General

  • Target

    f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31

  • Size

    201KB

  • Sample

    220220-apbrnafgcq

  • MD5

    3f5da05d62a70eb1212db39d5d6cf45e

  • SHA1

    369b0ba084ba65268d56019653d8edd37c4838f1

  • SHA256

    f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31

  • SHA512

    7424a9e8dc8dd521cbc98b910ab4642eb50f9d0c3a00e9b230207b505e3d7e74d16872d7be828983d6ec24c67858f1755cc1ac058fd48acefd8a730a41d790b1

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> quimephybe1986@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html>
Emails

quimephybe1986@protonmail.com

Extracted

Path

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

Family

ryuk

Ransom Note
quimephybe1986@protonmail.com balance of shadow universe Ryuk
Emails

quimephybe1986@protonmail.com

Targets

    • Target

      f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31

    • Size

      201KB

    • MD5

      3f5da05d62a70eb1212db39d5d6cf45e

    • SHA1

      369b0ba084ba65268d56019653d8edd37c4838f1

    • SHA256

      f361afd4dd267d6f74f262033b700da652b4da1c0a21e14a8a468f6093d48e31

    • SHA512

      7424a9e8dc8dd521cbc98b910ab4642eb50f9d0c3a00e9b230207b505e3d7e74d16872d7be828983d6ec24c67858f1755cc1ac058fd48acefd8a730a41d790b1

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks