Overview

overview

7

Static

static

3

2024-04-22...uk.exe

windows7-x64

1

2024-04-22...uk.exe

windows10-2004-x64

Analysis

  • max time kernel
    82s
  • max time network
    85s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/04/2024, 11:51

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-22T11:53:29Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_28-dirty.qcow2\"}"
Report Analysis Logs

General

  • Target

    2024-04-22_e7307e22e6e60efb1fd84b991d025fc5_ryuk.exe

  • Size

    2.2MB

  • MD5

    e7307e22e6e60efb1fd84b991d025fc5

  • SHA1

    3917ceda7bb300564a2c6344cad7e8786ef29a0a

  • SHA256

    e62da17620e8d25068ae4ce3be665a30aef832aca31186c758585322986e964a

  • SHA512

    fe0f0ebdb7a5654bd054d91bb712eda1055c9bcbd4d12b6d5eba89c82c821fa14c1b28de1930dcd67f09281a0bba861b20f491aba07d272a8f78ad11ca69ce67

  • SSDEEP

    49152:VNl7soq7sQCc1kyG2xHywRfHIO2Ts4bvDTblI7a8K2mFhbrr:dD2311kaxp9qXlI7K2mF9

Score
7/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 16 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 18 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-22_e7307e22e6e60efb1fd84b991d025fc5_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-22_e7307e22e6e60efb1fd84b991d025fc5_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3284
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1448
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3200
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:4372
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:3308
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:1244
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:4312
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:212
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4972
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:4524
    • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      1⤵
      • Executes dropped EXE
      PID:4800
    • C:\Windows\SysWow64\perfhost.exe
      C:\Windows\SysWow64\perfhost.exe
      1⤵
      • Executes dropped EXE
      PID:4400
    • C:\Windows\system32\locator.exe
      C:\Windows\system32\locator.exe
      1⤵
      • Executes dropped EXE
      PID:404
    • C:\Windows\System32\SensorDataService.exe
      C:\Windows\System32\SensorDataService.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:2528
    • C:\Windows\System32\snmptrap.exe
      C:\Windows\System32\snmptrap.exe
      1⤵
      • Executes dropped EXE
      PID:1276
    • C:\Windows\system32\spectrum.exe
      C:\Windows\system32\spectrum.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:4232
    • C:\Windows\System32\OpenSSH\ssh-agent.exe
      C:\Windows\System32\OpenSSH\ssh-agent.exe
      1⤵
      • Executes dropped EXE
      PID:4436
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
      1⤵
        PID:792
      • C:\Windows\system32\TieringEngineService.exe
        C:\Windows\system32\TieringEngineService.exe
        1⤵
        • Executes dropped EXE
        PID:4300

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
              Filesize

              2.1MB

              MD5

              785742f727ec569712a1cf0b0faf3372

              SHA1

              5a6dadff49e92f310b3dae7c178332e0cc0f3898

              SHA256

              07bc0ca213cc159ed7bcd681f010e1b33821dadc7b7cbb3e0672acb4f8ac9c73

              SHA512

              df4537e0720f1a8bfaee4cf90a6ea31418eb6b18e3b19bac02c299a3f2c524a01dd5a1222d83498bdb5a1de86b68b48369f4fdebf738d1f8b48b680e848dfe9b

              Download Submit

            • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
              Filesize

              1.4MB

              MD5

              5a6f66a8b1b1e8a854e655635b70ca24

              SHA1

              015ce46c03a5d7a7cbbeb2fa915fe336f0836a8b

              SHA256

              74c035f56b3447116327a35a85d65df1b16dfd3445f1f3f17f9a2bbfc60efbb8

              SHA512

              090307a7c2884905ea62e6ebcc1ab80c5aa3ee89ef5254069fbf11724bd789ac51ce7038a32c27a7d4296bd250848584526a267bafac5a24a8366fd77a6e02c6

              Download Submit

            • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
              Filesize

              1.4MB

              MD5

              ed180bf757568a95d88d49cd3d73994a

              SHA1

              64f4e5cecb3e67626528502a4f720558c4e03802

              SHA256

              8e4074138aa93191f5028998e448d3f180434f1f9e8d6ee870ed5d0bcd122601

              SHA512

              fa3a9e1c94a033b673db24913aadf694508f412447fd1911f9b5ca0d3a742b9f6b9207251c1b46e8cb44e968dc1a962bf3069ea60c04ed031812fce1d4f47fc3

              Download Submit

            • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
              Filesize

              2.2MB

              MD5

              1ba913622d6e9ee490b6e8f8a2109f26

              SHA1

              e73080cf02985c6b5fe057be664933c3c690c059

              SHA256

              1255de9f9d5679ec4ddbdc9da332e8698a47c852602c80cf72da1d3d8d819422

              SHA512

              539a795365ff6795ad5970261404355b00aacdd660ce10cf59d1708ca88dfeea2c425656b15b34cf3c41a119ef557810a38db3b1081245d54ac4a199a512b7f7

              Download Submit

            • C:\Windows\SysWOW64\perfhost.exe
              Filesize

              1.2MB

              MD5

              6317ff1eafbb62df64ceba05e73c176e

              SHA1

              933652de163d17b10ef6d50d04fd9e7463b02c5e

              SHA256

              6816d73fb6af8ca27e1c171010d7494ea65f4e58ab747e6603350dc6d75d601e

              SHA512

              98a63db5d58c2dff6d8f69e9926628986187a8f05cec9c93531a5b1aee2d47f610081aaa50e9ea6fb8489a7dfbd92abb9b642fc4764866fdfd33c61b83cafb5a

              Download Submit

            • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
              Filesize

              1.3MB

              MD5

              47fad994907d0fd60523553aeba1b138

              SHA1

              9c81ec78c1767c325c099cb422e8609d5741c8af

              SHA256

              f339449b684c7044f928196a4f521472136d22267bc72f250e112f78ab0fad44

              SHA512

              6997aefdb3daef6d16fa9fc84481b261089056926191186d462853a3526922dcfc83679e964809da94b07841108ab64bbfdb86aac975970768d2d1f987316e8c

              Download Submit

            • C:\Windows\System32\FXSSVC.exe
              Filesize

              1.2MB

              MD5

              83c4726f4b6ea9f5bb27eb19157e8da3

              SHA1

              3f652c3d747553561cf2ec260ef20e81cf738153

              SHA256

              bddb29de00cf24a76fb21873e7f07d53935c988338fa285fe0c1287dfa7a484c

              SHA512

              afa4dc42f16a8b9ce4c493ce51374b1a290460497d66cbff448a877c9fa61cfcde3e6ceaa5cc02e27d1fa5652be633a00595ff3ee8f7c101ede5563b731e8628

              Download Submit

            • C:\Windows\System32\Locator.exe
              Filesize

              1.2MB

              MD5

              97d641c7b1dcab244d2a4207ff365033

              SHA1

              ec7d03180bf29b0f93de0d8a97df47c9b531be89

              SHA256

              48c250da80c19759485260149d62889a8cb3b75eee95922859bf96b6d053a364

              SHA512

              b739f13ccf18bb51d1423a4197895cca8f4e7fb8d2065a4dd8cac73184e7b32bdd56baadbdb12ea13aeaa0473c131148563db8096bcc8a15d3e06c493313b31f

              Download Submit

            • C:\Windows\System32\OpenSSH\ssh-agent.exe
              Filesize

              1.6MB

              MD5

              806cfd6ae2bbe30b32f130a6317dc851

              SHA1

              261469df015132f31e6a08c7b98da71fbf11854b

              SHA256

              ac084bf06d7341db51c862ea2e4e8a6ca9eb8ddfd61c0df5494bae97ef3e2b07

              SHA512

              228644c80da14ab5ee6de92419bb30a2129fcc75ab236eb3b78314f75d98c140c0f546ca7a9e21acb2a074ed14d624bda36806f8b2bf547f2553b4cd2e1cdbc6

              Download Submit

            • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
              Filesize

              1.3MB

              MD5

              25616cb633dada5ef298eeb91d43493b

              SHA1

              d4a4e7d40f55271a9fb383cc4fc24af61241f9b2

              SHA256

              9c73fb74fface26e2b298d677a6a1e9f3c7beea56c08202a0aab62c7d03a0531

              SHA512

              54b53470d1c569f4e70e9074e9abf76dff122020fe49ea3d2640a0f85bf0debb6239b1f2969462be933fcdb43d7a2d770260ef4e206513709d72690bed6ea549

              Download Submit

            • C:\Windows\System32\SensorDataService.exe
              Filesize

              1.8MB

              MD5

              46c81476b451e12a3113a96912b28148

              SHA1

              89fe9a586afd3dd4a45bc19b733f4011e79dfa49

              SHA256

              e8d308ef70b385482e213d0947eeffe3932ffdfd35698506c85b2e06b6dbb3da

              SHA512

              365438380506cc0df16b1d2ec570ad16de822b0b622d46f32fa684634c4d1616516cbd85b2e82824385d4f6e0aaccc21e33597ac1f65b9151d6468972f0d6a89

