Overview

overview

7

Static

static

3

2024-05-23...uk.exe

windows7-x64

7

2024-05-23...uk.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    153s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/05/2024, 21:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-23_7aac0b10aee1779dd2535b005ceb9f68_ryuk.exe

  • Size

    1.1MB

  • MD5

    7aac0b10aee1779dd2535b005ceb9f68

  • SHA1

    ab6c46c38338d22bc44c0eb35a00dc271f8ed2d4

  • SHA256

    c48930d91e4a0d6450b75d620d295cf84c7c1892e4f3c68cb2d1aa1a9b48c0a1

  • SHA512

    1647205b60f2888bd2e482dce7eda110a362cde027315c3cb87c2d9baa11e225ae7764ed302ada233ec39dfcb220052406a1aa3bc19f24840abce5a3b0eed39a

  • SSDEEP

    24576:nSi1SoCU5qJSr1eWPSCsP0MugC6eTv743TvRk6NwG:vS7PLjeT8Dv66mG

Score
7/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 16 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-23_7aac0b10aee1779dd2535b005ceb9f68_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-23_7aac0b10aee1779dd2535b005ceb9f68_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3080
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    PID:3004
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4824
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:4748
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2356
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4648
    • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4324
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:4368
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:5080
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4608
      • C:\Windows\System32\msdtc.exe
        C:\Windows\System32\msdtc.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:3892
      • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
        C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
        1⤵
        • Executes dropped EXE
        PID:2600
      • C:\Windows\SysWow64\perfhost.exe
        C:\Windows\SysWow64\perfhost.exe
        1⤵
        • Executes dropped EXE
        PID:1964

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
        Filesize

        2.2MB

        MD5

        87ee5a325eedc481ddeff0f054b2464a

        SHA1

        6e6146df99ac361254a6fd1c9cefa810b0553d48

        SHA256

        42135e4afd8685714a5a224eac53ea7b79f43a7db9cfac159ad987a111ed6171

        SHA512

        e876eddde3967be6c67168ee855a2c8f1b846521509446064d85b37c5d086a6b9c56e230d007ef272fdcde77755d9bc569d7e1b01d6298384f0687bd38fccacb

        Download Submit

      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
        Filesize

        1.4MB

        MD5

        04dd6086f346dfe6ba411a1536d9588e

        SHA1

        293820ac9f3dd02ea4de8d5aac2a5498be9b0a8c

        SHA256

        b5da7560e024b5c2e0eae69b1f1c6ad1d588fe829226f96952ca6385999df851

        SHA512

        01dc5c01e2cea0e9d85da489a28e18f27546b8196d0f05053cbf2084559ffff4312889a243e71551a256581fc748729ab3f119f65c2c95f9a26e106ae7a87502

        Download Submit

      • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
        Filesize

        1.4MB

        MD5

        caf6ce766d8325274a94c2b80d7a4885

        SHA1

        06c81c5f3cb90ae3c982aff6ebfb5098ce07727a

        SHA256

        864443c52b0051bfdcc5bb0ca6cb048f647dc5157cacc91de40ce6255d54a3fd

        SHA512

        2b419b88fee530e667cb5f6f4b1cc0a2786153b109602ff48dde3ba9c5843313a739dbd951052e176b0e6de3e8e61be65b74370a6c7b72cea52253654f3c32c3

        Download Submit

      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
        Filesize

        2.1MB

        MD5

        39f9fe293eea3392ffaf9a71aa0f903e

        SHA1

        b90b2b14d1fb98482bb936f7244847967c6a8770

        SHA256

        a49251e3809ac8e5f61752d423a1a001a17f2e46ff9ad37ca10c78b3fe5b1f1e

        SHA512

        ad76e38cbc3a85c2a620c05c6b3da03189f1cfb1da33f26595633e2d7aa2271c4dc0ff58b9885c068f701393b8293cb3dd55e65d63fecacfe5027e94a9b64e16

        Download Submit

      • C:\Windows\SysWOW64\perfhost.exe
        Filesize

        1.2MB

        MD5

        5f33fc772079b4f6af3f9c6c62bb00ac

        SHA1

        7afe3c8c0283dc1c32aa2949ea1c1de8ed247ef9

        SHA256

        61e652b9ee2d45dcf86dc98949192d6ea224f75e351917c7d9101a2f8cb156cf

        SHA512

        5b8aa3c2b987cfc322dc0faa42be150d68acd564fd4dab1de08e1042e9268946dc926e39b4bcad4e2ef3e5150b632b152c071ea79ed96a61839e4a0a8b118c37

        Download Submit

      • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
        Filesize

        1.3MB

        MD5

        1d0a8915b47671b2cdce71bb7eb79471

        SHA1

        46120bd1f2f2921d77fef1606c444782b97da5da

        SHA256

        8602109209b078727318cdb868a4974f4397c05d0a690bc29931b80bfc132ea2

        SHA512

        021d63ad3b64952f6a7cc5a34e85827a4bc46d2a646cf2a8a437c3c81e83b2b9a7fe8f153dfe41682f7c9a4a0f903d606c18a7c095548f55ed145a6c3f4f06ef

