Analysis

  • max time kernel
    93s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/09/2024, 03:38

General

  • Target

    2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe

  • Size

    70.2MB

  • MD5

    8f032f34569c3c9e99562a22dfd78a57

  • SHA1

    2e014a220d6767924c6f9e669ae8deb8bd42383e

  • SHA256

    78604a5813861a7dd652b6d2f151bcf8215f0c700b4a1a8f28986fee220b1a59

  • SHA512

    34a2e6c8f0131f305b0a8eaa385e780fe1da5e21c6977324ecb3249e53460d9c3a5caea9675a3c0120c5982e980c9029706b1c1999cff616cf5febc3df82722d

  • SSDEEP

    1572864:HklDCjxMgp23PnpSRxxhaz/+df11/GgzBGQIj5Oi:Eh+9unkRxDw/Mf/pBGRj5

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:3660
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" -f C:\ProgramData\smLS9.xml
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      PID:1956
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\5v927.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:2992
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:4836
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:3824
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\p2U5j\YzTqB@m8\v+C:\ProgramData\p2U5j\YzTqB@m8\b C:\ProgramData\p2U5j\YzTqB@m8\libhttpd.dll
      2⤵
        PID:4588
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x470 0x328
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3944
    • C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe -Embedding
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3340
      • C:\ProgramData\p2U5j\YzTqB@m8\apache.exe
        "C:\ProgramData\p2U5j\YzTqB@m8\apache.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3108
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ipconfig /all
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5052
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /all
            4⤵
            • System Location Discovery: System Language Discovery
            • Gathers network information
            PID:2196
    • C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe -Embedding
      1⤵
      • Suspicious behavior: SetClipboardViewer
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\ProgramData\win32-67-quickq.exe
        "C:\ProgramData\win32-67-quickq.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3180

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\ProgramData\p2U5j\YzTqB@m8\PX.txt

      Filesize

      179KB

      MD5

      7254eb9aa277475d42598ce82aeb380a

      SHA1

      a4c35e30c008bb859f40c5596ae73e2666596645

      SHA256

      3ef71bcb0b97d2d8e28c733863a4094810cdc816f810e3adc028d5e640f247c4

      SHA512

      ef9d769abeb7129277d144740461ac9074b989e29a4ca37153c0a65295f2436111518b24b0861a12fe00e7681144fdb35061ecd62471e78db6c67588e9acb43f

    • C:\ProgramData\p2U5j\YzTqB@m8\apache.exe

      Filesize

      20KB

      MD5

      eb4e26ad3a0e681c2faabbacb0691a34

      SHA1

      55781c8ed0dc76e4edfb91ee01267783ed2434f5

      SHA256

      f2acdf171e603203f422ba64bfe2644a8e125657c96dd626cfd323e9f87c88d1

      SHA512

      d177bfd6433207e2dcec3a05749a28693b891674b5f6c0dd9438bc75b5e6ee7c13d483ecd5bda9d8097f105d7976cbcf16612c53c8df6932f8d3aafb4435562f

    • C:\ProgramData\p2U5j\YzTqB@m8\b

      Filesize

      1.0MB

      MD5

      7307f5afe4856d5afac9552d5dd6638d

      SHA1

      7fea813ce35f85acdc780b2afcaacce14a7d5eb5

      SHA256

      1c3192682831081d56276c10235a8f181566f473942ebfbd3d2a34de2043c8c9

      SHA512

      dd1a51a733cef317abb64212da7d3d9689a3688cbd974def96be94bea93f104964716806a7c28daba733a7085528619b0a8df6fe6de0d1710173358799503eab

    • C:\ProgramData\p2U5j\YzTqB@m8\libapr-1.dll

      Filesize

      136KB

      MD5

      1f2438d15d4434da44dd7d8de4159685

      SHA1

      485ee0456584372ed290cf2c4cce23acd0365738

      SHA256

      a469f6528855b68fa5736ac5d17d4bfcc334ddb7b0302925d172e51a1c8f9825

      SHA512

      2a14c66fbd447fb2a92ecc9ad7ef6203a1ad05517a8bc0fa154e99a57aa97fcef7c8830576eb8de81062527c18c40b0c1c1affa2115a27ac21c9b83e82912798

    • C:\ProgramData\p2U5j\YzTqB@m8\libapriconv-1.dll

      Filesize

      36KB

      MD5

      19f4219c97ef015d0078432c2597cfc0

      SHA1

      0137739696289ff2905e5cfcde1cfc7d39e2e94b

      SHA256

      0e65f8c77bb83505075ebccc9b0ee3c3c4790817967a7fe6a37bb2dd57e35016

      SHA512

      0825a2d669f60ab6df30453856836a04b64f558efb47f619fce61e64f66297702125f1cccb1d4c6081f7f6079281d5de236d1069737487160d060275e48553d3

    • C:\ProgramData\p2U5j\YzTqB@m8\libaprutil-1.dll

      Filesize

      188KB

      MD5

      509edf80bbd3f6e6af60ceaf17026666

      SHA1

      702ccd2c3bd4c1c9f2cf0d4ce33bf8b0e6aac7a0

      SHA256

      6e8c0aa983b81f977809ca8beb050c33f5bcda741a736f7f2055b5a064b4e59e

      SHA512

      d28f0f79b1718edbbcfbf75dfc74c8023968f31760e2a99fb5c8ba7c87c3efd171b6d4b3c99ddc5c6e6857bdf72dd9f5b04449f1136aa22d9f7bea7e688a75ef

