Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    186s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20/02/2022, 07:58

General

  • Target

    43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe

  • Size

    170KB

  • MD5

    08fda98dfedd3e304a7128e4918fe1bc

  • SHA1

    087793d8fdae310ee195f3e4c2d93395318f22a2

  • SHA256

    43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5

  • SHA512

    e39b8cca6edd9540e4259974d9dda28edf14a4de1bc0c1d5f4f8f06bde02c24dfc3e439be606a201946d45446f73eae9b005b0e681f6128d41fe3cd29b947ce4

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe
Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 4 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2296
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:2904
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2904 -s 2940
          2⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          PID:4380
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
          PID:2984
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:3324
          • C:\Windows\system32\backgroundTaskHost.exe
            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
            1⤵
              PID:1324
            • C:\Windows\system32\backgroundTaskHost.exe
              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
              1⤵
                PID:4056
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                • Modifies registry class
                PID:2572
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:2628
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                    PID:3064
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2744
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -u -p 2744 -s 1012
                      2⤵
                      • Program crash
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2220
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -u -p 2744 -s 1012
                      2⤵
                      • Program crash
                      PID:4388
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
                    1⤵
                      PID:2528
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                      1⤵
                        PID:2244
                      • C:\Windows\system32\sihost.exe
                        sihost.exe
                        1⤵
                        • Drops file in Program Files directory
                        PID:2228
                      • C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
                        "C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe"
                        1⤵
                        • Checks computer location settings
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:3512
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe" /f
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3812
                          • C:\Windows\system32\reg.exe
                            REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe" /f
                            3⤵
                            • Adds Run key to start application
                            PID:1616
                      • C:\Windows\system32\BackgroundTransferHost.exe
                        "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                        1⤵
                          PID:1548
                          • C:\Windows\system32\WerFault.exe
                            C:\Windows\system32\WerFault.exe -u -p 1548 -s 2592
                            2⤵
                            • Program crash
                            • Checks processor information in registry
                            • Enumerates system info in registry
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4396
                        • C:\Windows\system32\WerFault.exe
                          C:\Windows\system32\WerFault.exe -pss -s 488 -p 2904 -ip 2904
                          1⤵
                          • Suspicious use of NtCreateProcessExOtherParentProcess
                          • Suspicious use of WriteProcessMemory
                          PID:2024
                        • C:\Windows\system32\WerFault.exe
                          C:\Windows\system32\WerFault.exe -pss -s 460 -p 1548 -ip 1548
                          1⤵
                          • Suspicious use of NtCreateProcessExOtherParentProcess
                          • Suspicious use of WriteProcessMemory
                          PID:2204
                        • C:\Windows\system32\WerFault.exe
                          C:\Windows\system32\WerFault.exe -pss -s 452 -p 2744 -ip 2744
                          1⤵
                          • Suspicious use of NtCreateProcessExOtherParentProcess
                          • Suspicious use of WriteProcessMemory
                          PID:1844

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/2228-130-0x00007FF7F5B50000-0x00007FF7F5EDE000-memory.dmp

                          Filesize

                          3.6MB

                        • memory/2528-131-0x00007FF7F5B50000-0x00007FF7F5EDE000-memory.dmp

                          Filesize

                          3.6MB