Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    196s
  • max time network
    209s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20/02/2022, 07:43

General

  • Target

    493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe

  • Size

    170KB

  • MD5

    70358de67cd46462293bb07b716674d2

  • SHA1

    d2e29a91e5b9b3272f8ac8853277ada2c46fad61

  • SHA256

    493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6

  • SHA512

    5fb14ef25950ccc356ab230741cf6a8ef075df3b0bc3d47f3aee123978f9f70123fcece69bc990d81d454f5b2e8e7f39a866a1d7d688e911f7a57bcd310cba2a

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe
Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 49 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3000
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
      1⤵
        PID:2104
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        1⤵
          PID:3344
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
          • Modifies registry class
          PID:3676
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:3616
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:3208
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
                PID:2204
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                  PID:2828
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 2828 -s 2536
                    2⤵
                    • Program crash
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4496
                • C:\Windows\system32\DllHost.exe
                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2652
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 2652 -s 388
                    2⤵
                    • Program crash
                    • Suspicious behavior: EnumeratesProcesses
                    PID:968
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
                  1⤵
                    PID:2456
                  • C:\Windows\system32\taskhostw.exe
                    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                    1⤵
                      PID:2208
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                      1⤵
                        PID:2160
                      • C:\Windows\system32\sihost.exe
                        sihost.exe
                        1⤵
                        • Drops file in Program Files directory
                        PID:2140
                      • C:\Users\Admin\AppData\Local\Temp\493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe
                        "C:\Users\Admin\AppData\Local\Temp\493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe"
                        1⤵
                        • Checks computer location settings
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1600
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe" /f
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1012
                          • C:\Windows\system32\reg.exe
                            REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\493a001c9a9c4e8b8503df84e783de837074daa8bc92b51836e2c8a79a3a4eb6.exe" /f
                            3⤵
                            • Adds Run key to start application
                            PID:2196
                      • C:\Windows\system32\WerFault.exe
                        C:\Windows\system32\WerFault.exe -pss -s 404 -p 2828 -ip 2828
                        1⤵
                        • Suspicious use of NtCreateProcessExOtherParentProcess
                        • Suspicious use of WriteProcessMemory
                        PID:3040
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k NetworkService -p
                        1⤵
                        • Drops file in Windows directory
                        • Modifies data under HKEY_USERS
                        PID:4332

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/2140-130-0x00007FF706A50000-0x00007FF706DDE000-memory.dmp

                        Filesize

                        3.6MB

                      • memory/2160-131-0x00007FF706A50000-0x00007FF706DDE000-memory.dmp

                        Filesize

                        3.6MB

                      • memory/2652-132-0x000001A8A9AC0000-0x000001A8A9AC8000-memory.dmp

                        Filesize

                        32KB

                      • memory/2652-133-0x000001A8A99A0000-0x000001A8A99A1000-memory.dmp

                        Filesize

                        4KB

                      • memory/2652-134-0x000001A8A9AC0000-0x000001A8A9AC8000-memory.dmp

                        Filesize

                        32KB

                      • memory/2652-135-0x000001A8A99A0000-0x000001A8A99A1000-memory.dmp

                        Filesize

                        4KB