1ad0ff543542701cf58816ff9a7451d89b71e9aa23c95a8d39fccc600c3f6411

Analysis

max time kernel
1s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe
Size

1.1MB
MD5

8fad5909fa55c7230235da604a6ea6b2
SHA1

4b8959103aad431f95e425431a14205999d5514e
SHA256

1ad0ff543542701cf58816ff9a7451d89b71e9aa23c95a8d39fccc600c3f6411
SHA512

525b3398460ec92cdb8b483eb215442a047bcbb93505914496045444ec87b731ae1249c8e6f6fcc0d3c0984704ac7dba799529fbc15c943a0773c415981a2ba4
SSDEEP

24576:sSi1SoCU5qJSr1eWPSCsP0MugC6eTFt/sBlDqgZQd6XKtiMJYiPU:ES7PLjeTn/snji6attJM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
3464	alg.exe
4812	DiagnosticsHub.StandardCollector.Service.exe
4680	fxssvc.exe
4440	elevation_service.exe
756	elevation_service.exe
4528	svchost.exe
3384	msdtc.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d991d8134d74bb6b.bin	alg.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	svchost.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	456	2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe
Token: SeAuditPrivilege	4680	fxssvc.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-09_8fad5909fa55c7230235da604a6ea6b2_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4440

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:4528

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:1336

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
PID:3276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4528

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4548

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2932

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:5336
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:2912
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  PID:5356

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5204

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:3644

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
PID:5012

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
PID:628

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
PID:4680

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:4840

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:2152

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
PID:4596

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:784

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
PID:3384

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:756

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
79KB

MD5
9331eccfeb449d101cf374012c488f63

SHA1
04f2163867bdbe19d72f3761c133e59f11623805

SHA256
3370305303f865012addde772d32148f593a1d88f7c7c7a8fe43b0637b9f8e50

SHA512
54e447500321b10995c25c560deb58c44607f543498bbc0734efe99622317838b7b8a86ef3b85058fa3c0e3d206d5696dab04a2779523a9f14f4d74a65fd027f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
51KB

MD5
266dd88907f2547f30c6a188003b8ee9

SHA1
796e812855c81b177ac9a50d9cdebaaa0d61e469

SHA256
7e2d2e50ed580a658a64e9ee960ac562cc13c4ecb0184313ed3e064b4119e51e

SHA512
40c28ceeba2f177e8489cac5419d60a51f8e265e92638e43b83e4e6ea1f6ba29e258ffa79625823e85575d8a63b36ad7846827f94c4c61485a9751e7aef7abfa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
160KB

MD5
ffc8b844743b23a8575b6d6cd98db68b

SHA1
ab244a886981e75aadc68ad16b99e09cadfdbe52

SHA256
7b2db1b9d1807252beb981e94e0b44f28500dc93f8e0682b6ac8ee140c0955e1

SHA512
663951f0a4409c030808ea45949c3ceef1b9d1ae1ad1c90d0078f0e1bbc750bec74fdbb95a80079ccdf9d5c3fef95dd30c41881be937109eaeb68a999b830414

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
124KB

MD5
3db7c7413b4d9e36e77920fb8ad4dacd

SHA1
a69ed803b31a0fcd527f77f9bd69590b56d7938b

SHA256
37b26bfc7acf063b6a4f1039c4dd32d908d0a28100f6bca825f9aee15e6f702a

SHA512
c904b26181736b2b0768dad9190b3bc5210911be359da1bc80d0d56dca625d46c5831212176956090e91bc2d6c7f91ff6bb5a1266b35fc78a89cb515e446e398

Download Submit
C:\Windows\System32\Locator.exe

Filesize
42KB

MD5
65b9cedc7b218b0b1104bbf27c73e809

SHA1
5e805d01f7fbf37770809fb821d4cf68ba7f2314

SHA256
af07304b5a7ff27a4c5fbb74ca05cf0f330d10870d1105f47dd747e5d1c0f669

SHA512
b181976eafa037ac1b8415d5b8eeda2b2e3297355cbf9ac895ccd2222a609217009a5290122b878cdbdf9746d6e01d4325d50fdb8b877211fc6d29c651925cfb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
9KB

MD5
5d6d3ba5649366ea9deb19d3172d802a

SHA1
08fe9c22900aeff247854bd82523c8dd0a16a537

SHA256
b108d20e234862fd1b9354b6858fc6a1bcd6c9c3c792e3f72532966f5025eab6

SHA512
a4a4a5f214055e62c3ff0dfe28a7585a2a32495e05b17e518214d4ac851ad9287c48a0a6f1c4254a02c98ea5258e83423915ee84f2836587ba6ce9a4dea0bd01

Download Submit
C:\Windows\System32\alg.exe

Filesize
143KB

MD5
d197513f630bd7ede2459942041096a3

SHA1
1adf09beed465f29ea5ad5f631ddc7e1ddf68fd1

SHA256
e983d79d465875bd06ad87c0e9194976df2b9a863f127d1d9e0f3e0ac7ca440b

SHA512
0363ab2537b2db208317a7403653c44bec1b835e0c616711afbb98a37cb91a5d50edf6ae8739534f07261a8fb5eb1cba4edb09d536e188b1dc5ae1b8bad4df9f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
71KB

MD5
9fff01fc98a57dd2c662a28c76270465

SHA1
57271aac64b5ea9f2499d79d1088be2a45ccbd36

SHA256
6a1063b9b04f5ba93099608232c45fc67eb59d00a9768668d1534aabad38a0e9

SHA512
4ef67ed4a9811bc4506ffefb2165f3aac9d2733b0ea3f0425ef1b8c36f44d90b07c160a19b7d3c08eabd9ca11712c9fa0be18469b4060d7af0f62fd335bcbfd2

Download Submit
memory/456-0-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/456-1-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/456-7-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/456-63-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/628-201-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/628-210-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/628-269-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/756-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/756-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/756-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/756-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/784-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/784-113-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/784-172-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1336-208-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/1336-198-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1336-141-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/1336-134-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1784-244-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1784-251-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1784-499-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2152-145-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2152-213-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2152-154-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2932-277-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2932-271-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3276-162-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3276-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3276-169-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3384-160-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3384-101-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3384-93-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3384-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3464-74-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3464-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3464-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3464-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3644-227-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3644-240-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3644-239-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3644-234-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4440-58-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4440-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4440-52-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4440-123-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4528-87-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4528-89-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4528-76-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4528-83-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4528-75-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4548-256-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4548-264-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4596-184-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4596-125-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4596-131-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4680-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4680-255-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4680-44-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4680-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4680-38-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4680-193-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4680-186-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4680-48-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4812-32-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4812-25-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4812-33-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4812-91-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4812-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4840-242-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4840-182-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4840-174-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5012-281-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5012-214-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5012-221-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/5204-291-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5204-284-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5336-296-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5336-304-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/5356-506-0x000001B5E9BC0000-0x000001B5E9BD0000-memory.dmp

Filesize
64KB

Download
memory/5356-510-0x000001B5E9BD0000-0x000001B5E9BE0000-memory.dmp

Filesize
64KB

Download