Analysis

  • max time kernel
    150s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/03/2025, 02:33

General

  • Target

    2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe

  • Size

    1.0MB

  • MD5

    6f1f60d754943d430fc0972d80250baa

  • SHA1

    adf06a5a69d5baf86e78f43e239ad4e0e8f25315

  • SHA256

    768e033c269b8035a23a73c3b31be5d659daa626daa08c17a3b302cc07fe2348

  • SHA512

    bd4e2ce0cf5a86d538e815efce24062155b6026ffa2b03564a001f0eaccf39c02b2b17a6fe5676b338bb6ac8e73df160a9e9e2af80cdb6821aba72764386e522

  • SSDEEP

    24576:TR+cl7X1BRnI6hmebOe1gmx2Jg+DTcTugiIwsQhlRv9x/9K4CfFiEr0CJ:l+clb1BRntmeSKHStRv9xFK1gEr0E

Malware Config

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • Badrabbit family
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Mimikatz family
  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Manipulates Digital Signatures 1 TTPs 3 IoCs

    Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

    Payload decoded via CertUtil.

  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Delays execution with timeout.exe 6 IoCs
  • Modifies Control Panel 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-19_6f1f60d754943d430fc0972d80250baa_cova_ryuk.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe
      "C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\79D3.tmp\79D4.tmp\79D5.bat C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
        3⤵
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5844
        • C:\Windows\SysWOW64\mode.com
          MODE CON: COLS=100 LINES=25
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1264
        • C:\Windows\SysWOW64\mode.com
          MODE CON: COLS=100 LINES=25
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4572
        • C:\Windows\SysWOW64\certutil.exe
          certutil -decode "Image.bin" "Encrypted.jpeg"
          4⤵
          • Manipulates Digital Signatures
          • Deobfuscate/Decode Files or Information
          • System Location Discovery: System Language Discovery
          PID:3592
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2652
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2856
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:1452
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 5
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:3728
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 5
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:3964
        • C:\Windows\SysWOW64\wscript.exe
          wscript "0.vbs"
          4⤵
          • Checks computer location settings
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          PID:4708
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5388
        • C:\Windows\SysWOW64\wscript.exe
          wscript "0.vbs"
          4⤵
          • Checks computer location settings
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          PID:4384
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2772
        • C:\Windows\SysWOW64\wscript.exe
          wscript "0.vbs"
          4⤵
          • Checks computer location settings
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          PID:2288
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4256
        • C:\Windows\SysWOW64\wscript.exe
          wscript "0.vbs"
          4⤵
          • Checks computer location settings
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          PID:3740
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4748
        • C:\Windows\SysWOW64\wscript.exe
          wscript "0.vbs"
          4⤵
          • Checks computer location settings
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          PID:3492
          • C:\Windows\SysWOW64\RUNDLL32.EXE
            "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5148
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 4
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:3976
        • C:\Windows\SysWOW64\wscript.exe
          wscript "m.vbs"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5380
        • C:\Windows\SysWOW64\mode.com
          MODE CON: COLS=100 LINES=25
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3556
    • C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
      "C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5712
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5372
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Delete /F /TN rhaegal
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5492
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Delete /F /TN rhaegal
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2677162815 && exit"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2677162815 && exit"
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:3440
        • C:\Windows\SysWOW64\cmd.exe
          /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:52:00
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:52:00
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:3692
        • C:\Windows\82BD.tmp
          "C:\Windows\82BD.tmp" \\.\pipe\{91998CAF-D4F4-4712-AFFB-5C1290359E7A}
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4632
    • C:\Users\Admin\AppData\Local\Temp\FMLN.exe
      "C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:6092
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\79C4.tmp\79C5.tmp\79C6.bat C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Windows\system32\mode.com
          mode con: cols=170 lines=45
          4⤵
          PID:348

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\0.vbs

      Filesize

      383B

      MD5

      e8ac1f187bb02b76ff45f3a3977c6669

      SHA1

      a6246d99d7f0347e246399576342e7e118d6cb2a

      SHA256

      8b163a7e7bc1048d74b3b0298b85bc453cf349c9adb53d76adf391ef0491db26

      SHA512

      f7f67854fdd19718a5fe8aaf99cf722ffb73a8151c8d3f214e89b44b0c4cba24c5fbfd390246e9cb2423919d0b4f694117c09b7697853168156d77efbb83397b

    • C:\Users\Admin\AppData\Local\Temp\10497_30168.bat

      Filesize

      127B

      MD5

      71f2ece5d6de26f528ff0e1c9382f1c9

      SHA1

      12b4fe9e4f1d4e0ea494393282baeb58f5991c8e

      SHA256

      648b31ac461f2539e111298e9d5f8e154ed8852a4f8c57cceec17504da8cdb01

      SHA512

      0236aa82c44f9cdc7230d2b46c910c794820202e697031c893ed8502883f310bc202beee7d4a502f5508c8f6c320f9479e48be30f24f344624a0224a1f549c56

