Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 02:41

Behavioral task: behavioral1
Sample: 2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
Resource: win10v2004-20240508-en
General

Target: 2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
Size: 6.2MB
MD5: f4557af937f454b597e693045e8525cf
SHA1: b2971ee1202d3e13a6bc69bd749c5e0f2c3e858b
SHA256: 64ecc2284bcab43839a648c3dd87738a466c8585bcb48a1db43bd27c0409d1b9
SHA512: 9547367ee0009f8998a0d5f69df832ca88bcda62314d088a04a95228ba163d91bebd1ebcd5cc4d2f5601775f823886a0711e6b039608db951ada6109c4a0061b
SSDEEP: 196608:ZdfuVh+MESeE3L+ZhMBevDdep0Y+s9gQ3SEhO5swtM4:rc+bE3LtUDg6s9gQiuh
Malware Config

Extracted family: cobaltstrike
watermark: 305419896
C2: http://139.155.91.159:21001/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2

access_type: 512
beacon_type: 2048
host: 139.155.91.159,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2
http_header1:
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAIAAAAAgAAAAhQUkVGPUlEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAIAAAAAgAAABJVPTc3OWI2NGUxYTdlZDczN2EAAAACAAAACFBSRUY9SUQ9AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1: GET
http_method2: POST
maxdns: 255
polling_time: 10000
port_number: 21001
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCC0aD/3GAGXABkhh4WDvMbkoKUca7rtzyTXMhBNZVxo/8zOJ7XId+DTCh8r7lvAbfHfjKuMNk0dPFM4phzgmzoA012/2Y/Vdn+raT3fDQapCICpDCYZWEucKwjLOfD43A556FEv3a5kVEiE4tc+vsSaPJw0cXnhtuMnmxERXpVRwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4096
unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 305419896
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Detects Reflective DLL injection artifacts (1 IoC)
resource: behavioral2/memory/1520-74-0x00000263A9D60000-0x00000263A9DA0000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_ReflectiveLoader

Loads dropped DLL (8 IoCs)
pid 1520, process 2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe (8 identical entries)

Adds Run key to start application (2 TTPs, 1 IoC)
process: powershell.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe"

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 3264, process powershell.exe (2 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: 35, pid 1520, process 2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
Token: SeDebugPrivilege, pid 3264, process powershell.exe

Suspicious use of WriteProcessMemory (12 IoCs)
PID 2280 (2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe) wrote to memory of 1520 (2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe), 2 entries
PID 1520 (2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe) wrote to memory of 3756 (cmd.exe), 2 entries
PID 3756 (cmd.exe) wrote to memory of 3264 (powershell.exe), 2 entries
PID 1520 (2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe) wrote to memory of 4512 (cmd.exe), 2 entries
PID 4512 (cmd.exe) wrote to memory of 100 (cmd.exe), 2 entries
PID 100 (cmd.exe) wrote to memory of 232 (schtasks.exe), 2 entries

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe (PID 2280)
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe (PID 1520)
      command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe"
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe (PID 3756)
         command line: C:\Windows\system32\cmd.exe /c powershell -c New-ItemProperty -Force -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -name update -value C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3264)
            command line: powershell -c New-ItemProperty -Force -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -name update -value C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\system32\cmd.exe (PID 4512)
         command line: C:\Windows\system32\cmd.exe /c cmd /c schtasks /create /f /tn update /tr "C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe" /sc ONLOGON /ru SYSTEM
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\cmd.exe (PID 100)
            command line: cmd /c schtasks /create /f /tn update /tr "C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe" /sc ONLOGON /ru SYSTEM
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\system32\schtasks.exe (PID 232)
               command line: schtasks /create /f /tn update /tr "C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe" /sc ONLOGON /ru SYSTEM
               - Creates scheduled task(s)
Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI22802\VCRUNTIME140.dll
Filesize: 87KB
MD5: 0e675d4a7a5b7ccd69013386793f68eb
SHA1: 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256: bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512: cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI22802\_ctypes.pyd
Filesize: 129KB
MD5: c33c65f70d34aa900e903d7129de24a8
SHA1: d4e3f15593ce4e331a851678aad0971e26cfc523
SHA256: e4380415eecc99ed387c30fccbe36687c3b3aca1c2d2336cc51705c658229a2e
SHA512: 272b1d915061d8da1ab3edd3703d23a5340a1673c46235b6501c978712e2673df632ddbe7e822988c92604106372d8680f074166230b97adf4cc78708efca38a

