Analysis
max time kernel: 186s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 20/02/2022, 07:58
Static task: static1
Behavioral task: behavioral1
  Sample: 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
  Resource: win10v2004-en-20220112
General
Target: 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
Size: 170KB
MD5: 08fda98dfedd3e304a7128e4918fe1bc
SHA1: 087793d8fdae310ee195f3e4c2d93395318f22a2
SHA256: 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5
SHA512: e39b8cca6edd9540e4259974d9dda28edf14a4de1bc0c1d5f4f8f06bde02c24dfc3e439be606a201946d45446f73eae9b005b0e681f6128d41fe3cd29b947ce4
Malware Config
Extracted from: C:\RyukReadMe.txt
Family: ryuk
Wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
Suspicious use of NtCreateProcessExOtherParentProcess (3 IoCs)
description | pid | Process | procid_target
PID 1844 created 2744 | 1844 | WerFault.exe | 33
PID 2204 created 1548 | 2204 | WerFault.exe | 57
PID 2024 created 2904 | 2024 | WerFault.exe | 12
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe" | reg.exe
Drops file in Program Files directory (64 IoCs)
description: File opened for modification (all 64 entries)
Process: sihost.exe (all 64 entries)
ioc:
C:\Program Files\7-Zip\Lang\fi.txt
C:\Program Files\7-Zip\Lang\en.ttt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml
C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui
C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ko_KR.jar
C:\Program Files\Java\jdk1.8.0_66\include\win32\RyukReadMe.txt
C:\Program Files\Java\jdk1.8.0_66\jre\lib\net.properties
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties
C:\Program Files\7-Zip\Lang\mk.txt
C:\Program Files\7-Zip\Lang\nn.txt
C:\Program Files\7-Zip\Lang\he.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml
C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyoptionaltools.jar
C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif
C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security
C:\Program Files\Java\jdk1.8.0_66\lib\jvm.lib
C:\Program Files\7-Zip\Lang\ga.txt
C:\Program Files\Common Files\System\ado\msador28.tlb
C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jaccess.jar
C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.policy
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\RyukReadMe.txt
C:\Program Files\Common Files\System\Ole DB\it-IT\RyukReadMe.txt
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml
C:\Program Files\Common Files\microsoft shared\ink\Content.xml
C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml
C:\Program Files\Common Files\microsoft shared\ink\pt-BR\RyukReadMe.txt
C:\Program Files\Common Files\microsoft shared\ink\th-TH\RyukReadMe.txt
C:\Program Files\Common Files\System\msadc\RyukReadMe.txt
C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\RyukReadMe.txt
C:\Program Files\Common Files\RyukReadMe.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml
C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml
C:\Program Files\Common Files\System\msadc\ja-JP\RyukReadMe.txt
C:\Program Files\Internet Explorer\images\RyukReadMe.txt
C:\Program Files\7-Zip\Lang\af.txt
C:\Program Files\7-Zip\Lang\an.txt
C:\Program Files\Common Files\microsoft shared\ink\et-EE\RyukReadMe.txt
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\README.TXT
C:\Program Files\Common Files\microsoft shared\ink\uk-UA\RyukReadMe.txt
C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.bat
C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pt_BR.jar
C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightItalic.ttf
C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml
C:\Program Files\Java\jdk1.8.0_66\db\lib\RyukReadMe.txt
C:\Program Files\Common Files\System\ado\msado25.tlb
C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\RyukReadMe.txt
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties
C:\Program Files\7-Zip\Lang\lv.txt
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml
C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml
C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms
C:\Program Files\7-Zip\Lang\va.txt
C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar
C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterRegular.ttf
C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html
C:\Program Files\7-Zip\Lang\hy.txt
C:\Program Files\Common Files\microsoft shared\ink\sk-SK\RyukReadMe.txt
C:\Program Files\Common Files\System\ado\es-ES\RyukReadMe.txt
C:\Program Files\Internet Explorer\en-US\RyukReadMe.txt
C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ru.jar
C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml
C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.war
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (4 IoCs)
pid | pid_target | Process | procid_target
2220 | 2744 | WerFault.exe | 33
4396 | 1548 | WerFault.exe | 57
4388 | 2744 | WerFault.exe | 33
4380 | 2904 | WerFault.exe | 12
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | RuntimeBroker.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
4396 | WerFault.exe
4396 | WerFault.exe
4380 | WerFault.exe
