Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    173s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20/02/2022, 05:04

General

  • Target

    84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe

  • Size

    167KB

  • MD5

    bbaf622ea0f80ceb357e19519bca0a49

  • SHA1

    a7deca0a331beba2a94e20d34e44c44f4d7cd6b6

  • SHA256

    84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e

  • SHA512

    20329239226f3c44be4736e3bb5df4f9f8dee477e939b34b7f9d334c6210c70855ad1a827487260879854a3c750ad4ecab782b1e71e955873ea51ed8ae5f805a

Score
10/10

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Drops desktop.ini file(s) 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3952
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3332
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
          PID:2824
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:3056
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:2972
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
                PID:2908
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                1⤵
                  PID:2744
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
                  1⤵
                    PID:2552
                  • C:\Windows\system32\taskhostw.exe
                    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                    1⤵
                      PID:2300
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                      1⤵
                        PID:2256
                      • C:\Windows\system32\sihost.exe
                        sihost.exe
                        1⤵
                          PID:2232
                        • C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe
                          "C:\Users\Admin\AppData\Local\Temp\84df9b0cfcafbf57e05f6f675d95c8ee64c29f456329feb9c4a2945b8468df5e.exe"
                          1⤵
                          • Drops desktop.ini file(s)
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2400
                        • C:\Windows\system32\BackgroundTransferHost.exe
                          "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                          1⤵
                            PID:2152
                          • C:\Windows\system32\MusNotifyIcon.exe
                            %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
                            1⤵
                              PID:4444

                            Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads