Overview

overview

7

Static

static

3

2024-01-10...uk.exe

windows7-x64

5

2024-01-10...uk.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    161s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2024 05:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-01-10_fda3b583f9ce8e11896b603a1fbd2b6e_ryuk.exe

  • Size

    1.7MB

  • MD5

    fda3b583f9ce8e11896b603a1fbd2b6e

  • SHA1

    8186d3d9599f9fab538ce25b0e86d4d15ab2f64c

  • SHA256

    42c884f1595cdf0b00760519c9a63c404f628f8e773e3173f2a47e4393452b1a

  • SHA512

    80fa14a42897f9120fc315743d8c2ece59577f65ea4a38bce7b015b4997213b0f71e23c76ab6211216a3cfbd8a81c38d3bf3172ca80c6359e32e3dd04f64f329

  • SSDEEP

    49152:T4f65cTlG8mMHcn3obb0P8/snji6attJM:TSG8mM8wEnW6at

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 7 IoCs
  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-01-10_fda3b583f9ce8e11896b603a1fbd2b6e_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-01-10_fda3b583f9ce8e11896b603a1fbd2b6e_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1128
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    PID:1376
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:1296
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:1136
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:3216
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:3004
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:3220
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:3828
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:4720

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      Filesize

      2.1MB

      MD5

      05233a328f660a8c419bd18b44571d70

      SHA1

      f43d53cae6edb091fc2c2bdd473da95a6e824f38

      SHA256

      65c6caae15f2de283e7b4ddeb7fa727443e40cc12aaf575df08899ad141fa67b

      SHA512

      8d27e69a6b90debda94688e0347c945303ad031cd86ec27e034fe16698a6e781f7b4d2878ddcd9515b7eed963389c88b0650dcc7f1a4e2e3f911198a8746e5d7

      Download Submit

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      Filesize

      1.3MB

      MD5

      d3bc9f3c599ecc23eda66cae9c449fd1

      SHA1

      cc09954b6cec48eaea25599978244b764a2d30e1

      SHA256

      3ca49266ae1372be899d2e654779b70eb1def02543f1c21e57ff7b6b5288c316

      SHA512

      7102f2ee3ba2b1c24c4c1310e25aff760e4297d75b9cf64b51b6771d82166bb51a87cc21c2d56ee333acb868b57a1fbb02993e122cefa3ea80b17ef80d824c72

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
      Filesize

      1.3MB

      MD5

      4ce41645f05bd9b0b51925264586ec93

      SHA1

      f0d31eab5f229084a5915172c78d67ccbe887449

      SHA256

      2ec5e32edfba7272f710f7c52cb9562bbfad4e970418f1d9bb7076ef58a993ac

      SHA512

      943147276a5794c7c0816ba0bdaf4e300a3a653b3952679dbc6e7ee97b777a5a246b17b953b6a3982bd56b74b2e4da0ea0ea228e39af25cc5161ad8e4e904566

      Download Submit

    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      Filesize

      2.1MB

      MD5

      76dd801178d394f2c71ebeccc8904561

      SHA1

      56371d6c07ae5082d26133990fcaedea9ba6d39c

      SHA256

      b3517375902f2d6a4405b5fb787666cebe2b31f301e7a2c2b03a58b940e32a86

      SHA512

      16fc33aaada96dfd0a2826250f0ac6375b4a922c4f64886ce559b148332bd66cb3f1da4d3332ae1b0e6464f7ca555d0c04e2843fd687758e5934cf4c52d9c7dd

      Download Submit

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      Filesize

      1.2MB

      MD5

      45865c33dbd7e483a6c9a6a88bff9b1b

      SHA1

      5acf4d1449f676dae3c8a6460dc94940937a8c95

      SHA256

      d7ea7d6844d1fbb8e603c9822a8ecd9b3f78ca665ef7b4cc08c1a2f1c2c1804d

      SHA512

      d2f052705e01262f1e67ac44325c82e71ff1f32f08fdf710463dfa05436147ac36b6b65b17a0d7e616f5edf8d68b26fa58565f0aa5aebc054ab01ba0a864200f

