Analysis

  • max time kernel
    179s
  • max time network
    200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2023, 21:29

General

  • Target

    NEAS.2023-09-05_2356fb2385810d3d38ab438830843003_ryuk_JC.exe

  • Size

    20.8MB

  • MD5

    2356fb2385810d3d38ab438830843003

  • SHA1

    1f94cbdcea8d883d618a14af3fb9e822767b9427

  • SHA256

    25bcc469bb6cfbfa8ac29620ed013c37a5ab0ee6278faecf83d553a21af32cb5

  • SHA512

    1ab6313d8a2151c74da07dedc255e5cc7f1f117fc61f7f969451f63c54b01e1bef00d521d374df269cbe91ac5d879efc64f3343dfe9ac9b0206c127e0138442d

  • SSDEEP

    98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMc:9nwngnwnBRt

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Renames multiple (108) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_2356fb2385810d3d38ab438830843003_ryuk_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-05_2356fb2385810d3d38ab438830843003_ryuk_JC.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:3272

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3125601242-331447593-1512828465-1000\desktop.ini.exe

    Filesize

    20.8MB

    MD5

    68a476c25cf40eefe0e5704687bc56b7

    SHA1

    7eed9df4d9b90183a4297b0ea8a07e4557a075cf

    SHA256

    784ae2037279a2c74851395ea18c332b28dac21d77038356451a3aed694ddfe8

    SHA512

    653a83e9429aef3cbb851c2731df1bd8793004801732e20a2bca95b2add048cb365bfbf8d6334d5e11d64e11ce3d200e42d8614faa1901e68e211afe7f58555c

  • C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

    Filesize

    21.6MB

    MD5

    a91516fafd2b2e7fb21f6bfb320a2ae7

    SHA1

    90c95a2ebb856a48bf64373d31849d331a9a4feb

    SHA256

    edb32e5012f3c4d6cf5d62d286a568757b645cce8f4eab4c0bc4be25e4f797ef

    SHA512

    9c5b8982501009c01f79ffa7f40dcd79e1977f6f464c885a6070d1ce338e9e418746c522724f5aa408dfbab3ffe0843b79458b55b9b3c94920de7e07fc96e8e8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    c3e3c71afcb4b02f6bb625c33c35897a

    SHA1

    d1e8efdc07c28cfc7f820309ae67c1c5c2c83ddb

    SHA256

    b82ebe0584aa25225c0470724dadfea1d2c0151c6b364f9e99cae98702ed5960

    SHA512

    8e89cba16935aa675b71b5ccec658652ecf07e7a34bddcadcb663701357bbc830f54a14f71d75758cc14e03d7e1b6a8c5cc62cbe0ad1481f502983e0ead578e7

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • memory/3272-0-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/3272-1-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/3272-2-0x0000000002210000-0x0000000002211000-memory.dmp

    Filesize

    4KB

  • memory/3272-7-0x0000000002210000-0x0000000002211000-memory.dmp

    Filesize

    4KB