Analysis
max time kernel: 122s
max time network: 130s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/10/2024, 03:56
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe
  Resource: win10v2004-20241007-en
General
Target: 2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe
Size: 14.0MB
MD5: fc98f5d0bc1552483a44c85d53384a6e
SHA1: d696097fec437d4f31739d1460b180e67795b9d6
SHA256: 33a32609cb5acf54abeef9eed08d24a03dfd138ddd4b6132c8add72d8232b43a
SHA512: 5b3f9769de97b61568611ed852efcdcb52d9d2371026dc434aeab2f42197cc6a876a24c1132ec0861bd6895c7c9ca164370da9ae63009bd4432ef8ed9dddefa4
SSDEEP: 393216:IxhOGfw/zTNVC2bH2McKpqeTP91UIU537BEBE/P:aIoszT7C2KMzg537iBEH
Malware Config
Signatures

An open source browser data exporter written in golang. (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x0004000000019586-154.dat | family_hackbrowserdata
  behavioral1/memory/1496-216-0x000000013F2C0000-0x000000014074E000-memory.dmp | family_hackbrowserdata
  Family: HackBrowserData, an open source golang web browser extractor.

Executes dropped EXE (1 IoC)
  pid | Process
  1496 | hack-browser-data.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  1056 | cmd.exe
  1056 | cmd.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  pid | Process
  2892 | powershell.exe
  Note that this signature is attributed to the powershell.exe instance that runs HBDSend.ps1 (PID 2892), not to the dropped hack-browser-data.exe (PID 1496); the extractor itself shows up in this report only through the "Executes dropped EXE" signature and the yara match on its memory dump.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (2 IoCs)
  pid | Process
  464 | timeout.exe
  2648 | timeout.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1852 | powershell.exe
  2892 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1852 | powershell.exe
  Token: SeDebugPrivilege | 2892 | powershell.exe

Suspicious use of WriteProcessMemory (24 IoCs; each of the eight parent/child pairs below is logged three times)
  description | pid | Process | procid_target
  PID 2260 wrote to memory of 2364 | 2260 | 2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe | 30
  PID 2364 wrote to memory of 2264 | 2364 | WScript.exe | 31
  PID 2264 wrote to memory of 1056 | 2264 | cmd.exe | 33
  PID 1056 wrote to memory of 1496 | 1056 | cmd.exe | 34
  PID 2264 wrote to memory of 464 | 2264 | cmd.exe | 36
  PID 2264 wrote to memory of 1852 | 2264 | cmd.exe | 37
  PID 2264 wrote to memory of 2892 | 2264 | cmd.exe | 38
  PID 2264 wrote to memory of 2648 | 2264 | cmd.exe | 39
Processes (bracketed number is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe"
    PID 2260; Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs"
      PID 2364; Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ha.bat" "
        PID 2264; Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd /c "start "" .\toboot\hack-browser-data.exe -f json --dir res --zip"
          PID 1056; Loads dropped DLL; Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe
            .\toboot\hack-browser-data.exe -f json --dir res --zip
            PID 1496; Executes dropped EXE
      [4] C:\Windows\system32\timeout.exe
          timeout /t 4
          PID 464; Delays execution with timeout.exe
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Compress-Archive -Path ".\res" -DestinationPath .\res.zip -CompressionLevel Fastest -Force
          PID 1852; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -ep bypass -file "HBDSend.ps1"
          PID 2892; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\timeout.exe
          timeout /t 4
          PID 2648; Delays execution with timeout.exe
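Read top-down, the process tree above is the whole launcher chain: the sample starts WScript.exe on hideCMD.vbs (by its name, a wrapper that hides the console window), the script runs ha.bat, and the batch file starts the dropped hack-browser-data.exe with JSON output into res\, sleeps with timeout.exe, zips res\ with Compress-Archive, and runs HBDSend.ps1 with the execution policy bypassed. The Python below, added here as an example and not part of the tria.ge report or of the HackBrowserData project, rebuilds that tree from process-creation events and flags each link of the chain so the same pattern can be spotted in endpoint telemetry. The events are transcribed from the Processes section (the root's parent PID 0 is an assumption); the rule names and patterns are my own, and in production the same functions would be fed Sysmon EventID 1 or EDR process records rather than the embedded list.

```python
"""Rebuild a sandbox process tree from process-creation events and flag the
WScript -> cmd -> dropped extractor / PowerShell chain seen in the report.
Example code written for this page; not from tria.ge or HackBrowserData."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


# Constructed input: (pid, parent pid, image path, command line), transcribed
# from the Processes section of the report. Parent pid 0 for the root is assumed.
EVENTS: List[Tuple[int, int, str, str]] = [
    (2260, 0, r"C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe"'),
    (2364, 2260, r"C:\Windows\System32\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs"'),
    (2264, 2364, r"C:\Windows\System32\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\ha.bat" "'),
    (1056, 2264, r"C:\Windows\system32\cmd.exe",
     r'cmd /c "start "" .\toboot\hack-browser-data.exe -f json --dir res --zip"'),
    (1496, 1056, r"C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe",
     r".\toboot\hack-browser-data.exe -f json --dir res --zip"),
    (464, 2264, r"C:\Windows\system32\timeout.exe", "timeout /t 4"),
    (1852, 2264, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell Compress-Archive -Path ".\res" -DestinationPath .\res.zip -CompressionLevel Fastest -Force'),
    (2892, 2264, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell -ep bypass -file "HBDSend.ps1"'),
    (2648, 2264, r"C:\Windows\system32\timeout.exe", "timeout /t 4"),
]

# Assumed rule patterns (not taken from the report).
TEMP_DIR = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
EP_BYPASS = re.compile(r"-(?:ep|ex|executionpolicy)\s+bypass", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def build_tree(events) -> Dict[int, Proc]:
    """Index processes by pid and link each one to its parent, if present."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def ancestors(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image names of the parent, grandparent, ... of pid (nearest first)."""
    chain = []
    pid = procs[pid].ppid
    while pid in procs:
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


def detect(procs: Dict[int, Proc]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for every link of the launcher chain."""
    findings = []
    for p in procs.values():
        scripted = bool(SCRIPT_HOSTS & set(ancestors(procs, p.pid)))
        cmd = p.cmdline.lower()
        if p.name == "cmd.exe" and scripted:
            findings.append((p.pid, "cmd.exe spawned under a script host"))
        if p.name == "powershell.exe" and EP_BYPASS.search(p.cmdline):
            findings.append((p.pid, "PowerShell started with ExecutionPolicy Bypass"))
        if p.name == "powershell.exe" and "compress-archive" in cmd:
            findings.append((p.pid, "PowerShell archiving a directory (collection staging)"))
        if TEMP_DIR.search(p.image) and scripted:
            findings.append((p.pid, "executable run from %TEMP% under a script host"))
        if p.name == "timeout.exe" and scripted:
            findings.append((p.pid, "timeout.exe delay inside a scripted chain"))
    return findings


def render(procs: Dict[int, Proc], pid: int = None, depth: int = 0) -> str:
    """Indented text view of the tree, starting from the roots or from pid."""
    roots = [procs[pid]] if pid is not None else [p for p in procs.values() if p.ppid not in procs]
    lines = []
    for r in roots:
        lines.append("  " * depth + f"[{r.pid}] {r.name}: {r.cmdline}")
        lines.extend(render(procs, c.pid, depth + 1) for c in r.children)
    return "\n".join(lines)


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    print(render(tree))
    for pid, msg in detect(tree):
        print(f"{pid:>5}  {msg}")
```

The ancestry check is what makes the rules specific: cmd.exe, timeout.exe and a binary in %TEMP% are all normal on their own, but each of them sitting under a WScript.exe ancestor is the shape of this launcher, and the root sample itself (PID 2260), which also runs from %TEMP% but has no script-host ancestor, correctly produces no finding.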
Network
MITRE ATT&CK Enterprise v15
Downloads

File (no path shown)
  Filesize: 206B
  MD5: 161010715d0c362173bf20c28c2fd9b7
  SHA1: f80849d90d3a9843a658e5560f000f97fc4d8d01
  SHA256: de309dabda86493c2e3260c1e17dd794211789121ffbd93a291909d48a5697e7
  SHA512: c7599a1d21226e3fb73e669a9451b14dfc6d0d9ce6866bc382e32c645f79671f6457b15cf5e377006bc14f3cd8dd7754a5ff1e4496c1bb4129d7d271ff2293c4

File (no path shown)
  Filesize: 390B
  MD5: 4802a57c6fccba23e67bc66c31356d4f
  SHA1: fc030aa0f325b17643f58c2659c0742890d9f3d7
  SHA256: 5578ae9942d3aeba7898924a489752dd6c209d4b22cbbdb2eb5f946c61d0df35
  SHA512: 9c2843455b90f14393ff1f6e7b0736607ba16a0e89eef4a9f0d6b7affd3430b2b6dcf87d588758f99d3ae29fcb365e584e40d760024dd1ea2108b3d9190d0b0a

File (no path shown)
  Filesize: 333KB
  MD5: 068616c682ecf110e197df944c8e91a5
  SHA1: 34e6742941f8c169e0748d24a1b250bdaebc8fe3
  SHA256: c26e61d6f32eba06f51d8bf7dc51fa8b5092d95141696e0d38909ae611675cc0
  SHA512: 7b352babd9abd73c7b9857b08a245d4971cda801e6fb0e215cb5f1b588a42573faf526bfa750a18430c329bc517d61c0deec42ff0dd88022b32bd6b20cd3a30f

File (no path shown)
  Filesize: 338B
  MD5: fddf7e3115d866f57c8ee7c39faba7c7
  SHA1: 380fd6c70888e59b3e6422b482bd993a1c6f4092
  SHA256: 58eba8234f52ee4f5cb65bcc38f612fcd0025fbfaaa092f994aa0af02c2623cd
  SHA512: 3efc29aab85d86e83f533baadd275b4692eef50cf1cd600fc6bd27f110bfc0494353ed99679e9e93e3cdc119ea05161cb35906855ad8dedcf6f2324f87041d55

File (no path shown)
  Filesize: 51B
  MD5: 8cb717954c207bc5d1866f0b91f3705b
  SHA1: bb2eb348bbaae1c03f0e8a69fe632acf3654906d
  SHA256: 5098540013c04d7a204e5ccd000d0342e2724b2a5747c6cde3423c33670e7125
  SHA512: 28671621ebc6b0e2ef08d910770463935f484b3a2bbf2f2d902436856ca63dfefb1d4c5c57bb0eb84d973295bf7dccf4767a72ed26b62f9b7476c5ac51b858bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: f43d80a30a7b0b576b1a75b79451ba6d
  SHA1: 2bdc955a39946779f0c40e1c86d7416565f0f3a6
  SHA256: 97081cd1ff330ea118f919e4a6fa81ff8cf82ea1d0ec69ee8c0928a3702210b8
  SHA512: 3ca728b8047fad191cb126c8249200ac9c92299675d2d5c04f5754baf56b41e332bbfb751062f45e8d882bbee9451d4d84ecd73fcc5e5346ad235d5178968484

File (no path shown)
  Filesize: 20.9MB
  MD5: 6c66514d0e3b4cf5a2e4c2844efcb1f3
  SHA1: 682d46485ce44e719309f80483221d82011c3779
  SHA256: 7374c9b387000b813be75e10c2b988bf8d892985de63eb7446e11ceb225312e8
  SHA512: 4ca2657b47f145db2b162428ed057b52260a0db6758bf21803d75c6451914918f6392a4f8eb4216929e9feac1da70c161bd5ff61878d328863c9267c798c81a5