Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    164s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20/02/2022, 04:10

General

  • Target

    9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f.exe

  • Size

    112KB

  • MD5

    990b689516914e33319296bf038b8d45

  • SHA1

    c0de363450821deb850bed1a2b6880d84bd9ec3b

  • SHA256

    9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f

  • SHA512

    e0d42a48a286aa21415e3d5b1e6a4ce0f2947eb0b1de6b73fd13fbd450e141975d05e00a4c332349039f41fb2d71807d9242118b6c0c69392ff9bd0aa062085d

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html�������������������������������������������������������������������������������������������������������������������������������������������������������

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
[email protected] balance of shadow universe Ryuk

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f.exe
    "C:\Users\Admin\AppData\Local\Temp\9a8f9a28040bf69a7179de263382b29d1b6da12efc330ada1f983e9fe9b56c7f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Users\Admin\AppData\Local\Temp\FqjkICAzVlan.exe
      "C:\Users\Admin\AppData\Local\Temp\FqjkICAzVlan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:524
    • C:\Users\Admin\AppData\Local\Temp\RQMmrniXMlan.exe
      "C:\Users\Admin\AppData\Local\Temp\RQMmrniXMlan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:576
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2156
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "WMIC.exe shadowcopy delete"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:692
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        WMIC.exe shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1068
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "bootstatuspolicy ignoreallfailures"
      2⤵
        PID:1084
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
        2⤵
          PID:540
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\*" /grant Everyone:F /T /C /Qþ
          2⤵
          • Modifies file permissions
          PID:752
        • C:\Windows\SysWOW64\icacls.exe
          icacls "D:\*" /grant Everyone:F /T /C /Qþ
          2⤵
          • Modifies file permissions
          PID:748
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:288
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "audioendpointbuilder" /y
            3⤵
              PID:2272
          • C:\Windows\SysWOW64\net.exe
            "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1156
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "audioendpointbuilder" /y
              3⤵
                PID:2264
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\System32\net.exe" stop "samss" /y
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2256
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop "samss" /y
                3⤵
                  PID:2352
              • C:\Windows\SysWOW64\net.exe
                "C:\Windows\System32\net.exe" stop "samss" /y
                2⤵
                  PID:2408
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "samss" /y
                    3⤵
                      PID:2440
                  • C:\Windows\SysWOW64\net.exe
                    "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
                    2⤵
                      PID:9332
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                        3⤵
                          PID:9356
                      • C:\Windows\SysWOW64\net.exe
                        "C:\Windows\System32\net.exe" stop "samss" /y
                        2⤵
                          PID:9380
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop "samss" /y
                            3⤵
                              PID:9404
                          • C:\Windows\SysWOW64\net.exe
                            "C:\Windows\System32\net.exe" stop "samss" /y
                            2⤵
                              PID:9420
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop "samss" /y
                                3⤵
                                  PID:9444
                            • C:\Windows\system32\vssvc.exe
                              C:\Windows\system32\vssvc.exe
                              1⤵
                                PID:2780
                              • C:\Windows\system32\vssvc.exe
                                C:\Windows\system32\vssvc.exe
                                1⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3344

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • memory/1588-54-0x0000000076421000-0x0000000076423000-memory.dmp

                                Filesize

                                8KB