Analysis
max time kernel: 93s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 04/09/2024, 03:38
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
  Resource: win10v2004-20240802-en
General
Target: 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
Size: 70.2MB
MD5: 8f032f34569c3c9e99562a22dfd78a57
SHA1: 2e014a220d6767924c6f9e669ae8deb8bd42383e
SHA256: 78604a5813861a7dd652b6d2f151bcf8215f0c700b4a1a8f28986fee220b1a59
SHA512: 34a2e6c8f0131f305b0a8eaa385e780fe1da5e21c6977324ecb3249e53460d9c3a5caea9675a3c0120c5982e980c9029706b1c1999cff616cf5febc3df82722d
SSDEEP: 1572864:HklDCjxMgp23PnpSRxxhaz/+df11/GgzBGQIj5Oi:Eh+9unkRxDw/Mf/pBGRj5
Malware Config
Signatures
UAC bypass 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe

Executes dropped EXE 2 IoCs
pid | Process
3108 | apache.exe
3180 | win32-67-quickq.exe

Loads dropped DLL 7 IoCs
pid | Process
3108 | apache.exe
3108 | apache.exe
3108 | apache.exe
3108 | apache.exe
3180 | win32-67-quickq.exe
3180 | win32-67-quickq.exe
3180 | win32-67-quickq.exe

Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | apache.exe
File opened (read-only) | \??\K: | apache.exe
File opened (read-only) | \??\O: | apache.exe
File opened (read-only) | \??\S: | apache.exe
File opened (read-only) | \??\T: | apache.exe
File opened (read-only) | \??\G: | apache.exe
File opened (read-only) | \??\P: | apache.exe
File opened (read-only) | \??\U: | apache.exe
File opened (read-only) | \??\B: | apache.exe
File opened (read-only) | \??\E: | apache.exe
File opened (read-only) | \??\J: | apache.exe
File opened (read-only) | \??\L: | apache.exe
File opened (read-only) | \??\V: | apache.exe
File opened (read-only) | \??\W: | apache.exe
File opened (read-only) | \??\X: | apache.exe
File opened (read-only) | \??\Z: | apache.exe
File opened (read-only) | \??\H: | apache.exe
File opened (read-only) | \??\M: | apache.exe
File opened (read-only) | \??\N: | apache.exe
File opened (read-only) | \??\Q: | apache.exe
File opened (read-only) | \??\R: | apache.exe
File opened (read-only) | \??\Y: | apache.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | win32-67-quickq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ipconfig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | apache.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | apache.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | apache.exe
Gathers network information 2 TTPs 2 IoCs
Uses a command-line utility to view the network configuration.
pid | Process
3660 | ipconfig.exe
2196 | ipconfig.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3108 | apache.exe
3108 | apache.exe

Suspicious behavior: SetClipboardViewer 1 IoCs
pid | Process
5080 | mmc.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs
description | pid | Process
Token: 33 | 3944 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3944 | AUDIODG.EXE
Token: SeShutdownPrivilege | 3996 | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
Token: 33 | 3340 | mmc.exe
Token: SeIncBasePriorityPrivilege | 3340 | mmc.exe
Token: 33 | 3340 | mmc.exe
Token: SeIncBasePriorityPrivilege | 3340 | mmc.exe
Token: SeShutdownPrivilege | 3108 | apache.exe
Token: 33 | 5080 | mmc.exe
Token: SeIncBasePriorityPrivilege | 5080 | mmc.exe
Token: 33 | 5080 | mmc.exe
Token: SeIncBasePriorityPrivilege | 5080 | mmc.exe
Token: SeDebugPrivilege | 3108 | apache.exe

Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
3996 | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
3996 | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
3996 | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
3996 | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
3996 | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
3340 | mmc.exe
3340 | mmc.exe
5080 | mmc.exe
5080 | mmc.exe
3180 | win32-67-quickq.exe

Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 3996 wrote to memory of 228 | 3996 | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe | 87
PID 3996 wrote to memory of 228 | 3996 | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe | 87
PID 228 wrote to memory of 3660 | 228 | cmd.exe | 89
PID 228 wrote to memory of 3660 | 228 | cmd.exe | 89
PID 3996 wrote to memory of 1956 | 3996 | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe | 90
PID 3996 wrote to memory of 1956 | 3996 | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe | 90
PID 3996 wrote to memory of 2968 | 3996 | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe | 97
PID 3996 wrote to memory of 2968 | 3996 | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe | 97
PID 2968 wrote to memory of 2992 | 2968 | cmd.exe | 99
PID 2968 wrote to memory of 2992 | 2968 | cmd.exe | 99
PID 2968 wrote to memory of 4836 | 2968 | cmd.exe | 100
PID 2968 wrote to memory of 4836 | 2968 | cmd.exe | 100
PID 2968 wrote to memory of 3824 | 2968 | cmd.exe | 101
PID 2968 wrote to memory of 3824 | 2968 | cmd.exe | 101
PID 3996 wrote to memory of 4588 | 3996 | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe | 104
PID 3996 wrote to memory of 4588 | 3996 | 2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe | 104
PID 3340 wrote to memory of 3108 | 3340 | mmc.exe | 107
PID 3340 wrote to memory of 3108 | 3340 | mmc.exe | 107
PID 3340 wrote to memory of 3108 | 3340 | mmc.exe | 107
PID 5080 wrote to memory of 3180 | 5080 | mmc.exe | 111
PID 5080 wrote to memory of 3180 | 5080 | mmc.exe | 111
PID 5080 wrote to memory of 3180 | 5080 | mmc.exe | 111
PID 3108 wrote to memory of 5052 | 3108 | apache.exe | 112
PID 3108 wrote to memory of 5052 | 3108 | apache.exe | 112
PID 3108 wrote to memory of 5052 | 3108 | apache.exe | 112
PID 5052 wrote to memory of 2196 | 5052 | cmd.exe | 113
PID 5052 wrote to memory of 2196 | 5052 | cmd.exe | 113
PID 5052 wrote to memory of 2196 | 5052 | cmd.exe | 113
Processes
C:\Users\Admin\AppData\Local\Temp\2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe"
  PID: 3996
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ipconfig /all
    PID: 228
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\ipconfig.exe
      Command line: ipconfig /all
      PID: 3660
      - Gathers network information
  C:\Windows\System32\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" -f C:\ProgramData\smLS9.xml
    PID: 1956
    - Event Triggered Execution: Netsh Helper DLL
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\5v927.bat"
    PID: 2968
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe
      Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
      PID: 2992
      - UAC bypass
    C:\Windows\system32\reg.exe
      Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
      PID: 4836
      - UAC bypass
    C:\Windows\system32\reg.exe
      Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
      PID: 3824
      - UAC bypass
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\p2U5j\YzTqB@m8\v+C:\ProgramData\p2U5j\YzTqB@m8\b C:\ProgramData\p2U5j\YzTqB@m8\libhttpd.dll
    PID: 4588
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x470 0x328
  PID: 3944
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\mmc.exe
  Command line: C:\Windows\system32\mmc.exe -Embedding
  PID: 3340
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\p2U5j\YzTqB@m8\apache.exe
    Command line: "C:\ProgramData\p2U5j\YzTqB@m8\apache.exe"
    PID: 3108
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ipconfig /all
      PID: 5052
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /all
        PID: 2196
        - System Location Discovery: System Language Discovery
        - Gathers network information
C:\Windows\system32\mmc.exe
  Command line: C:\Windows\system32\mmc.exe -Embedding
  PID: 5080
  - Suspicious behavior: SetClipboardViewer
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\win32-67-quickq.exe
    Command line: "C:\ProgramData\win32-67-quickq.exe"
    PID: 3180
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Event Triggered Execution 1
    Netsh Helper DLL 1
Defense Evasion
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Impair Defenses 1
    Disable or Modify Tools 1
  Modify Registry 1
Downloads
Filesize: 179KB
MD5: 7254eb9aa277475d42598ce82aeb380a
SHA1: a4c35e30c008bb859f40c5596ae73e2666596645
SHA256: 3ef71bcb0b97d2d8e28c733863a4094810cdc816f810e3adc028d5e640f247c4
SHA512: ef9d769abeb7129277d144740461ac9074b989e29a4ca37153c0a65295f2436111518b24b0861a12fe00e7681144fdb35061ecd62471e78db6c67588e9acb43f

Filesize: 20KB
MD5: eb4e26ad3a0e681c2faabbacb0691a34
SHA1: 55781c8ed0dc76e4edfb91ee01267783ed2434f5
SHA256: f2acdf171e603203f422ba64bfe2644a8e125657c96dd626cfd323e9f87c88d1
SHA512: d177bfd6433207e2dcec3a05749a28693b891674b5f6c0dd9438bc75b5e6ee7c13d483ecd5bda9d8097f105d7976cbcf16612c53c8df6932f8d3aafb4435562f

Filesize: 1.0MB
MD5: 7307f5afe4856d5afac9552d5dd6638d
SHA1: 7fea813ce35f85acdc780b2afcaacce14a7d5eb5
SHA256: 1c3192682831081d56276c10235a8f181566f473942ebfbd3d2a34de2043c8c9
SHA512: dd1a51a733cef317abb64212da7d3d9689a3688cbd974def96be94bea93f104964716806a7c28daba733a7085528619b0a8df6fe6de0d1710173358799503eab

Filesize: 136KB
MD5: 1f2438d15d4434da44dd7d8de4159685
SHA1: 485ee0456584372ed290cf2c4cce23acd0365738
SHA256: a469f6528855b68fa5736ac5d17d4bfcc334ddb7b0302925d172e51a1c8f9825
SHA512: 2a14c66fbd447fb2a92ecc9ad7ef6203a1ad05517a8bc0fa154e99a57aa97fcef7c8830576eb8de81062527c18c40b0c1c1affa2115a27ac21c9b83e82912798

Filesize: 36KB
MD5: 19f4219c97ef015d0078432c2597cfc0
SHA1: 0137739696289ff2905e5cfcde1cfc7d39e2e94b
SHA256: 0e65f8c77bb83505075ebccc9b0ee3c3c4790817967a7fe6a37bb2dd57e35016
SHA512: 0825a2d669f60ab6df30453856836a04b64f558efb47f619fce61e64f66297702125f1cccb1d4c6081f7f6079281d5de236d1069737487160d060275e48553d3

Filesize: 188KB
MD5: 509edf80bbd3f6e6af60ceaf17026666
SHA1: 702ccd2c3bd4c1c9f2cf0d4ce33bf8b0e6aac7a0
SHA256: 6e8c0aa983b81f977809ca8beb050c33f5bcda741a736f7f2055b5a064b4e59e
SHA512: d28f0f79b1718edbbcfbf75dfc74c8023968f31760e2a99fb5c8ba7c87c3efd171b6d4b3c99ddc5c6e6857bdf72dd9f5b04449f1136aa22d9f7bea7e688a75ef

Filesize: 2.0MB
MD5: e9fe83497bc0ecf0eca8095cbc3636c3
SHA1: 9c76eaff3ac4156b462dd05c8c76272995c8d513
SHA256: 171d37105e828ee641b0e6a386dd3fb131857ac9b3ba0246566bc4b0f78d7752
SHA512: 7232145954e0fe59ad24a9329ba885df8038666d49e1bd442adc5b32f82f903a44b0338fb18460764a651fde75de244f725787bc1fa2fee90e06896259f72e77

Filesize: 4.2MB
MD5: f32077df74efd435a1dcdf415e189df1
SHA1: 2771393d56ff167275bf03170377c43c28ee14e1
SHA256: 24bb6838defd491df5460a88bed2d70b903a2156c49fb63e214e2c77251eca71
SHA512: fb708e0949854998fb80635138c80ac05d77dca3089d3e5974663ddf2376d6a03535dae1a068514c3b58bc06c8e4078b37cfb6bc90f080f7f31fefc972a34850

Filesize: 411KB
MD5: e3c817f7fe44cc870ecdbcbc3ea36132
SHA1: 2ada702a0c143a7ae39b7de16a4b5cc994d2548b
SHA256: d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
SHA512: 4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Filesize: 755KB
MD5: bf38660a9125935658cfa3e53fdc7d65
SHA1: 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512: 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Filesize: 1.0MB
MD5: 0de13eb50b1a642533afc617a7fae29a
SHA1: 133e8262bd162a9d52d5042e3db9742e709e0944
SHA256: da9283fd5b388d90e90c6f82f7c20a1093ffa30f136f3bdf2f3f685a01bb1f0a
SHA512: bb1123fc60a0b6ed71a65b2594175c4eebe5061f0cafd072223f021edf9985e88e944f5b96e63ae86a970eaf04d678f478ab200ea8d1ce8cf696b6453f3a4994

Filesize: 14KB
MD5: 8d5a5529462a9ba1ac068ee0502578c7
SHA1: 875e651e302ce0bfc8893f341cf19171fee25ea5
SHA256: e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790
SHA512: 101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Filesize: 5KB
MD5: 77ff758c10c66937de6d86c388aa431c
SHA1: 14bd5628eaf8a12b55cd38f9560c839cb21ce77a
SHA256: 6a033e367714ec0d13fca0589c165bdbf4d1dac459fa7ec7415815223fa3c008
SHA512: 319837951be276a179ead69efcd24bd7566061abc7997ea782af50bd4b0d69e5ec1a6e4cdeb2825bafedf87edf03380396b7bcf58682b6a3a824c8dc4b966bda

Filesize: 11KB
MD5: b0c77267f13b2f87c084fd86ef51ccfc
SHA1: f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256: a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512: f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Filesize: 679B
MD5: 550e60129ee78872e398e705f08f41df
SHA1: 66e57b902416e9b88e6525f8e2e76f5fc5761a5e
SHA256: 7c7acf7c1382913545b821588d0c1a77eb72f90de2364305b52894b1b76a9bf6
SHA512: 19bc93030d8a9db8bc5b55aa174e08b0c80b84e80602705ae9f6702de489a468eb00d6594647939fa6888eac63a040daa7ab13110cb87f692a0f97da3b22af6e

Filesize: 392B
MD5: 30d6eb22d6aeec10347239b17b023bf4
SHA1: e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1
SHA256: 659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08
SHA512: 500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76