df972a50bf4d9ddb61697d129496dbcfac2af10b6d0dd7d443673916985d4c4d

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 00:43

Target

2024-04-20_439d2ff28bab3b14b0b57f77920fd03b_cobalt-strike_ryuk.exe
Size

796KB
MD5

439d2ff28bab3b14b0b57f77920fd03b
SHA1

d89a720ad76faacdb6fc028baf67cf71d7b3f03d
SHA256

df972a50bf4d9ddb61697d129496dbcfac2af10b6d0dd7d443673916985d4c4d
SHA512

c881e5c84d9c681b4a38348eb6acd70da04f62a24a2c4920a69bd21e118156c37dfb514ead78ad75e24dc89f4ca6e965a8928c704af2cb3a7ce3a29f88859ecc
SSDEEP

24576:pANw243u1N3RUDHNmdPCAaq8Nozgi/rE0TOj:pew2D8HNUPCAaq8Wdo0

Score

5^/10

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_439d2ff28bab3b14b0b57f77920fd03b_cobalt-strike_ryuk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2336	2024-04-20_439d2ff28bab3b14b0b57f77920fd03b_cobalt-strike_ryuk.exe

memory/2336-0-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2336-1-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2336-7-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2336-8-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2336-10-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2336-12-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download