5437ce490adf0457d1cc89169737421d34a4679a1714e99ed1f323bec2867a8a

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-04-2024 12:19

Target

2024-04-21_8cd4c1801bc0fc123d7ee3d7d92d321d_ryuk.exe
Size

1.7MB
MD5

8cd4c1801bc0fc123d7ee3d7d92d321d
SHA1

f49a83531f7d089997eb417a16259ea4348aca4b
SHA256

5437ce490adf0457d1cc89169737421d34a4679a1714e99ed1f323bec2867a8a
SHA512

f7a92526fc9758d434081f7fd0dc6757c2058263265101bc5a8431e28badf399e2dd27a4823e4e45a18a177680efc9a38cf78455ea06000ddb13fe600d857f36
SSDEEP

24576:g4fE5tzcTDpuJn8NMHcyUQAobb0QvqUC1SkQ/7Gb8NLEbeZ:g4f65cTlG8NMHcn3obb0PwkQ/qoLEw

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
480	Process not Found
3036	alg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_8cd4c1801bc0fc123d7ee3d7d92d321d_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\24d8986f78a61a12.bin	alg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2372	2024-04-21_8cd4c1801bc0fc123d7ee3d7d92d321d_ryuk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2772	2372	2024-04-21_8cd4c1801bc0fc123d7ee3d7d92d321d_ryuk.exe	28
PID 2372 wrote to memory of 2772	2372	2024-04-21_8cd4c1801bc0fc123d7ee3d7d92d321d_ryuk.exe	28
PID 2372 wrote to memory of 2772	2372	2024-04-21_8cd4c1801bc0fc123d7ee3d7d92d321d_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-21_8cd4c1801bc0fc123d7ee3d7d92d321d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_8cd4c1801bc0fc123d7ee3d7d92d321d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2372 -s 272
  2⤵
  PID:2772

\Windows\System32\alg.exe

Filesize
644KB

MD5
7c46ac845f89086d222168cf12dcddc0

SHA1
1b13d5c31700b83aea5215ebdd19944e94464aea

SHA256
1517bcc1745a0f82a6115b7a1288e5185069002c89fe5a9e28527d89c7989389

SHA512
c61bb726dc7b8d5cd08c0adb04ec023a62683b4c74412db10b836106a30c4e12d5149915162ef3c639ac70900f4e73d61543db2813fdc2556a433185fc26d017

Download Submit
memory/2372-0-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/2372-1-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/2372-7-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/2372-8-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/2372-25-0x0000000140000000-0x00000001401CF000-memory.dmp

Filesize
1.8MB

Download
memory/3036-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/3036-15-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3036-21-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3036-22-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3036-26-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download