Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    167s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20/02/2022, 06:47

General

  • Target

    5e4160a133d44a1cf90d72eedd5e6084543521fecbf070d550c6012d294ccb28.exe

  • Size

    150KB

  • MD5

    e78cd758ff117ff26e2c333b484b03b1

  • SHA1

    a477b3fc1c8f9c571e1dcfda0c84606fb7d34d93

  • SHA256

    5e4160a133d44a1cf90d72eedd5e6084543521fecbf070d550c6012d294ccb28

  • SHA512

    a9bec103ecda3c0faca8868a46790787697d0c28ae849fb6857850a378c2812671ec3f2f96d4b9711d74cc3549e909bafb65ad82ab2bd86052f1d24b995e0708

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 1Kx9TT76PHwk8sw7Ur6PsMWyEtaogX7wWY Ryuk No system is safe
Wallets

1Kx9TT76PHwk8sw7Ur6PsMWyEtaogX7wWY

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1312
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      PID:1220
    • C:\Users\Admin\AppData\Local\Temp\5e4160a133d44a1cf90d72eedd5e6084543521fecbf070d550c6012d294ccb28.exe
      "C:\Users\Admin\AppData\Local\Temp\5e4160a133d44a1cf90d72eedd5e6084543521fecbf070d550c6012d294ccb28.exe"
      1⤵
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5e4160a133d44a1cf90d72eedd5e6084543521fecbf070d550c6012d294ccb28.exe" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:652
        • C:\Windows\system32\reg.exe
          REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\5e4160a133d44a1cf90d72eedd5e6084543521fecbf070d550c6012d294ccb28.exe" /f
          3⤵
          • Adds Run key to start application
          PID:1468

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1220-58-0x000000013F5B0000-0x000000013F938000-memory.dmp

      Filesize

      3.5MB

    • memory/1220-56-0x000000013F5B0000-0x000000013F938000-memory.dmp

      Filesize

      3.5MB

    • memory/1312-59-0x000000013F5B0000-0x000000013F938000-memory.dmp

      Filesize

      3.5MB

    • memory/1660-55-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp

      Filesize

      8KB