Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 05:46
Static task
static1
Behavioral task
behavioral1
Sample
2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe
-
Size
3.6MB
-
MD5
a259fc34b22d352805b9f4d635b85fb6
-
SHA1
6fe1befb5519afc4bdc4298cfaa5b0ffb6ab7c2c
-
SHA256
05a0fb3e46f20ae833fc9d85e4a9f529095eb509e8204eeea7b55ff4621ae8e7
-
SHA512
8617dfca092438734099d6f09ba31cc2c0305358f725b346873992db9ad196de73da313cb0e441b73d4920001aabcddbeb659d9043a19c7888d241e4fc36f640
-
SSDEEP
24576:bw317sPycp8nCB3C+u7u/Q4uqiM4wDeEJlUcwmf2Z7agXWn2NXdndBhTC3bc22rr:bByPnI+rvmfKuYndbTQi6r
Malware Config
Extracted
meduza
109.107.181.162
-
anti_dbg
true
-
anti_vm
true
-
build_name
592
-
extensions
none
-
grabber_max_size
1.048576e+06
-
links
none
-
port
15666
-
self_destruct
true
Signatures
-
Meduza Stealer payload 9 IoCs
resource yara_rule behavioral1/memory/2328-5-0x0000000140000000-0x000000014013E000-memory.dmp family_meduza behavioral1/memory/2328-8-0x0000000140000000-0x000000014013E000-memory.dmp family_meduza behavioral1/memory/2328-10-0x0000000140000000-0x000000014013E000-memory.dmp family_meduza behavioral1/memory/2328-11-0x0000000140000000-0x000000014013E000-memory.dmp family_meduza behavioral1/memory/2328-6-0x0000000140000000-0x000000014013E000-memory.dmp family_meduza behavioral1/memory/2328-3-0x0000000140000000-0x000000014013E000-memory.dmp family_meduza behavioral1/memory/2328-4-0x0000000140000000-0x000000014013E000-memory.dmp family_meduza behavioral1/memory/2328-25-0x0000000140000000-0x000000014013E000-memory.dmp family_meduza behavioral1/memory/2328-26-0x0000000140000000-0x000000014013E000-memory.dmp family_meduza -
Meduza family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe -
Deletes itself 1 IoCs
pid Process 2648 cmd.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 api.ipify.org 6 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2500 set thread context of 2328 2500 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 31 -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2648 cmd.exe 2828 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2828 PING.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2328 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2328 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe Token: SeImpersonatePrivilege 2328 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2500 wrote to memory of 2328 2500 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 31 PID 2500 wrote to memory of 2328 2500 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 31 PID 2500 wrote to memory of 2328 2500 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 31 PID 2500 wrote to memory of 2328 2500 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 31 PID 2500 wrote to memory of 2328 2500 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 31 PID 2500 wrote to memory of 2328 2500 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 31 PID 2500 wrote to memory of 2328 2500 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 31 PID 2500 wrote to memory of 2328 2500 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 31 PID 2500 wrote to memory of 2328 2500 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 31 PID 2500 wrote to memory of 2328 2500 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 31 PID 2500 wrote to memory of 2328 2500 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 31 PID 2328 wrote to memory of 2648 2328 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 33 PID 2328 wrote to memory of 2648 2328 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 33 PID 2328 wrote to memory of 2648 2328 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe 33 PID 2648 wrote to memory of 2828 2648 cmd.exe 35 PID 2648 wrote to memory of 2828 2648 cmd.exe 35 PID 2648 wrote to memory of 2828 2648 cmd.exe 35 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2328 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2024-11-07_a259fc34b22d352805b9f4d635b85fb6_ryuk.exe"3⤵
- Deletes itself
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 30004⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2828
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1