Analysis
Max time kernel: 149s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 10/05/2022, 18:54
Static task: static1
Behavioral task: behavioral1
  Sample: ed2eb398aacab149d9866f4ec09de6a0a50df147667885746517e2cefa88e611.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ed2eb398aacab149d9866f4ec09de6a0a50df147667885746517e2cefa88e611.exe
  Resource: win10v2004-20220414-en
General
Target: ed2eb398aacab149d9866f4ec09de6a0a50df147667885746517e2cefa88e611.exe
Size: 3.0MB
MD5: 17f95ac4e4d7558cec31bbb8c1fca3ff
SHA1: 1e24ae99ebc5335ac82a05d5bfd97ea6028401c3
SHA256: ed2eb398aacab149d9866f4ec09de6a0a50df147667885746517e2cefa88e611
SHA512: 7cd7ae945ef491ea3739e2d6f018631ef83d76f51845971f1cdf3b436c5de0893a94973ca86412bc8ea7464db456629860b97f748cd6f486067a0a2d67eb98d8
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\nsf8F47F.tmp\eula_part.1.txt
Family: ryuk
Signatures
Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
Executes dropped EXE (1 IoC)
  pid 4672  uninst.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
  Process: ed2eb398aacab149d9866f4ec09de6a0a50df147667885746517e2cefa88e611.exe
Loads dropped DLL (2 IoCs)
  pid 4236  ed2eb398aacab149d9866f4ec09de6a0a50df147667885746517e2cefa88e611.exe
  pid 4236  ed2eb398aacab149d9866f4ec09de6a0a50df147667885746517e2cefa88e611.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (2 IoCs)
  PID 4236 (ed2eb398aacab149d9866f4ec09de6a0a50df147667885746517e2cefa88e611.exe) wrote to memory of PID 4672 (procid_target 83)
  PID 4236 (ed2eb398aacab149d9866f4ec09de6a0a50df147667885746517e2cefa88e611.exe) wrote to memory of PID 4672 (procid_target 83)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ed2eb398aacab149d9866f4ec09de6a0a50df147667885746517e2cefa88e611.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ed2eb398aacab149d9866f4ec09de6a0a50df147667885746517e2cefa88e611.exe"
   PID: 4236
   - Checks computer location settings
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\uninst.exe (child of PID 4236)
      Command line: "C:\Users\Admin\AppData\Local\Temp\uninst.exe" C:\Users\Admin\AppData\Local\Temp\start.vbs
      PID: 4672
      - Executes dropped EXE
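The behavioural signatures above (a Temp-resident executable querying the Geo\Nation registry value, spawning a second Temp-resident EXE with a .vbs argument, then writing into that child's memory) are the parts of this report worth turning into hunting logic; the "ryuk" family tag itself comes from a string extracted out of an EULA text file under an nsf8F47F.tmp directory (the ns<hex>.tmp naming NSIS installers use for unpacked plugins), so it should be corroborated by behaviour rather than trusted on its own. The following is an added example, not code from tria.ge or from the report: Python that replays the report's process tree and signatures as constructed EDR-style events and flags the chain while ignoring the same registry read by explorer.exe. The event schema (type, pid, ppid, image, cmdline, key, target_pid), the rule names, and the two benign noise processes are assumptions for the example.

```python
import re

# Constructed telemetry for this example. The pids, image paths, command
# lines and registry key mirror the report's process tree and signatures;
# the event schema and the two benign "noise" processes (explorer.exe and
# notepad.exe) are assumptions, not data from the report.
SAMPLE = "ed2eb398aacab149d9866f4ec09de6a0a50df147667885746517e2cefa88e611.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000"
           r"\Control Panel\International\Geo\Nation")

EVENTS = [
    {"type": "process_create", "pid": 900, "ppid": 600,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 4236, "ppid": 900,
     "image": TEMP + "\\" + SAMPLE,
     "cmdline": '"' + TEMP + "\\" + SAMPLE + '"'},
    {"type": "registry_query", "pid": 4236, "key": GEO_KEY},
    {"type": "process_create", "pid": 4672, "ppid": 4236,
     "image": TEMP + r"\uninst.exe",
     "cmdline": '"' + TEMP + r"\uninst.exe" + '" ' + TEMP + r"\start.vbs"},
    {"type": "process_write", "pid": 4236, "target_pid": 4672},
    # Benign noise: explorer reads the same geofence key and spawns a child.
    {"type": "registry_query", "pid": 900,
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
GEO_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.IGNORECASE)
VBS_RE = re.compile(r"\.vbs\b", re.IGNORECASE)


def in_temp(image: str) -> bool:
    """True if the image lives under a user's %LOCALAPPDATA%\\Temp directory."""
    return bool(TEMP_RE.search(image))


def hunt(events):
    """Return (rule, pid) findings for the three behaviours in the report.

    Every rule requires the acting process to run from a Temp directory, so
    explorer.exe reading Geo\\Nation or spawning notepad.exe does not fire.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] == "registry_query":
            actor = procs.get(e["pid"])
            if actor and in_temp(actor["image"]) and GEO_RE.search(e["key"]):
                findings.append(("geofence_query_from_temp", e["pid"]))
        elif e["type"] == "process_create":
            parent = procs.get(e["ppid"])
            if (parent and in_temp(parent["image"]) and in_temp(e["image"])
                    and VBS_RE.search(e["cmdline"])):
                findings.append(("temp_exe_spawns_temp_exe_with_vbs", e["pid"]))
        elif e["type"] == "process_write":
            writer = procs.get(e["pid"])
            target = procs.get(e["target_pid"])
            if (writer and target and in_temp(writer["image"])
                    and target["ppid"] == e["pid"]):
                findings.append(("temp_exe_writes_child_memory", e["target_pid"]))
    return findings


def temp_root(pid, procs):
    """Walk up the parent chain to the outermost Temp-resident ancestor."""
    root = pid
    while True:
        proc = procs.get(root)
        parent = procs.get(proc["ppid"]) if proc else None
        if parent is None or not in_temp(parent["image"]):
            return root
        root = parent["pid"]


def summarize(events):
    """Group findings by the root dropper so one alert covers the whole chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    grouped = {}
    for rule, pid in hunt(events):
        grouped.setdefault(temp_root(pid, procs), set()).add(rule)
    return {root: sorted(rules) for root, rules in grouped.items()}


if __name__ == "__main__":
    print(summarize(EVENTS))
```

Grouping on the outermost Temp-resident ancestor is what lets three weak, individually noisy observations (a registry read, an installer-style child spawn, a parent writing into its child) collapse into a single alert on PID 4236, which is the process an analyst would pivot from in this report.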
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 146KB
MD5: 77a26c23948070dc012bba65e7f390aa
SHA1: 7e112775770f9b3b24e2a238b5f7c66f8802e5d8
SHA256: 4e4e429ecf1c49119a21c817899f64152b03b41b036fc1d92aee335043364c43
SHA512: 2e7ffa4ed5c97f555e1b0d6f55ffcfd53cd28302fc77d95fdaea89e0b6b42e67e366331e52358e78e8266d079cc2ca3ea4c909197fb38a5b4c8151c7678d0065

Filesize: 11KB
MD5: fbe295e5a1acfbd0a6271898f885fe6a
SHA1: d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256: a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512: 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Filesize: 343B
MD5: e619092cba82e43e4e527221f5863fad
SHA1: 3b6c1e077e067f8efaf0d1bc7ff56223fe3ba756
SHA256: d49cf18b4c11a59d4a2d8f1167a445caab2405761227fb642bf8325c6d7e9d06
SHA512: 93d032ca0bea36d0eb3a3fde915f2d51e7563c23186752a855f5cb9f62750bb86e4fd4d7b4e19e7ddcac587f086e1c9f9af114fdcb6a9fde511953b92d997a5a

Filesize: 162KB
MD5: f5e5df6c9d62f4e940b334954a2046fc
SHA1: 267d05ce8d10d97620be1c7773757668baeb19ee
SHA256: 47cacd60d91441137d055184614b1a418c0457992977857a76ca05c75bbc1b56
SHA512: f9a0425ab09706ff070a82b214eabe3f396c427f3ee486dd729b65af370112dde10d2bfe8d4670e44e72607bd5881fdeceabef74b9d79709b007d5eff82726a5