    • C:\ProgramData\p2U5j\YzTqB@m8\libhttpd.dll

      Filesize

      2.0MB

      MD5

      e9fe83497bc0ecf0eca8095cbc3636c3

      SHA1

      9c76eaff3ac4156b462dd05c8c76272995c8d513

      SHA256

      171d37105e828ee641b0e6a386dd3fb131857ac9b3ba0246566bc4b0f78d7752

      SHA512

      7232145954e0fe59ad24a9329ba885df8038666d49e1bd442adc5b32f82f903a44b0338fb18460764a651fde75de244f725787bc1fa2fee90e06896259f72e77

    • C:\ProgramData\p2U5j\YzTqB@m8\mfc100u.dll

      Filesize

      4.2MB

      MD5

      f32077df74efd435a1dcdf415e189df1

      SHA1

      2771393d56ff167275bf03170377c43c28ee14e1

      SHA256

      24bb6838defd491df5460a88bed2d70b903a2156c49fb63e214e2c77251eca71

      SHA512

      fb708e0949854998fb80635138c80ac05d77dca3089d3e5974663ddf2376d6a03535dae1a068514c3b58bc06c8e4078b37cfb6bc90f080f7f31fefc972a34850

    • C:\ProgramData\p2U5j\YzTqB@m8\msvcp100.dll

      Filesize

      411KB

      MD5

      e3c817f7fe44cc870ecdbcbc3ea36132

      SHA1

      2ada702a0c143a7ae39b7de16a4b5cc994d2548b

      SHA256

      d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

      SHA512

      4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

    • C:\ProgramData\p2U5j\YzTqB@m8\msvcr100.dll

      Filesize

      755KB

      MD5

      bf38660a9125935658cfa3e53fdc7d65

      SHA1

      0b51fb415ec89848f339f8989d323bea722bfd70

      SHA256

      60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

      SHA512

      25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

    • C:\ProgramData\p2U5j\YzTqB@m8\v

      Filesize

      1.0MB

      MD5

      0de13eb50b1a642533afc617a7fae29a

      SHA1

      133e8262bd162a9d52d5042e3db9742e709e0944

      SHA256

      da9283fd5b388d90e90c6f82f7c20a1093ffa30f136f3bdf2f3f685a01bb1f0a

      SHA512

      bb1123fc60a0b6ed71a65b2594175c4eebe5061f0cafd072223f021edf9985e88e944f5b96e63ae86a970eaf04d678f478ab200ea8d1ce8cf696b6453f3a4994

    • C:\Users\Admin\AppData\Local\Temp\nsmD68B.tmp\InstallOptions.dll

      Filesize

      14KB

      MD5

      8d5a5529462a9ba1ac068ee0502578c7

      SHA1

      875e651e302ce0bfc8893f341cf19171fee25ea5

      SHA256

      e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

      SHA512

      101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

    • C:\Users\Admin\AppData\Local\Temp\nsmD68B.tmp\LangDLL.dll

      Filesize

      5KB

      MD5

      77ff758c10c66937de6d86c388aa431c

      SHA1

      14bd5628eaf8a12b55cd38f9560c839cb21ce77a

      SHA256

      6a033e367714ec0d13fca0589c165bdbf4d1dac459fa7ec7415815223fa3c008

      SHA512

      319837951be276a179ead69efcd24bd7566061abc7997ea782af50bd4b0d69e5ec1a6e4cdeb2825bafedf87edf03380396b7bcf58682b6a3a824c8dc4b966bda

    • C:\Users\Admin\AppData\Local\Temp\nsmD68B.tmp\System.dll

      Filesize

      11KB

      MD5

      b0c77267f13b2f87c084fd86ef51ccfc

      SHA1

      f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

      SHA256

      a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

      SHA512

      f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

    • C:\Users\Admin\AppData\Local\Temp\nsmD68B.tmp\ioSpecial.ini

      Filesize

      679B

      MD5

      550e60129ee78872e398e705f08f41df

      SHA1

      66e57b902416e9b88e6525f8e2e76f5fc5761a5e

      SHA256

      7c7acf7c1382913545b821588d0c1a77eb72f90de2364305b52894b1b76a9bf6

      SHA512

      19bc93030d8a9db8bc5b55aa174e08b0c80b84e80602705ae9f6702de489a468eb00d6594647939fa6888eac63a040daa7ab13110cb87f692a0f97da3b22af6e

    • C:\Users\Admin\AppData\Roaming\5v927.bat

      Filesize

      392B

      MD5

      30d6eb22d6aeec10347239b17b023bf4

      SHA1

      e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

      SHA256

      659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

      SHA512

      500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

    • memory/3108-141-0x0000000002330000-0x0000000002399000-memory.dmp

      Filesize

      420KB

    • memory/3108-35-0x0000000002330000-0x0000000002399000-memory.dmp

      Filesize

      420KB

    • memory/3108-33-0x0000000002330000-0x0000000002399000-memory.dmp

      Filesize

      420KB

    • memory/3108-34-0x0000000002330000-0x0000000002399000-memory.dmp

      Filesize

      420KB

    • memory/3108-139-0x0000000002330000-0x0000000002399000-memory.dmp

      Filesize

      420KB

    • memory/3108-37-0x0000000002330000-0x0000000002399000-memory.dmp

      Filesize

      420KB

    • memory/3108-140-0x0000000002330000-0x0000000002399000-memory.dmp

      Filesize

      420KB

    • memory/3108-142-0x0000000002330000-0x0000000002399000-memory.dmp

      Filesize

      420KB

    • memory/3108-143-0x0000000002330000-0x0000000002399000-memory.dmp

      Filesize

      420KB

    • memory/3996-3-0x0000000180000000-0x0000000180467000-memory.dmp

      Filesize

      4.4MB

    • memory/3996-2-0x0000000180000000-0x0000000180467000-memory.dmp

      Filesize

      4.4MB

    • memory/3996-1-0x0000000180000000-0x0000000180467000-memory.dmp

      Filesize

      4.4MB