Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-06-2024 00:46

General

  • Target

    2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe

  • Size

    19.4MB

  • MD5

    610e47ace3a3902057b91c2884b1c5b1

  • SHA1

    2dd8f3f668bb9be5898e57ec54ce6a5bbcb13e4c

  • SHA256

    f6dfdce66fb0cf3e6690431067c2ce72213979d49730e236790170a2be1f82f5

  • SHA512

    ac8a2b10b27e101f3e23c6f62ac4908f4721cdb7e8377a036b183b3a3c0b3c265ce5a3431c55c870a08f8cf91ab55d320df73e094d3273280751c6e28176b372

  • SSDEEP

    393216:ikFJR+VHkTwVyLgeF4dGPWQCacxENBbyN+guKd8ZIUELVqcXILww:7AZkUYLgZuUapnbm+TKuZIXVqQIL

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 37 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe"
      2⤵
      • Loads dropped DLL
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Cipher\_Salsa20.pyd

    Filesize

    9KB

    MD5

    4a00449123dfcacdd95c7c1a8116c10a

    SHA1

    995698ae5ff395f6e53251acbfd19177236aac2c

    SHA256

    f9a9d7e0439b432c9b1f361246293a9b0e4320408a6f86a6844f03d29946031b

    SHA512

    9843f0fb633dfe8548f2a79d72bd8d3c3ad51c800dd3a0502f02685b0602c6fb6034a82ec212ad1221a713c5c95a5ec3ab6317b010dfd714c276cde7170365f4

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Cipher\_raw_cbc.pyd

    Filesize

    7KB

    MD5

    dc1f3b2235f377dd0d0d8112fe1a5559

    SHA1

    b67322d034e4284181b5d861f4e73871e0ccd442

    SHA256

    fe45e611be791baa09398e975a3d931a20e82e51337af09c4bc413f6a2225d17

    SHA512

    f775962b16d72ec264f2c47993fe4f56ee8775f2630b693f5eb46cb883eb8168338ce0d5453a1d44c89ecc541bd33a8c6ba151f19dc34edaec0e720227873d58

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Cipher\_raw_cfb.pyd

    Filesize

    7KB

    MD5

    b7358378646911ee3a03e89fb49f486a

    SHA1

    e81abcb5590d20b790e804a8062c04f903e769d4

    SHA256

    9c49a3332754657e68a8d97caeb878ed70dbea3b77e501b54a3908d2b5388bfe

    SHA512

    fd0eef36ddf224fb7ac15790c1200d9c411c3b82d8eeb778abb1beb523d4d5511310b0fdd6ae9055280f22c1e5d9554a1440ec0bcf1c553734a0b6d1a7957b01

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Cipher\_raw_ctr.pyd

    Filesize

    8KB

    MD5

    1cf0c721af7093fcf3852afb101641e2

    SHA1

    bc7ec26c788a87819243dc9fbb36aba17370afac

    SHA256

    06a56d3739c4537147a2912c1aba644e237710f66e1695ec8bdd18f21d1de407

    SHA512

    671860d783e8081dcb30141a6faeb942f6ae2bbf13d4ed088f253dba96dc19e8a00ec821e0664eb8f0f9a4d7d1c0396dd3241089e136653036bc9875931e7cc5

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Cipher\_raw_ecb.pyd

    Filesize

    6KB

    MD5

    7a0bde5b28e9f3711b448aecdcd8b33a

    SHA1

    54dcfa8a8fc62419836bb79f3b5e903d2c21f579

    SHA256

    33a0e15981dd6675e404dc579f605aad696baa4281bc4836b5741ef8845fc9af

    SHA512

    804f598859ea0562d2b778eb6d4d459afe8a34859c980cb40887d0f848d854b92e4924b104558abcd7cd7d44c32007fdf7ac10c90ae118f79a1aba4f5c991f81

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Cipher\_raw_ofb.pyd

    Filesize

    7KB

    MD5

    41ad90d637992d6f401c294b63551a20

    SHA1

    52761061f927b6161d68791c49522ce84a806ada

    SHA256

    016dc9c121ceae460606813b5cbe7a215d113d9bdad22462d1e4877b5368ef33

    SHA512

    2ee1a6e7dbd4545c1cf9b5f2476855df947e55605c8aa97ef1c1dee19a85ea444002ac23da3f16a82d9a2665980204a9e543369019cedcb86e747d7dc82f6d3d

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Hash\_BLAKE2s.pyd

    Filesize

    9KB

    MD5

    ef12b636d1583e7c76c620adc866686c

    SHA1

    42793b9e7745d20818d842a8880b672f76cb34f3

    SHA256

    3a12da596bbdf0f80c95d5ac678d9711e09e88bb3cd115a498d444969c74e657

    SHA512

    6d6b51b58e15bc2afec17f1d9c95865785c4364d2bc9f14029af904df44d13ed5acd0693a9a5af8f1363ed4ef547bbda16321a60bbdd40e760674255ed8912d3

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Hash\_MD5.pyd

    Filesize

    10KB

    MD5

    3a8980ea12c88c5062b29c601b5a8e69

    SHA1

    401c26cceb5ce64eed8f49ea625bf7e3d6af56ed

    SHA256

    0b0069c05b15e7d61ff02ab8f0994a6ed0d553ca6318141c444355d7063fbbfa

    SHA512

    65eeb648d9e86cfc8536d0e3576a4f63fccb3117850f9eb2021efcbc4149b75c2faa19ba3168dfcea500252e65b71682cef62428e41cacb393a03343a30fb0d5

