Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
199s -
max time network
193s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
19/02/2022, 08:33
Static task
static1
Behavioral task
behavioral1
Sample
08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe
-
Size
192KB
-
MD5
38df8a5c21f7df368490f8a0a0e276f9
-
SHA1
564641f0da5a9365a748a9589535f3b9439e5cc9
-
SHA256
08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c
-
SHA512
2d3aaabd9f2d1fc4438ff31717dd53667b16acfa421c0364374135ed41360a1dee78d8f51ae588017c895c192f031bf13cbbaa67b1d240ddd86025ebc06be2cf
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Family
ryuk
Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html�������������������������������������������������������������������������������������������������������������������������������������������������������
Emails
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Executes dropped EXE 1 IoCs
pid Process 2068 ashpkCg.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation ashpkCg.exe Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 49 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.270820" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.544384" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132899098677755890" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4160" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4260" svchost.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 2068 ashpkCg.exe 2068 ashpkCg.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeBackupPrivilege 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe Token: SeBackupPrivilege 2068 ashpkCg.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1740 wrote to memory of 2068 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 71 PID 1740 wrote to memory of 2068 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 71 PID 1740 wrote to memory of 2068 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 71 PID 1740 wrote to memory of 3084 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 73 PID 1740 wrote to memory of 3084 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 73 PID 1740 wrote to memory of 3084 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 73 PID 1740 wrote to memory of 1116 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 72 PID 1740 wrote to memory of 1116 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 72 PID 1740 wrote to memory of 1116 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 72 PID 1740 wrote to memory of 1132 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 74 PID 1740 wrote to memory of 1132 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 74 PID 1740 wrote to memory of 1132 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 74 PID 1740 wrote to memory of 452 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 75 PID 1740 wrote to memory of 452 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 75 PID 1740 wrote to memory of 452 1740 08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe 75 PID 2068 wrote to memory of 3300 2068 ashpkCg.exe 81 PID 2068 wrote to memory of 3300 2068 ashpkCg.exe 81 PID 2068 wrote to memory of 3300 2068 ashpkCg.exe 81 PID 2068 wrote to memory of 3852 2068 ashpkCg.exe 82 PID 2068 wrote to memory of 3852 2068 ashpkCg.exe 82 PID 2068 wrote to memory of 3852 2068 ashpkCg.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe"C:\Users\Admin\AppData\Local\Temp\08577e8c9d1c872af3ff503b0b1d60c378d841679fc7f6b3ce48affad6bc781c.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\ashpkCg.exe"C:\Users\Admin\AppData\Local\Temp\ashpkCg.exe" 8 LAN2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y3⤵PID:3300
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y3⤵PID:3852
-
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵PID:1116
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵PID:3084
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:1132
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵PID:452
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1572