Analysis
- max time kernel: 144s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240319-en
- resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
- submitted: 03/04/2024, 10:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe
- Resource: win7-20240319-en
General
- Target: 2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe
- Size: 1.8MB
- MD5: fa8e1be240924e506e79d468a917d168
- SHA1: 6cf82a7c8abafcbaa63b070f3da3ad5ac3c1ac73
- SHA256: 9dc0426d14aec9386968d8db3403a824c15a0767f18587c7053a0dbf80bb46fa
- SHA512: d2d414dee4a19c92b6bb7a75dc61f3a283c7a505789df3333cc013f27b3c96edad96afb7b4e5cd1d63fe08619ec8d4d24fcfa02bd36c847e9edfaeb9b0557f9c
- SSDEEP: 49152:CKfuPS3ELNjV7IZxEfOflgwf04gDUYmvFur31yAipQCtXxc0H:Fm9sZxjghU7dG1yfpVBlH
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid | Process
  468 | Process not Found
  2156 | alg.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\alg.exe | 2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\1b872afbcea407a.bin | alg.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeTakeOwnershipPrivilege | 2144 | 2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2144 wrote to memory of 2892 | 2144 | 2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe | 28
  PID 2144 wrote to memory of 2892 | 2144 | 2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe | 28
  PID 2144 wrote to memory of 2892 | 2144 | 2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe (PID: 2144)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fa8e1be240924e506e79d468a917d168_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\system32\WerFault.exe (PID: 2892)
    command line: C:\Windows\system32\WerFault.exe -u -p 2144 -s 336
- C:\Windows\System32\alg.exe (PID: 2156)
  command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 644KB
  MD5: 94b3710d448752123cc3d33f809d0ee9
  SHA1: 24e55f4e4380c69db0b93e33386d56ab2becf9dc
  SHA256: c4a6af8472f0c21f7fa675277b6c1fac68ac905e20768855532307093447963a
  SHA512: a853c8ff4dbee7bb31d550685d525babf94ec6a4734aef66d1bda925dd7f3bd339391a0e8691a6729cb4a3294248efda221b13635a0d5e7493b642fb6df0a504