Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
132s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
24/02/2024, 06:04
Behavioral task
behavioral1
Sample
Ripple_Tweaking_utility.exe
Resource
win10v2004-20240221-en
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
main.pyc
Resource
win10v2004-20240221-en
6 signatures
150 seconds
General
-
Target
main.pyc
-
Size
7KB
-
MD5
d99e6d77d16c80995d47ebb7074494ae
-
SHA1
9c2de47ea9ac750b857f30c7c749242e4d87bd3a
-
SHA256
ba4f13b093e7fa8896676cdadb78b4f4c8c0bd798138ea6655de8e9601db5408
-
SHA512
298be58985927e08a637ec8043688b476362b5497fbf2ede7f9d337daed3ef3bd29caa1c75e81241dc0144bdcf54920cd27e6d1d75d740ffa1137e1952dc5564
-
SSDEEP
192:wccRPnDD8M7jWdXwVoHVPBk6JJhwCEPt7Mdws+nw:QH/WuVysO2vhPfw
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file\shell\edit OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file\shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file\shell\edit\command OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\.pyc OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\.pyc\ = "pyc_auto_file" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file\shell\open OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file\shell\open\command OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\pyc_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 4588 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 5280 OpenWith.exe -
Suspicious use of SetWindowsHookEx 45 IoCs
pid Process 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe 5280 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 5280 wrote to memory of 4588 5280 OpenWith.exe 99 PID 5280 wrote to memory of 4588 5280 OpenWith.exe 99
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc1⤵
- Modifies registry class
PID:4092
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5280 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\main.pyc2⤵
- Opens file in notepad (likely ransom note)
PID:4588
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1984