Overview

overview

10

Static

static

3

2024-03-15...uk.exe

windows7-x64

10

2024-03-15...uk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    7s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15-03-2024 03:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-15_a99a2f180d3394056eda95262dc47bd0_ryuk.exe

  • Size

    9.9MB

  • MD5

    a99a2f180d3394056eda95262dc47bd0

  • SHA1

    08b22ce743e0d61262ab513b907bd80ed9957fae

  • SHA256

    368d86aa86e6d6622b81c27c2b19402096fcecf6108986bf30b0265f86038439

  • SHA512

    8fc499ef707a2e6020613191b06a25c649c78c2a690ef31834aaa469da34e0df0a567136ebced89aa63024002d7bdbc92227bd7f02b800760367e106464c3977

  • SSDEEP

    196608:bgft1KAa9eBaUiO9u5XOU5PYNJAT8UXlVh/iYofG7rYnFkT3uDlQfC:gvj6e0UZ9u8U5QvrUXN/hGaMnWT3u

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Loads dropped DLL 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-15_a99a2f180d3394056eda95262dc47bd0_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-15_a99a2f180d3394056eda95262dc47bd0_ryuk.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Users\Admin\AppData\Local\Temp\2024-03-15_a99a2f180d3394056eda95262dc47bd0_ryuk.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-03-15_a99a2f180d3394056eda95262dc47bd0_ryuk.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:2588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI29562\VCRUNTIME140.dll
    Filesize

    87KB

    MD5

    0e675d4a7a5b7ccd69013386793f68eb

    SHA1

    6e5821ddd8fea6681bda4448816f39984a33596b

    SHA256

    bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

    SHA512

    cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI29562\_ctypes.pyd
    Filesize

    130KB

    MD5

    bf9d0771209cfbeb520c9e093d105d18

    SHA1

    72551b0f452bb144e528513033cbd755ab3e07ed

    SHA256

    d8b8cd706d524ab152d1f8f44f239487b89ee9c32bc692f6d2bdc84073ba56a0

    SHA512

    a94f99052058c1c2e1e680acae7167d3e5fd9aea18983ab6daac59878c3f7c33205ecf2ac69aa5db25af18654fc0141a569175b0c5c60d5fb469c011c6fb81f2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI29562\base_library.zip
    Filesize

    768KB

    MD5

    b2375eba0bb5ea06015176d0d3ad3bd8

    SHA1

    30ee14ae6887a62edb681b8eb01f727f6c524136

    SHA256

    a6dcd87c96fa61814abc18fba41c1fb68fd9b8a8ebeabaa4cb93f286805698ea

    SHA512

    d1957aef4bd9f2071d0afa23f9e59c9e1b8d7994c2831f49a3331561572b1444d971e66ea910205b0a246f26fe5b59e9634a9ed3943272dd67e4333a7bfb6bdc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI29562\python37.dll
    Filesize

    3.6MB

    MD5

    5d8c22938d89077f64537a9d09cf6fd5

    SHA1

    15971f1b4bc2420eafbd40b0cd3fc4d2af204ec4

    SHA256

    8eb835d88e72e998b82916fb20a252af615d6e641827e013411239d115d5dd69

    SHA512

    dbd1febd18e29eab046b98f6b970e35e040adddead81561c0d165a1353a124d1dc26f3b3f5aa9ef0cb8e813baa8fc706514c0350c6428f25c5e5c050773b7d31

    Download Submit
  • memory/2588-26-0x00000000024D0000-0x0000000002511000-memory.dmp
    Filesize

    260KB

    Download