Analysis

  • max time kernel
    122s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/10/2024, 03:56

General

  • Target
    2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe
  • Size
    14.0MB
  • MD5
    fc98f5d0bc1552483a44c85d53384a6e
  • SHA1
    d696097fec437d4f31739d1460b180e67795b9d6
  • SHA256
    33a32609cb5acf54abeef9eed08d24a03dfd138ddd4b6132c8add72d8232b43a
  • SHA512
    5b3f9769de97b61568611ed852efcdcb52d9d2371026dc434aeab2f42197cc6a876a24c1132ec0861bd6895c7c9ca164370da9ae63009bd4432ef8ed9dddefa4
  • SSDEEP
    393216:IxhOGfw/zTNVC2bH2McKpqeTP91UIU537BEBE/P:aIoszT7C2KMzg537iBEH

Malware Config

Signatures

  • An open source browser data exporter written in golang. 2 IoCs
  • HackBrowserData

    An open source golang web browser extractor.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\System32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ha.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Windows\system32\cmd.exe
          cmd /c "start "" .\toboot\hack-browser-data.exe -f json --dir res --zip"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1056
          • C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe
            .\toboot\hack-browser-data.exe -f json --dir res --zip
            5⤵
            • Executes dropped EXE
            PID:1496
        • C:\Windows\system32\timeout.exe
          timeout /t 4
          4⤵
          • Delays execution with timeout.exe
          PID:464
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Compress-Archive -Path ".\res" -DestinationPath .\res.zip -CompressionLevel Fastest -Force
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1852
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -ep bypass -file "HBDSend.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2892
        • C:\Windows\system32\timeout.exe
          timeout /t 4
          4⤵
          • Delays execution with timeout.exe
          PID:2648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\.git\logs\refs\remotes\origin\HEAD
    Filesize
    206B
    MD5
    161010715d0c362173bf20c28c2fd9b7
    SHA1
    f80849d90d3a9843a658e5560f000f97fc4d8d01
    SHA256
    de309dabda86493c2e3260c1e17dd794211789121ffbd93a291909d48a5697e7
    SHA512
    c7599a1d21226e3fb73e669a9451b14dfc6d0d9ce6866bc382e32c645f79671f6457b15cf5e377006bc14f3cd8dd7754a5ff1e4496c1bb4129d7d271ff2293c4

  • C:\Users\Admin\AppData\Local\Temp\HBDSend.ps1
    Filesize
    390B
    MD5
    4802a57c6fccba23e67bc66c31356d4f
    SHA1
    fc030aa0f325b17643f58c2659c0742890d9f3d7
    SHA256
    5578ae9942d3aeba7898924a489752dd6c209d4b22cbbdb2eb5f946c61d0df35
    SHA512
    9c2843455b90f14393ff1f6e7b0736607ba16a0e89eef4a9f0d6b7affd3430b2b6dcf87d588758f99d3ae29fcb365e584e40d760024dd1ea2108b3d9190d0b0a

  • C:\Users\Admin\AppData\Local\Temp\chromiumKey
    Filesize
    333KB
    MD5
    068616c682ecf110e197df944c8e91a5
    SHA1
    34e6742941f8c169e0748d24a1b250bdaebc8fe3
    SHA256
    c26e61d6f32eba06f51d8bf7dc51fa8b5092d95141696e0d38909ae611675cc0
    SHA512
    7b352babd9abd73c7b9857b08a245d4971cda801e6fb0e215cb5f1b588a42573faf526bfa750a18430c329bc517d61c0deec42ff0dd88022b32bd6b20cd3a30f

  • C:\Users\Admin\AppData\Local\Temp\ha.bat
    Filesize
    338B
    MD5
    fddf7e3115d866f57c8ee7c39faba7c7
    SHA1
    380fd6c70888e59b3e6422b482bd993a1c6f4092
    SHA256
    58eba8234f52ee4f5cb65bcc38f612fcd0025fbfaaa092f994aa0af02c2623cd
    SHA512
    3efc29aab85d86e83f533baadd275b4692eef50cf1cd600fc6bd27f110bfc0494353ed99679e9e93e3cdc119ea05161cb35906855ad8dedcf6f2324f87041d55

  • C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs
    Filesize
    51B
    MD5
    8cb717954c207bc5d1866f0b91f3705b
    SHA1
    bb2eb348bbaae1c03f0e8a69fe632acf3654906d
    SHA256
    5098540013c04d7a204e5ccd000d0342e2724b2a5747c6cde3423c33670e7125
    SHA512
    28671621ebc6b0e2ef08d910770463935f484b3a2bbf2f2d902436856ca63dfefb1d4c5c57bb0eb84d973295bf7dccf4767a72ed26b62f9b7476c5ac51b858bd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize
    7KB
    MD5
    f43d80a30a7b0b576b1a75b79451ba6d
    SHA1
    2bdc955a39946779f0c40e1c86d7416565f0f3a6
    SHA256
    97081cd1ff330ea118f919e4a6fa81ff8cf82ea1d0ec69ee8c0928a3702210b8
    SHA512
    3ca728b8047fad191cb126c8249200ac9c92299675d2d5c04f5754baf56b41e332bbfb751062f45e8d882bbee9451d4d84ecd73fcc5e5346ad235d5178968484

  • \Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe
    Filesize
    20.9MB
    MD5
    6c66514d0e3b4cf5a2e4c2844efcb1f3
    SHA1
    682d46485ce44e719309f80483221d82011c3779
    SHA256
    7374c9b387000b813be75e10c2b988bf8d892985de63eb7446e11ceb225312e8
    SHA512
    4ca2657b47f145db2b162428ed057b52260a0db6758bf21803d75c6451914918f6392a4f8eb4216929e9feac1da70c161bd5ff61878d328863c9267c798c81a5

  • memory/1496-216-0x000000013F2C0000-0x000000014074E000-memory.dmp
    Filesize
    20.6MB

  • memory/1852-221-0x000000001B380000-0x000000001B662000-memory.dmp
    Filesize
    2.9MB

  • memory/1852-222-0x0000000001FC0000-0x0000000001FC8000-memory.dmp
    Filesize
    32KB

  • memory/2892-228-0x000000001B2E0000-0x000000001B5C2000-memory.dmp
    Filesize
    2.9MB

  • memory/2892-229-0x00000000022A0000-0x00000000022A8000-memory.dmp
    Filesize
    32KB