2e692319eed788934cb5c246d888e0aeed1a24cddd9d57e20e348d9f48fc6668

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-04-2024 09:49

Target

2024-04-23_28f0eacdd412e160d360cded8d80e3aa_ryuk.exe
Size

1.8MB
MD5

28f0eacdd412e160d360cded8d80e3aa
SHA1

efe62939546c877dd83adac18dbbb2f1e6ed9a50
SHA256

2e692319eed788934cb5c246d888e0aeed1a24cddd9d57e20e348d9f48fc6668
SHA512

5e29a10cc0c85b79efd3e8b12af4108a9badcb81548bc7fc79bdee880fdd7b21795e43a3f8a6071258147c39e892d0002bbf96453059453334620403dc66a490
SSDEEP

49152:FKfuPS3ELNjV7IZxEfOfOgwf0CgDUYmvFur31yAipQCtXxc0H:Om9sZxwgnU7dG1yfpVBlH

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
480	Process not Found
2504	alg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-23_28f0eacdd412e160d360cded8d80e3aa_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ca06871faad3ae89.bin	alg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2684	2024-04-23_28f0eacdd412e160d360cded8d80e3aa_ryuk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2912	2684	2024-04-23_28f0eacdd412e160d360cded8d80e3aa_ryuk.exe	28
PID 2684 wrote to memory of 2912	2684	2024-04-23_28f0eacdd412e160d360cded8d80e3aa_ryuk.exe	28
PID 2684 wrote to memory of 2912	2684	2024-04-23_28f0eacdd412e160d360cded8d80e3aa_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-23_28f0eacdd412e160d360cded8d80e3aa_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_28f0eacdd412e160d360cded8d80e3aa_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2684 -s 328
  2⤵
  PID:2912

\Windows\System32\alg.exe

Filesize
644KB

MD5
1376be27775cd64ac7a6f646b2b0eb35

SHA1
014ba2f2eadd7a0c65bdca528020350971d689e7

SHA256
6926168fe12d43cd09df6782753064ff1275657ec1dff50d20e9d92e79fd2931

SHA512
04327989a86d7083f971f971d6f8a0f23722889f39e8135de51fff4686af9a59bf419cbf14e3afa4a0b71fbb88e8469aa578fd3ec943e45b33bfa5bf708f2eb2

Download Submit
memory/2504-14-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2504-15-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2504-21-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2504-22-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2504-26-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2684-0-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download
memory/2684-1-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2684-7-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2684-8-0x00000000003F0000-0x0000000000450000-memory.dmp

Filesize
384KB

Download
memory/2684-25-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download