Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    178s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20/02/2022, 09:18

General

  • Target

    23bc676a012c7fda532cbfc0d41ecd0bdda9b1cdd261e2923a03a7303bc1f33c.exe

  • Size

    150KB

  • MD5

    b490d304dae26ddc3af849ec4a820abd

  • SHA1

    1a66f0ade41ae203217177c1be1cea0017d33aec

  • SHA256

    23bc676a012c7fda532cbfc0d41ecd0bdda9b1cdd261e2923a03a7303bc1f33c

  • SHA512

    6a849674fbc350f4f5ebefb5ee39483b5cdac93e3b81c5b5c098ad6a78bbcaafa27de668a31bb227a91407ea01712776405cb7c8b16fc3633c53a4def088d809

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 1FRNVupsCyTjUvF36GxHZrvLaPtY6hgkTm Ryuk No system is safe
Wallets

1FRNVupsCyTjUvF36GxHZrvLaPtY6hgkTm

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1360
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
      • Drops file in Program Files directory
      PID:1252
    • C:\Users\Admin\AppData\Local\Temp\23bc676a012c7fda532cbfc0d41ecd0bdda9b1cdd261e2923a03a7303bc1f33c.exe
      "C:\Users\Admin\AppData\Local\Temp\23bc676a012c7fda532cbfc0d41ecd0bdda9b1cdd261e2923a03a7303bc1f33c.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\23bc676a012c7fda532cbfc0d41ecd0bdda9b1cdd261e2923a03a7303bc1f33c.exe" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:900
        • C:\Windows\system32\reg.exe
          REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\23bc676a012c7fda532cbfc0d41ecd0bdda9b1cdd261e2923a03a7303bc1f33c.exe" /f
          3⤵
          • Adds Run key to start application
          PID:540

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/956-55-0x000007FEFC2A1000-0x000007FEFC2A3000-memory.dmp

      Filesize

      8KB

    • memory/1252-56-0x000000013F6B0000-0x000000013FA39000-memory.dmp

      Filesize

      3.5MB

    • memory/1252-57-0x000000013F6B0000-0x000000013FA39000-memory.dmp

      Filesize

      3.5MB