Analysis
- max time kernel: 100s
- max time network: 8s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 10/04/2021, 20:03
Static task
- static1
Behavioral tasks
- behavioral1: Sample bPQDRgviZlan.exe, Resource win7v20201028
- behavioral2: Sample bPQDRgviZlan.exe, Resource win10v20201028
General
- Target: bPQDRgviZlan.exe
- Size: 136KB
- MD5: 45295780f2ba837be42ccf50710bd2b5
- SHA1: f937b1b7b3593a38702f870077658a891974edda
- SHA256: 60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025
- SHA512: 588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b
Malware Config
- Extracted from: C:\$Recycle.Bin\RyukReadMe.html
- Family: ryuk
- URL: http://smtpys6pvcvdvram6xucwecfv7rdhs6fmxzivrbcrncdeiphryhb75id.onion
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Executes dropped EXE (2 IoCs)
  pid 792   oXkmcHcGMrep.exe
  pid 1692  wwMzGyhcylan.exe
- Loads dropped DLL (6 IoCs)
  pid 1336  bPQDRgviZlan.exe (6 entries)
- Modifies file permissions (1 TTPs, 2 IoCs)
  pid 1060  icacls.exe
  pid 368   icacls.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs net.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1336 (bPQDRgviZlan.exe) wrote to memory of 792, procid_target 29 (4 entries)
  PID 1336 (bPQDRgviZlan.exe) wrote to memory of 1692, procid_target 30 (4 entries)
  PID 1336 (bPQDRgviZlan.exe) wrote to memory of 388, procid_target 31 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\bPQDRgviZlan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bPQDRgviZlan.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  PID:1336
  - C:\Users\Admin\AppData\Local\Temp\oXkmcHcGMrep.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\oXkmcHcGMrep.exe" 9 REP
    Signatures: Executes dropped EXE
    PID:792
  - C:\Users\Admin\AppData\Local\Temp\wwMzGyhcylan.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\wwMzGyhcylan.exe" 8 LAN
    Signatures: Executes dropped EXE
    PID:1692
  - C:\Users\Admin\AppData\Local\Temp\TksiBiAAGlan.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TksiBiAAGlan.exe" 8 LAN
    PID:388
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "C:\*" /grant Everyone:F /T /C /Q
    Signatures: Modifies file permissions
    PID:1060
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls "D:\*" /grant Everyone:F /T /C /Q
    Signatures: Modifies file permissions
    PID:368
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    PID:1560
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
      PID:2044
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "samss" /y
    PID:668
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "samss" /y
      PID:1564
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    PID:2028
  - C:\Windows\SysWOW64\net.exe
    Command line: "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
    PID:2100
- C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  PID:3068
- C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop "audioendpointbuilder" /y
  PID:2956