878ee0d81844daa05f06e098e16eabb1dec5d02b307d4108419d1797eedf2d51

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 23:45

Target

2024-01-25_64f399a4ebcf8f12d8d0860478b38c4b_cobalt-strike_ryuk.exe
Size

796KB
MD5

64f399a4ebcf8f12d8d0860478b38c4b
SHA1

efc9c9ddabea3400a4473eb8e0057784032395b7
SHA256

878ee0d81844daa05f06e098e16eabb1dec5d02b307d4108419d1797eedf2d51
SHA512

88e9afc9f237672b2b406fef41ef1a3f531aa04304e0eaf5808c9a6c34b62d31bebb8fe7028821dfb1a0bf353db40fd6ff12ad96f478578d1a496b9977bf602b
SSDEEP

24576:SANw2438gXe4i7ojhsP5Lgrk1TWb4AN5:Sew2ke30jaNf1TWbdz

Score

1^/10

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2724	2024-01-25_64f399a4ebcf8f12d8d0860478b38c4b_cobalt-strike_ryuk.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_64f399a4ebcf8f12d8d0860478b38c4b_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_64f399a4ebcf8f12d8d0860478b38c4b_cobalt-strike_ryuk.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

memory/2724-0-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2724-1-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2724-10-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2724-8-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2724-12-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2724-7-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download