16872163a5ee4c33d4f711da61ce54efd67a5eded974a7beed0a19843c2c009a

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05/01/2024, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_375aebba4a4fe70e87e73deb7f12afa5_ryuk.exe
Size

1.8MB
MD5

375aebba4a4fe70e87e73deb7f12afa5
SHA1

cb1e00ea7c35c6fd3d29bf7d4dbaea01b361ef9b
SHA256

16872163a5ee4c33d4f711da61ce54efd67a5eded974a7beed0a19843c2c009a
SHA512

c09bfdeda828cc914f2042d30d9e446ef274cd098039a8bf658cd989458af79a1220d5dd8a2491baeb698249514b754314109abdc9dcf19a5167330fca12df19
SSDEEP

49152:/KfuPS3ELNjV7SZxEfOflgwf0eCks7R9L58UqFJjskU:km9OZxjguC17DVqFJU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
464	Process not Found
2188	alg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ed27ad7b223c682a.bin	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-01_375aebba4a4fe70e87e73deb7f12afa5_ryuk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2976	2024-01-01_375aebba4a4fe70e87e73deb7f12afa5_ryuk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2928	2976	2024-01-01_375aebba4a4fe70e87e73deb7f12afa5_ryuk.exe	15
PID 2976 wrote to memory of 2928	2976	2024-01-01_375aebba4a4fe70e87e73deb7f12afa5_ryuk.exe	15
PID 2976 wrote to memory of 2928	2976	2024-01-01_375aebba4a4fe70e87e73deb7f12afa5_ryuk.exe	15

C:\Users\Admin\AppData\Local\Temp\2024-01-01_375aebba4a4fe70e87e73deb7f12afa5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_375aebba4a4fe70e87e73deb7f12afa5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2976 -s 336
  2⤵
  PID:2928

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\alg.exe

Filesize
109KB

MD5
1039f8868f93f243d5dbfe3025768e4e

SHA1
79ebc8315d96a3ef5e383ab3db7fab678c1f9199

SHA256
fc79cda946318cca93b39de9bd6b9384e781592bd09ddbfed164933c42d75f40

SHA512
75fd8f5b6b46a89d0c35909cdfe586579e06f782605b08ca7fce19ee9b56ecd9ebc2b0c8e980b16dc3b0cc4941aa4cec1f4df98ffa59e6a575cdc9cbc176fbea

Download Submit
\Windows\System32\alg.exe

Filesize
60KB

MD5
5f74063529ebbe20cfac26ce5ccf2ad2

SHA1
2f7988605d01aa8ac3a0d3617b629d42b45f2876

SHA256
37808019f2625d3f17bde51e0867d7ec324505f0167600655639e9cc30504c7b

SHA512
e5adf7407180c43342e178b4ca50e90448222453d025fa47c85fe800f44162813088008b16df8200d7b9c76bcf6656eda08a9466f76b8895a44ee6ac1140b687

Download Submit
memory/2188-14-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2188-13-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2188-21-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2188-20-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2188-25-0x0000000100000000-0x0000000100184000-memory.dmp

Filesize
1.5MB

Download
memory/2976-7-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2976-1-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download
memory/2976-0-0x00000000001D0000-0x0000000000230000-memory.dmp

Filesize
384KB

Download
memory/2976-24-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads