000-0x00007FF7F5EDE000-memory.dmp
  Filesize: 3.6MB
Note: the two memory dumps come from PIDs 2228 (sihost.exe) and 2528 (svchost.exe), both WriteProcessMemory targets of the sample, and cover the same 3.6MB range at the same base address in each process, consistent with the same injected image being mapped into both hosts; they are the artifacts to pull for the unpacked payload. The .down_data file sits under ContentDeliveryManager's BackgroundTransferApi cache (the component behind the BackgroundTransferHost.exe the sample also injected into) and is not shown by this report to be sample-related.