Overview

overview

7

Static

static

3

2024-05-24...uk.exe

windows7-x64

1

2024-05-24...uk.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    152s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 19:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-24_ab743095a632c9474f7311c0491df47e_ryuk.exe

  • Size

    2.2MB

  • MD5

    ab743095a632c9474f7311c0491df47e

  • SHA1

    9db1db204c0504ea16072616712497071fccee0b

  • SHA256

    bb5a610691b6842eb01e544bd2cdd80184a616c9d618e90a213b0361125f0d19

  • SHA512

    6141b8b2492d7eb8910e4c9352ec5a7c8ef66aee78ddb75cfead53c525b6d9b68fb97ff7a0dc3c65d2cfa8321f625c8112321b9c7c611172a20360083a91b026

  • SSDEEP

    24576:GOObVw4TaN1wdFukCba4oXtgLhU3wEdmh584sqjnhMgeiCl7G0nehbGZpbD:GOOh3aN4FuLbegmtGfDmg27RnWGj

Score
7/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-24_ab743095a632c9474f7311c0491df47e_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-24_ab743095a632c9474f7311c0491df47e_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3152
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3876
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:3172
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4520
  • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:2144
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:4284
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:3056
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3692
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
      1⤵
        PID:436
      • C:\Windows\system32\fxssvc.exe
        C:\Windows\system32\fxssvc.exe
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:4328
      • C:\Windows\System32\msdtc.exe
        C:\Windows\System32\msdtc.exe
        1⤵
        • Executes dropped EXE
        PID:2668
      • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
        C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
        1⤵
        • Executes dropped EXE
        PID:880

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
        Filesize

        2.2MB

        MD5

        7442a0ba5dbd8a45105a78c693a85f0a

        SHA1

        c5c1ff1d70cc254ff65801cd60bb71da0b9e66a6

        SHA256

        08bafe20575041c8f8fba4d32ae7e0a9719cda355f9da242ab1b7656ae5917e2

        SHA512

        6132dbc5905010033f658ee297bf4d0b04a4b4c8db364e859162fbdb2e0057803a0e1f8ec6e0a12796918faacbee1df2a8297bcc7e671b3a18a7c9cd90a6e39b

        Download Submit
      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
        Filesize

        1.4MB

        MD5

        80de405c0665a8064809493756064db1

        SHA1

        c85619db4c0a190bde4938e81ee8b18c541e91d8

        SHA256

        4f2110e3b9c3fa7b2fe94e70dec9ef0ef4b589f6ac3fa05057f15fe22fcb4fbc

        SHA512

        e8e60c9ecbc994815f8f493725444347c4b8545cbdc3c367c84d7009c324e6075a8071e16ada543a8d41650d3613faa4141b79497b0dbb8007419d955295247f

        Download Submit
      • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
        Filesize

        1.4MB

        MD5

        b85f1ad6edae8c28a9f75c459b81c959

        SHA1

        21d44c175584b07dc5ea2c007ac1d90f543f9590

        SHA256

        86a6728b1ec563967c26329434aae5060943611fdac0d3b7c0a3bc9c005caedb

        SHA512

        9fe2a5883462c077189c19600c20ca5c2360055b0106813fd2dfaa78ded74b12b3269628500ea2f23dc4536e2619caa4ac18556e908c8a5edb9a378d641374d3

        Download Submit
      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
        Filesize

        2.1MB

        MD5

        77636f04a8a2aff92c34b3656fee26ef

        SHA1

        87c058a9716ee50a4f66e7541a6d114cf0440eb6

        SHA256

        c24083050eba95ef21e179231f5b4b235f467ef60867fbd69ca4e61fceae0e5d

        SHA512

        8147f1947dfbbb90eedb84efb6f7d6323973dcc3de059f2a1cbeb73cf599ebb8b1d69fa36e682147d6886c9d8269fac4d10f4f44c1ca3c47592612c2b1baa894

        Download Submit
      • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
        Filesize

        1.3MB

        MD5

        ed356da8f7847dc562b2c2a9722295ef

        SHA1

        16f3a9570c9441946a3f0c1abcb9536e6c054f79

        SHA256

        e890d0bbc976ba08a88c129a41b19530700364966b6125e56e79c8e0abf828dd

        SHA512

        2cd3c95fc9a92b0c0b94de2018e3098a01e5a1978ab48cc8b6df4735042f4e0c91286907b2b3d02fde896fc30135b20ab9fc91ba380dc798bcc61c7a9a329b45

        Download Submit
      • C:\Windows\System32\FXSSVC.exe
        Filesize

        1.2MB

        MD5

        70968803a76e5c8d23ef2542cf79cab7

        SHA1

        5343020a16f3a0d6509ffbf29bc911c1965399b0

        SHA256

        14b5802ed4bb1b0d14f7357a50bc4a9b63867376c1662382b350f1adba3f3313

        SHA512

        75e00285f10f746c75e9fad245e30cbc7b9fc0770f3d1b5a97e017fd46c36a1ace393a727c6a27521b321edf677c178302b8864c998158b93c1f356426387455

        Download Submit
      • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
        Filesize

        1.3MB

        MD5

        99ac2fe8dd2561fadf4b3be9d6be347e

        SHA1

        c271fc2a0e89175c931aed7092fdcd595ff688ae

        SHA256

        421a33f706eef83e84c3ea295514d2fa686de78a281cf75457a5c119ceb8055e

        SHA512

        9f9406d508f883b6f62933367e2a6608c257794db3aecdd0b0df9b4c9f10258bec812b760ce90b1348332c4253bb0d292505595c3c8a6c5bc24a71ae15d3d534