      Download Submit

    • C:\Windows\System32\FXSSVC.exe
      Filesize

      1.2MB

      MD5

      669c38489b96b523ddd674d7e242ea4a

      SHA1

      bab85c0fad5b7194e72b268d2233660a2c2bcced

      SHA256

      9460cc06b04133d43f08248f4cb0c136438428295663d37bfe99674707897e8c

      SHA512

      96c7cfd048e6a6493e152e5910aab8ce6c043d57b7a4268601b96a3ff4a8b34941692718e32ad1a49a56cd072c006ccff9522032aaed14f8f9eba957ca37165b

      Download Submit

    • C:\Windows\System32\alg.exe
      Filesize

      1.2MB

      MD5

      63cba65b27787b942501886552357add

      SHA1

      f88b016936d4a96100ce68d0ac3cc13dd0076429

      SHA256

      f8783604c4c7f3908a9af443040ea3cc4d7a6a5e19d43b9b4d19e191372af7ba

      SHA512

      8ca6619b78c1fe8a92d4cb96f7a2872c4d4d751cac06ce6f18bbed8b1ae583e3558c618cf188c588945e774ec91004c6f826710af124a6f3d16c2962dce9e0b4

      Download Submit

    • C:\Windows\system32\AppVClient.exe
      Filesize

      1.3MB

      MD5

      e583296a4091e41ae85acabc72a4bde0

      SHA1

      5bf11737218dac06ba1ba97f00474ca69e6fa8b7

      SHA256

      494483ca594bb0fb3f99db6e6c5d867a885eb9410f8e80469dc27bf9d32d6d6a

      SHA512

      6e9ffaf74f1943d0e1e7d7518e05f13eecbac7ecbff056c6c5eb28ce57286c27221089b94d841f53394a6d7e9255b2e7ec0206149e90d4f4c78a2845e74f9fc3

      Download Submit

    • memory/1128-7-0x0000000000710000-0x0000000000770000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1128-8-0x0000000000710000-0x0000000000770000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1128-1-0x0000000000710000-0x0000000000770000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1128-39-0x0000000140000000-0x00000001401CF000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1128-56-0x0000000140000000-0x00000001401CF000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1128-0-0x0000000140000000-0x00000001401CF000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1296-34-0x00000000006C0000-0x0000000000720000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1296-26-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1296-62-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1296-27-0x00000000006C0000-0x0000000000720000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1376-51-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1376-14-0x0000000000740000-0x00000000007A0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1376-20-0x0000000000740000-0x00000000007A0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1376-13-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3004-60-0x0000000000CB0000-0x0000000000D10000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3004-59-0x0000000140000000-0x0000000140237000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3004-68-0x0000000000CB0000-0x0000000000D10000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3004-114-0x0000000140000000-0x0000000140237000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3216-38-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3216-50-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3216-48-0x0000000000EA0000-0x0000000000F00000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3216-46-0x0000000000EA0000-0x0000000000F00000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3216-40-0x0000000000EA0000-0x0000000000F00000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3220-73-0x0000000140000000-0x000000014022B000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3220-79-0x00000000001A0000-0x0000000000200000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3220-72-0x00000000001A0000-0x0000000000200000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3220-118-0x0000000140000000-0x000000014022B000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3828-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3828-85-0x0000000140000000-0x0000000140156000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3828-90-0x0000000000CD0000-0x0000000000D30000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3828-93-0x0000000000CD0000-0x0000000000D30000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3828-95-0x0000000140000000-0x0000000140156000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4720-99-0x0000000140000000-0x000000014015B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4720-98-0x00000000007D0000-0x0000000000830000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4720-106-0x00000000007D0000-0x0000000000830000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4720-120-0x0000000140000000-0x000000014015B000-memory.dmp

      Filesize

      1.4MB

      Download