Analysis Overview
SHA256
3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4
Threat Level: Known bad
The file 3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Checks computer location settings
Adds Run key to start application
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 08:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 08:47
Reported
2022-02-20 09:37
Platform
win7-en-20211208
Max time kernel
186s
Max time network
145s
Command Line
Signatures
Ryuk
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe" | C:\Windows\system32\reg.exe | N/A |
Drops file in Program Files directory
Every write below, including each RyukReadMe.txt ransom note, is attributed to C:\Windows\system32\taskhost.exe rather than to the submitted executable. Read together with the SeDebugPrivilege and WriteProcessMemory signatures, this is consistent with the sample injecting its encryption routine into that system process, so file-activity alerting keyed on the sample's own image name would miss the damage.
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\pop3.jar | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Damascus | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5 | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-7 | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-background.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Taipei | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\TextConv\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Chisinau | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ashgabat | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_ButtonGraphic.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
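The table above is the raw material for an analyst's first question about a ransomware detonation: which process actually did the writing, and does its write pattern look like encryption plus note dropping? The following is an added example, not part of the sandbox report, of triaging such a table: it groups write events by the process that performed them, counts ransom-note drops and the spread of file types touched, and flags a Windows system binary doing the writing as a likely injection target. The event rows are constructed from entries in the table above plus one constructed svchost.exe row for contrast; the generic note-name hints, suffix list and thresholds are assumptions.

```python
"""Triage of sandbox file-modification events for ransomware behaviour.

Added example; the event rows are constructed from the report's table
(plus one constructed svchost.exe row for contrast). Thresholds and the
generic ransom-note name hints are assumptions, not report data.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

TASKHOST = r"C:\Windows\system32\taskhost.exe"

# (description, indicator, process) in the same shape as the report's table.
EVENTS = [
    ("File opened for modification", r"C:\Program Files\DVD Maker\RyukReadMe.txt", TASKHOST),
    ("File opened for modification", r"C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png", TASKHOST),
    ("File opened for modification", r"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\pop3.jar", TASKHOST),
    ("File opened for modification", r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk", TASKHOST),
    ("File opened for modification", r"C:\Program Files\Common Files\Microsoft Shared\Stationery\RyukReadMe.txt", TASKHOST),
    ("File opened for modification", r"C:\Program Files\7-Zip\Lang\he.txt", TASKHOST),
    ("File opened for modification", r"C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat", TASKHOST),
    ("File opened for modification", r"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\RyukReadMe.txt", TASKHOST),
    # Constructed contrast row: a single temp-file write by a service host.
    ("File created", r"C:\Users\Admin\AppData\Local\Temp\tmp1234.tmp", r"C:\Windows\System32\svchost.exe"),
]

NOTE_NAMES = {"ryukreadme.txt"}                                       # from the report
NOTE_HINTS = ("readme", "decrypt", "restore", "recover", "how_to")    # assumption
NOTE_SUFFIXES = {".txt", ".html", ".hta"}                             # assumption


def is_ransom_note(path) -> bool:
    """Exact match on the note name seen in this report, else a generic heuristic."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name in NOTE_NAMES:
        return True
    return p.suffix.lower() in NOTE_SUFFIXES and any(h in name for h in NOTE_HINTS)


def is_system_binary(process: str) -> bool:
    """True for images under C:\\Windows; mass writes from these point at injection."""
    return process.lower().startswith("c:\\windows\\")


def summarize(events):
    """Group write events by the process that performed them."""
    per_proc = defaultdict(lambda: {"note_dirs": set(), "files": 0, "dirs": set(), "extensions": set()})
    for description, indicator, process in events:
        d = description.lower()
        if "modification" not in d and "created" not in d:
            continue  # reads and queries are not interesting here
        path = PureWindowsPath(indicator)
        entry = per_proc[process]
        if is_ransom_note(path):
            entry["note_dirs"].add(str(path.parent).lower())
        else:
            entry["files"] += 1
            entry["dirs"].add(str(path.parent).lower())
            entry["extensions"].add(path.suffix.lower() or "<none>")
    return per_proc


def triage(events, min_note_dirs=2, min_extensions=3):
    """Return {process: [findings]} for processes showing ransomware-like writes."""
    findings = {}
    for process, e in summarize(events).items():
        flags = []
        if len(e["note_dirs"]) >= min_note_dirs:
            flags.append(f"ransom notes in {len(e['note_dirs'])} directories")
        if len(e["extensions"]) >= min_extensions and len(e["dirs"]) >= min_note_dirs:
            flags.append(f"mass modification: {e['files']} files, {len(e['extensions'])} extensions")
        if flags and is_system_binary(process):
            flags.append("writer is a Windows system binary: code injection suspected")
        if flags:
            findings[process] = flags
    return findings


if __name__ == "__main__":
    for proc, flags in triage(EVENTS).items():
        print(proc)
        for f in flags:
            print("  -", f)
```

Run against the constructed rows, taskhost.exe is reported with all three findings and the svchost.exe row is not reported at all; the useful output of the triage is the image name to pivot on next (memory dumps, parent process, injected regions), which here is not the submitted sample.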
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe
"C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe" /f
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe" /f
Network
Files
memory/1664-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
memory/1276-55-0x000000013FF00000-0x000000013FF35000-memory.dmp
memory/1276-57-0x000000013FF00000-0x000000013FF35000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 08:47
Reported
2022-02-20 09:38
Platform
win10v2004-en-20220113
Max time kernel
83s
Max time network
164s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe
"C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe" /f
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe" /f
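The persistence mechanism recorded in both runs is a single REG ADD, spawned through cmd.exe /C, that writes a per-user Run value named svchos (one letter short of svchost) pointing at the executable in the user's Temp directory; /f suppresses the overwrite prompt. The following is an added example, not part of the report, of parsing such command lines from process-creation telemetry and scoring them: it extracts the key, value name, type and data from a reg add invocation and flags Run-key writes whose target lives in a user-writable directory or whose value name masquerades as, or closely resembles, a Windows system binary. The two SAMPLE_* command lines are the ones in the process list above; the OneDrive line and the non-Run-key line are constructed, and the look-alike name list, user-writable path list and similarity threshold are assumptions.

```python
"""Scoring of reg.exe Run-key writes seen in process-creation telemetry.

Added example, not part of the sandbox report. The two SAMPLE_* command
lines are copied from the report's process list; BENIGN_CMD and OTHER_CMD
are constructed. The look-alike names, user-writable path list and the
similarity threshold are assumptions.
"""
import difflib
import re

SAMPLE_CMD = (r'"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
              r'/v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe" /f')
SAMPLE_REG_CMD = (r'REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
                  r'/v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\3012f472969327d5f8c9dac63b8ea9c5cb0de002d16c120a6bba4685120f58b4.exe" /f')
BENIGN_CMD = (r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDrive /t REG_SZ '
              r'/d "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"')
OTHER_CMD = r'reg add HKCU\Software\Contoso\Agent /v Interval /t REG_DWORD /d 60 /f'

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\?$", re.IGNORECASE)
# Locations an unprivileged user can write to (assumption; extend for your estate).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\windows\\temp\\")
# Names malware borrows for its autorun entries (assumption).
SYSTEM_NAMES = ("svchost", "csrss", "lsass", "explorer", "winlogon", "taskhost", "dwm", "services")


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted arguments whole."""
    return [q if q else bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_reg_add(cmdline):
    """Extract key, value name, type and data from a 'reg add' invocation, or None."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    start = None
    for i, t in enumerate(low[:-2]):
        if t.rsplit("\\", 1)[-1] in ("reg", "reg.exe") and low[i + 1] == "add":
            start = i  # works whether reg is the image or sits behind cmd.exe /C
            break
    if start is None:
        return None
    reg = {"key": toks[start + 2], "value": None, "type": None, "data": None, "force": False}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    j = start + 3
    while j < len(toks):
        opt = low[j]
        if opt in names and j + 1 < len(toks):
            reg[names[opt]] = toks[j + 1]
            j += 2
        else:
            if opt == "/f":
                reg["force"] = True
            elif opt == "/ve":
                reg["value"] = ""
            j += 1
    return reg


def assess(cmdline):
    """Return None if not a Run-key write, else the parsed entry plus findings."""
    reg = parse_reg_add(cmdline)
    if reg is None or not RUN_KEY_RE.search(reg["key"]):
        return None
    key_up = reg["key"].upper()
    reg["scope"] = "user" if key_up.startswith(("HKCU", "HKEY_CURRENT_USER", "\\REGISTRY\\USER\\")) else "machine"
    findings = []
    data = (reg["data"] or "").lower()
    if any(p in data for p in USER_WRITABLE):
        findings.append("autorun target in user-writable location")
    name = (reg["value"] or "").lower()
    for legit in SYSTEM_NAMES:
        if name == legit:
            findings.append(f"value name masquerades as system binary '{legit}'")
        elif name and difflib.SequenceMatcher(None, name, legit).ratio() >= 0.8:
            findings.append(f"value name '{name}' resembles system binary '{legit}'")
    reg["findings"] = findings
    return reg


if __name__ == "__main__":
    for cmd in (SAMPLE_CMD, SAMPLE_REG_CMD, BENIGN_CMD, OTHER_CMD):
        print(assess(cmd))
```

The cmd.exe line and the reg.exe line parse to the same entry, so a rule built on this can fire once on either the parent or the child; the per-user scope is worth recording because the write needed no elevation and survives only for the Admin profile, which is where a responder should look for the value when cleaning up.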
Network
| Country | Destination | Domain | Proto |
| US | 20.42.72.131:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 13.107.4.50:80 | | tcp |
| US | 13.107.4.50:80 | | tcp |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
The only name resolved in this run is crl4.digicert.com, DigiCert's certificate revocation list endpoint; the 8.8.8.8:53 row is that DNS lookup and the 93.184.220.29:80 connections go to the host it resolved to. No command-and-control traffic is recorded in either run, so the network section gives no pivot for blocking and the detection value of this sample lies in the host-side behavior.
Files
memory/2276-130-0x00007FF691510000-0x00007FF691545000-memory.dmp