Malware Analysis Report

2024-10-19 06:14

Sample ID 220220-kpzhtsafe6
Target 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4
SHA256 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4
Tags
ryuk persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4

Threat Level: Known bad

The file 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4 was found to be: Known bad.

Malicious Activity Summary

ryuk persistence ransomware

Ryuk

Checks computer location settings

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 08:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 08:47

Reported

2022-02-20 09:37

Platform

win7-en-20211208

Max time kernel

186s

Max time network

145s

Command Line

"taskhost.exe"

Signatures

Ryuk

ransomware ryuk

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\pop3.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Damascus C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5 C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-7 C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ro.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Taipei C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\TextConv\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Chisinau C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ashgabat C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mn.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fi.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe

"C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe" /f

Network

N/A

Files

memory/1664-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

memory/1276-55-0x000000013FF00000-0x000000013FF35000-memory.dmp

memory/1276-57-0x000000013FF00000-0x000000013FF35000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 08:47

Reported

2022-02-20 09:38

Platform

win10v2004-en-20220113

Max time kernel

83s

Max time network

164s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe N/A

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe

"C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe" /f

Network

Country Destination Domain Proto
US 20.42.72.131:443 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 8.8.8.8:53 crl4.digicert.com udp
US 93.184.220.29:80 crl4.digicert.com tcp

Files

memory/2276-130-0x00007FF691510000-0x00007FF691545000-memory.dmp