              Download Submit

            • C:\Windows\System32\Spectrum.exe
              Filesize

              1.4MB

              MD5

              3eb4432a17a8427edd0cbb87751d155b

              SHA1

              3c16397b51ac3a137747adfc7f0ac89b4e044d00

              SHA256

              48b9072ccb694a305139f50c59bcd06a1bc1219ccf4a63fb3a039d806b36c649

              SHA512

              54a0268f7f5f8732a9f6862eb301d437ad11442a9ff96a3ab3600ecc99e341aeeaef7f03cc9344922699205da274049300b3013d0edee6ca1f795c5bf19907b5

              Download Submit

            • C:\Windows\System32\TieringEngineService.exe
              Filesize

              1.5MB

              MD5

              b7db0df6ac58f4b012b80afee6a4ca8b

              SHA1

              b94d417f1f4a6fd7a078ea0e396f0e1c796c9e98

              SHA256

              4192a19cbe859c2296393e41381492fedd411d1644c91852d04de58882ce7ad1

              SHA512

              9299fc72476287d6b5384c6498daf64f93eb84ea964d04b031a84069b1c7e7bfb505bf8613c401957f940eaa1992faaf45c88960fe3d623f2c8575f9b7d32915

              Download Submit

            • C:\Windows\System32\alg.exe
              Filesize

              1.3MB

              MD5

              14b9f9f308d54487196627cd27c268a7

              SHA1

              7e95b2b2befa00f5faaf17e9ec61155ec498ff10

              SHA256

              870383397903db49bb24eb04a148ef3ebd7cbf547ff150cacb2d236ac3561080

              SHA512

              29ad3499804307becd4fabb562f99db7923d735e6f05b20d4acd8862abab02e7d9b161ea6d12aa54e07b16f5dce7b4c13a9d813ec9a371559dd6b4f660c6fbe5

              Download Submit

            • C:\Windows\System32\msdtc.exe
              Filesize

              1.3MB

              MD5

              ad07d1aea777c13db441602de5f485d1

              SHA1

              27a742838a7a7213597e9242f1fb70e01c19eb92

              SHA256

              9614651d4053141f3534c6a6a00ccec4c80a9b6641a0e8e2fee16b0dfb6bbdd5

              SHA512

              55d271b7a6d0a14d5e4ec5c8722760be50eca138d710d66a47b541f6332f2c43084adae81c2fdbe29720f871a8a3820cd47f3b84a2f95ee856fd28f49f66f967

              Download Submit

            • C:\Windows\System32\snmptrap.exe
              Filesize

              1.2MB

              MD5

              c0c1e6f0bcf51024066049a00762afd9

              SHA1

              d58d984614b65d26a1ad77b8d822bbb21b03a2d1

              SHA256

              d6ba0d8c14687c078e2dc75e4d33eba7114ddcf8b0b50c0bb6134b69aac4a652

              SHA512

              8a6c8fda92b1394ec28ae8f56f27be84f60bcee9422883bbb975a7dcd06dfaef7898945e41281168af84ecbcab28d2283519d419f461c73c00001ec50f3f4ff9

              Download Submit

            • memory/404-303-0x0000000140000000-0x00000001401D8000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/404-311-0x00000000007C0000-0x0000000000820000-memory.dmp

              Filesize

              384KB

              Download

            • memory/404-367-0x0000000140000000-0x00000001401D8000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/1244-236-0x0000000140000000-0x0000000140212000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/1244-65-0x0000000140000000-0x0000000140212000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/1244-64-0x00000000004F0000-0x0000000000550000-memory.dmp

              Filesize

              384KB

              Download

            • memory/1244-71-0x00000000004F0000-0x0000000000550000-memory.dmp

              Filesize

              384KB

              Download

            • memory/1276-337-0x0000000000740000-0x00000000007A0000-memory.dmp

              Filesize

              384KB

              Download

            • memory/1276-328-0x0000000140000000-0x00000001401D9000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/1448-22-0x00000000006E0000-0x0000000000740000-memory.dmp

              Filesize

              384KB

              Download

            • memory/1448-225-0x0000000140000000-0x00000001401ED000-memory.dmp

              Filesize

              1.9MB

              Download

            • memory/1448-16-0x0000000140000000-0x00000001401ED000-memory.dmp

              Filesize

              1.9MB

              Download

            • memory/1448-15-0x00000000006E0000-0x0000000000740000-memory.dmp

              Filesize

              384KB

              Download

            • memory/2528-322-0x00000000004E0000-0x0000000000540000-memory.dmp

              Filesize

              384KB

              Download

            • memory/2528-377-0x0000000140000000-0x00000001401D7000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/2528-314-0x0000000140000000-0x00000001401D7000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/3200-34-0x0000000000810000-0x0000000000870000-memory.dmp

