Overview

overview

10

Static

static

3

2024-02-01...uk.exe

windows7-x64

10

2024-02-01...uk.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    5s
  • max time network
    5s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-02-2024 13:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-02-01_35b13a59b337817d0dd970851a787ebe_ryuk.exe

  • Size

    212KB

  • MD5

    35b13a59b337817d0dd970851a787ebe

  • SHA1

    2c76b02c2c1b84bad236a89b7a2021694901ac8d

  • SHA256

    146a9cad779f2ded42d1254c7c722742fb25d3871babe0dc76555ee28b65a6f8

  • SHA512

    0c4c542a96e177284bec34295cf03122df88847c750d036bc577b62b75c0b4d58756b21500a01018855dd307c57a6238bb866345a3bab1be9dc76b6403fedce2

  • SSDEEP

    3072:skoemwJEECCvcVbQQFrUoR19V6To0Hqs3WvS1:ZEECCElQk3wqF+

Score
9/10

Malware Config

Signatures

  • Detects command variations typically used by ransomware 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-01_35b13a59b337817d0dd970851a787ebe_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-01_35b13a59b337817d0dd970851a787ebe_ryuk.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" stop "spooler" /y
      2⤵
        PID:2320
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "spooler" /y
          3⤵
            PID:4048
        • C:\Windows\System32\net.exe
          "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
          2⤵
            PID:4720
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop "audioendpointbuilder" /y
              3⤵
                PID:3768
            • C:\Windows\System32\net.exe
              "C:\Windows\System32\net.exe" stop "samss" /y
              2⤵
                PID:2836
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop "samss" /y
                  3⤵
                    PID:1824
              • C:\Windows\system32\sihost.exe
                sihost.exe
                1⤵
                  PID:2556

                Network

                MITRE ATT&CK Matrix

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/2556-0-0x00007FF640A50000-0x00007FF640DE7000-memory.dmp

                  Filesize

                  3.6MB

                  Download

                • memory/2556-1-0x00007FF640A50000-0x00007FF640DE7000-memory.dmp

                  Filesize

                  3.6MB

                  Download