Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

NEAS.2023-...JC.exe

windows7-x64

10

NEAS.2023-...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2023, 21:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.2023-09-05_2356fb2385810d3d38ab438830843003_ryuk_JC.exe

  • Size

    20.8MB

  • MD5

    2356fb2385810d3d38ab438830843003

  • SHA1

    1f94cbdcea8d883d618a14af3fb9e822767b9427

  • SHA256

    25bcc469bb6cfbfa8ac29620ed013c37a5ab0ee6278faecf83d553a21af32cb5

  • SHA512

    1ab6313d8a2151c74da07dedc255e5cc7f1f117fc61f7f969451f63c54b01e1bef00d521d374df269cbe91ac5d879efc64f3343dfe9ac9b0206c127e0138442d

  • SSDEEP

    98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMc:9nwngnwnBRt

Score
10/10
persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Renames multiple (93) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_2356fb2385810d3d38ab438830843003_ryuk_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_2356fb2385810d3d38ab438830843003_ryuk_JC.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2164

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2084844033-2744876406-2053742436-1000\desktop.ini.exe
    Filesize

    20.8MB

    MD5

    11fcad034f0cb6707c593a391caedf93

    SHA1

    64752afe05b9e42053a7e43987fe586aaa23c9f1

    SHA256

    79f8b35fa67c86bee3c28ef1b05d39850ca2b78639c416d7ec9f6d1516b71618

    SHA512

    b97d6fbdc00a4ad9dec1d70d2723a2af0b9265bebd3db037ab135fd56cca9532c16080abc93cba21a51edac7f28f0559708fd3d2369f1f9dd58fff383aae47c7

    Download Submit

  • C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe
    Filesize

    21.6MB

    MD5

    9796ef277366f1903b57643a0728076f

    SHA1

    71c5660a5bb8ed49c86a44be589f0ee9162982e5

    SHA256

    69fdb455981f0b3f654ee1326fc976ab1e5a258a190f3b32585d76cea5b4a0a3

    SHA512

    aa07903ea6b7b913fc96982c70b9d076ade71e67ce07cb415eab95173fee1a7f8fecfd02b68553d9c3bd8e8f0835169ee279b179d34b1f6811913750f456b327

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    bf9ae28793dcdd18455130f6f6bebce4

    SHA1

    9ae15875d36fe2be230d585b18f2bfb006ff802f

    SHA256

    b37c1aeda07cf6da8825a2f705b3a201a4a16685ce381ccaf7bf1c1f48d43ba5

    SHA512

    eee2f80d5212a1a042a0bbbc367a33f687c9506d724ba2f70eeb1f3459d8b4cbbbbf4961a628c3d9820b52f9fd6ecc41915aceaa8522c2299de7e38821e48d3b

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • memory/2164-0-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2164-1-0x00000000003A0000-0x00000000003A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-70-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/2164-75-0x00000000003A0000-0x00000000003A1000-memory.dmp

    Filesize

    4KB

    Download