Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18/01/2021, 11:45 UTC
General
-
Target
88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
-
Size
575KB
-
MD5
6cad2f7dc809b9353a31753a438aef4e
-
SHA1
459d816bb020f5da8257076a36d0ffd1f1f02d76
-
SHA256
88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335
-
SHA512
a67367990452bf21b7c0d0682c598422c78a5ed455a5d5e684d8fabb43366b0e9f9cd579a5f18123f6b1f97945f789904929838d1d893b70f450bfeafb243bb8
Score
10/10
Malware Config
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Modifies file permissions 1 TTPs 2 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe"C:\Users\Admin\AppData\Local\Temp\88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 6522⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
-
GEThttp://www.msftconnecttest.com/connecttest.txtRemote address:13.107.4.52:80RequestGET /connecttest.txt HTTP/1.1
Connection: Keep-Alive
Host: www.msftconnecttest.com
ResponseHTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 22
Content-Type: text/plain; charset=utf-8
Last-Modified: Mon, 04 Jan 2021 19:34:40 GMT
Accept-Ranges: bytes
ETag: 0x8D343F9E96C9DAC
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-MSEdge-Ref
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
X-MSEdge-Ref: Ref A: 8DA82A10F5C2475288AAF8D2123D32F9 Ref B: AMBEDGE0717 Ref C: 2021-01-18T11:46:32Z
Date: Mon, 18 Jan 2021 11:46:32 GMT
-
GEThttp://www.msftconnecttest.com/connecttest.txtRemote address:13.107.4.52:80RequestGET /connecttest.txt HTTP/1.1
Connection: Keep-Alive
Host: www.msftconnecttest.com
ResponseHTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 22
Content-Type: text/plain; charset=utf-8
Last-Modified: Mon, 04 Jan 2021 19:34:40 GMT
Accept-Ranges: bytes
ETag: 0x8D343F9E96C9DAC
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-MSEdge-Ref
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
X-MSEdge-Ref: Ref A: 5596D88DBB264694A828515FA7A928C1 Ref B: AMBEDGE0717 Ref C: 2021-01-18T11:46:32Z
Date: Mon, 18 Jan 2021 11:46:32 GMT
-
GEThttp://www.msftconnecttest.com/connecttest.txtRemote address:13.107.4.52:80RequestGET /connecttest.txt HTTP/1.1
Connection: Keep-Alive
Host: www.msftconnecttest.com
ResponseHTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 22
Content-Type: text/plain; charset=utf-8
Last-Modified: Mon, 04 Jan 2021 19:34:40 GMT
Accept-Ranges: bytes
ETag: 0x8D343F9E96C9DAC
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-MSEdge-Ref
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
X-MSEdge-Ref: Ref A: B8C485569FDF466EBA57E076644083B3 Ref B: AMBEDGE0717 Ref C: 2021-01-18T11:46:32Z
Date: Mon, 18 Jan 2021 11:46:32 GMT
-
GEThttp://www.msftconnecttest.com/connecttest.txtRemote address:13.107.4.52:80RequestGET /connecttest.txt HTTP/1.1
Connection: Keep-Alive
Host: www.msftconnecttest.com
ResponseHTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 22
Content-Type: text/plain; charset=utf-8
Last-Modified: Mon, 04 Jan 2021 19:34:40 GMT
Accept-Ranges: bytes
ETag: 0x8D343F9E96C9DAC
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-MSEdge-Ref
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
X-MSEdge-Ref: Ref A: CF9E59986F674140B19C0987766DFF57 Ref B: AMBEDGE0717 Ref C: 2021-01-18T11:46:32Z
Date: Mon, 18 Jan 2021 11:46:32 GMT
-
13.107.4.52:80http://www.msftconnecttest.com/connecttest.txthttp
HTTP Request
GET http://www.msftconnecttest.com/connecttest.txtHTTP Response
200HTTP Request
GET http://www.msftconnecttest.com/connecttest.txtHTTP Response
200HTTP Request
GET http://www.msftconnecttest.com/connecttest.txtHTTP Response
200HTTP Request
GET http://www.msftconnecttest.com/connecttest.txtHTTP Response
200
No results found
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB