Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
155s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
24/05/2021, 11:59
Static task
static1
Behavioral task
behavioral1
Sample
d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
General
-
Target
d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
-
Size
131KB
-
MD5
2cc630e080bb8de5faf9f5ae87f43f8b
-
SHA1
5a385b8b4b88b6eb93b771b7fbbe190789ef396a
-
SHA256
d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9
-
SHA512
901939718692e20a969887e64db581d6fed62c99026709c672edb75ebfa35ce02fa68308d70d463afbcc42a46e52ea9f7bc5ed93e5dbf3772d221064d88e11d7
Score
10/10
Malware Config
Extracted
Path
C:\$Recycle.Bin\RyukReadMe.html
Family
ryuk
Ransom Note
contact
balance of shadow universe
Ryuk
$password = '8x0nKKx5'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion';
function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs
http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Modifies file permissions 1 TTPs 2 IoCs
pid Process 532 icacls.exe 1768 icacls.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\E: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\V: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\P: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\W: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\Q: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\O: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\N: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\M: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\G: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\Y: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\T: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\U: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\S: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\R: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\K: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\J: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\I: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\Z: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\X: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\H: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened (read-only) \??\F: d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\RyukReadMe.html d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\RyukReadMe.html d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qyzylorda d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kolkata d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\7-Zip\Lang\ext.txt d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Galapagos d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+12 d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guyana d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+3 d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\RyukReadMe.html d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\RyukReadMe.html d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sitka d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5 d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\7-Zip\Lang\da.txt d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\RyukReadMe.html d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\RyukReadMe.html d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\RyukReadMe.html d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\RyukReadMe.html d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\offset.ax d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Internet Explorer\en-US\RyukReadMe.html d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jawt.h d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\RyukReadMe.html d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\RyukReadMe.html d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1976 wrote to memory of 532 1976 d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe 29 PID 1976 wrote to memory of 532 1976 d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe 29 PID 1976 wrote to memory of 532 1976 d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe 29 PID 1976 wrote to memory of 532 1976 d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe 29 PID 1976 wrote to memory of 1768 1976 d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe 31 PID 1976 wrote to memory of 1768 1976 d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe 31 PID 1976 wrote to memory of 1768 1976 d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe 31 PID 1976 wrote to memory of 1768 1976 d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe"C:\Users\Admin\AppData\Local\Temp\d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:532
-
-
C:\Windows\SysWOW64\icacls.exeicacls "D:\*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:1768
-