Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 15:30

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: 2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe
Resource: win7-20231129-en (windows7-x64)
3 signatures, 150 seconds
General

Target: 2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe
Size: 1.9MB
MD5: 3794ca78fa40e0d64a6669d1ae58e960
SHA1: d2764bbe4c05dcc371657ed67146aabb2d6afb54
SHA256: 9bbde51af15ab56a1a59819ceae6be37dbb90e41ccd0c0bd6a9b863ab6a7d70b
SHA512: d252ac49d6f3ebe2629ede05a830e460fff3603dbaa79cbdf0245188865fba466b41e64da45355aa3755f88d403714a339b2c68a6e3c7881b5ecc772137bf0f8
SSDEEP: 49152:Drt6hFYkN8qmlouFQDLNiXicJFFRGNzj3:v+N8qkQD7wRGpj3
Score: 5/10
Malware Config
Signatures

Drops file in System32 directory (1 IoC)
Processes:
  description: File opened for modification
  ioc: C:\Windows\System32\alg.exe
  process: 2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeTakeOwnershipPrivilege
  pid: 1684
  process: 2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes (description / pid / process / target process):
  PID 1684 wrote to memory of 2192 / 1684 / 2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe / WerFault.exe
  PID 1684 wrote to memory of 2192 / 1684 / 2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe / WerFault.exe
  PID 1684 wrote to memory of 2192 / 1684 / 2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe / WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_3794ca78fa40e0d64a6669d1ae58e960_ryuk.exe"
   - Drops file in System32 directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 1684 -s 220
Network
MITRE ATT&CK Matrix
Downloads
memory/1684-0-0x0000000001C30000-0x0000000001C90000-memory.dmp   Filesize: 384KB
memory/1684-9-0x0000000001C30000-0x0000000001C90000-memory.dmp   Filesize: 384KB
memory/1684-8-0x0000000140000000-0x0000000140205000-memory.dmp   Filesize: 2.0MB
memory/1684-12-0x0000000140000000-0x0000000140205000-memory.dmp  Filesize: 2.0MB