Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/04/2024, 10:32
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_eef3f77a51cedff224a7e7f8f1c1170a_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-04-03_eef3f77a51cedff224a7e7f8f1c1170a_ryuk.exe
Size: 2.1MB
MD5: eef3f77a51cedff224a7e7f8f1c1170a
SHA1: ed5fd13366a5a5394f0739cce059f3866b6abc2f
SHA256: 39afdf1e879a87ccd26eb6a1977391482929f6b0c0236e621ca34572345d9f28
SHA512: 077acc9e7f2706893094b36a6b64f2d56ef8213db64b0d140073e856a15ed30c8349877785eba6e79fb938b69adb77ec8fe3a3ec9c700a588727b2573599ba58
SSDEEP: 49152:0XWtcDco9YXPtSjeJgEjTmucUgDUYmvFur31yAipQCtXxc0H:0SAYXPwtEjEVU7dG1yfpVBlH
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid    Process
  480    Process not Found
  2700   alg.exe

Drops file in System32 directory (2 IoCs)
  description                    ioc                                                                               Process
  File opened for modification   C:\Windows\System32\alg.exe                                                       2024-04-03_eef3f77a51cedff224a7e7f8f1c1170a_ryuk.exe
  File opened for modification   C:\Windows\system32\config\systemprofile\AppData\Roaming\872d2b23aad3ae89.bin    alg.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                        pid    Process
  Token: SeTakeOwnershipPrivilege    2168   2024-04-03_eef3f77a51cedff224a7e7f8f1c1170a_ryuk.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid    Process                                                 procid_target
  PID 2168 wrote to memory of 2596     2168   2024-04-03_eef3f77a51cedff224a7e7f8f1c1170a_ryuk.exe   28
  PID 2168 wrote to memory of 2596     2168   2024-04-03_eef3f77a51cedff224a7e7f8f1c1170a_ryuk.exe   28
  PID 2168 wrote to memory of 2596     2168   2024-04-03_eef3f77a51cedff224a7e7f8f1c1170a_ryuk.exe   28
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2024-04-03_eef3f77a51cedff224a7e7f8f1c1170a_ryuk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_eef3f77a51cedff224a7e7f8f1c1170a_ryuk.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2168

    [2] C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 2168 -s 328
        PID: 2596

[1] C:\Windows\System32\alg.exe
    Command line: C:\Windows\System32\alg.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 2700
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 644KB
MD5: 9480676965280a793e45beb6d6480cf9
SHA1: ac58af047353459e33bbb770615ed18d225abfd6
SHA256: 5f8cfcb125b0c4d67a0b0dd8651a269465e2e74c3d43d9d96c7993d73fcd1ebf
SHA512: dd9b5094d97be808fa8d39c4d9f494ef8244147e7790223ded08126c995e2f54a9c60669461089e0d61f7af762cd2da822f634896c1bac47af9234b71b401761