99d0791c8bc23165abc11834d7aac846296bbedbf38ae8f5c59cb5eeb5a9776b

Analysis

max time kernel
13s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 05:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-01-01_bb894850128845ef719aea7f96ed1904_ryuk.exe
Size

4.0MB
MD5

bb894850128845ef719aea7f96ed1904
SHA1

224f7d7c6f630f6c973806ca5cccfe329d3e22c5
SHA256

99d0791c8bc23165abc11834d7aac846296bbedbf38ae8f5c59cb5eeb5a9776b
SHA512

adba113fb2e09bb35c9ca61b8503d187524f3480532ebbd093d88f44677d4fcc91d206cd6172e2e52bbb6d4e02609a30aa3fcac439b997ee7dcc41d1b28c2014
SSDEEP

49152:NcPtqs99XdSM+rCw0sebEmBmLBRHVCmWMeNtYW5l6VT1azclNI3tZnNs4T3Bet2p:qfZ1sea1gtY0l6V1C1x1KGJC

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4736	Ztv0i0vC.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4736-6-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/files/0x0008000000023211-5.dat	upx
behavioral2/memory/4736-44-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ztv0i0vC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Ztv0i0vC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1584	2024-01-01_bb894850128845ef719aea7f96ed1904_ryuk.exe
1584	2024-01-01_bb894850128845ef719aea7f96ed1904_ryuk.exe
1584	2024-01-01_bb894850128845ef719aea7f96ed1904_ryuk.exe
1584	2024-01-01_bb894850128845ef719aea7f96ed1904_ryuk.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4736	Ztv0i0vC.exe
4736	Ztv0i0vC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 4736	1584	2024-01-01_bb894850128845ef719aea7f96ed1904_ryuk.exe	98
PID 1584 wrote to memory of 4736	1584	2024-01-01_bb894850128845ef719aea7f96ed1904_ryuk.exe	98
PID 1584 wrote to memory of 4736	1584	2024-01-01_bb894850128845ef719aea7f96ed1904_ryuk.exe	98
PID 4736 wrote to memory of 2868	4736	Ztv0i0vC.exe	103
PID 4736 wrote to memory of 2868	4736	Ztv0i0vC.exe	103
PID 4736 wrote to memory of 2868	4736	Ztv0i0vC.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-01-01_bb894850128845ef719aea7f96ed1904_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-01_bb894850128845ef719aea7f96ed1904_ryuk.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Public\Downloads\PMo7w0AD\Ztv0i0vC.exe
  "C:\Users\Public\Downloads\PMo7w0AD\Ztv0i0vC.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Downloads\PMo7w0AD\Edge.jpg

Filesize
358KB

MD5
b912a845740113c09382e5bdb264afd8

SHA1
5cc8960d4df571b22e732a2c98492b3fe51cca7f

SHA256
223c11609b372f2ccdf31141ad57697e55559fc193f5bba9216f2da6c4a5da0f

SHA512
f3e6f9ac6d25d6ec694d85802f404148dcec907378e6473f85b2489f6ef955a5daaa1947be40fe3ae12519729831cc85c2aad440ac540de7e0962fbd36c87222

Download Submit
C:\Users\Public\Downloads\PMo7w0AD\Ztv0i0vC.dat

Filesize
5KB

MD5
9596f4d143be7ccff6ce324234715e15

SHA1
d81c2bfcbeb12d1f48adae518b3ecea7f67b75d9

SHA256
4ae3caf270548cac1a74078cae4b704583bdd58aebb590b1aa51f9451ea71f5b

SHA512
88db1a8c70b12a60648a79802fdd166314e4bd2d25a60d9c8ea2203549fff3be41cb2fa8827287e13f210b9023734173b351d902d86768869d9fabf79f06a71c

Download Submit
C:\Users\Public\Downloads\PMo7w0AD\Ztv0i0vC.exe

Filesize
21KB

MD5
838ea30157632959b47ddc93a82856f3

SHA1
077ef86169480f6c4c86742d82d4c3b6652c4bcd

SHA256
e82b27dd209c1cc48423ccf7a23d5e722d13b92961c63e0c8630355d2f49392d

SHA512
4bf6c49c1e4bd58daad1faa2ab19b0f8bd38323d0e76f48a8760b368c8cf392dffa8661a73d9c397ef06b0982e8785b2bab54c7c373815bbd94688147c323bbc

Download Submit
C:\Users\Public\Downloads\PMo7w0AD\edge.xml

Filesize
53KB

MD5
d569577d8247791b3d861b220a01e8d5

SHA1
e6c0082fefa6da45df90cec88f28e04c2252e82e

SHA256
edf575a66fa51fcee814d4f5e565c5cea39890354cad23b3e60f40d3e571f357

SHA512
b371749a47ed499e078a179fa29dd952cd3ff9eb92a06c4b249801e21d0db0892f0a0e77584debe307d85017ca89143a87f4d2f2ee15cfa7995460a7ba634fea

Download Submit
memory/4736-6-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4736-28-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4736-32-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/4736-30-0x00000000037C0000-0x00000000037D2000-memory.dmp

Filesize
72KB

Download
memory/4736-44-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download