Analysis
Max time kernel: 96s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 10/05/2022, 18:54
Static task: static1
Behavioral task: behavioral1
  Sample: db4de2955b598cecad9db79578569f99e13736b952a1c4a5ee31bd395814da30.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: db4de2955b598cecad9db79578569f99e13736b952a1c4a5ee31bd395814da30.exe
  Resource: win10v2004-20220414-en
General
Target: db4de2955b598cecad9db79578569f99e13736b952a1c4a5ee31bd395814da30.exe
Size: 3.0MB
MD5: e80284f5842d668c222765fc56540b7b
SHA1: 30d3bafbd5919524895c6c274f758a8ca2a38a2d
SHA256: db4de2955b598cecad9db79578569f99e13736b952a1c4a5ee31bd395814da30
SHA512: 0b138ba88c1540f1fd5889c7b96f5eb624d128ba0b40dd55a817d5b16b7ae5d1dfa0bdb907a81989efe516201f708536fc5f50da875c0b00046465774dd0a2d9
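Before trusting any of the behaviour below, an analyst confirms that the file in hand is the one the sandbox ran. The following is an added example, not tria.ge code: it parses hash lines as they appear on this page (a label on one line with the digest on the next, or label and digest fused as in the Downloads section further down), computes all four digests in a single pass over the file, and reports every mismatch. The script name and the check that the file is named after its SHA-256 (the convention this report's Target line follows) are assumptions for illustration.

```python
"""Verify a sample on disk against the hashes a sandbox report publishes.

Report hash lines come in two shapes on the page: a label on one line and the
digest on the next ("MD5" / "e802..."), or label and digest fused ("MD5e802...").
parse_report_hashes() accepts both, digest_stream() computes all four digests in
one pass over the file, and verify() returns every mismatch instead of stopping
at the first one.
"""
import hashlib
import io
import re
import sys
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
LABELS = {"MD5", "SHA1", "SHA256", "SHA512"}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")


def parse_report_hashes(lines):
    """Return {algo: hexdigest}; a bare label line pairs with the line after it."""
    found = {}
    pending = None
    for raw in lines:
        line = raw.strip()
        if pending is not None:
            line, pending = pending + line, None
        if line.upper() in LABELS:
            pending = line
            continue
        m = HASH_LINE.match(line)
        if not m:
            continue  # size, path, SID or other non-hash line
        algo, digest = m.group(1).lower(), m.group(2).lower()
        if len(digest) != HEX_LEN[algo]:
            raise ValueError(f"{algo}: {len(digest)} hex chars, expected {HEX_LEN[algo]}")
        found[algo] = digest
    return found


def digest_stream(fileobj, chunk_size=1 << 20):
    """Hash a binary stream once, feeding every block to all four algorithms."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    for block in iter(lambda: fileobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def digest_bytes(data):
    return digest_stream(io.BytesIO(data))


def verify(actual, expected):
    """Return {algo: (expected, actual)} for every digest that differs; {} means match."""
    return {a: (expected[a], actual.get(a)) for a in expected if actual.get(a) != expected[a]}


def verify_file(path, report_lines):
    """Return (mismatches, name_is_sha256). Sandboxes commonly name the sample by SHA-256."""
    p = Path(path)
    with p.open("rb") as f:
        actual = digest_stream(f)
    return verify(actual, parse_report_hashes(report_lines)), p.stem.lower() == actual["sha256"]


if __name__ == "__main__":
    # usage: python verify_hashes.py <sample> <report.txt>  (report.txt = pasted hash lines)
    sample, report = sys.argv[1], sys.argv[2]
    bad, name_ok = verify_file(sample, Path(report).read_text().splitlines())
    print("file name matches sha256:", name_ok)
    print("mismatches:", bad or "none")
```

Paste the General block of the report into a text file and pass it with the sample; a non-empty mismatch dict means you are looking at a different file (or a truncated download) and none of the behaviour in this report applies to it.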
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\nsf8F47F.tmp\eula_part.6.txt
Family: ryuk
The extracted file sits in an ns*.tmp directory under Temp, the name pattern NSIS installers use for their unpacked payload, and the process tree below shows the dropped uninst.exe being run with start.vbs as its argument. A family match taken from an EULA text fragment is worth confirming by hand before acting on the Ryuk label.
Signatures
Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
Executes dropped EXE (1 IoC)
  PID 2368, uninst.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation, by db4de2955b598cecad9db79578569f99e13736b952a1c4a5ee31bd395814da30.exe
Loads dropped DLL (2 IoCs)
  PID 1452, db4de2955b598cecad9db79578569f99e13736b952a1c4a5ee31bd395814da30.exe (listed twice; the report does not name the DLLs)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (2 IoCs)
  PID 1452 (db4de2955b598cecad9db79578569f99e13736b952a1c4a5ee31bd395814da30.exe) wrote to memory of PID 2368, procid_target 87 (the same event is listed twice)
Processes
1. C:\Users\Admin\AppData\Local\Temp\db4de2955b598cecad9db79578569f99e13736b952a1c4a5ee31bd395814da30.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\db4de2955b598cecad9db79578569f99e13736b952a1c4a5ee31bd395814da30.exe"
   PID: 1452
   - Checks computer location settings
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\uninst.exe (child of PID 1452)
      Command line: "C:\Users\Admin\AppData\Local\Temp\uninst.exe" C:\Users\Admin\AppData\Local\Temp\start.vbs
      PID: 2368
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
File 1
  Filesize: 146KB
  MD5: 77a26c23948070dc012bba65e7f390aa
  SHA1: 7e112775770f9b3b24e2a238b5f7c66f8802e5d8
  SHA256: 4e4e429ecf1c49119a21c817899f64152b03b41b036fc1d92aee335043364c43
  SHA512: 2e7ffa4ed5c97f555e1b0d6f55ffcfd53cd28302fc77d95fdaea89e0b6b42e67e366331e52358e78e8266d079cc2ca3ea4c909197fb38a5b4c8151c7678d0065
File 2
  Filesize: 11KB
  MD5: fbe295e5a1acfbd0a6271898f885fe6a
  SHA1: d6d205922e61635472efb13c2bb92c9ac6cb96da
  SHA256: a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
  SHA512: 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
File 3
  Filesize: 343B
  MD5: e619092cba82e43e4e527221f5863fad
  SHA1: 3b6c1e077e067f8efaf0d1bc7ff56223fe3ba756
  SHA256: d49cf18b4c11a59d4a2d8f1167a445caab2405761227fb642bf8325c6d7e9d06
  SHA512: 93d032ca0bea36d0eb3a3fde915f2d51e7563c23186752a855f5cb9f62750bb86e4fd4d7b4e19e7ddcac587f086e1c9f9af114fdcb6a9fde511953b92d997a5a
File 4
  Filesize: 162KB
  MD5: f5e5df6c9d62f4e940b334954a2046fc
  SHA1: 267d05ce8d10d97620be1c7773757668baeb19ee
  SHA256: 47cacd60d91441137d055184614b1a418c0457992977857a76ca05c75bbc1b56
  SHA512: f9a0425ab09706ff070a82b214eabe3f396c427f3ee486dd729b65af370112dde10d2bfe8d4670e44e72607bd5881fdeceabef74b9d79709b007d5eff82726a5
File 5 (identical digests to File 4)
  Filesize: 162KB
  MD5: f5e5df6c9d62f4e940b334954a2046fc
  SHA1: 267d05ce8d10d97620be1c7773757668baeb19ee
  SHA256: 47cacd60d91441137d055184614b1a418c0457992977857a76ca05c75bbc1b56
  SHA512: f9a0425ab09706ff070a82b214eabe3f396c427f3ee486dd729b65af370112dde10d2bfe8d4670e44e72607bd5881fdeceabef74b9d79709b007d5eff82726a5