        Download Submit
      • C:\Windows\System32\alg.exe
        Filesize

        1.3MB

        MD5

        067e4cbdaf21a3591a4b62da8eb1588d

        SHA1

        bf1cd6e90bd3cc3ac34db3f795887e8b3d80926b

        SHA256

        8a2d2657a2bba0d80b9918746dd44b63506ab90b8a2c2f574f63b65646e884bf

        SHA512

        f81a4664de952e80c8d577f4c0373c3a5d04e39db5f3b8c5aa4d6230b970df362e9491066376b900c1aefe796ce26d282d17ac84c7ce6baf07838a25063c179b

        Download Submit
      • C:\Windows\System32\msdtc.exe
        Filesize

        1.3MB

        MD5

        7a24821f3b55b364f759d932fb27d0b5

        SHA1

        b72bbace313e37bcab5410c5e6ac67552d92a24b

        SHA256

        b063d505d63c79468025b036692bb0f45ffd243640cfe153f0283f5ecaa0bf4b

        SHA512

        9637f59c4c54115de90c30a378b5400c0735f2bc7aa45960286073b214c4b7542958f8a8c6668759cfcd28ab4472b79b7adc16da57c43d0b7adc009e4f47e601

        Download Submit
      • C:\Windows\system32\AppVClient.exe
        Filesize

        1.3MB

        MD5

        6a1f63b065035fb0864f6f27c66a9d35

        SHA1

        e4d6d76736f41f57e1ab463be0d7c84fa5def119

        SHA256

        31531efd66b07c16c801c6e99fedb1ba4a1839340fb955f44a4ef802be78ace2

        SHA512

        d183403e8361e12e5da1303e119a94bcc9fe5eb176f23bd50d07d0d3e2b9875615f7c53d52528342e6276798008d0be02580b3ec6781892bdec508902590a829

        Download Submit
      • memory/880-285-0x0000000140000000-0x00000001401EA000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/2144-55-0x0000000000890000-0x00000000008F0000-memory.dmp
        Filesize

        384KB

        Download
      • memory/2144-180-0x0000000140000000-0x0000000140245000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/2144-63-0x0000000000890000-0x00000000008F0000-memory.dmp
        Filesize

        384KB

        Download
      • memory/2144-54-0x0000000140000000-0x0000000140245000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/2668-273-0x0000000140000000-0x00000001401F8000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/3056-81-0x0000000140000000-0x000000014020E000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/3056-211-0x0000000140000000-0x000000014020E000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/3056-88-0x0000000000810000-0x0000000000870000-memory.dmp
        Filesize

        384KB

        Download
      • memory/3152-7-0x00000000020C0000-0x0000000002120000-memory.dmp
        Filesize

        384KB

        Download
      • memory/3152-29-0x0000000140000000-0x0000000140248000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/3152-9-0x00000000020C0000-0x0000000002120000-memory.dmp
        Filesize

        384KB

        Download
      • memory/3152-6-0x0000000140000000-0x0000000140248000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/3152-0-0x00000000020C0000-0x0000000002120000-memory.dmp
        Filesize

        384KB

        Download
      • memory/3172-41-0x00000000004C0000-0x0000000000520000-memory.dmp
        Filesize

        384KB

        Download
      • memory/3172-50-0x0000000140000000-0x00000001401E8000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/3172-47-0x00000000004C0000-0x0000000000520000-memory.dmp
        Filesize

        384KB

        Download
      • memory/3876-22-0x00000000006F0000-0x0000000000750000-memory.dmp
        Filesize

        384KB

        Download
      • memory/3876-100-0x0000000140000000-0x00000001401E9000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/3876-13-0x0000000140000000-0x00000001401E9000-memory.dmp
        Filesize

        1.9MB

        Download
      • memory/3876-14-0x00000000006F0000-0x0000000000750000-memory.dmp
        Filesize

        384KB

        Download
      • memory/4284-72-0x0000000001A70000-0x0000000001AD0000-memory.dmp
        Filesize

        384KB

        Download
      • memory/4284-66-0x0000000001A70000-0x0000000001AD0000-memory.dmp
        Filesize

        384KB

        Download
      • memory/4284-76-0x0000000001A70000-0x0000000001AD0000-memory.dmp
        Filesize

        384KB

        Download
      • memory/4284-78-0x0000000140000000-0x0000000140209000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4284-74-0x0000000140000000-0x0000000140209000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4328-258-0x0000000140000000-0x0000000140135000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4328-259-0x0000000000EB0000-0x0000000000F10000-memory.dmp
        Filesize

        384KB

        Download
      • memory/4328-269-0x0000000140000000-0x0000000140135000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4520-116-0x0000000140000000-0x0000000140237000-memory.dmp
        Filesize

        2.2MB

        Download
      • memory/4520-49-0x0000000140000000-0x0000000140237000-memory.dmp
        Filesize

        2.2MB

        Download
      • memory/4520-51-0x0000000000810000-0x0000000000870000-memory.dmp
        Filesize

        384KB

        Download
      • memory/4520-33-0x0000000000810000-0x0000000000870000-memory.dmp
        Filesize

        384KB

        Download