Analysis

max time kernel: 182s
max time network: 202s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 20-02-2022 08:45

Static task: static1

Behavioral task: behavioral1
  Sample: 3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: 3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe
  Resource: win10v2004-en-20220112

General

Target: 3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe
Size: 150KB
MD5: d7fe5e5a7f201faa9e4c170a6b5584de
SHA1: b18fd85bd286be4390b6a2479dbbc63dac48ff56
SHA256: 3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f
SHA512: da7369aee1407d170217f0ec824cbaf38c5c4433280bd349ffc90ec0d57891bdc0e9f3b86c3f05b859ff665bb2d76464216c0dd4f93e22c6edba4fa6dfe58c0e
Malware Config

Extracted
  Path: C:\RyukReadMe.txt
  Family: ryuk
  Wallet: 1FRNVupsCyTjUvF36GxHZrvLaPtY6hgkTm
Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description               pid   process       target process
  PID 1280 created 2816     1280  WerFault.exe  StartMenuExperienceHost.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description         ioc                                                                                              process
  Key value queried   \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description       ioc                                                                                                                                                                                                          process
  Key created       \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                                                                                     reg.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe"   reg.exe
Drops file in Program Files directory (64 IoCs)
Processes:
  process: sihost.exe
  description: File opened for modification
  ioc:
    C:\Program Files\7-Zip\Lang\af.txt
    C:\Program Files\7-Zip\Lang\nn.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml
    C:\Program Files\Common Files\System\ado\msador28.tlb
    C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer.bat
    C:\Program Files\7-Zip\Lang\ext.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\RyukReadMe.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml
    C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\ffjcext.zip
    C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml
    C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCallbacks.h
    C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_it.properties
    C:\Program Files\7-Zip\Lang\lt.txt
    C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\RyukReadMe.txt
    C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\RyukReadMe.txt
    C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\invalid32x32.gif
    C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml
    C:\Program Files\Common Files\System\ado\ja-JP\RyukReadMe.txt
    C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP.bat
    C:\Program Files\Internet Explorer\fr-FR\RyukReadMe.txt
    C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy.jar
    C:\Program Files\7-Zip\Lang\de.txt
    C:\Program Files\7-Zip\Lang\hu.txt
    C:\Program Files\Common Files\microsoft shared\ink\sv-SE\RyukReadMe.txt
    C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui
    C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties
    C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.txt
    C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml
    C:\Program Files\Common Files\System\ado\msado60.tlb
    C:\Program Files\Common Files\microsoft shared\ink\ru-RU\RyukReadMe.txt
    C:\Program Files\7-Zip\Lang\io.txt
    C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml
    C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ru.jar
    C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\sRGB.pf
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml
    C:\Program Files\Common Files\microsoft shared\ink\hr-HR\RyukReadMe.txt
    C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_it.jar
    C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_es.properties
    C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man
    C:\Program Files\Common Files\microsoft shared\ink\bg-BG\RyukReadMe.txt
    C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.jar
    C:\Program Files\Common Files\microsoft shared\Triedit\RyukReadMe.txt
    C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\GRAY.pf
    C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiBold.ttf
    C:\Program Files\7-Zip\Lang\kk.txt
    C:\Program Files\7-Zip\Lang\tr.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\RyukReadMe.txt
    C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui
    C:\Program Files\Common Files\microsoft shared\ink\de-DE\RyukReadMe.txt
    C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui
    C:\Program Files\7-Zip\Lang\bn.txt
    C:\Program Files\7-Zip\Lang\ko.txt
    C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml
    C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar
    C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.war
    C:\Program Files\7-Zip\7z.sfx
    C:\Program Files\7-Zip\Lang\gu.txt
    C:\Program Files\Java\jdk1.8.0_66\include\jvmticmlr.h
    C:\Program Files\7-Zip\Lang\cs.txt
    C:\Program Files\7-Zip\Lang\nb.txt
    C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml
    C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml
Drops file in Windows directory (1 IoC)
Processes:
  description                    ioc                                                                                                               process
  File opened for modification   C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat   svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
Processes:
  pid    pid_target   process        target process
  1828   2712         WerFault.exe   DllHost.exe
  3956   2816         WerFault.exe   StartMenuExperienceHost.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                                        process
  Key opened          \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0            MusNotifyIcon.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz       MusNotifyIcon.exe
Modifies data under HKEY_USERS (45 IoCs)
Processes:
  process: svchost.exe
  description / ioc:
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"
    Key created       \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"
    Key created       \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"
    Set value (str)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.492609"
    Key created       \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"
    Set value (str)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"
    Set value (str)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899996085996827"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4156"
    Key created       \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"
    Set value (int)   \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"
Modifies registry class (2 IoCs)
Processes:
  process: RuntimeBroker.exe
  description / ioc:
    Key created   \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable
    Key created   \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid    process
  2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe
  2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe
  3956   WerFault.exe
  3956   WerFault.exe
  1828   WerFault.exe
  1828   WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid    process
  Token: SeDebugPrivilege   2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe

Suspicious use of UnmapMainImage (1 IoC)
Processes:
  pid    process
  2932   RuntimeBroker.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
  description                          pid    process                                                                 target process
  PID 2648 wrote to memory of 3776     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   cmd.exe
  PID 2648 wrote to memory of 3776     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   cmd.exe
  PID 2648 wrote to memory of 2204     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   sihost.exe
  PID 3776 wrote to memory of 3696     3776   cmd.exe                                                                 reg.exe
  PID 3776 wrote to memory of 3696     3776   cmd.exe                                                                 reg.exe
  PID 2648 wrote to memory of 2224     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   svchost.exe
  PID 2648 wrote to memory of 2276     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   taskhostw.exe
  PID 2648 wrote to memory of 2528     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   svchost.exe
  PID 2648 wrote to memory of 2712     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   DllHost.exe
  PID 2648 wrote to memory of 2816     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   StartMenuExperienceHost.exe
  PID 2648 wrote to memory of 2948     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   RuntimeBroker.exe
  PID 2648 wrote to memory of 3024     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   SearchApp.exe
  PID 2648 wrote to memory of 2172     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   RuntimeBroker.exe
  PID 2648 wrote to memory of 3372     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   RuntimeBroker.exe
  PID 2648 wrote to memory of 2932     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   RuntimeBroker.exe
  PID 2648 wrote to memory of 2976     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   backgroundTaskHost.exe
  PID 2648 wrote to memory of 2992     2648   3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe   backgroundTaskHost.exe
  PID 2712 wrote to memory of 1828     2712   DllHost.exe                                                             WerFault.exe
  PID 2712 wrote to memory of 1828     2712   DllHost.exe                                                             WerFault.exe
  PID 1280 wrote to memory of 2816     1280   WerFault.exe                                                            StartMenuExperienceHost.exe
  PID 1280 wrote to memory of 2816     1280   WerFault.exe                                                            StartMenuExperienceHost.exe
Processes

C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  - Drops file in Program Files directory

C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2712 -s 1004
      - Program crash
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Modifies registry class
  - Suspicious use of UnmapMainImage

C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2816 -s 2844
      - Program crash
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Users\Admin\AppData\Local\Temp\3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe" /f
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\reg.exe
          Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3081e7cb254917f64638d21e52f307e6e1661ab64b8adaa50568578d1c3e888f.exe" /f
          - Adds Run key to start application

C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry

C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 424 -p 2816 -ip 2816
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/2204-130-0x00007FF64CF90000-0x00007FF64D319000-memory.dmp
  Filesize: 3.5MB

memory/2224-131-0x00007FF64CF90000-0x00007FF64D319000-memory.dmp
  Filesize: 3.5MB

memory/2712-133-0x000001F6170A0000-0x000001F6170A8000-memory.dmp
  Filesize: 32KB

memory/2712-134-0x000001F617090000-0x000001F617091000-memory.dmp
  Filesize: 4KB

memory/2932-132-0x00007FF64CF90000-0x00007FF64D319000-memory.dmp
  Filesize: 3.5MB