Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03/04/2024, 10:33
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe
Resource: win7-20240221-en
General
- Target: 2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe
- Size: 1.8MB
- MD5: f20e6b22d8e4d9df82aceec26a12aa5f
- SHA1: 5314aae0a4db009eeee53b76c5817e21a65777b2
- SHA256: e8120cca3243174642aa8c527b2377553aed137547288cfb8079f1ed540b6b59
- SHA512: 4536123e2b8a7c2f9b29626bed7cd0b90f72a4d51256dbd3ae248656b24a5bc140b97ad5a2fad522cdcc13443cbec7a9fbc219fa603a4ab0d9e8ea3cb4fb418d
- SSDEEP: 49152:RKfuPS3ELNjV7IZxEfOfOgwf0FgDUYmvFur31yAipQCtXxc0H:Sm9sZxwgkU7dG1yfpVBlH
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid  | Process
  468  | Process not Found
  2584 | alg.exe
- Drops file in System32 directory (2 IoCs)
  description                  | ioc                                                                                  | Process
  File opened for modification | C:\Windows\System32\alg.exe                                                          | 2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\7c1409eeae4ef42b.bin        | alg.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                     | pid  | Process
  Token: SeTakeOwnershipPrivilege | 2456 | 2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      | pid  | Process                                              | procid_target
  PID 2456 wrote to memory of 2484 | 2456 | 2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe | 28
  PID 2456 wrote to memory of 2484 | 2456 | 2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe | 28
  PID 2456 wrote to memory of 2484 | 2456 | 2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2456
  - C:\Windows\system32\WerFault.exe (child of PID 2456)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2456 -s 276
    PID: 2484
- C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2584
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 644KB
  MD5: 18bae83d85d97c354d3c409095584c69
  SHA1: 92a0e087bceb4ed6500900c30d663c8fa4c47dc1
  SHA256: 6474fcfca1a793f4edefa02230a53a3441326a9b33d757c39bdd4178f5735aef
  SHA512: 8ab45cc061a5a9014ea82e9cd7e433eac71d7ac4252d0b41c31b21c75d6fd8840ac144d5772bfa397d354340c453766f5c050157785c5d62cb725be58ecd6419