    • C:\Users\Admin\AppData\Local\Temp\79C4.tmp\79C5.tmp\79C6.bat

      Filesize

      54KB

      MD5

      93841169c4264ce13735e8b116d06226

      SHA1

      1ceac2fe01f6bdb37bdeb73ba13cd7ed99d0f608

      SHA256

      82bf8fbb4b79fdd9a21518373ddd57fc2d6c53599458a055f64e20d40dc85f2b

      SHA512

      ce98cac504828ac676d1069f6d0cedc55ff68bf51d2b01df0108ec632bdc0aa1f809ef6ddb000fa1c59ea66723c903cf37412d98f59ff7032777a45b2c72e871

    • C:\Users\Admin\AppData\Local\Temp\79D3.tmp\79D4.tmp\79D5.bat

      Filesize

      33KB

      MD5

      4b42191175209ea23203acc526307c00

      SHA1

      a77abea54f5b2a0084fd1574a1c5b6e1df1df054

      SHA256

      4ce518699c3f97015eb2f81b09325c8f67213d0efaec73bbf924a5bdf3d5152c

      SHA512

      fb35705095153a587a253160a92268c8e03605f87ecbb45dd3a0c4ca59e255046188cb9476d99f8164458506d2e5057e6127f0e0fe7997471e7381cc4a08ec42

    • C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe

      Filesize

      122KB

      MD5

      d6e36f6b145a4601a84835b7e8a0bbc2

      SHA1

      3c7e26433f5f42fe69fbe4b3c2e6d9d7b196697c

      SHA256

      46038db7643482e1d25939e6c7be35a7e7529fd716570e25e4137f6a79a1c316

      SHA512

      e10acbaa6e1cd5cc4350dc789841e2638fb50b152aebc65bee2c07ad94f7e6ae1ce6bd51c5f5f6952f970ee364f2515417608e872c3b97b0cf749bb86fa0b72e

    • C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe

      Filesize

      431KB

      MD5

      fbbdc39af1139aebba4da004475e8839

      SHA1

      de5c8d858e6e41da715dca1c019df0bfb92d32c0

      SHA256

      630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

      SHA512

      74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

    • C:\Users\Admin\AppData\Local\Temp\FMLN.exe

      Filesize

      258KB

      MD5

      c87988e35ec34779191f42b6213fdec1

      SHA1

      81036dcf6ea331243f2d512b8ac9611a95a18ea1

      SHA256

      96f3ce153153f922fb18e4722b0348aee2c76022bcdee75fadab97023003fe10

      SHA512

      ba32f9bc18fb187fa4dc03bb1db903255c16af62dc903521ddd8fb120e5599bbccb4fa12255f0195a5e51b6a99ee5228bc0515f299c0ebb1b1a5134e61aab9e4

    • C:\Users\Admin\AppData\Local\Temp\Image.bin

      Filesize

      21KB

      MD5

      f6f72da7cd731682ff5442ba541457e2

      SHA1

      60bddfc609fad2f80c0688905e795e51003d9433

      SHA256

      00a5048d9f74271e4cd5c36cf1434c789a8c16206ff5fca1c785156e01693bc1

      SHA512

      2a09df3df3d89ec413f31f7a20254513db6323e7c7e5e041161f55dfefcc80d22870c512f71aad77e7e9ef775b635a707ddf60b0bb4ef458bff6e15f1e425e5d

    • C:\Users\Admin\AppData\Local\Temp\README.txt

      Filesize

      564B

      MD5

      df6412cc0f77ce16caf3602c53d7a4be

      SHA1

      aa34421e95cb3a642842a63f5cfd46763e9b9a8c

      SHA256

      51bc53f8dba5178e0063e41e54197c4d7a566df509e67cc40c02137fd7ee2ac6

      SHA512

      335b790a29f91853899eae21d5973c839e5a9edfc49496ce6de909ec20bdfc9841dd14042727dd6b3dec091337fcdbb8ae8f1e44f4d8619723a2e882e50e667b

    • C:\Users\Admin\AppData\Local\Temp\m.vbs

      Filesize

      71B

      MD5

      cbaa7c6cb3c383b11dd691b316f2a91b

      SHA1

      0f2d66cea7cc24e0dda9972e05a7b236a9bcbc9e

      SHA256

      5f1ffcde4ee668c3350fdd9730df67adc35c704342ac2224924069c9bae2be95

      SHA512

      fe74a8ccd7875e7bf9588d386fd886810dc0edd01216bf5a886add985fcbb813296a606ec83028a90d30b4df348125827300a98f2ec6081a5d981d09316a44f9

    • C:\Windows\82BD.tmp

      Filesize

      60KB

      MD5

      347ac3b6b791054de3e5720a7144a977

      SHA1

      413eba3973a15c1a6429d9f170f3e8287f98c21c

      SHA256

      301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

      SHA512

      9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

    • C:\Windows\infpub.dat

      Filesize

      401KB

      MD5

      1d724f95c61f1055f0d02c2154bbccd3

      SHA1

      79116fe99f2b421c52ef64097f0f39b815b20907

      SHA256

      579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

      SHA512

      f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

    • memory/5372-77-0x0000000002A00000-0x0000000002A68000-memory.dmp

      Filesize

      416KB

    • memory/5372-38-0x0000000002A00000-0x0000000002A68000-memory.dmp

      Filesize

      416KB

    • memory/5372-47-0x0000000002A00000-0x0000000002A68000-memory.dmp

      Filesize

      416KB