b11f806faf78fc857716965af98c834d4964b5e6d7bff0450daa28df45feecbe

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 13:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-12_8fb8efd25f67d35b5459a4d34fd77362_ryuk.exe
Size

45.7MB
MD5

8fb8efd25f67d35b5459a4d34fd77362
SHA1

8f4214afba9560e931150ffb0f77bf4ec32873ef
SHA256

b11f806faf78fc857716965af98c834d4964b5e6d7bff0450daa28df45feecbe
SHA512

1a1d5b4b349b630bf0850e4afd20d52521ab932f586add68a18be1a68408ede6529384db34f7191f51d315323d9ed0a0cd679c2de6330933363c491a573d70b0
SSDEEP

786432:3tDBWTJWcbzujYkTfJPuMmY2rJxWOdfPSPpU2WvjftzB/v8pZo8DH3SqleK:3vW8ezujY4fJPMY2rrq62Wvj1xvW28z4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2604	ushoru.exe

Loads dropped DLL 2 IoCs

pid	Process
1936	2024-02-12_8fb8efd25f67d35b5459a4d34fd77362_ryuk.exe
2604	ushoru.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2604	1936	2024-02-12_8fb8efd25f67d35b5459a4d34fd77362_ryuk.exe	28
PID 1936 wrote to memory of 2604	1936	2024-02-12_8fb8efd25f67d35b5459a4d34fd77362_ryuk.exe	28
PID 1936 wrote to memory of 2604	1936	2024-02-12_8fb8efd25f67d35b5459a4d34fd77362_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-12_8fb8efd25f67d35b5459a4d34fd77362_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-12_8fb8efd25f67d35b5459a4d34fd77362_ryuk.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\onefile_1936_133522164321526000\ushoru.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-02-12_8fb8efd25f67d35b5459a4d34fd77362_ryuk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_1936_133522164321526000\python311.dll

Filesize
512KB

MD5
8ce294a6f07a896d88abbbfb21314017

SHA1
a3da61dd804b98ff8c7084f6feb457c6136eeda0

SHA256
5ddc9450b6238555ebf031b444b00b8bad987df0e2c5f73a1151e4146e0f1787

SHA512
2dc0beb011ee534359a53ed0674472567eef96e0f1f42304cfee01c50ec0c7363c8f6b4db3a65a79ee08d5ac951c1af0a1fd4f7a4fdfd4b0dc36e5c8ffdb98b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1936_133522164321526000\ushoru.exe

Filesize
1.7MB

MD5
cc7147672e6da103c4d8254c08054887

SHA1
d10a6eb5e21a5188bed900f8f25372d7653abc94

SHA256
60afad0e613beac4ad9ded65b079730852f20f717a8d35fce4457d70c41423d6

SHA512
18c9c1271d93c125dad1a0a6b53c1a830d36de21f4504b1be4c3b431973ada382740d912d91defaa031544fe9110a711dedf13a0ef9e2ed3de7e03d9968cdc83

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1936_133522164321526000\python311.dll

Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1936_133522164321526000\ushoru.exe

Filesize
2.4MB

MD5
62b86511774a24989e589ea103c8129e

SHA1
57f2f1f37d6a496a860785e364217dca3f5c2136

SHA256
275f693ece7993487f97aade13f612a851944e26bcb7480d49ad9e8c29ef415a

SHA512
5efe9040105ff4e535dd9471988713285c71354528186e75385ce68436735f5f3703c6173e1df7feab81a41205cde3ae48807ff5063d38d102bff56e47029b1e

Download Submit