048c960b0e1264c05393beb6d71f6e1c101d252d23d260c66d54f5f7d4044e6c

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 01:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe
Size

5.0MB
MD5

46da0dc6a5c1b0682cc30a004d57ce2a
SHA1

0f4f11830e3b5aaa7ca5d9c3ffbfefc36bc3f620
SHA256

048c960b0e1264c05393beb6d71f6e1c101d252d23d260c66d54f5f7d4044e6c
SHA512

4d635500d9fe08a652310f74313ad2d83708631d961aae60762e2d26012df0ae2178b15bfe881ff5e2a670b1b708e251cd2545fa1235cba9a737d77a3de72566
SSDEEP

98304:0UfMOmrHQktlw2Kce26t+JhVWn2xxjsgIzsWu+X3yyYRNNENt:0c23tlKXqXWnAfIzzuEWN

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 11 IoCs

pid	Process
2732	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe
2732	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe
2732	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe
2732	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe
2732	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe
2732	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe
2732	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe
2732	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe
2732	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe
2732	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe
2732	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	2732	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 2732	844	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe	29
PID 844 wrote to memory of 2732	844	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe	29
PID 844 wrote to memory of 2732	844	2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:844
- C:\Users\Admin\AppData\Local\Temp\2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-02-21_46da0dc6a5c1b0682cc30a004d57ce2a_ryuk.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI8442\_bz2.pyd

Filesize
87KB

MD5
4079b0e80ef0f97ce35f272410bd29fe

SHA1
19ef1b81a1a0b3286bac74b6af9a18ed381bf92c

SHA256
466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33

SHA512
21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8442\_hashlib.pyd

Filesize
38KB

MD5
c3b19ad5381b9832e313a448de7c5210

SHA1
51777d53e1ea5592efede1ed349418345b55f367

SHA256
bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc

SHA512
7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8442\_lzma.pyd

Filesize
251KB

MD5
a567a2ecb4737e5b70500eac25f23049

SHA1
951673dd1a8b5a7f774d34f61b765da2b4026cab

SHA256
a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d

SHA512
97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8442\_socket.pyd

Filesize
74KB

MD5
d7e7a7592338ce88e131f858a84deec6

SHA1
3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357

SHA256
4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5

SHA512
96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8442\_ssl.pyd

Filesize
120KB

MD5
d429ff3fd91943ad8539c076c2a0c75f

SHA1
bb6611ddca8ebe9e4790f20366b89253a27aed02

SHA256
45c8b99ba9e832cab85e9d45b5601b7a1d744652e7f756ec6a6091e1d8398dd4

SHA512
019178eecb9fb3d531e39854685a53fa3df5a84b1424e4a195f0a51ca0587d1524fd8fbd6d4360188ea9c2f54d7019c7d335ec6dc5471128159153c2287b0e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8442\base_library.zip

Filesize
766KB

MD5
f9832636785ae16a11b5f852d5436a56

SHA1
41c10f273a1dc95c068014a4940e595c9f3e0227

SHA256
0760ee6d2ec488eecd04bff5650cbd87837c797045cf532b9668b270d0c01a80

SHA512
08b99d2b1c5f01b322ee4cdc1c0b3f9382d10dc5fcb15b052dc4fc8db06f5522a8dc0fb157b5ed678aa5f01e280ee9f04cc51ecca6ff96c297abbd3bdba53554

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8442\libcrypto-1_1-x64.dll

Filesize
2.4MB

MD5
022a61849adab67e3a59bcf4d0f1c40b

SHA1
fca2e1e8c30767c88f7ab5b42fe2bd9abb644672

SHA256
2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f

SHA512
94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8442\libssl-1_1-x64.dll

Filesize
517KB

MD5
4ec3c7fe06b18086f83a18ffbb3b9b55

SHA1
31d66ffab754fe002914bff2cf58c7381f8588d9

SHA256
9d35d8dd9854a4d4205ae4eafe28c92f8d0e3ac7c494ac4a6a117f6e4b45170c

SHA512
d53ee1f7c082a27ace38bf414529d25223c46bfae1be0a1fbe0c5eab10a7b10d23571fd9812c3be591c34059a4c0028699b4bf50736582b06a17ae1ef1b5341e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8442\python37.dll

Filesize
3.7MB

MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8442\select.pyd

Filesize
26KB

MD5
c30e5eccf9c62b0b0bc57ed591e16cc0

SHA1
24aece32d4f215516ee092ab72471d1e15c3ba24

SHA256
56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268

SHA512
3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8442\test.exe.manifest

Filesize
1KB

MD5
8c2fbb009cc3823763d0694003d3b881

SHA1
947618c56a16c37ea5731b0a151664eac41abaad

SHA256
61004926a6154602b377eeac3d327b572f0ec64574d066f3d5eea413402b1667

SHA512
a7089458142e1730b45623a30510be5718c95f4c4b557ecaa5ea2e1e595468cbffd0de78863bc939456cc51f002889099f79b02aca30f0c14dab40dec91e78d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8442\unicodedata.pyd

Filesize
1.0MB

MD5
7d1f105cf81820bb6d0962b669897dde

SHA1
6c4897147c05c6d6da98dd969bf84e12cc5682be

SHA256
71b13fd922190081d3aeec8628bd72858cc69ee553e16bf3da412f535108d0e4

SHA512
7546c3afb0440dc0e4c0f24d7b145a4f162cda72068cc51f7dc1a644454b645c0b3c954920c489b0748ba4c1ea2c34e86ba2565770e08077c2fdd02fd237f9d3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI8442\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit