2df33743b916009320d26c6f222a868c0f30714202948ff60db344f7ca4c77d4

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_3e91f25fef6c2cc85fdcd19b42c133e0_ryuk.exe
Size

45.7MB
MD5

3e91f25fef6c2cc85fdcd19b42c133e0
SHA1

76dd969facd9f58dd5c0820d5e7bd9448a639eee
SHA256

2df33743b916009320d26c6f222a868c0f30714202948ff60db344f7ca4c77d4
SHA512

877920a37c5bcb2b90be4181a68a16d7bc6d5699059f6ed745fb412ba9f459b76262e1532d32fa61d1b878df82dc7ec271417ea4713362b0ec0d60aefe038082
SSDEEP

786432:FueKh+SVfBDk6X0KseGePAP9Ibq8VWm1TVMqNxb1Gq9vQt/YF07pBmJDAu:F0h+OfB46XlsrBOh71ZMEb4AbuEJDAu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2600	usruho.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	2024-02-12_3e91f25fef6c2cc85fdcd19b42c133e0_ryuk.exe
2600	usruho.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2600	3056	2024-02-12_3e91f25fef6c2cc85fdcd19b42c133e0_ryuk.exe	28
PID 3056 wrote to memory of 2600	3056	2024-02-12_3e91f25fef6c2cc85fdcd19b42c133e0_ryuk.exe	28
PID 3056 wrote to memory of 2600	3056	2024-02-12_3e91f25fef6c2cc85fdcd19b42c133e0_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-12_3e91f25fef6c2cc85fdcd19b42c133e0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_3e91f25fef6c2cc85fdcd19b42c133e0_ryuk.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\onefile_3056_133522157201396000\usruho.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-02-12_3e91f25fef6c2cc85fdcd19b42c133e0_ryuk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_3056_133522157201396000\python311.dll

Filesize
2.4MB

MD5
5eaa9556f840e6ddbc293524adce81c3

SHA1
0dbcafffb2ce8b85ced930d69f8ed67d46e3b51a

SHA256
820660fa9b00a0073f9b2c76fac7f2ddb1b205ffefdd78857f64b366ab17922f

SHA512
dd215cebfe4e63961408b175483549a0c2082218b7e851129fda051660b322b6e6195476af1862aa0036fbb62902ea49fd1e97b1abf9167ac1faa5307741db07

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3056_133522157201396000\usruho.exe

Filesize
64KB

MD5
54c01d531b7b448b7f1faad9812c17e7

SHA1
d7d075d0f6397265b40b53724c4e874d1b425150

SHA256
17cb25c1b8cc7549340b774e37c420aaa5de73b1900b3c41b249f89c501d0928

SHA512
f22bb2a967c6ba21c438e1d5e093294b8aecc08798911d42257bc612f31900b8c7e6e7532bdd48176c5baa7ac9859d339df258a3ff363ccd82a8592d66c2948b

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_3056_133522157201396000\python311.dll

Filesize
832KB

MD5
7ee3cc17a10dbb49264b09d6c5b98984

SHA1
99d4d65eeb11d12b751c1383fb269e39bb2dac7a

SHA256
be131dbd781c24260b3824444b62a718dbc7632c5c24d54bf884368517527fd5

SHA512
e0459080e74d7dd214376518cb783d385a199f8caf47869bb0aed2b9e7c54d006faf1ac40b5e1fed348d651e23fe590b8c78f700e5ec756bd0c8dee2fa02a065

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_3056_133522157201396000\usruho.exe

Filesize
2.7MB

MD5
ac726050d15258f3d99eb9276332e735

SHA1
d46b3f2954bbc4758a73db873d999c89f1b0f3dd

SHA256
3318f5997e4fb440e337617d7ab6f1341ef6065958d8a98ff507aaf1f5b59ca7

SHA512
3d5200a10f45937ef77c19a1efa7adde11d69ecaee67397639cc6d9a16aee014f8cc877d0eb34a0cfc0048c4c8a7cb6bc4175b77a50f80e6727ca9b03c550e14

Download Submit