Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

NEAS.2023-...JC.exe

windows7-x64

10

NEAS.2023-...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    23/10/2023, 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe

  • Size

    21.6MB

  • MD5

    036b5cf132e734762af8fbf07faf094a

  • SHA1

    d71e385c7a3e808acfcf63f71291ba74c435b306

  • SHA256

    e301f19720af26914bd818e738f68ce7d1fa7ccdcd1cbe97b867e2bbf7fbe97e

  • SHA512

    bd4f1113e9f161edc2aed4c9816779b367bdb68e637178e37a3d26d7e17991b8872020e232c21dbe83485d3f19c19312a5c8a598dd07941834fc91169db04723

  • SSDEEP

    98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMW:9nwngnwnBR/

Score
10/10
persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Renames multiple (93) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_036b5cf132e734762af8fbf07faf094a_ryuk_JC.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2084844033-2744876406-2053742436-1000\desktop.ini.exe
    Filesize

    21.6MB

    MD5

    4ca7f1efd8ed83473fcf92a2e93dc87d

    SHA1

    9ed4fa934699b7123e346af71845c787c2679af6

    SHA256

    e4b7274d963768de8bc9d874fd8f3064aabc9c051f2a61fd3fc48a1f3530b369

    SHA512

    30453d06b4c6f79518073145e8d1b8277601bda14b6bad101679861ed614a1a45550cf2da0c9c633b7564d69bbef2b0da4817cdaaf29f53f3e9e394d76cc4547

    Download Submit

  • C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe
    Filesize

    22.4MB

    MD5

    310adcd9d9b2938060bab67aebd303e8

    SHA1

    a348d43e574cbe8ebaa78be4ab04746e91d7ace6

    SHA256

    fa6e1bfd2ea6e6ab1382be52345a7b8170aef926a355b37b626e9d629c8440f3

    SHA512

    fb537cfa411cec9d9eb500b804b99b0405817f8c02149970e75f13039b5eebdbf269c3a58d562eca7a48ac1ae66eafa973ea3314e919fea82f36c08337af85cb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    e022539ba648fda64c1f476f25d01637

    SHA1

    2cd4fbedcdfd9276a1ee6e5830678d7f0487753b

    SHA256

    51d5c96c578a90b9a0cde918a478f84b52a29423bc53c4a11179197bbb565df8

    SHA512

    db17e53d4ad93a50cc52c48804a4b148aad6cbdfb6ecaec308068ae3f2c9d2d66d00e1e19e8b3aa79cf1fddbbfe3f105a1209120e80502703194136778b6ef42

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • memory/1392-0-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/1392-1-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1392-72-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/1392-75-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

    Download