Analysis
max time kernel: 118s
max time network: 128s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/05/2024, 04:55
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-05-02_5add5be961e087724cd090e5ef3e9883_ryuk.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-05-02_5add5be961e087724cd090e5ef3e9883_ryuk.exe
  Resource: win10v2004-20240419-en
General
Target: 2024-05-02_5add5be961e087724cd090e5ef3e9883_ryuk.exe
Size: 2.3MB
MD5: 5add5be961e087724cd090e5ef3e9883
SHA1: f0030da37b45161dc582f70b37871d3e00d8b833
SHA256: 9b441f4bc2b5aa2c94fda6b1cd8416f50104fb826b90b27ef3434e4de60c3b90
SHA512: 2535bcfc4127df2dfde64318cf33f5d16a42c6e2601a2d7bf8b3034d6250a0768ef9c94e0a592eb6a00d700cff80ef78df5c80a8e4e1df609b3b5d433eba19d6
SSDEEP: 49152:DosQHMmpQAaR824OnqDPqFmhlyjsrrJLp2lUEFP4+Po6kk:X4O2P5JLQlVt4ib
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid    Process
  Token: SeDebugPrivilege  1336   2024-05-02_5add5be961e087724cd090e5ef3e9883_ryuk.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid    Process                                                procid_target
  PID 1336 wrote to memory of 2632    1336   2024-05-02_5add5be961e087724cd090e5ef3e9883_ryuk.exe   29
  PID 1336 wrote to memory of 2632    1336   2024-05-02_5add5be961e087724cd090e5ef3e9883_ryuk.exe   29
  PID 1336 wrote to memory of 2632    1336   2024-05-02_5add5be961e087724cd090e5ef3e9883_ryuk.exe   29
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-05-02_5add5be961e087724cd090e5ef3e9883_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-02_5add5be961e087724cd090e5ef3e9883_ryuk.exe"
  PID: 1336
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 1336 -s 364
    PID: 2632
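Two rows of this report should be read together before either "Suspicious" signature is taken at face value. The only child of the sample (PID 1336) is WerFault.exe launched with `-u -p 1336 -s 364`, which is the command line Windows Error Reporting uses to report a crash of user-mode process 1336, so the sample faulted shortly after starting. The three WriteProcessMemory IoCs all name that WerFault child (PID 2632) as the target, and a parent writing into a child it has just created is ordinary CreateProcess plumbing, not injection. Only SeDebugPrivilege being enabled is behaviour of the sample itself. The Python below is an added triage helper, not part of the tria.ge report and not code from the sample; the process list, the (writer, target) pairs and the privilege event are constructed inline from the rows above, with the sample path shortened. It classifies each cross-process write as a crash report, normal parent-to-child setup, or a write worth manual review, and it generalizes to any report with the same three fields.

```python
import re

# Constructed from the report above (sample file name shortened to sample_ryuk.exe).
PROCESSES = [
    {"pid": 1336, "ppid": None,
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample_ryuk.exe"'},
    {"pid": 2632, "ppid": 1336,
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 1336 -s 364"},
]
# (writer pid, target pid), one tuple per "Suspicious use of WriteProcessMemory" row.
WPM_EVENTS = [(1336, 2632), (1336, 2632), (1336, 2632)]
# (pid, privilege) from "Suspicious use of AdjustPrivilegeToken".
PRIV_EVENTS = [(1336, "SeDebugPrivilege")]

# WerFault.exe is invoked by WER with "-p <pid>" naming the crashed process.
WERFAULT_RE = re.compile(r"werfault\.exe.*?\s-p\s+(\d+)", re.IGNORECASE)


def werfault_target(cmdline):
    """Return the PID a WerFault.exe command line reports on, or None if not WerFault."""
    m = WERFAULT_RE.search(cmdline)
    return int(m.group(1)) if m else None


def classify_wpm(processes, wpm_events):
    """Classify each distinct (writer, target) WriteProcessMemory pair.

    crash-report : target is WerFault whose -p names the writer, i.e. the writer crashed
    child-setup  : writer is the target's parent (CreateProcess writes into the child)
    cross-process: anything else; this is the pattern to review for injection
    """
    by_pid = {p["pid"]: p for p in processes}
    verdicts = {}
    for writer, target in sorted(set(wpm_events)):
        t = by_pid.get(target)
        if t is None:
            verdicts[(writer, target)] = "unknown-target"
        elif werfault_target(t["cmdline"]) == writer:
            verdicts[(writer, target)] = "crash-report"
        elif t["ppid"] == writer:
            verdicts[(writer, target)] = "child-setup"
        else:
            verdicts[(writer, target)] = "cross-process"
    return verdicts


def summarize(processes, wpm_events, priv_events):
    """Reduce the three signature tables to the facts an analyst acts on."""
    verdicts = classify_wpm(processes, wpm_events)
    return {
        "wpm_event_count": len(wpm_events),
        "crashed_pids": sorted({w for (w, _), v in verdicts.items() if v == "crash-report"}),
        "sedebug_pids": sorted({pid for pid, name in priv_events if name == "SeDebugPrivilege"}),
        "injection_candidates": sorted(k for k, v in verdicts.items() if v == "cross-process"),
    }


if __name__ == "__main__":
    for pair, verdict in classify_wpm(PROCESSES, WPM_EVENTS).items():
        print(f"WriteProcessMemory {pair[0]} -> {pair[1]}: {verdict}")
    print(summarize(PROCESSES, WPM_EVENTS, PRIV_EVENTS))
```

For this report the helper reports PID 1336 as crashed, no injection candidates, and SeDebugPrivilege enabled by 1336, which is the reading a practitioner should carry forward: the sample did little before faulting, and the WriteProcessMemory signature is noise here rather than evidence of process injection.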