Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 29-05-2024 00:34
Behavioral task behavioral1
- Sample: 2024-05-29_8e133d3442ecdde88f2ac9d7dd91d985_ryuk.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 2024-05-29_8e133d3442ecdde88f2ac9d7dd91d985_ryuk.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-05-29_8e133d3442ecdde88f2ac9d7dd91d985_ryuk.exe
- Size: 5.5MB
- MD5: 8e133d3442ecdde88f2ac9d7dd91d985
- SHA1: c3b997671775e5a57e87c86e3c554b5ce1050e61
- SHA256: 298acd9be638fd850e655c5fad7a600816c3bfc4f69052aabad14930bf9182f6
- SHA512: 3335f59dfe3669fa570999c201480c57f7c343c9cb21714f0e2296e499e0a2afed41b6f14c10a8b8b176fb55942e84ca36ee1ce57bf35982127d85605a770196
- SSDEEP: 98304:LaBFpzoLLJ3TbwaVvrZE0I86KI8F/Vtt1mIi3pRN8D8cXu21TbsFCxcfebsVN:LoF9onJ5hrZEb3e9tGPqKmTbsFCxcmbQ
Malware Config
- (nothing extracted in this run; the "_ryuk" suffix is part of the submitted file name, not a family signature raised by this report)
Signatures
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
  2616  2024-05-29_8e133d3442ecdde88f2ac9d7dd91d985_ryuk.exe
  2616  2024-05-29_8e133d3442ecdde88f2ac9d7dd91d985_ryuk.exe
  2616  2024-05-29_8e133d3442ecdde88f2ac9d7dd91d985_ryuk.exe
  Three loads, all by the child process (pid 2616), consistent with the three loadable modules dropped under _MEI28762 (python37.dll, VCRUNTIME140.dll, _ctypes.pyd).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: 35  2616  2024-05-29_8e133d3442ecdde88f2ac9d7dd91d985_ryuk.exe
  Read as a Windows privilege LUID, 35 is SeCreateSymbolicLinkPrivilege. CPython 3.7 attempts to enable that privilege while initialising its os module, so with python37.dll loaded in pid 2616 this hit is consistent with ordinary interpreter start-up and is low-signal on its own.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 2876 wrote to memory of 2616  2876  2024-05-29_8e133d3442ecdde88f2ac9d7dd91d985_ryuk.exe  2024-05-29_8e133d3442ecdde88f2ac9d7dd91d985_ryuk.exe (reported three times for the same parent/child pair)
  Writer and target are the same image: the parent (pid 2876) starts a second copy of itself (pid 2616), which is how a PyInstaller one-file bootloader launches the unpacked program. Writes from a parent into a child it has just created are expected in that pattern; this signature by itself does not show injection into a foreign process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-05-29_8e133d3442ecdde88f2ac9d7dd91d985_ryuk.exe (pid 2876)
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-29_8e133d3442ecdde88f2ac9d7dd91d985_ryuk.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\2024-05-29_8e133d3442ecdde88f2ac9d7dd91d985_ryuk.exe (pid 2616, child of 2876)
      command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-29_8e133d3442ecdde88f2ac9d7dd91d985_ryuk.exe"
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
   (pids taken from the Signatures tables: WriteProcessMemory is attributed to 2876, the DLL loads and the token adjustment to 2616)
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI28762\base_library.zip
  Filesize: 768KB
  MD5: 505aabef12f559bd654f59a4ceb9215b
  SHA1: 7d297edbad853a517b8eb89506d8bd57521183c1
  SHA256: 87f827c0769049e2aea7056dbf832e1a1b32f9477c723bd298ab20846717d80a
  SHA512: 7ab154ead9c768407d4e99c0df1e16931a653d6efd12e6b3977a8dfefd5734e78f030ec6ef2d82af1cd4625c69015bdab7c2bcf8ed917b25a8ed52547402de65
- C:\Users\Admin\AppData\Local\Temp\_MEI28762\python37.dll
  Filesize: 3.6MB
  MD5: c4709f84e6cf6e082b80c80b87abe551
  SHA1: c0c55b229722f7f2010d34e26857df640182f796
  SHA256: ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3
  SHA512: e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4
- \Users\Admin\AppData\Local\Temp\_MEI28762\VCRUNTIME140.dll
  Filesize: 85KB
  MD5: 89a24c66e7a522f1e0016b1d0b4316dc
  SHA1: 5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
  SHA256: 3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
  SHA512: e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a
- \Users\Admin\AppData\Local\Temp\_MEI28762\_ctypes.pyd
  Filesize: 129KB
  MD5: 5e869eebb6169ce66225eb6725d5be4a
  SHA1: 747887da0d7ab152e1d54608c430e78192d5a788
  SHA256: 430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173
  SHA512: feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16
All four files land in _MEI28762, the PyInstaller bootloader's extraction directory (_MEI followed by the bootloader PID 2876 and a trailing digit). Together with python37.dll and base_library.zip they mark the sample as a PyInstaller one-file bundle of a Python 3.7 program. None of the four is the sample's own code: they are stock CPython 3.7 and Visual C++ runtime components, so their hashes identify the packer, not the payload, and are poor blocklist material.
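As an added example, not part of the sandbox report: a small Python triage script that parses the dropped-file table above in the fused form the page exports it (label and value run together, e.g. "MD5505aa..."), validates each digest length, and scores the set against PyInstaller one-file indicators, including the check that the _MEI directory name begins with the parent PID (2876). The record layout, the heuristic and its verdict strings are this example's own assumptions, not the sandbox's.

```python
"""Triage helper for a sandbox 'Downloads' (dropped-file) table.

Added example for this report, not sandbox code. REPORT_DROPS is the four
records copied from the report in fused form; the parser and the
PyInstaller heuristics below are this example's own assumptions.
"""
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)$")
MEI_RE = re.compile(r"\\_MEI(\d+)\\", re.IGNORECASE)

# Constructed input: the report's dropped-file entries, verbatim.
REPORT_DROPS = r"""
C:\Users\Admin\AppData\Local\Temp\_MEI28762\base_library.zipFilesize
768KB
MD5505aabef12f559bd654f59a4ceb9215b
SHA17d297edbad853a517b8eb89506d8bd57521183c1
SHA25687f827c0769049e2aea7056dbf832e1a1b32f9477c723bd298ab20846717d80a
SHA5127ab154ead9c768407d4e99c0df1e16931a653d6efd12e6b3977a8dfefd5734e78f030ec6ef2d82af1cd4625c69015bdab7c2bcf8ed917b25a8ed52547402de65
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\python37.dllFilesize
3.6MB
MD5c4709f84e6cf6e082b80c80b87abe551
SHA1c0c55b229722f7f2010d34e26857df640182f796
SHA256ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3
SHA512e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4
-
\Users\Admin\AppData\Local\Temp\_MEI28762\VCRUNTIME140.dllFilesize
85KB
MD589a24c66e7a522f1e0016b1d0b4316dc
SHA15340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
SHA2563096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
SHA512e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a
-
\Users\Admin\AppData\Local\Temp\_MEI28762\_ctypes.pydFilesize
129KB
MD55e869eebb6169ce66225eb6725d5be4a
SHA1747887da0d7ab152e1d54608c430e78192d5a788
SHA256430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173
SHA512feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16
"""


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_drops(text):
    """Turn the fused report text into {path, size, hashes} records."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":        # blank line or record separator
            continue
        if line.endswith("Filesize"):      # path with the label fused on the end
            cur = {"path": line[:-len("Filesize")], "size": "", "hashes": {}}
            records.append(cur)
        elif cur is None:
            continue
        elif (m := HASH_RE.match(line)):
            cur["hashes"][m.group(1)] = m.group(2).lower()
        elif not cur["size"]:              # first non-hash line after the path
            cur["size"] = line
    return records


def hash_problems(rec):
    """Algorithms whose digest is missing or has the wrong hex length."""
    return [a for a, n in HASH_LEN.items() if len(rec["hashes"].get(a, "")) != n]


def pyinstaller_verdict(records, parent_pid):
    """Heuristic (this example's own): a _MEI<digits> temp dir, python3x.dll,
    base_library.zip and .pyd modules dropped together, with the _MEI name
    starting with the parent PID, point to a PyInstaller one-file bundle."""
    names = {basename(r["path"]) for r in records}
    mei = {m.group(1) for r in records if (m := MEI_RE.search(r["path"]))}
    py_dlls = sorted(n for n in names if re.fullmatch(r"python\d{2,3}\.dll", n))
    version = None
    if py_dlls:
        digits = py_dlls[0][len("python"):-len(".dll")]   # '37' -> '3.7'
        version = f"{digits[0]}.{digits[1:]}"
    hits = {
        "mei_dir": bool(mei),
        "mei_matches_parent_pid": any(d.startswith(str(parent_pid)) for d in mei),
        "python_dll": bool(py_dlls),
        "base_library_zip": "base_library.zip" in names,
        "pyd_modules": any(n.endswith(".pyd") for n in names),
    }
    verdict = "pyinstaller-onefile" if hits["mei_dir"] and hits["python_dll"] else "inconclusive"
    return {"verdict": verdict, "python_version": version, "mei_dirs": sorted(mei), **hits}


if __name__ == "__main__":
    recs = parse_drops(REPORT_DROPS)
    for r in recs:
        print(f"{basename(r['path']):20} {r['size']:>6}  bad-hashes={hash_problems(r)}")
    print(pyinstaller_verdict(recs, parent_pid=2876))
```

The parent PID check is what ties the dropped files to the process tree: the bootloader (pid 2876) creates _MEI28762 and then spawns pid 2616, so a _MEI directory whose number does not start with the writer's PID would mean the drop came from some other process and deserves a second look.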