Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
19-02-2024 02:35
Static task
static1
Behavioral task
behavioral1
Sample
2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe
Resource
win7-20231215-en
General
-
Target
2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe
-
Size
9.6MB
-
MD5
cd52eee363f347b388150800c63e1611
-
SHA1
e6bdaa0e94b1e2fca5294d859480d65560828c47
-
SHA256
5e630ec0b4b2a9e5127a888d72c5b20e121a46a26026c29d8d314f77bf243a25
-
SHA512
749335fb88a8c8198f50cd7a22df3d3089fcd29f7313fd5cd04f4bfdd526f4662bdb180d51315766b570fa077cab1761359ded7917da3be057b996245f6442fa
-
SSDEEP
196608:4slZIyrQ1wsMbT3AjSsSAQVHd51YyABGNWPbEEfYyrJZGQg1r:ZncwskTwjSwyHd5qPb/wwZGV1
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
2340  WW13_64.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
2352  2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe
2340  WW13_64.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                       pid   process                                                target process
PID 2352 wrote to memory of 2340  2352  2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe  WW13_64.exe
PID 2352 wrote to memory of 2340  2352  2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe  WW13_64.exe
PID 2352 wrote to memory of 2340  2352  2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe  WW13_64.exe
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"
Depth: 1
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352
-
  Image: C:\Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\WW13_64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"
  Depth: 2 (child of PID 2352)
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2340
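The process tree above shows one behaviour worth turning into a check: the submitted sample drops a second executable into a per-run subdirectory of its own %TEMP% location (onefile_<parent pid>_<timestamp>), relaunches it with the parent's original command line, and then writes into the child's memory. The following is an added example by the editor, not code from the sandbox or from the sample's author. It models the two processes and the three WriteProcessMemory events from this report as constructed event records and flags the drop-and-relaunch pattern. Treating the onefile_<pid>_<time> directory name as a loader convention (a Nuitka-style onefile bootstrap) is this editor's assumption; the report itself does not name a packer.

```python
"""Flag a self-extracting loader relaunching its payload from a per-pid temp directory.

Added example (editor's code, not part of the sandbox report). Events below are
constructed from the report's process tree; pids and paths are copied from it.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Assumption: onefile_<pid>_<timestamp> is a loader extraction directory
# (Nuitka-style onefile bootstrap). The report does not name the packer.
ONEFILE_DIR = re.compile(r"^onefile_(?P<pid>\d+)_(?P<stamp>\d{10,})$", re.IGNORECASE)


@dataclass
class ProcessEvent:
    pid: int
    parent_pid: int
    image: str          # full image path, as the sandbox reports it
    command_line: str   # command line, quoted as the sandbox reports it


@dataclass
class WriteEvent:
    source_pid: int     # process that called WriteProcessMemory
    target_pid: int


@dataclass
class Finding:
    parent_pid: int
    child_pid: int
    reasons: list = field(default_factory=list)


def _unquote(cmdline: str) -> str:
    # Sandboxes show the command line wrapped in one pair of double quotes.
    c = cmdline.strip()
    return c[1:-1] if len(c) >= 2 and c[0] == c[-1] == '"' else c


def onefile_relaunches(procs, writes):
    """Return one Finding per child whose image sits in an onefile_<pid>_<stamp> directory."""
    by_pid = {p.pid: p for p in procs}
    writers = {(w.source_pid, w.target_pid) for w in writes}
    findings = []
    for child in procs:
        parent = by_pid.get(child.parent_pid)
        if parent is None:
            continue
        cpath = PureWindowsPath(child.image)
        ppath = PureWindowsPath(parent.image)
        m = ONEFILE_DIR.match(cpath.parent.name)
        if not m:
            continue
        reasons = []
        # Extraction dir is a sibling of the parent image (both under %TEMP% here).
        if cpath.parent.parent == ppath.parent:
            reasons.append("child extracted to a sibling directory of the parent image")
        # The directory name embeds the pid of the process that created it.
        if int(m.group("pid")) == parent.pid:
            reasons.append("extraction directory name embeds the parent pid")
        # The child is started with the parent's own command line.
        if _unquote(child.command_line).lower() == parent.image.lower():
            reasons.append("child reuses the parent's command line")
        # The parent then writes into the child (WriteProcessMemory signature).
        if (parent.pid, child.pid) in writers:
            reasons.append("parent wrote into the child's memory")
        if reasons:
            findings.append(Finding(parent.pid, child.pid, reasons))
    return findings


# Constructed sample input, taken from the process tree in this report.
TEMP = PureWindowsPath(r"C:\Users\Admin\AppData\Local\Temp")
SAMPLE = "2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"
SAMPLE_PATH = str(TEMP / SAMPLE)

REPORT_PROCESSES = [
    ProcessEvent(2352, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcessEvent(2340, 2352,
                 str(TEMP / "onefile_2352_133527837583468000" / "WW13_64.exe"),
                 f'"{SAMPLE_PATH}"'),
]
# The report lists the same write three times (3 IoCs).
REPORT_WRITES = [WriteEvent(2352, 2340)] * 3

if __name__ == "__main__":
    for f in onefile_relaunches(REPORT_PROCESSES, REPORT_WRITES):
        print(f"pid {f.parent_pid} -> {f.child_pid}: " + "; ".join(f.reasons))
```

Run against the two events from this report the function returns a single finding with all four reasons. The path comparison uses PureWindowsPath so it is case-insensitive like the file system being modelled; a child launched from a normal directory (for example cmd.exe under System32) produces no finding.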
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
5.5MB
MD5
1fe47c83669491bf38a949253d7d960f
SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25
SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae
SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4
-
Filesize
14.0MB
MD5
fa11e891181f71292e874762e54c309e
SHA1
6222e37af40fa08c4418d2170df3cb327e1821cc
SHA256
f68ea8983c06306b36e0407d02e0df667edf628bf390f334b44a61b4ec5321d7
SHA512
7e84a2773e29500a39db9fff5950b244bdde51a16574d24f61696c6877371765eb78a8d23e5a937b671861b3a84e1602d3da8d98554f5ab60c3f4db3eae2611e