Analysis
- max time kernel: 140s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26/03/2024, 23:41
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
- Size: 4.9MB
- MD5: 00c6b4db19a30896da570331ea3fd119
- SHA1: cf2a2b0284473815efc6cb9ecd72b4e22cad5c2c
- SHA256: 562079bb202157ab3a797f62c6c0b47fbcd8c559b5a00270f02f7f2e839bf81f
- SHA512: b6d446508d6a38c1d8f5713651611fb4d77259a9ac3df71bc09622c9eea898f21a6f802b5f70f8ccf53df6fb9e4549d80d64c7dba1ca619ba04cad8fbfc38ad3
- SSDEEP: 98304:PfTi8bQRknxqpBPIWcsLktc/sW5K35JrXH4d9RHmJn:PfZnxEBPIWD6PW8pJz4vRH
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Deletes itself (1 IoCs)
pid | Process
2748 | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Executes dropped EXE (1 IoCs)
pid | Process
2748 | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Modifies registry class (2 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGMRU | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Key deleted | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
2184 | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeBackupPrivilege | 2184 | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeSecurityPrivilege | 2184 | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeShutdownPrivilege | 2184 | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeBackupPrivilege | 2748 | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeSecurityPrivilege | 2748 | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
Token: SeShutdownPrivilege | 2748 | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2184 | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe
2748 | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2184 wrote to memory of 2748 | 2184 | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe | 28
PID 2184 wrote to memory of 2748 | 2184 | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe | 28
PID 2184 wrote to memory of 2748 | 2184 | 2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe"
  PID: 2184
  - Modifies firewall policy service
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe (depth 2, child of PID 2184)
    Command line: "2024-03-26_00c6b4db19a30896da570331ea3fd119_ryuk.exe"
    PID: 2748
    - Modifies firewall policy service
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads