198fdcc3828d948ddcafd5dbadf8c0c9f276f74edb8f6b07e0d2142776de2046

Analysis

max time kernel
92s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 01:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_97ec28462bea90e5fc01dab59671ccd3_ryuk.exe
Size

3.8MB
MD5

97ec28462bea90e5fc01dab59671ccd3
SHA1

efceeee19b1dfc73687dde88703b9951bfaa9c9c
SHA256

198fdcc3828d948ddcafd5dbadf8c0c9f276f74edb8f6b07e0d2142776de2046
SHA512

366a2fd8c7617fa969e0a15ceb6e1fc5f4e5eee3e7c155fdd5ea5baf8ab63134bee15683f1ec9975e512eaab711c6a469047b54dbb38bc9f0101efc94bdbdcdc
SSDEEP

49152:ClDo4n7kZdbbPq93gETIn05RcOSSl5ooGNhRQrqfHJ0vMcatXGokw3sjaeYXY9HI:CV9njgEInqD55X4Vp0vjPw3sWrqwZ0G

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4500	script.exe

Loads dropped DLL 2 IoCs

pid	Process
4500	script.exe
4500	script.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 4500	1396	2024-05-31_97ec28462bea90e5fc01dab59671ccd3_ryuk.exe	83
PID 1396 wrote to memory of 4500	1396	2024-05-31_97ec28462bea90e5fc01dab59671ccd3_ryuk.exe	83

C:\Users\Admin\AppData\Local\Temp\2024-05-31_97ec28462bea90e5fc01dab59671ccd3_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_97ec28462bea90e5fc01dab59671ccd3_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\onefile_1396_133615909324217468\script.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-05-31_97ec28462bea90e5fc01dab59671ccd3_ryuk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_1396_133615909324217468\python311.dll

Filesize
5.5MB

MD5
86e0ad6ba8a9052d1729db2c015daf1c

SHA1
48112072903fff2ec5726cca19cc09e42d6384c7

SHA256
5ecda62f6fd2822355c560412f6d90be46a7f763f0ffeec9854177904632ac2d

SHA512
5d6e32f9ff90a9a584183dad1583aea2327b4aea32184b0ebbec3df41b0b833e6bb3cd40822dd64d1033125f52255812b17e4fa0add38fcda6bab1724dfaa2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1396_133615909324217468\script.exe

Filesize
5.0MB

MD5
4a9329847eb0592de89696cf2c56e6f4

SHA1
a664edf1e806dfa27a70824fcbf3a680a90bf105

SHA256
be7cbf500a7783aa0cbbaa009300963276c0a0866ed9f55e2bdb1cd337746f5e

SHA512
8e68551c0d64ac7dce9208f97d341a5c8a67b0a020c0244ca9ddbc8d6ca26e345406e8dc34d25534c8027590f5047fe1a12749458a33d0d03d4a0a68260a3907

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1396_133615909324217468\vcruntime140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit