ea8357b33d938b891dadf6136f5d04923405c96ae1e1a098a050cbe71612798f

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/02/2024, 22:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
Size

6.1MB
MD5

b97cf6deefb3713ecdee4a548fb09236
SHA1

e7c9a370756e2fb5633cc55bda405a6631d8e705
SHA256

ea8357b33d938b891dadf6136f5d04923405c96ae1e1a098a050cbe71612798f
SHA512

ee5ef3007e42b7f5bba0362a6851857fda3bc73da5ef2c5a8c243d2aa78504a95162598879a6370d48561d240ea7fe034a0032d363fae25c9b0de5b349be7317
SSDEEP

196608:KkgQ7pN6o63z2G1yBo1qaBgjAkzDkWMqBeEDVgJ0tjM:p7pEo6yIxqaGBDkFxoM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2484	mybot2.exe

Loads dropped DLL 8 IoCs

pid	Process
1708	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
2572	Process not Found
2484	mybot2.exe
2484	mybot2.exe
2484	mybot2.exe
2484	mybot2.exe
2484	mybot2.exe
2484	mybot2.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files\windows\nircmd.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File opened for modification	C:\Program Files\windows\system.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File opened for modification	C:\Program Files\windows\zlib1.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File created	C:\Program Files\windows\dpp.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File opened for modification	C:\Program Files\windows\libsodium.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File opened for modification	C:\Program Files\windows\libssl-1_1-x64.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File created	C:\Program Files\windows\MyBot2.exe	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File opened for modification	C:\Program Files\windows\MyBot2.exe	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File created	C:\Program Files\windows\opus.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File created	C:\Program Files\windows\zlib1.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File opened for modification	C:\Program Files\windows	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File created	C:\Program Files\windows\__tmp_rar_sfx_access_check_259427977	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File created	C:\Program Files\windows\libcrypto-1_1-x64.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File opened for modification	C:\Program Files\windows\libcurl.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File created	C:\Program Files\windows\libssl-1_1-x64.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File opened for modification	C:\Program Files\windows\opus.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File created	C:\Program Files\windows\system.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File opened for modification	C:\Program Files\windows\dpp.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File opened for modification	C:\Program Files\windows\libcrypto-1_1-x64.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File created	C:\Program Files\windows\libcurl.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File created	C:\Program Files\windows\libsodium.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
File opened for modification	C:\Program Files\windows\nircmd.dll	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2484	1708	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe	28
PID 1708 wrote to memory of 2484	1708	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe	28
PID 1708 wrote to memory of 2484	1708	2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-27_b97cf6deefb3713ecdee4a548fb09236_ryuk.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Program Files\windows\mybot2.exe
  "C:\Program Files\windows\mybot2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\windows\dpp.dll

Filesize
2.2MB

MD5
10f8a73681001d1050279b1eb08e6bec

SHA1
00927079e0bd057703331e89ad892f34e1eaeece

SHA256
88c88bb206d5d7f68f8de1c0c391eb0612e915cdd83b4d1a49ea5e7ec1779779

SHA512
1e0e2534534efbf878d6270e3f692ce14f1dc30ce46d856c886ac9ee2cf256bb6de490694b9b73e58879b5a47d4e3223bd3042b6f2bffec29167e621aab6a8a8

Download Submit
C:\Program Files\windows\libcrypto-1_1-x64.dll

Filesize
449KB

MD5
157a0c1c66c751193f625d6837bce589

SHA1
96b5b38801af1dbd0781db107aea434396d5f244

SHA256
e2734331457d9448b0ae765d890e1cb152d2c68d406cdbdf198cd7f9251a3cbe

SHA512
05269341de6c3c2f6b1e9b2ae577b40539cda8cf61ada826dae5595391356b1cc14a517ccc59810a249d270b55d66979878b8e93476d846e88e948b9ae29ab06

Download Submit
C:\Program Files\windows\libsodium.dll

Filesize
141KB

MD5
a34adc885bf64a83d7c9aefd01dcc78c

SHA1
f137a4b7a283e377d477873a4005e1c3d7e187aa

SHA256
52dabf1ccd906f55dd3f1869dbfca81e2b51183185dc2b7aad6a2c98f1ba85b5

SHA512
a47e21aa466ed1ed592d92bd58df9245291b106ae6062131cb1066e782df3a3f1b4ab1d5139997837211f2b685f7190ab807944c43d6741f98ef693c88b1a8eb

Download Submit
C:\Program Files\windows\libssl-1_1-x64.dll

Filesize
458KB

MD5
31bfa6f39573a2641ae0aa8367ef2e40

SHA1
032e1ffe2808ca562da0580bbe727087f7138651

SHA256
fca660b7a0bc8d39c764ee9ec582aa05c8772733f375d03a7632e5817942282b

SHA512
aeb22154b251122e19e3bde6506d949eecbe17b879b82afa7afa2a20054aa0e4e6257643f900d48f473362286f73594da0fa6b3a98b1eff4e979e11b0c87a7c7