        Download Submit

      • C:\Windows\System32\FXSSVC.exe
        Filesize

        1.2MB

        MD5

        cbab02c37f4bfd7ac26c74b2e48f788b

        SHA1

        8ef9ecaa7c2ccc7d429cafa36bcea4de24d7c397

        SHA256

        90edf868b86cb05ac17d3063b6291ac8f25f4e3a08310f773e4788d5a762ba5e

        SHA512

        6abd4c9ecb4c70fad0d5df22adda9cd7483c1ce4236b7fc2c544d192c4d930246c8939658e7e5a4495d507066db210368216b5275365521df9d1989aa63d498d

        Download Submit

      • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
        Filesize

        1.3MB

        MD5

        a5d1e3e663de9efdc27bf423d2dce5e4

        SHA1

        c2127a216aead64a7d2d42917b804c6aeb9e81ee

        SHA256

        7516163b27a0b778c6c98639c025615b2ee19e2d043eaed0964970b834b9b091

        SHA512

        caa3a95232a975f4babaa8b451796a340b9a00283e7df31bd5e7e0dac906fd7668ba6b00146b186c390e32c338e4606b6731f1c2674e1efd56a7d384e7d1a78b

        Download Submit

      • C:\Windows\System32\alg.exe
        Filesize

        1.3MB

        MD5

        219624955902107a321298d3f25e9149

        SHA1

        1c100ea98d1bf86f75a12ab449caadc152b543ce

        SHA256

        9be83bce652c82242c320fac4534fcc24bd55c23c78ff11d609c9ba103acf3d0

        SHA512

        b58db8e266f753a668a7e0b496ccd5ef0ec318919c06ae55db7524a679de90419fd43e72f6552a14b5454baa05fadc8a3bb0e7c6dedfa4f42bc9c238100b9164

        Download Submit

      • C:\Windows\System32\msdtc.exe
        Filesize

        1.3MB

        MD5

        239bfd1d882dc73ca20d11693d69cc9c

        SHA1

        dceaea525151153e0fafc01f118310f1ded6f8c4

        SHA256

        a66e5bd3f6c57028e74671435bc3b631591820598138042030eb7d257e7157f1

        SHA512

        a6caf2fb3ef4121d733cf6a468b5b18450767e46c2323e950dec583308944086733fa0f3fd6ffc7cb42ad7fb4811f599e8b5f89a132e71d29d8c92f012a1f61c

        Download Submit

      • C:\Windows\system32\AppVClient.exe
        Filesize

        1.3MB

        MD5

        25e4020afe65e26634c6de018d684373

        SHA1

        ae38f213254dd41edd21d1a22bf562586720a6fd

        SHA256

        6b8fa05703048e43f214a1108a5e204fd5c19800106024f3e5c31af8cfe1395f

        SHA512

        4422157cd1e3a987b37a1853675cfeca5ae0e28b3c822dcbf136de2ead6d022fb3aa08df3784efc7d2a9f0ba677324271a04b7f833d2e7577ee0890aa4bc4368

        Download Submit

      • memory/1964-273-0x0000000000400000-0x00000000005D6000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2356-34-0x0000000140000000-0x0000000140135000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2356-29-0x0000000140000000-0x0000000140135000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2600-259-0x0000000140000000-0x00000001401EA000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2600-266-0x0000000000680000-0x00000000006E0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2600-260-0x0000000000680000-0x00000000006E0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3004-105-0x0000000140000000-0x00000001401E9000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/3004-12-0x0000000140000000-0x00000001401E9000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/3080-30-0x00000000004F0000-0x0000000000550000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3080-1-0x00000000004F0000-0x0000000000550000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3080-7-0x00000000004F0000-0x0000000000550000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3080-0-0x0000000140000000-0x0000000140125000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3080-33-0x0000000140000000-0x0000000140125000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3892-255-0x0000000140000000-0x00000001401F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4324-204-0x0000000140000000-0x0000000140245000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/4324-54-0x0000000000890000-0x00000000008F0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4324-56-0x0000000140000000-0x0000000140245000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/4324-48-0x0000000000890000-0x00000000008F0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4368-66-0x0000000002240000-0x00000000022A0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4368-72-0x0000000140000000-0x0000000140209000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4368-59-0x0000000140000000-0x0000000140209000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4368-61-0x0000000002240000-0x00000000022A0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4368-70-0x0000000002240000-0x00000000022A0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4648-37-0x0000000000530000-0x0000000000590000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4648-43-0x0000000140000000-0x0000000140237000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4648-195-0x0000000140000000-0x0000000140237000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4648-44-0x0000000000530000-0x0000000000590000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4824-107-0x0000000140000000-0x00000001401E8000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/4824-24-0x0000000140000000-0x00000001401E8000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/4824-25-0x00000000006B0000-0x0000000000710000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4824-16-0x00000000006B0000-0x0000000000710000-memory.dmp

        Filesize

        384KB

        Download

      • memory/5080-217-0x0000000140000000-0x000000014020E000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/5080-80-0x0000000000420000-0x0000000000480000-memory.dmp

        Filesize

        384KB

        Download

      • memory/5080-74-0x0000000000420000-0x0000000000480000-memory.dmp

        Filesize

        384KB

        Download

      • memory/5080-82-0x0000000140000000-0x000000014020E000-memory.dmp

        Filesize

        2.1MB

        Download