Overview

overview

7

Static

static

3

2024-05-21...uk.exe

windows7-x64

1

2024-05-21...uk.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 19:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-21_cae43b3b0f46e5ce313c67fecc91e66b_ryuk.exe

  • Size

    2.2MB

  • MD5

    cae43b3b0f46e5ce313c67fecc91e66b

  • SHA1

    8a68f980effe23f783b1758fbcce3d46029f1719

  • SHA256

    4246837bcfaed5915c5fd1a3b62016148559a06dbcf3db6b255c51b65900d71b

  • SHA512

    ea7daa5969e2c5e410f9d7af3c01a4f1c77ae2ab9a788945e081552c8d4e8b240bea8b4a0f3f5411be05ca00c28d8b9a553c902e27016af16d7113aeb1318c25

  • SSDEEP

    49152:VOOh3aN4kuLbegmtG7ksDM2jh3BqS7YtGL/Als:1U4ku/ctj6MMQS7kGLws

Score
7/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-21_cae43b3b0f46e5ce313c67fecc91e66b_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-21_cae43b3b0f46e5ce313c67fecc91e66b_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:5064
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    PID:1960
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4424
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:4896
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:3912
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:2304
    • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:2208
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:1092
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:3052
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4760

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
        Filesize

        2.2MB

        MD5

        19131b1037a8b76335bfac08ec25bbf5

        SHA1

        55f16122f60a6f06eab2150787bf0d647f8b938f

        SHA256

        3695e7eb5f8a7470511751aaf84da7d9853c06687bd1a15ecb997c325c5b37d6

        SHA512

        53e3088749829c1a1828e0027964d3ae0d8a93c6bb68e7383a0e8f3e599894667192479158719b57a9a14765a6635b342019178e9926729d31b59d1ee7824e4f

        Download Submit

      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
        Filesize

        1.4MB

        MD5

        0ba083a721edf0009f2fd2dc1df3cd9f

        SHA1

        1979cea9f215745239e651f3fdbba1c8f320d5e3

        SHA256

        35bf946f993243e4a95eba7451a95f14b1c5271204801af72a71a0917c58522d

        SHA512

        f528638d617853c5c32c2ab6125c17155dcbfdb3cc3e88696fda28bbc14f1badd38f942368985125b29c6303582a07d16392e0a167dfe69c46fcaa20536957c8

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
        Filesize

        1.4MB

        MD5

        921baed13177b0ad64dc82d0e76313d4

        SHA1

        a3292e11b496da6a412b0dbbd03e2ea355f377bd

        SHA256

        194fd544d3631492d455d8f4dd93e626756cfbceb2d5095462bc0ddbb629de47

        SHA512

        ae4127ec7e235a2726c6de5519a3a5a33365fb851e958edfc90fbcb57b41139f714e70505e362501205abf99983a576579b3dc2f82aad4b1526c0ad870b02521

        Download Submit

      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
        Filesize

        2.1MB

        MD5

        4ba33ef5933561f3e375a1bc720857eb

        SHA1

        fe538797baf2d600e260972c5f8693ac35b2c71b

        SHA256

        9c9e9ffbc757c97c77435b357ef783b27b906b2cdca70c01d9a30f5f11f89f25

        SHA512

        0918061a2934729016a03703605b8ff546d5af5b30e9a0858d0db28189f0a684309569b3a2c8f693953d8d42bd67ba5ed3daf369105eb84de8cabb4a32b2ede8

        Download Submit

      • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
        Filesize

        1.2MB

        MD5

        35eb6238237c56bbdfdd31254ec0c05e

        SHA1

        db8e71c2ee3466c563e136ef71662dcbb39edc4e

        SHA256

        33a41a281a9e7f3f4d93b026abc7351f26d81b22e278e66ad246ffcc8495ac2f

        SHA512

        2d9b5e70d6237bf7ce6a1a7323ac479f9bf54fc9da6071af11d77404c8774e98111cf659b791424f42c7508f3a8eac563ef3918bea6edc6a071a5b19b772b141