Download Submit
C:\Program Files\windows\opus.dll

Filesize
166KB

MD5
01e2f06436f0778bc29c4c804803b37b

SHA1
b03a24956fdfb6cbaf9acb32c3a21ea68cf9003a

SHA256
849afee99d26843bc54220c70f41b9542a683bc75dcae44edb7e38a61d548d04

SHA512
d227c053ff1d24768180cd4773fdabb88bcb7ec10223c069c802f707891cbc505c0afff14c6477489e866bc09016b7d9408a5a28e4e44cf0be99f8e8ef9d4156

Download Submit
\Program Files\windows\MyBot2.exe

Filesize
189KB

MD5
8d3ec1d7210735df6442970a76a4b983

SHA1
402ac80bf66fbbd6d541d3bf94797b9e682cd556

SHA256
a7a5afa60b7c4cb0b5cdd510577f3d8eca403f09ce16b8fdba6280e1147ca816

SHA512
e7798b5bc2654d05496760f292e4359d1af74f2c18bf464b977b8c38ac642ed70d849942ccfb582f842f5cc6939053b6d8f6a9a188d63305387f8f01c221eaf5

Download Submit
\Program Files\windows\dpp.dll

Filesize
844KB

MD5
c81a7b7a2256e2c4ebdf16e6f4d0ce87

SHA1
f91af00a5d5a6fc267a0b377ecefd68c8cd72dad

SHA256
30a6af4a5d22b3be6ffdb8f0961c6a815c526d342fca0b8ea0b829480e5ea954

SHA512
e1cddaea38f7557fd69ba4b612d205ad26ee961c11a70924aca53e232491f5e51b165c9f16586e5e3acdf4e144add0654771fe7d878317a40de108c3ec0aaba0

Download Submit
\Program Files\windows\libcrypto-1_1-x64.dll

Filesize
509KB

MD5
d1c11e05a15340caeddcaf5e71578426

SHA1
f0c375811a32b31173c1ba257c07125f35624ffd

SHA256
df49b6c92c8cb34dbcb7f9e6c5c5a915bddbd3b7ce2f2fac138996ac0c5c4fab

SHA512
7355a80fd9a817eeeea91998189fa300c9899914e0a2486e5098793b36267364b320d23cc51447a7fc063f33bab593cfece0ee5ef3536ef9f7bb2c4717d25ab8

Download Submit
\Program Files\windows\libsodium.dll

Filesize
161KB

MD5
c2393f28dec9d85f1ba2a96331cd4fc8

SHA1
6de52c36ff294e795724dcb96cea3cc4d1af8ec2

SHA256
f98e87eca034ff42caf5f892f337eeb378abf38e3aa46f4e3bb768e0ddc2f078

SHA512
b10466d403815c7d95a0ee32e17849d8d31993e5653fc6554b425c0b40f0c3c115842133032ebe24c2348bc6fdf113f93fad5edc2d80d1034e7306527b6c9fcf

Download Submit
\Program Files\windows\libssl-1_1-x64.dll

Filesize
663KB

MD5
0319f2e733188eaee0e4cc2912353165

SHA1
46b3f083dd6e946a7dc861fc6c21d18f833bc0c3

SHA256
4504c1fb9dc50f64a3fe34a85b5cc70583cad947b070f9a84283857cf7473393

SHA512
9bc770633a6594bd89c834de468a30d9d053985c25245b16f2eb8b445422f9e0d2d40552ab01ca30b4d907332f47443338eae5b176f2039af582f01bff177895

Download Submit
\Program Files\windows\opus.dll

Filesize
151KB

MD5
9a7b28a6eba1914e1f7bcb189ab12705

SHA1
8ca4d6b1ba48a345bd74d6f792518a903282d269

SHA256
c701d5b878c102e69f12ed1d6c141a8c9572453f1c906108a7f20aafabda3025

SHA512
c9963d878b09574446dfe10d356455af68be14eb96c6171a77e948801de6d644b1e6ee2c1345011cefe95355956f08cba572c4499327fe016e23a6c3e04cd959

Download Submit
\Program Files\windows\zlib1.dll

Filesize
85KB

MD5
b88fc4d41ac25f367a5fe5ee0286de22

SHA1
124017096d4c571b3f835af4d7e9b158a4abe4cb

SHA256
b98933d985116fd71869b879604347cfb630d1eb4b9eef16454913d251021502

SHA512
824df2a012b18e252a90177d2f3ab5a43272609024b72790bd249f981e7fca4f28291ab3e4cee06c26e189ba42fa2115648fc725f49a91666fae59bc022c68c8

Download Submit
memory/1708-24-0x000000013FA80000-0x000000013FAC6000-memory.dmp

Filesize
280KB

Download
memory/1708-40-0x000000013FA80000-0x000000013FAC6000-memory.dmp

Filesize
280KB

Download
memory/2484-26-0x000000013FA80000-0x000000013FAC6000-memory.dmp

Filesize
280KB

Download