820cd3b78eaabe80f07bbf6c1f3358b9c341bc97f6d9c24f77c7fc7995c0fbf4

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 22:45

Target

2024-04-21_8ff9409566051964983f0a71f8265077_cobalt-strike_ryuk.exe
Size

946KB
MD5

8ff9409566051964983f0a71f8265077
SHA1

ee4be54a510ab54fe24699ba909a849e16dd686b
SHA256

820cd3b78eaabe80f07bbf6c1f3358b9c341bc97f6d9c24f77c7fc7995c0fbf4
SHA512

cd598d0a8514ea109ea4e060a4043a22f8f64b97fb921d9997081d79381faf08346b49db152d81754c807551c5cf7812982581256dc7efb28c19994f855c3c75
SSDEEP

12288:clLMLTHAXoUpkdJAdGyKmqmFrfBCgiw4bivhqGoj85sVPL5qw+DS:fTgnpwJ+R9qMrfUgYbkhqfj8uqw

Score

5^/10

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_8ff9409566051964983f0a71f8265077_cobalt-strike_ryuk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3000	2024-04-21_8ff9409566051964983f0a71f8265077_cobalt-strike_ryuk.exe

memory/3000-0-0x0000000002310000-0x0000000002370000-memory.dmp

Filesize
384KB

Download
memory/3000-7-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download
memory/3000-6-0x0000000002310000-0x0000000002370000-memory.dmp

Filesize
384KB

Download
memory/3000-9-0x0000000002310000-0x0000000002370000-memory.dmp

Filesize
384KB

Download
memory/3000-11-0x0000000140000000-0x00000001400F6000-memory.dmp

Filesize
984KB

Download