Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-02-2024 02:35

General

  • Target
    2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe
  • Size
    9.6MB
  • MD5
    cd52eee363f347b388150800c63e1611
  • SHA1
    e6bdaa0e94b1e2fca5294d859480d65560828c47
  • SHA256
    5e630ec0b4b2a9e5127a888d72c5b20e121a46a26026c29d8d314f77bf243a25
  • SHA512
    749335fb88a8c8198f50cd7a22df3d3089fcd29f7313fd5cd04f4bfdd526f4662bdb180d51315766b570fa077cab1761359ded7917da3be057b996245f6442fa
  • SSDEEP
    196608:4slZIyrQ1wsMbT3AjSsSAQVHd51YyABGNWPbEEfYyrJZGQg1r:ZncwskTwjSwyHd5qPb/wwZGV1

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\WW13_64.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2340

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\python311.dll
    Filesize
    5.5MB
    MD5
    1fe47c83669491bf38a949253d7d960f
    SHA1
    de5cc181c0e26cbcb31309fe00d9f2f5264d2b25
    SHA256
    0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae
    SHA512
    05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

  • \Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\WW13_64.exe
    Filesize
    14.0MB
    MD5
    fa11e891181f71292e874762e54c309e
    SHA1
    6222e37af40fa08c4418d2170df3cb327e1821cc
    SHA256
    f68ea8983c06306b36e0407d02e0df667edf628bf390f334b44a61b4ec5321d7
    SHA512
    7e84a2773e29500a39db9fff5950b244bdde51a16574d24f61696c6877371765eb78a8d23e5a937b671861b3a84e1602d3da8d98554f5ab60c3f4db3eae2611e