4380 | WerFault.exe
2220 | WerFault.exe
2220 | WerFault.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe
Suspicious use of WriteProcessMemory (26 IoCs)
description | pid | Process | procid_target
PID 3512 wrote to memory of 3812 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 58
PID 3512 wrote to memory of 3812 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 58
PID 3512 wrote to memory of 2228 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 37
PID 3812 wrote to memory of 1616 | 3812 | cmd.exe | 60
PID 3812 wrote to memory of 1616 | 3812 | cmd.exe | 60
PID 3512 wrote to memory of 2244 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 36
PID 3512 wrote to memory of 2296 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 11
PID 3512 wrote to memory of 2528 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 34
PID 3512 wrote to memory of 2744 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 33
PID 3512 wrote to memory of 2904 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 12
PID 3512 wrote to memory of 2984 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 13
PID 3512 wrote to memory of 3064 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 31
PID 3512 wrote to memory of 2628 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 30
PID 3512 wrote to memory of 3324 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 14
PID 3512 wrote to memory of 2572 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 26
PID 3512 wrote to memory of 4056 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 22
PID 3512 wrote to memory of 1324 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 21
PID 3512 wrote to memory of 1548 | 3512 | 43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe | 57
PID 2744 wrote to memory of 2220 | 2744 | DllHost.exe | 65
PID 2744 wrote to memory of 2220 | 2744 | DllHost.exe | 65
PID 1844 wrote to memory of 2744 | 1844 | WerFault.exe | 33
PID 1844 wrote to memory of 2744 | 1844 | WerFault.exe | 33
PID 2024 wrote to memory of 2904 | 2024 | WerFault.exe | 12
PID 2024 wrote to memory of 2904 | 2024 | WerFault.exe | 12
PID 2204 wrote to memory of 1548 | 2204 | WerFault.exe | 57
PID 2204 wrote to memory of 1548 | 2204 | WerFault.exe | 57
Processes
- C:\Windows\system32\taskhostw.exe (PID 2296)
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 2904)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - C:\Windows\system32\WerFault.exe (PID 4380)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2904 -s 2940
    Signatures: Program crash; Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\RuntimeBroker.exe (PID 2984)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 3324)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe (PID 1324)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\system32\backgroundTaskHost.exe (PID 4056)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 2572)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Signatures: Modifies registry class
- C:\Windows\System32\RuntimeBroker.exe (PID 2628)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3064)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\system32\DllHost.exe (PID 2744)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (PID 2220)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2744 -s 1012
    Signatures: Program crash; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\WerFault.exe (PID 4388)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2744 -s 1012
    Signatures: Program crash
- C:\Windows\system32\svchost.exe (PID 2528)
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p
- C:\Windows\system32\svchost.exe (PID 2244)
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
- C:\Windows\system32\sihost.exe (PID 2228)
  Command line: sihost.exe
  Signatures: Drops file in Program Files directory
- C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe (PID 3512)
  Command line: "C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 3812)
    Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe" /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 1616)
      Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\43a3b16216f966be5ec1b394f31d521877ba20894f218641fa8f5e6928279dc5.exe" /f
      Signatures: Adds Run key to start application
- C:\Windows\system32\BackgroundTransferHost.exe (PID 1548)
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  - C:\Windows\system32\WerFault.exe (PID 4396)
    Command line: C:\Windows\system32\WerFault.exe -u -p 1548 -s 2592
    Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\WerFault.exe (PID 2024)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 488 -p 2904 -ip 2904
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory
- C:\Windows\system32\WerFault.exe (PID 2204)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 460 -p 1548 -ip 1548
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory
- C:\Windows\system32\WerFault.exe (PID 1844)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 452 -p 2744 -ip 2744
  Signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory