1a842bb17cfa107129ab512f57bfcae04184e0c45eca854851e6c90f78ca1c96

Analysis

max time kernel
147s
max time network
154s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
21-04-2024 11:03

Target

2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe
Size

1.8MB
MD5

36c38f539c1c6a730ca4f57a89fb9263
SHA1

6612ed380911cdd2f88e1c0d00b63c388352c513
SHA256

1a842bb17cfa107129ab512f57bfcae04184e0c45eca854851e6c90f78ca1c96
SHA512

230fbdabcdb20c35f560c71bbe3024dff0e31a970ea2ea251372b794908c30a305acd5b9ceabc34c3b54145500deb97b55c54dafb22482eaf4f10b4718210f5a
SSDEEP

49152:TKfuPS3ELNjV7IZxEfOfOgwf0R/snji6attJM:Am9sZxwghEnW6at

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
476	Process not Found
2144	alg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\de03932256fe8faa.bin	alg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2348	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2852	2348	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe	28
PID 2348 wrote to memory of 2852	2348	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe	28
PID 2348 wrote to memory of 2852	2348	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2348 -s 340
  2⤵
  PID:2852

\Windows\System32\alg.exe

Filesize
644KB

MD5
f98f48726f96bc1b0a8c4afe8e399e65

SHA1
cb7354fc81b6f30ca36a4d9e7bd04401f1bdbfc2

SHA256
c94c74fc54e9575d6183bf14be09b0d2e026842162bee03f64da0372936e9be6

SHA512
f3a90c28349a1ad12122742ac46af0b128bf21d35b618dda882fe48376faf41ba90935ff596102772769231a7952150430e9b7c5671771e989867e8c20ad2704

Download Submit
memory/2144-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2144-15-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2144-21-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2144-25-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2348-0-0x0000000001C20000-0x0000000001C80000-memory.dmp

Filesize
384KB

Download
memory/2348-1-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download
memory/2348-7-0x0000000001C20000-0x0000000001C80000-memory.dmp

Filesize
384KB

Download
memory/2348-8-0x0000000001C20000-0x0000000001C80000-memory.dmp

Filesize
384KB

Download
memory/2348-24-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download