Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
26/04/2023, 03:50
Static task
static1
Behavioral task
behavioral1
Sample
2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
Resource
win10v2004-20230220-en
General
-
Target
2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
-
Size
3.1MB
-
MD5
d0cceb5de3b6abf673d4939e7383d129
-
SHA1
12f9befb0b50b188c5c6067b3f0079864ae16c56
-
SHA256
9673fd7dd5945f643996dd58e2ff4a178f536a8f69ad17d29b47319728a8ec67
-
SHA512
44b63cc1a990385e54676f428d944fe2cb9b8accde7e887103279f809950cefd975cc561365cec59846905497b15c4cd436cd8cf8de50e019ff296ecdc8cafff
-
SSDEEP
12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCz:eEtl9mRda12sX7hKB8NIyXbacAfY
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\E: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\H: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\I: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\J: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\P: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\F: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\S: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\W: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\Q: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\Y: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\Z: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\A: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\K: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\L: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\M: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\N: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\V: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\X: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\B: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\G: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\O: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\T: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened (read-only) \??\U: 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\AUTORUN.INF 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\HelpMe.exe 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File opened for modification C:\Windows\SysWOW64\HelpMe.exe 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe File created C:\Windows\SysWOW64\notepad.exe.exe 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1988 2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2023-04-24_d0cceb5de3b6abf673d4939e7383d129_ryuk.exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1988
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD56fe46c989f9126973565ef006dd1013a
SHA13c8ff335c3775c2ea7fbf4c070cd6949044ec4a1
SHA2566f26c9fb38eec34daed94cc8ed02b7b1193694c8fa4d3d23d16ee12daeedbdf1
SHA5120a81674ce02ed585d72f6f6d62375875ecd9cae6a15313931b028273585b36a13f9467336f15610e031292b28a05cb98eb812f74330c9ad25b95190028c97b77
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize
3.9MB
MD5e726be3e0db1907cd681b4570066063e
SHA1130b1e4bc66f5ffbe7f820fb0fc3d7a02d23daa0
SHA2568df37308d1d3369d3f1ed362cf1a600c7bf0acf0d9cedd1d5c42ec44f36b4102
SHA512b4163a6e041a7f4ae55c4c9ff2f9952b20aa107e840e7cf26994e6f99762b08f28d98beb52ae3cc821f88f9f894dfc30660e9dd93f22ab1de7fcf828face6f83
-
Filesize
1KB
MD5dcc40f9ec19d5839e03c53a64174f255
SHA135860cfcd66dce069fd1033a375f545f054437d9
SHA2569d027c2833264e5e69cb73c3cace5b8667cf5857da44256fd0f2cdf823a1a868
SHA51206a2b94b56a9720ce2868fce8c14fffdfd81ac091f17be638c8761dbcb444281a51c71d4c65a473bb8182c0c908f5275819d5d61222f576e4e9ff733ece2e5b1