              Filesize

              384KB

              Download

            • memory/3200-27-0x0000000000810000-0x0000000000870000-memory.dmp

              Filesize

              384KB

              Download

            • memory/3200-232-0x0000000140000000-0x000000014024B000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/3200-28-0x0000000140000000-0x000000014024B000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/3284-14-0x0000000140000000-0x0000000140247000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/3284-0-0x0000000000710000-0x0000000000770000-memory.dmp

              Filesize

              384KB

              Download

            • memory/3284-10-0x0000000000710000-0x0000000000770000-memory.dmp

              Filesize

              384KB

              Download

            • memory/3284-7-0x0000000000710000-0x0000000000770000-memory.dmp

              Filesize

              384KB

              Download

            • memory/3284-1-0x0000000140000000-0x0000000140247000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/3308-49-0x0000000140000000-0x0000000140212000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/3308-50-0x00000000015E0000-0x0000000001640000-memory.dmp

              Filesize

              384KB

              Download

            • memory/3308-56-0x00000000015E0000-0x0000000001640000-memory.dmp

              Filesize

              384KB

              Download

            • memory/3308-59-0x00000000015E0000-0x0000000001640000-memory.dmp

              Filesize

              384KB

              Download

            • memory/3308-63-0x0000000140000000-0x0000000140212000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/4232-350-0x00000000007F0000-0x0000000000850000-memory.dmp

              Filesize

              384KB

              Download

            • memory/4232-340-0x0000000140000000-0x0000000140169000-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/4300-376-0x0000000000880000-0x00000000008E0000-memory.dmp

              Filesize

              384KB

              Download

            • memory/4300-369-0x0000000140000000-0x0000000140225000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/4312-241-0x0000000140000000-0x00000001401EC000-memory.dmp

              Filesize

              1.9MB

              Download

            • memory/4312-309-0x0000000140000000-0x00000001401EC000-memory.dmp

              Filesize

              1.9MB

              Download

            • memory/4312-242-0x00000000004C0000-0x0000000000520000-memory.dmp

              Filesize

              384KB

              Download

            • memory/4312-249-0x00000000004C0000-0x0000000000520000-memory.dmp

              Filesize

              384KB

              Download

            • memory/4372-39-0x0000000140000000-0x000000014022B000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/4372-233-0x0000000140000000-0x000000014022B000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/4372-45-0x00000000001A0000-0x0000000000200000-memory.dmp

              Filesize

              384KB

              Download

            • memory/4372-38-0x00000000001A0000-0x0000000000200000-memory.dmp

              Filesize

              384KB

              Download

            • memory/4400-363-0x0000000000400000-0x00000000005DA000-memory.dmp

              Filesize

              1.9MB

              Download

            • memory/4400-298-0x0000000000400000-0x00000000005DA000-memory.dmp

              Filesize

              1.9MB

              Download

            • memory/4436-364-0x0000000000830000-0x0000000000890000-memory.dmp

              Filesize

              384KB

              Download

            • memory/4436-354-0x0000000140000000-0x0000000140245000-memory.dmp

              Filesize

              2.3MB

              Download

            • memory/4524-335-0x0000000140000000-0x00000001401FC000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/4524-270-0x0000000140000000-0x00000001401FC000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/4524-278-0x0000000000DA0000-0x0000000000E00000-memory.dmp

              Filesize

              384KB

              Download

            • memory/4800-348-0x0000000140000000-0x00000001401EE000-memory.dmp

              Filesize

              1.9MB

              Download

            • memory/4800-294-0x0000000000590000-0x00000000005F0000-memory.dmp

              Filesize

              384KB

              Download

            • memory/4800-286-0x0000000140000000-0x00000001401EE000-memory.dmp

              Filesize

              1.9MB

              Download

            • memory/4972-253-0x0000000140000000-0x0000000140135000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4972-254-0x0000000000D70000-0x0000000000DD0000-memory.dmp

              Filesize

              384KB

              Download

            • memory/4972-263-0x0000000000D70000-0x0000000000DD0000-memory.dmp

              Filesize

              384KB

              Download

            • memory/4972-267-0x0000000140000000-0x0000000140135000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4972-268-0x0000000000D70000-0x0000000000DD0000-memory.dmp

              Filesize

              384KB

              Download