183eafdf781034205c75b2d5d734722ee7bdcc31593a3e069f6b72b333ae83be

Analysis

max time kernel
129s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 09:29

Target

2024-02-12_1c4e86043b2c80c4ed7641c607215a36_ryuk.exe
Size

2.1MB
MD5

1c4e86043b2c80c4ed7641c607215a36
SHA1

22f114dffd165624dadf61901f5b39d476b92561
SHA256

183eafdf781034205c75b2d5d734722ee7bdcc31593a3e069f6b72b333ae83be
SHA512

74a48010a9d3dd432eeabcd3c9e107f505a20bd49f0d5825c785ef2fed49c71781b3413e7f7e8223f9f8ced5251a71be55fe30fe85ed5f0562368ea73ea77d34
SSDEEP

49152:mXWtcDco9YXPtSjeJgEjTmucQgDUYmvFur31yAipQCtXxc0H:mSAYXPwtEjEJU7dG1yfpVBlH

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
480	Process not Found
2420	alg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\981bbceee738cb9d.bin	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-02-12_1c4e86043b2c80c4ed7641c607215a36_ryuk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1644	2024-02-12_1c4e86043b2c80c4ed7641c607215a36_ryuk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2220	1644	2024-02-12_1c4e86043b2c80c4ed7641c607215a36_ryuk.exe	28
PID 1644 wrote to memory of 2220	1644	2024-02-12_1c4e86043b2c80c4ed7641c607215a36_ryuk.exe	28
PID 1644 wrote to memory of 2220	1644	2024-02-12_1c4e86043b2c80c4ed7641c607215a36_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-12_1c4e86043b2c80c4ed7641c607215a36_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_1c4e86043b2c80c4ed7641c607215a36_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1644 -s 332
  2⤵
  PID:2220

\Windows\System32\alg.exe

Filesize
644KB

MD5
2ee0ec22660929c5fd2bcc7f24242726

SHA1
444305378a8750e66aac1238430153121dc6aac8

SHA256
c2e0440feef0f8296adc3aaa4cc976c5abc2ae30de137c241884d4f5c934e4f5

SHA512
4de87c7c13bf12e45c2e4b1c9020730ba55f791bc7ccb25f5e2d7adce8d6957cead74ddd4b52fd161923f7fd14a14cff8f491a0992b465e3de008742f9a9c941

Download Submit
memory/1644-1-0x0000000140000000-0x0000000140222000-memory.dmp

Filesize
2.1MB

Download
memory/1644-0-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1644-7-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1644-8-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1644-24-0x0000000140000000-0x0000000140222000-memory.dmp

Filesize
2.1MB

Download
memory/2420-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2420-15-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2420-21-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2420-25-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download