0113f764e549f5712f42e4fcb5ce644b73e21847b29da884aaf16be778cfc021

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe
Size

5.2MB
MD5

56e36d7f6f731923be8af9e18126eb9a
SHA1

a619b08f3fd69cfae071148f608a829ff2984b82
SHA256

0113f764e549f5712f42e4fcb5ce644b73e21847b29da884aaf16be778cfc021
SHA512

ae46a2f48b25418c6bf0a283cd992b2b5968e5759064345db4fcc5ffdb4fed0d27308d8ea225647d1d7ce040ce7b85b3fdb1e40129bfc09b07716a06e927a6f1
SSDEEP

98304:tuM9cCfW9KFpDuvdIWXe+q2WWmQNfTBBGzQuKLQ59PzNYM6+MQtDp8N1BUDq5:tuCJe9KfD6d9e+q2WWmQNLBBGZlrOn+u

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2708	2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe
2708	2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe
2708	2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe
2708	2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe
2708	2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe
2708	2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe
2708	2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe
2708	2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2708	2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	2708	2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2708	1720	2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe	29
PID 1720 wrote to memory of 2708	1720	2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe	29
PID 1720 wrote to memory of 2708	1720	2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-02-04_56e36d7f6f731923be8af9e18126eb9a_ryuk.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI17202\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17202\_bz2.pyd

Filesize
87KB

MD5
429ad9f0d7240a1eb9c108b2d7c1382f

SHA1
f54e1c1d31f5dd6698e47750daf48b9291b9ea69

SHA256
d2571d3a553ea586fb1e5695dd9745caef9f0e30ac5b876d1307678360674f38

SHA512
bae51da3560e0a720d45f0741f9992fe0729ead0112a614dba961c50cd6f82ddbdcf7b47aeda4f1093f6654f6db77d767ccddd59d34d2143df54121e9d486760

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17202\_ctypes.pyd

Filesize
130KB

MD5
985d2c5623def9d80d1408c01a8628be

SHA1
317c298cb2e1728f9c7f14de2f7764c9861be101

SHA256
7257178f704cd43e68cd7bc80f9814385b2e5d4f35d6e198ae99dce9f4118976

SHA512
be6a9d3465a5e00e6752a4b681fb8ef75126b132965624d4373b8817d68ed11337b068034ebedcfe59fb9486b86a03e67e81badc29375a776f366bf7f834f0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17202\_pytransform.dll

Filesize
651KB

MD5
351042e7607a4a0ec7075a2849299764

SHA1
ec03af7c8132a6da555ab17599ab635db92cb764

SHA256
c581c500b957cecfa17a115dc9ca9b64f537a8639af531021cd70e219bbd6e1d

SHA512
255dd2077d5db01ba3631016fdc75183529d4fe6323b053aff1ad77b928629930ee4db287822f1181f942b27fd8757bf8054743c14d77cc9ae11bf671d0867f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17202\_socket.pyd

Filesize
74KB

MD5
7c5c5e6e4ed888dd26c7aa063bb9f88e

SHA1
a7a3694739b27c3d34beb1a9730fc3dcbae6744a

SHA256
2bb4e5d711fe521e2c9a80f04d2f745f58561dc35f169e06ea17aabf27d334fe

SHA512
9c49c3fe740464f649a0379bdc6bc474cce6a1331f87d2ba2ab489c4545ad7cb311c757af59e8174bb3c87af438a5d47621bd9b2b4750abe128d189d14d80065

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17202\base_library.zip

Filesize
763KB

MD5
5475fc0686a7e6b1999b6fb43274f690

SHA1
3019331998ca0cd2093b96fa7f6a29ec73163322

SHA256
974dda3c7b9ee7cc4756f4f075cb46f0c60086532d560939bedb99f08c289be6

SHA512
401ea46728796a6bd2fa2c3f561ac5cf30a5941706da58147b9c1fb63173577e7df045c2699ac5a1d96ad8d36f236f183242d94c7e66a985e71fad74c2106d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17202\cook_pass_cook.exe.manifest

Filesize
1KB

MD5
1aa1953f78c8e0ca18dfdca9b74a3e36

SHA1
12d8f03e602c53ac58976addafae67ae690d791c

SHA256
3bc3ee1df757c72de9abf659373adbf7917bb41ac9d12c8fd8c8ec85f36ad78f

SHA512
82fce330e1fc87bdd80d6de524f22a389b7d07cc7e7180fdcede243378c85350ef5677b28e864d5941c604e09fd6d94fb52e2a4135b0f0b62a1a3ca8fba26117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17202\license.lic

Filesize
212B

MD5
2353cbf3f0e56f19ab81b9dd3a160e95

SHA1
3dcca8296e91da135b6c5b9346d02fd06f85900e

SHA256
4636adc8235f6af6d4ca13e77f12a1044e8511184cccef7031c8e24314bd9605

SHA512
27093980d5bb490d1cc828af46f0e40bb46d3a573651be91f4fade6303d2584d79b33ae8d24768b4e04adb1b7814589b2048d332b1716a4b0925275f8136e142

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17202\python37.dll

Filesize
3.6MB

MD5
28f9065753cc9436305485567ce894b0

SHA1
36ebb3188a787b63fb17bd01a847511c7b15e88e

SHA256
6f2f87b74aea483a0636fc5c480b294a8103b427a3daf450c1e237c2a2271b1a

SHA512
c3bbc50afb4a0b625aff28650befd126481018bd0b1b9a56c107e3792641679c7d1bfc8be6c9d0760fff6853f8f114b62490cd3567b06abc76ab7db3f244ab54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17202\pytransform.key

Filesize
476B

MD5
f9f71555bf94378d6d698880771b2d1c

SHA1
7d8eda89b4867fc9c962a12fd2805b7f37c82fda

SHA256
912ec22c40816329e4352bab211a922fd9cecab01622afb1535c44fb60fd8078

SHA512
359bfac33d17ade18e6780d6fca53094bc935464d7e34c4635c8306816174962089b38769c77e3539033888c3e4f05406d51ccae2f8e703c4f476d005c16a0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17202\select.pyd

Filesize
26KB

MD5
1650617f3378c5bd469906ae1256a54c

SHA1
dd89ffd426b6820fd79631e4c99760cb485d3a67

SHA256
5724cea789a2ebc148ce277ce042e27432603db2ec64e80b13d37bcb775aee98

SHA512
89ecbbf156e2be066c7d4e3e0ecd08c2704b6a796079517c91cf4aa6682040ba07460596aaddc5550c6ec588979dfec010fed4b87e049000caceed26e8f86ffe

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17202\_lzma.pyd

Filesize
251KB

MD5
5e7a6b749a05dd934ee4471411420053

SHA1
fcd1e54011b98928edbb3820a5838568b9573453

SHA256
4dcd803319e24ba8c8e3d5ce2e02c209bd14a9ab07a540d6e3ae52f69d01e742

SHA512
ce4c5456308adbef0a9d44064aae67b2bb2a913881405ae2e69127eb7ab00a09882fa5304d80d5b3728942b0ab56d1c99132666b6c0ea8809a21396aeaadd8a2

Download Submit
memory/2708-38-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2708-57-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2708-42-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2708-44-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2708-36-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2708-53-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2708-55-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2708-40-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2708-65-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2708-67-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2708-69-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2708-70-0x000007FEF0000000-0x000007FEF0001000-memory.dmp

Filesize
4KB

Download
memory/2708-34-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/2708-33-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2708-75-0x0000000070A00000-0x0000000070AB0000-memory.dmp

Filesize
704KB

Download