1a842bb17cfa107129ab512f57bfcae04184e0c45eca854851e6c90f78ca1c96

Analysis

max time kernel
153s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 11:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe
Size

1.8MB
MD5

36c38f539c1c6a730ca4f57a89fb9263
SHA1

6612ed380911cdd2f88e1c0d00b63c388352c513
SHA256

1a842bb17cfa107129ab512f57bfcae04184e0c45eca854851e6c90f78ca1c96
SHA512

230fbdabcdb20c35f560c71bbe3024dff0e31a970ea2ea251372b794908c30a305acd5b9ceabc34c3b54145500deb97b55c54dafb22482eaf4f10b4718210f5a
SSDEEP

49152:TKfuPS3ELNjV7IZxEfOfOgwf0R/snji6attJM:Am9sZxwghEnW6at

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
1100	alg.exe
3432	DiagnosticsHub.StandardCollector.Service.exe
4892	fxssvc.exe
1840	elevation_service.exe
4628	elevation_service.exe
2492	maintenanceservice.exe
1472	OSE.EXE

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f6855aaab3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2548	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe
Token: SeAuditPrivilege	4892	fxssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3380	2548	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe	95
PID 2548 wrote to memory of 3380	2548	2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe	95

C:\Users\Admin\AppData\Local\Temp\2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_36c38f539c1c6a730ca4f57a89fb9263_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2548 -s 632
  2⤵
  PID:3380

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1100

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2088

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4628

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2492

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
1b04ff2d8f3db4be8b9da7159da04f45

SHA1
eca70543ac9d9c837c7c95f325c2bb4fadb582ce

SHA256
1b1b8172a25d051b2cba0681d2ed6596aeef28cadb5a60e976ced6ce3abf146b

SHA512
ddc94e2850ba7df6ce08d17442add105a0849881a64fad0f0b07918139b430f9114c6ae6d9b07291fe35acb106dda1b71c75f233b45b2c2b58e2083f39177bf9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
8305f3e746f098fd0937152ba4f79ceb

SHA1
8966bd6b478e8a48cce4959f06763039c0b677c3

SHA256
25ec0c6b0653b4019e963ad059ff79ca99760ad4e377c221cbff2368d306125a

SHA512
7b2d1ef9d8efca149d39a4e9895bec13df6128b7b6fc5f3a93c86a414ecfbf8e2c95c6c47c55ac4f9d5ecc67fa3da16a1a2d257e2987cc78f676860c97bbed2d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
bc5c8c1f970b1155a07385a4853352eb

SHA1
79b21d28e594022d4ce59ebb4cfa5646a6b53ef4

SHA256
248eed0c47356779efad8b0039e6225affc798bef32b5a033fae2191920a8699

SHA512
95dca1442aa911d1cad300260fb8a9e6ffaa4b0e63172278f1c8f394a617933112f5eee227913bb1c68b231d00e385160e255501e728382efefcc4719d4d0749

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7dc87d9157967dcc5224d522cd361c3d

SHA1
b83684e4b0343b15338bb017734e9f6f56773068

SHA256
7e84aec920b72ca35ac1fea6a1dba328e4cc8b8e84c81697d69ea9f90c85a608

SHA512
1e07e68e4504e456dae4f7110f95f6242bf8da242a72a8eb4c1d43188eeb0f73a70b7459575e380fdcd1336e29a1c9acf054679ffe27fcc518d3c7ab40b4c0ac

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7ccda88552cb10039a55dcf58834efa0

SHA1
5ea2cea7967a932821440c4af6a7f93b4bb93669

SHA256
ce354c08638323515c205e69c7bfe816eced482d708703f88af9ba1a50d9dac7

SHA512
7561401002b27bf0ac1da85a3cfcfe84560aeed2ed3a4752e67a0c639ba4c40bbf883ce17db3d02195d943f152ee19753c6e9af9ea3065c3dbff04a91a8c7885

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8d4f891737ef409117dd1b1a23a20bc9

SHA1
dc69e72dab7bd07ce0cb699c0cca7801a320c5fa

SHA256
131fecdb1e6467db1695c13279f1191509aba035a5a1cb9edf4c8120fc51c171

SHA512
7f556a14f585903800f511b1b03a5b30490fcf572d64e5fdadd01e7a8d7b010f0444729b65d470b05be995ef249c7760a853fd7b2f68d988aa35d5e07cb34389

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7c0a5f1d28a183fa5c89bed43c2391ca

SHA1
2ad55af2865b53a4b691e5812c0a4d855b8069c6

SHA256
6a02d1340874c6b040aa432de9b337aa82272bcea4aa139d8d69680f8e663a50

SHA512
ba88cee94d158f3a47dfcbab2de933c77f183632ea8c70772ddaffe213eb1f08af56ac4ba0c459865b4afc680fea2c62b856eec9cdd1ee3a241d8b8d2a91603e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1241721e583ccba9915b611e5d94d2e3

SHA1
c3a691ead968d3cb94a2ff01fdce26431f7bffc5

SHA256
9d0282608d435b9b3509a6b6ef82f5936af9d9b1ee121b583806c4520eaafabe

SHA512
7b3219f43a3d934eb7af68463f11e046c77b41c30df0d2cc31b91a014f83441b427ab7442fa03de726ffce69ee583bd5f1e0d10a8a1cefaf5f3d53bb26c9f5ae

Download Submit
memory/1100-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1100-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1100-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1100-60-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1472-98-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1472-97-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1472-106-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1472-175-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1840-52-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1840-63-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1840-59-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1840-53-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2492-83-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2492-82-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2492-94-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2492-92-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2492-89-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2548-68-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download
memory/2548-1-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/2548-7-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/2548-0-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download
memory/2548-45-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download
memory/3432-62-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3432-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3432-25-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3432-32-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3432-33-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4628-70-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4628-78-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4628-71-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4628-124-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4892-44-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4892-48-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4892-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4892-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4892-38-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download