Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    183s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20/02/2022, 07:04

General

  • Target

    58a0a5646669443e997f88d532219141ff6c9ca8d36cd449c34a1807be919a9d.exe

  • Size

    153KB

  • MD5

    91759691cfe41dd1a9dd07eaf9f48129

  • SHA1

    37fd2b22f3a9c85cdbaaf4cbbe33333ecc8030c4

  • SHA256

    58a0a5646669443e997f88d532219141ff6c9ca8d36cd449c34a1807be919a9d

  • SHA512

    f19d0b358f318e243a648311b1cf7e9c162cf18880f667ba4daff3fd5696a17854a091791452ee9814b1e1e85d07f4b98da07d957b7f51b450692e85a6b5e3a6

Score
10/10

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Program crash 4 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:2896
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
      • Modifies registry class
      PID:1244
    • C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3988
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 3988 -s 2992
        2⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:6124
    • C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
      1⤵
        PID:544
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
          PID:3392
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:2868
          • C:\Users\Admin\AppData\Local\Temp\58a0a5646669443e997f88d532219141ff6c9ca8d36cd449c34a1807be919a9d.exe
            "C:\Users\Admin\AppData\Local\Temp\58a0a5646669443e997f88d532219141ff6c9ca8d36cd449c34a1807be919a9d.exe"
            1⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3616
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:2976
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2832
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 2832 -s 352
                2⤵
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                PID:6132
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2736
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 2736 -s 984
                2⤵
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                PID:5268
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 2736 -s 984
                2⤵
                • Program crash
                PID:6100
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
              1⤵
                PID:2548
              • C:\Windows\system32\taskhostw.exe
                taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                1⤵
                  PID:2240
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                  1⤵
                    PID:2192
                  • C:\Windows\system32\sihost.exe
                    sihost.exe
                    1⤵
                    • Drops desktop.ini file(s)
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2172
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -pss -s 456 -p 3988 -ip 3988
                    1⤵
                    • Suspicious use of NtCreateProcessExOtherParentProcess
                    • Suspicious use of WriteProcessMemory
                    PID:4220
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -pss -s 496 -p 2832 -ip 2832
                    1⤵
                    • Suspicious use of NtCreateProcessExOtherParentProcess
                    • Suspicious use of WriteProcessMemory
                    PID:4232
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -pss -s 504 -p 2736 -ip 2736
                    1⤵
                    • Suspicious use of NtCreateProcessExOtherParentProcess
                    • Suspicious use of WriteProcessMemory
                    PID:4240
                  • C:\Windows\system32\MusNotifyIcon.exe
                    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
                    1⤵
                    • Checks processor information in registry
                    PID:6516

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/2172-130-0x00007FF723380000-0x00007FF72370A000-memory.dmp

                    Filesize

                    3.5MB

                  • memory/2192-131-0x00007FF723380000-0x00007FF72370A000-memory.dmp

                    Filesize

                    3.5MB

                  • memory/2736-197-0x0000024BCED10000-0x0000024BCED18000-memory.dmp

                    Filesize

                    32KB

                  • memory/2736-198-0x0000024BCECB0000-0x0000024BCECB1000-memory.dmp

                    Filesize

                    4KB

                  • memory/2896-132-0x00007FF723380000-0x00007FF72370A000-memory.dmp

                    Filesize

                    3.5MB