Analysis

- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 03/04/2024, 10:28
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_e43635f48f64f6d6a1b6c80b63c36ec3_ryuk.exe
Resource: win7-20240220-en
General

- Target: 2024-04-03_e43635f48f64f6d6a1b6c80b63c36ec3_ryuk.exe
- Size: 1.8MB
- MD5: e43635f48f64f6d6a1b6c80b63c36ec3
- SHA1: 990b2503070a770da9d673d263c5b8e6313552dd
- SHA256: 5af66372e4eb5fcc9ab55c166891b2a586543124f05fc7e8c2360e9c20e0ef5b
- SHA512: 0249df63bd0b0b7639c41107178ca57752785259835c92e305df418d243945cd63cff6fc024c28554eb7b073e23ef1be049d063daa858e4d647b323cc9604d68
- SSDEEP: 49152:qKfuPS3ELNjV7yZxEfOfOgwf0WDmg27RnWGj:Nm92ZxwgGD527BWG
Malware Config
Signatures

- Executes dropped EXE (2 IoCs)

  pid   Process
  480   Process not Found
  2960  alg.exe

- Drops file in System32 directory (2 IoCs)

  description                   ioc                                                                              Process
  File opened for modification  C:\Windows\System32\alg.exe                                                      2024-04-03_e43635f48f64f6d6a1b6c80b63c36ec3_ryuk.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Roaming\38ca12683d2ec148.bin    alg.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)

  description                      pid   Process
  Token: SeTakeOwnershipPrivilege  2208  2024-04-03_e43635f48f64f6d6a1b6c80b63c36ec3_ryuk.exe

- Suspicious use of WriteProcessMemory (3 IoCs)

  description                        pid   Process                                               procid_target
  PID 2208 wrote to memory of 2124   2208  2024-04-03_e43635f48f64f6d6a1b6c80b63c36ec3_ryuk.exe  28
  PID 2208 wrote to memory of 2124   2208  2024-04-03_e43635f48f64f6d6a1b6c80b63c36ec3_ryuk.exe  28
  PID 2208 wrote to memory of 2124   2208  2024-04-03_e43635f48f64f6d6a1b6c80b63c36ec3_ryuk.exe  28
Processes

- C:\Users\Admin\AppData\Local\Temp\2024-04-03_e43635f48f64f6d6a1b6c80b63c36ec3_ryuk.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_e43635f48f64f6d6a1b6c80b63c36ec3_ryuk.exe"
  PID: 2208
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\WerFault.exe (depth 2)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2208 -s 332
    PID: 2124

- C:\Windows\System32\alg.exe (depth 1)
  Command line: C:\Windows\System32\alg.exe
  PID: 2960
  - Executes dropped EXE
  - Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 1.5MB
  MD5: d73f2695d636998b275eb544e2a444e2
  SHA1: 6083552e7e3f995b4319e643dbd8c0135fef8d27
  SHA256: 969ebda24ceac9f10ef342f2d8ab62d7e6d1b2a7c822aef6a3e8424727ce5d06
  SHA512: 4b87d93cee441ae723a6c9515e9b011db83ee1547df6a41e3117b151307def9647dc8863c837afb60133fd76743f9b5b00011437f40fef3cbb84bf575c15017b