C:\Users\Admin\AppData\Local\Temp\_MEI22802\_socket.pyd
Filesize: 74KB
MD5: 0f476bd38eb1d6a79b16c73f48caec17
SHA1: 52184c66c24f3bc477685c78b52a691d6e17b3e6
SHA256: 09fc679658d08e680db0dc5f0cc733b3459249b8b3135abcc403305edbf6a10d
SHA512: e218bb21ab846cd869ba17f0a521d09a8359578dc3014d873edca6a2040120d12f755ef02ea4203e7f5cc9127f68d15c975770b5250363da06c3bd74fc675d3f

C:\Users\Admin\AppData\Local\Temp\_MEI22802\base_library.zip
Filesize: 766KB
MD5: 238cc490fcb78fd9632b8fbc219fe586
SHA1: 368dee60f31144ca273541b56c55112d9745bb90
SHA256: e75fa68e0bef8f1f48fa6e20910c7e07ca211217fb57d2208a369a8be2547747
SHA512: 2c103b42cb59493061ff5bc15e9eecd240170aa74316123c111e5c639bb00bd3c2b58ea5f7ba8e886ff82fda80cd788d103750457624237a652256edb9494ec3

C:\Users\Admin\AppData\Local\Temp\_MEI22802\python37.dll
Filesize: 3.6MB
MD5: 22546a966149e4f545e00d0c0c294a53
SHA1: 3d51c13be6cd7f115934bfa9ef8a3ddd3f571949
SHA256: b01884bced504e81edb83da4c0e6c3098d87c1512d60bb85e88ecd1a937ed2a0
SHA512: 1a62a837b42e6ecb149d034826929a9d818571ac7b830b380899bdcf3b72307025d2f47b7d6013cab2725ccbdc1af9ad4b733be75dfe030ecd674d7927b90eac

C:\Users\Admin\AppData\Local\Temp\_MEI22802\pywintypes37.dll
Filesize: 136KB
MD5: 77b6875977e77c4619bbb471d5eaf790
SHA1: f08c3bc5e918c0a197fbfd1b15e7c0491bd5fade
SHA256: 780a72ba3215ff413d5a9e98861d8bb87c15c43a75bb81dc985034ae7dcf5ef6
SHA512: 783939fc97b2445dfe7e21eb6b71711aba6d85e275e489eddcc4f20c2ed018678d8d14c9e1856f66e3876f318312d69c22cee77f9105a72e56a1be4f3e8a7c2e

C:\Users\Admin\AppData\Local\Temp\_MEI22802\select.pyd
Filesize: 26KB
MD5: 590a8782bfaab2425672f366cc78a070
SHA1: b4535b05b91e72e10c28f59bd042dc174ea71759
SHA256: 0e537f93a92150483966435e8a102014014cf38c7edb7f7703db3b253108951d
SHA512: c1d39dbbf35400423142fb656287b11a309f4fc3f3931a5daf0040c81658c1835103aea540bda75c88c57f739cbd9dc90221659958fde6ca81010a9f5e945ba6

C:\Users\Admin\AppData\Local\Temp\_MEI22802\ucrtbase.dll
Filesize: 992KB
MD5: 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1: 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256: 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512: a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI22802\win32api.pyd
Filesize: 130KB
MD5: e14680d97acf0bb1be0910f5646f7aba
SHA1: f727a73469c03e68175d06245a8dd8aebda1f8ae
SHA256: b1ec6335b9bf77829d112b1ac1eb664e7c45fc359e7c8efe86a3a698af4aa715
SHA512: bc323a081169c520d1b4ce391448da74f1f4c0dee54d32f7a51a13c55bb7860629b09dc79fd4cf9b6452fbae131d81dc54cacaf9e598fa4fe0fdfc221636585f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w0ckhmzo.rs5.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Memory dumps:
memory/1520-74-0x00000263A9D60000-0x00000263A9DA0000-memory.dmp, Filesize: 256KB
memory/3264-58-0x00007FFFB8EF3000-0x00007FFFB8EF5000-memory.dmp, Filesize: 8KB
memory/3264-59-0x00000240CA150000-0x00000240CA172000-memory.dmp, Filesize: 136KB
memory/3264-69-0x00007FFFB8EF0000-0x00007FFFB99B1000-memory.dmp, Filesize: 10.8MB
memory/3264-70-0x00007FFFB8EF0000-0x00007FFFB99B1000-memory.dmp, Filesize: 10.8MB
memory/3264-73-0x00007FFFB8EF0000-0x00007FFFB99B1000-memory.dmp, Filesize: 10.8MB