Analysis
max time kernel: 66s
max time network: 55s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted: 30-04-2024 23:21

Behavioral task: behavioral1
Sample: 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
Resource: win7-20231129-en
General
Target: 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
Size: 2.9MB
MD5: 0f199baaa2378448502c71cc553f0c45
SHA1: 58cae81efd680ab12624e4afdd36c996ec7ebdf8
SHA256: 06eeea67da42a6fc54b4f0dc845dba6e86dbc967491741d559506871cb06086b
SHA512: 5cdfff0aa550d1d0f8713ab444b1337b1025dfaa3d33beea29a996c27fe7ce1ac3ae694e5bca024f77277612b14c874229086681d94fbeb480c6d4f236ea2394
SSDEEP: 49152:/xziQCveAr+JfGTr25Ohf2s8n/QDHT4TgjIgrajGlkI08:liPveO+QTrp2sLjT49grvOI0
Malware Config
Extracted
Family: stealc
C2: http://89.105.201.132
url_path: /c44a765f550f6a2f.php
Signatures

Suspicious use of SetThreadContext (1 IoCs)
description                           pid   Process                                                  procid_target
PID 1416 set thread context of 3592   1416  2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe     85

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
1416  2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
1416  2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
3592  cmd.exe
3592  cmd.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
pid   Process
1416  2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
3592  cmd.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                           pid   Process                                                  procid_target
PID 1416 wrote to memory of 3592      1416  2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe     85
PID 1416 wrote to memory of 3592      1416  2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe     85
PID 1416 wrote to memory of 3592      1416  2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe     85
PID 1416 wrote to memory of 3592      1416  2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe     85
PID 3592 wrote to memory of 3188      3592  cmd.exe                                                  91
PID 3592 wrote to memory of 3188      3592  cmd.exe                                                  91
PID 3592 wrote to memory of 3188      3592  cmd.exe                                                  91
PID 3592 wrote to memory of 3188      3592  cmd.exe                                                  91
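Read together, the SetThreadContext and WriteProcessMemory signatures describe a single injection chain: the sample (PID 1416) writes into a freshly started cmd.exe (PID 3592) and then resets that process's thread context, which is the write-payload-then-redirect-thread pattern of process hollowing or thread hijacking; cmd.exe in turn writes into explorer.exe (PID 3188). The Python below is an added example, not part of the sandbox report or of any sandbox vendor's tooling. It parses the report's own event lines (copied verbatim from the signatures above), collapses them into injector-to-target edges, flags the pairs where both a memory write and a thread-context change were observed, and follows the edges from the sample's PID to recover the full chain. The line format assumed by the regular expression and the `hollowing_candidates` rule are this example's assumptions about how the report flattens its tables, not a documented API.

```python
"""Reconstruct a process-injection chain from flattened sandbox signature lines.

Added example; the event lines are copied from the report's Signatures section,
everything else (line format assumption, edge model, hollowing rule) is ours.
"""
import re

# Event lines exactly as the report flattens them:
#   "PID <src> <action> <dst> <pid> <image> <procid_target>"
# Copied from the SetThreadContext and WriteProcessMemory signatures above.
EVENTS = """
PID 1416 set thread context of 3592 1416 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe 85
PID 1416 wrote to memory of 3592 1416 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe 85
PID 1416 wrote to memory of 3592 1416 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe 85
PID 1416 wrote to memory of 3592 1416 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe 85
PID 1416 wrote to memory of 3592 1416 2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe 85
PID 3592 wrote to memory of 3188 3592 cmd.exe 91
PID 3592 wrote to memory of 3188 3592 cmd.exe 91
PID 3592 wrote to memory of 3188 3592 cmd.exe 91
PID 3592 wrote to memory of 3188 3592 cmd.exe 91
"""

# Assumed line layout (see module docstring); the image name contains no spaces here.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<procid>\d+)$"
)


def parse_events(text):
    """Turn each report line into a dict with src/dst PIDs, API name and injector image."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised event line: {line!r}")
        api = "SetThreadContext" if m["action"].startswith("set") else "WriteProcessMemory"
        events.append({"src": int(m["src"]), "dst": int(m["dst"]),
                       "api": api, "image": m["image"]})
    return events


def injection_edges(events):
    """Collapse events into {(src_pid, dst_pid): {image, writes, set_context}}."""
    edges = {}
    for ev in events:
        e = edges.setdefault((ev["src"], ev["dst"]),
                             {"image": ev["image"], "writes": 0, "set_context": False})
        if ev["api"] == "WriteProcessMemory":
            e["writes"] += 1
        else:
            e["set_context"] = True
    return edges


def hollowing_candidates(edges):
    """Pairs where the injector both wrote the target's memory and changed its
    thread context: the combination that characterises hollowing/thread hijacking.
    A write alone (as on the cmd.exe -> explorer.exe hop in this report) is not
    enough for this rule, so it is reported separately by injection_chains."""
    return sorted(k for k, e in edges.items() if e["writes"] > 0 and e["set_context"])


def injection_chains(edges, root):
    """Follow injector->target edges from `root`, returning every maximal PID chain."""
    chains = []

    def walk(pid, path):
        nxt = [d for (s, d) in edges if s == pid and d not in path]  # no cycles
        if not nxt:
            chains.append(path)
        for d in nxt:
            walk(d, path + [d])

    walk(root, [root])
    return chains


if __name__ == "__main__":
    edges = injection_edges(parse_events(EVENTS))
    print("hollowing candidates:", hollowing_candidates(edges))
    print("chains from sample:", injection_chains(edges, 1416))
```

On this report the rule flags only the first hop (1416 to 3592): the second hop into explorer.exe shows four WriteProcessMemory calls but no SetThreadContext, so the script lists it in the chain without calling it hollowing. The MapViewOfSection signature is not attributed to a source/target pair in the report, so it contributes no edge; a real detection would join it on the same child PID to strengthen the verdict.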
Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-30_0f199baaa2378448502c71cc553f0c45_ryuk.exe"
  PID: 1416
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\SysWOW64\cmd.exe
    PID: 3592
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      PID: 3188
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 829KB
MD5: c51a2b61187e792051d9a68757dbc0f1
SHA1: bf3c9fe31460dbbdd3964d66af3a3b6eae674799
SHA256: 48a57aefb468d2b73771d5bae7e364e23d0f5ee633ffcaf139b7d46c766beec8
SHA512: 1108fccdad0f7512e97ad647abec4323442eb1ca430f9a2f34b5b320b59d1fe9ef2dbae91be0875c0e76148e43afeb4b473682c7c5d2f3fdf744e5439cb16f82