Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system -
submitted
06-03-2024 13:31
Static task
static1
Behavioral task
behavioral1
Sample
UvPSn.exe
Resource
win10-20240221-en
General
-
Target
UvPSn.exe
-
Size
170KB
-
MD5
31bd0f224e7e74eee2847f43aae23974
-
SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58
-
SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
-
SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249
-
SSDEEP
3072:2qeriftL/WSo1vDb53j/8WGUzaqVh4LI8zQpn:2trA/WSo1rl3ALrlHQpn
Malware Config
Extracted
F:\RyukReadMe.txt
ryuk
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UvPSn.exe" reg.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml sihost.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\icu.md sihost.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar sihost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml sihost.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt sihost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunpkcs11.jar sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat sihost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-phn.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\7-Zip\Lang\ky.txt sihost.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties sihost.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\meta-index sihost.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml sihost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml sihost.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\7-Zip\Lang\lij.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr sihost.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\javafx\libxslt.md sihost.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md sihost.exe File opened for modification C:\Program Files\Java\jre-1.8\Welcome.html sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt sihost.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt sihost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2088 UvPSn.exe 2088 UvPSn.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2088 UvPSn.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2088 wrote to memory of 2080 2088 UvPSn.exe 73 PID 2088 wrote to memory of 2080 2088 UvPSn.exe 73 PID 2088 wrote to memory of 2844 2088 UvPSn.exe 49 PID 2088 wrote to memory of 2864 2088 UvPSn.exe 50 PID 2080 wrote to memory of 2224 2080 cmd.exe 75 PID 2080 wrote to memory of 2224 2080 cmd.exe 75 PID 2088 wrote to memory of 3084 2088 UvPSn.exe 52 PID 2088 wrote to memory of 3680 2088 UvPSn.exe 55 PID 2088 wrote to memory of 3688 2088 UvPSn.exe 56 PID 2088 wrote to memory of 3892 2088 UvPSn.exe 57 PID 2088 wrote to memory of 4140 2088 UvPSn.exe 58 PID 2088 wrote to memory of 328 2088 UvPSn.exe 67 PID 2088 wrote to memory of 4716 2088 UvPSn.exe 68 PID 2088 wrote to memory of 4352 2088 UvPSn.exe 69
Processes
-
c:\windows\system32\sihost.exesihost.exe1⤵
- Drops file in Program Files directory
PID:2844
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵PID:2864
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3084
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵PID:3680
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵PID:3688
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3892
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4140
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵PID:328
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵PID:4716
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵PID:4352
-
C:\Users\Admin\AppData\Local\Temp\UvPSn.exe"C:\Users\Admin\AppData\Local\Temp\UvPSn.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UvPSn.exe" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UvPSn.exe" /f3⤵
- Adds Run key to start application
PID:2224
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
804B
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda