e82729c43fc322484f20402c292e4ba43a825f25d1b715d03939af3188c9b497

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 13:53

Target

2024-02-14_4d99784aa40a6534d547d59ee27c2a17_cobalt-strike_ryuk.exe
Size

796KB
MD5

4d99784aa40a6534d547d59ee27c2a17
SHA1

fee94e7bea64a0768aa369062c129ad1c5594b4b
SHA256

e82729c43fc322484f20402c292e4ba43a825f25d1b715d03939af3188c9b497
SHA512

8c33b09414a1b0842ecd13fa0579d4bfcb09dd61e034caa6f543ac8c0f086cfe4e94e9342ba9bc1ddd1a8c34828c2706b089ed4bb117c6ec449d6038e6075576
SSDEEP

24576:4ANw243c+L6VMRCPU6CENltmVVdpx7fLrQWd:4ew2e6ZU6CENlc7dpJLrQWd

Score

5^/10

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-02-14_4d99784aa40a6534d547d59ee27c2a17_cobalt-strike_ryuk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3020	2024-02-14_4d99784aa40a6534d547d59ee27c2a17_cobalt-strike_ryuk.exe

memory/3020-0-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3020-1-0x0000000002320000-0x0000000002380000-memory.dmp

Filesize
384KB

Download
memory/3020-8-0x0000000002320000-0x0000000002380000-memory.dmp

Filesize
384KB

Download
memory/3020-12-0x0000000002320000-0x0000000002380000-memory.dmp

Filesize
384KB

Download
memory/3020-13-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download