Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 02-02-2024 22:36
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-02-02_9979e8f23ae6a9489126b4ca90b7b3bb_ryuk_sliver.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2024-02-02_9979e8f23ae6a9489126b4ca90b7b3bb_ryuk_sliver.exe
  Resource: win10v2004-20231215-en
General
Target: 2024-02-02_9979e8f23ae6a9489126b4ca90b7b3bb_ryuk_sliver.exe
Size: 3.3MB
MD5: 9979e8f23ae6a9489126b4ca90b7b3bb
SHA1: 9d47e0c0a919164d8d5c232708304698b8b75e2f
SHA256: 11b4ff10fc0717386cf56087558904b872c9a1f7ecf44ca7b06dc0b61ce304df
SHA512: 646f8f5d0ffa314d04d2caf1677f166edbee306dc4fff43b0e1d68e646b29957bc9d2584d5e7c013e73272e7821070467af4f95efca7ff8a8df2ad2c804655fe
SSDEEP: 49152:UX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85QO:UlRsZ47/QXoHUOfAoj1x6O
Malware Config
Signatures
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1272, process 2024-02-02_9979e8f23ae6a9489126b4ca90b7b3bb_ryuk_sliver.exe

Suspicious use of AdjustPrivilegeToken (40 IoCs)
  All 40 events are on pid 3044 (wmic.exe), the child process, not on the sample itself. The same set of 20 privileges is enabled twice:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and three privileges reported only by number (33, 34, 35).

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1272 wrote to memory of 3044 (three identical events)
  pid: 1272
  Process: 2024-02-02_9979e8f23ae6a9489126b4ca90b7b3bb_ryuk_sliver.exe
  procid_target: 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-02-02_9979e8f23ae6a9489126b4ca90b7b3bb_ryuk_sliver.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-02_9979e8f23ae6a9489126b4ca90b7b3bb_ryuk_sliver.exe"
   PID: 1272
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wbem\wmic.exe (child of PID 1272)
      Command line: wmic os get oslanguage /FORMAT:LIST
      PID: 3044
      - Suspicious use of AdjustPrivilegeToken
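Two of the three signatures above describe the LOLBin rather than the sample: every AdjustPrivilegeToken event is on wmic.exe, which enables a broad set of privileges on its own token when it starts, and the three WriteProcessMemory events are the parent writing into a child it has just created, which CreateProcess does as a matter of course. Neither is injection evidence on its own. The behaviour in this report that is worth a detection is an executable running from a user's Temp directory spawning wmic.exe to read the OS language. The following is an added example, not part of the sandbox report or of any vendor's rule set: a small detector over process-creation events modelled on the process tree above. The event records, the benign cmd.exe comparison case and the severity scheme are constructed assumptions for illustration.

```python
"""Flag processes that spawn wmic.exe to query the OS language.

Modelled on the report's process tree (sample pid 1272 -> wmic.exe pid 3044).
Added example; the event format is a simplified stand-in for Sysmon Event ID 1
or an EDR process-creation record, not the sandbox's own data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2024-02-02_9979e8f23ae6a9489126b4ca90b7b3bb_ryuk_sliver.exe")

# Constructed sample events. The explorer.exe / cmd.exe entries and their pids
# are hypothetical filler so that the tree has a benign comparison case.
SAMPLE_EVENTS = [
    ProcEvent(1000, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1272, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(3044, 1272, r"C:\Windows\system32\wbem\wmic.exe",
              "wmic os get oslanguage /FORMAT:LIST"),
    # Benign: an admin typing the same query into an interactive cmd.exe.
    ProcEvent(4100, 4000, r"C:\Windows\system32\wbem\wmic.exe",
              "wmic os get oslanguage"),
    ProcEvent(4000, 1000, r"C:\Windows\system32\cmd.exe", "cmd.exe"),
]

# "os get ... oslanguage" in any casing, with or without /FORMAT options.
OSLANG_RE = re.compile(r"\bos\s+get\s+.*\boslanguage\b", re.IGNORECASE)
# Parent image located under a user's AppData\Local\Temp, as in the report.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\",
                          re.IGNORECASE)


def find_oslanguage_probes(events):
    """Return one finding per wmic.exe process whose command line reads the
    OS language. Severity is 'high' when the parent runs from a user Temp
    directory (the pattern in this report) and 'low' otherwise, so that an
    interactive admin query is surfaced but not paged on."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith(r"\wbem\wmic.exe"):
            continue
        if not OSLANG_RE.search(e.cmdline):
            continue
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else "<unknown>"
        severity = "high" if USER_TEMP_RE.match(parent_image) else "low"
        findings.append({
            "wmic_pid": e.pid,
            "parent_pid": e.ppid,
            "parent_image": parent_image,
            "cmdline": e.cmdline,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_oslanguage_probes(SAMPLE_EVENTS):
        print(f["severity"], f["parent_pid"], "->", f["wmic_pid"], f["cmdline"])
```

Run against the constructed events it yields two findings: the report's 1272 -> 3044 pair at high severity and the cmd.exe-launched query at low severity. In a real pipeline the parent-image test would be widened to any user-writable location and the match keyed on the image's signer rather than only on its path.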