        Download Submit

      • C:\Windows\System32\FXSSVC.exe
        Filesize

        1.2MB

        MD5

        3ad42ea91365748361aae518a1730c84

        SHA1

        967670a75b4aea7434e9179100caab7548a4b909

        SHA256

        b66af08c47103bfd80ad5233495f7642df03e5f8abf73732cfe4e8081209b5c8

        SHA512

        26687e4d6c2e9ab29100f7dcc259aa66b5c9590518c36ead9bfc9b80748e84a9ecc90334d44b2a8a62058e983bdea86255bdcbe9b78090569825a4b76cb0d2fc

        Download Submit

      • C:\Windows\System32\alg.exe
        Filesize

        1.2MB

        MD5

        055ccf640d55075da33ad15b6dafbab1

        SHA1

        22b23629381bc70ba1caca39d8e297ec32703be3

        SHA256

        2a2e2b091c27916872c24bd0de4f7da2b89e53546c8934fd3de1fa28de4d192e

        SHA512

        bdb7073c9c19655ffb6cc8bcafa744983c64767f6809082f9a9ce5a0021281a05b69ece09e4b182cfd266186a0888c1b56fc5b73ed24b0626163f8a6fed1811d

        Download Submit

      • C:\Windows\system32\AppVClient.exe
        Filesize

        1.3MB

        MD5

        737043ef67e15f290e24a2b8c83af2ce

        SHA1

        b031e1d2de0167fd4aa67bd7d66abe98d83abec1

        SHA256

        42a50efdd53efece00d45c72e8ca9b86528fc9291283f506e72f4a618176e6fc

        SHA512

        0fece49fa86ccb922174b2e9f596219e010ecb6ecbd4c0dffce814995610eb0ced2ddb6599d45b759fca755b9aee8b6b25955225fbf108b49e3eaa66fd14b8e0

        Download Submit

      • memory/1092-74-0x0000000140000000-0x0000000140164000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1092-72-0x00000000015E0000-0x0000000001640000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1092-61-0x00000000015E0000-0x0000000001640000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1092-67-0x00000000015E0000-0x0000000001640000-memory.dmp

        Filesize

        384KB

        Download

      • memory/1092-69-0x0000000140000000-0x0000000140164000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1960-118-0x0000000140000000-0x0000000140143000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1960-13-0x0000000140000000-0x0000000140143000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2208-56-0x0000000000990000-0x00000000009F0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2208-205-0x0000000140000000-0x0000000140245000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/2208-58-0x0000000140000000-0x0000000140245000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/2208-50-0x0000000000990000-0x00000000009F0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2304-34-0x0000000140000000-0x0000000140237000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/2304-38-0x0000000000D50000-0x0000000000DB0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2304-195-0x0000000140000000-0x0000000140237000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/2304-44-0x0000000000D50000-0x0000000000DB0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3052-76-0x0000000000420000-0x0000000000480000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3052-82-0x0000000000420000-0x0000000000480000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3052-84-0x0000000140000000-0x0000000140169000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3052-212-0x0000000140000000-0x0000000140169000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3912-31-0x0000000140000000-0x0000000140135000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3912-30-0x0000000140000000-0x0000000140135000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4424-25-0x0000000140000000-0x0000000140142000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4424-26-0x00000000006B0000-0x0000000000710000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4424-17-0x00000000006B0000-0x0000000000710000-memory.dmp

        Filesize

        384KB

        Download

      • memory/5064-9-0x0000000000850000-0x00000000008B0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/5064-6-0x0000000140000000-0x0000000140248000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/5064-0-0x0000000000850000-0x00000000008B0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/5064-46-0x0000000140000000-0x0000000140248000-memory.dmp

        Filesize

        2.3MB

        Download