Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

13/07/2021, 07:27

210713-ndxveajg2s 10

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    13/07/2021, 07:28

General

  • Target

    74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe

  • Size

    186KB

  • MD5

    45f643feeb41a49320ba6bfdc2968f4e

  • SHA1

    572c0f765ab89777ef63dd00f6c7970bc0219e06

  • SHA256

    74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f

  • SHA512

    326b14e3e577eb8839a514f6313b45470f15ab9af90d7213ebf471015ceccbc2926282384ddabceac33ef2c2cfef7e3b04743f19dc7c1f4d11fb0a423bcd3d0e

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
[email protected] [email protected] balance of shadow universe Ryuk

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe
    "C:\Users\Admin\AppData\Local\Temp\74654957ba3c9f1ce8bb513954b9deea68a5a82217806977a1247fb342db109f.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Users\Admin\AppData\Local\Temp\SEhpNMG.exe
      "C:\Users\Admin\AppData\Local\Temp\SEhpNMG.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Windows\SysWOW64\net.exe
        "C:\Windows\System32\net.exe" stop "samss" /y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:6200
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "samss" /y
          4⤵
            PID:6336
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" stop "samss" /y
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:55536
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "samss" /y
            4⤵
              PID:55744
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" stop "samss" /y
            3⤵
              PID:118916
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "samss" /y
                4⤵
                  PID:118964
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1380
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                3⤵
                  PID:2020
              • C:\Windows\SysWOW64\net.exe
                "C:\Windows\System32\net.exe" stop "samss" /y
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2160
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop "samss" /y
                  3⤵
                    PID:2424
                • C:\Windows\SysWOW64\net.exe
                  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3868
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                    3⤵
                      PID:2456
                  • C:\Windows\SysWOW64\net.exe
                    "C:\Windows\System32\net.exe" stop "samss" /y
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2520
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop "samss" /y
                      3⤵
                        PID:4152
                    • C:\Windows\SysWOW64\net.exe
                      "C:\Windows\System32\net.exe" stop "samss" /y
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:46176
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop "samss" /y
                        3⤵
                          PID:46268
                      • C:\Windows\SysWOW64\net.exe
                        "C:\Windows\System32\net.exe" stop "samss" /y
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:47472
                        • C:\Windows\SysWOW64\net1.exe
                          C:\Windows\system32\net1 stop "samss" /y
                          3⤵
                            PID:47576
                        • C:\Windows\SysWOW64\net.exe
                          "C:\Windows\System32\net.exe" stop "samss" /y
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:114448
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop "samss" /y
                            3⤵
                              PID:114620
                          • C:\Windows\SysWOW64\net.exe
                            "C:\Windows\System32\net.exe" stop "samss" /y
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:114480
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 stop "samss" /y
                              3⤵
                                PID:114636

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads