Overview

overview

10

Static

static

3

2024-02-01...uk.exe

windows7-x64

10

2024-02-01...uk.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    5s
  • max time network
    12s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-02-2024 13:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-02-01_4b856a1955455820d78ff42a58a77cd8_ryuk.exe

  • Size

    212KB

  • MD5

    4b856a1955455820d78ff42a58a77cd8

  • SHA1

    738ac3a6503620634fe841aac9a3bdff44efe8db

  • SHA256

    2d90f3ce2c9cb5e3cb5365e5f618e96c80a08133839ff6b29fc4808fe70ddf41

  • SHA512

    d017e766a3ca6f4ef71f137c3b8acd9e4b764ab47c3b5436113c08f1df0e33604b4f2954555edbcd1f3c38d64795a007a627656178c5827661773c45b162ab6f

  • SSDEEP

    3072:skoemwJEECCvcVbQQFrUoR19V6To0Hqs3WvSp:ZEECCElQk3wqFu

Score
9/10

Malware Config

Signatures

  • Detects command variations typically used by ransomware 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:3028
    • C:\Users\Admin\AppData\Local\Temp\2024-02-01_4b856a1955455820d78ff42a58a77cd8_ryuk.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-02-01_4b856a1955455820d78ff42a58a77cd8_ryuk.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\System32\net.exe
        "C:\Windows\System32\net.exe" stop "spooler" /y
        2⤵
          PID:372
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop "spooler" /y
            3⤵
              PID:4564
          • C:\Windows\System32\net.exe
            "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
            2⤵
              PID:4416
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop "audioendpointbuilder" /y
                3⤵
                  PID:2372
              • C:\Windows\System32\net.exe
                "C:\Windows\System32\net.exe" stop "samss" /y
                2⤵
                  PID:2100
                  • C:\Windows\system32\net1.exe
                    C:\Windows\system32\net1 stop "samss" /y
                    3⤵
                      PID:964

                Network

                MITRE ATT&CK Matrix

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/3028-0-0x00007FF6B5F20000-0x00007FF6B62B7000-memory.dmp

                  Filesize

                  3.6MB

                  Download

                • memory/3028-1-0x00007FF6B5F20000-0x00007FF6B62B7000-memory.dmp

                  Filesize

                  3.6MB

                  Download