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Hash\_SHA1.pyd

    Filesize

    13KB

    MD5

    16cfb01068258d9c682e5d874ec4ff8d

    SHA1

    ee9a77534ed8c561c1faf2f82f04b3f1b2c3ce0c

    SHA256

    e1652d80cfa75cf8c5d5fd2375cbdbdf1566507bce79be9822078138e2627094

    SHA512

    d02985b90f232665b2425693ef4e4792f61ce44cacf4afb6fe8e40a4431caffca61569fc6178d35180126b1c27a7fe51c7bb20e16c4c805f11d873cd2f2860cd

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Hash\_SHA256.pyd

    Filesize

    15KB

    MD5

    5c27cac29ffa80b049ce988500055cf1

    SHA1

    c3c3671d0f992f52b7735f3acf8af4e38f131d2a

    SHA256

    292c724377358ce19e225165e73b584393d0ca08de5bbe68c595c890d5fccdeb

    SHA512

    75c1ba9c6d2530d46599096fdb86d56eb0c2733cfaf7545e76bde09fe615f0846e62b019f4eff1cc94b93a1a2f24c31bb90c518179de5ae7ea0066428acba825

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Hash\_ghash_clmul.pyd

    Filesize

    8KB

    MD5

    4edc8830daf5e94249be93312e248929

    SHA1

    4662bce9a2b053ba0f434a000394b5e5158f05bc

    SHA256

    06e983c6923dbd125ab31854417b1937e9ef7e265d02cdc5c684a0a7ef037667

    SHA512

    0a6821dede6c3b837b5a27242779033a02af5917ff2fbfa5f1271d19c007e88356262828752773eb46e6031164e259f0d9f2be8349761372513004826d8b1542

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Hash\_ghash_portable.pyd

    Filesize

    8KB

    MD5

    a991da97ac18d2fc6c3a72c011635a46

    SHA1

    a6c98726e7ed2799e5814e4ca2780aa78bf5d137

    SHA256

    fe3699a162c5768e2ae6d3cde43fb8670ce37ecb32f1ba98c9ffeddcac4d6c67

    SHA512

    f61801d6ee6d8a5fbfa4a38ca443cbd7fc481ee7920fd9f003e3ffd20ede95f76ce7169e1b14ffdabcb60ef5a0be48c681597f5627eee1b17a5c12dc088975fb

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Protocol\_scrypt.pyd

    Filesize

    7KB

    MD5

    179785a6b4815172887d650dc32188b7

    SHA1

    84c221b094e5261a1192bd66ee11ff8e040c7da5

    SHA256

    d08a5e45e4f6d97320e79319e7eadbea17564671cd0467946ee53849c7f674c2

    SHA512

    364bfe2bcd65442d8e15c01c61c1d292ec42ae4d2e5cf4399fe6f4846f8d825cf3ffe4cbfb78d39efb6f030e0d7a00b27a17a96cf2984473d105595d8f4d3fe3

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Util\_cpuid_c.pyd

    Filesize

    6KB

    MD5

    5e3e0e605ac0cc0713e034fd94c35d44

    SHA1

    9f200c2b55348b7ad46cdb0a6eba6f62420a69f0

    SHA256

    2d16da08324c2b7040223eca1ad49c21d98fef0ddb8010d050c154596e69bae2

    SHA512

    f1263694df3511f7a446eb5bdd5fd7ace47effb03296d6296f453178b73689c82a0275d42fd45ffba268b99074440c17f2af3228d93f9344609caf5431b78216

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Util\_strxor.pyd

    Filesize

    6KB

    MD5

    e68d621f5bff91ac458beae095447f64

    SHA1

    14c4bc7ea6c02a53ebc5e4aa724546e4de3d1a71

    SHA256

    826f602d8585ece718550637d231ec5feb003c6517dfc9aacb705c278edc6467

    SHA512

    44d9bff6abf9339e266992f938261cb82f62e014981f64ebb20b7979f9c2c6da2eb90fd1ab4bcd3e98eb489927ebd039cac6ffd5658201670473c8c730dec6f3

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\MSVCR100.dll

    Filesize

    808KB

    MD5

    aed6d63cfa5a3ef7021af9c457fee994

    SHA1

    f6ad746ef520b03df6cf0f5a2512d0df964c4688

    SHA256

    b4bfa27f677295b00a1df9a7e14db4b75cac2dd41b898d4e9a378eccce3699f0

    SHA512

    5573b17eb19d13cc96df5d66ef60cc8ff98e1ac9d8582a870ed2befa28ee271fb41741a92aa703234150fceadf4a436d10b8a6518c1816d0c804eb1261650d2d

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\_bz2.pyd

    Filesize

    61KB

    MD5

    b4a38b11f49d555f5fc458448f80125e

    SHA1

    229d51db8d1eb248325fa85b13578cfde815b3f8

    SHA256

    a86a89cf3e7e4dbcd1ec879231f043a4f62d00196aa5c8314c484b8bfe53c472

    SHA512

    83a5d1925e51ce26ddabf05ea025a4038eec3877df5388cdf35d07987d36520695965376c2e770451c2e1cdd3ed4947016e056880771054ff9168931723bb91e

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\_ctypes.pyd

    Filesize

    106KB

    MD5

    6b2cc4443384e047544a499e874440e3

    SHA1

    7de50d01e2fefe5e6f63c80e3423ff21012ebe37

    SHA256

    07cd3a390ba1cf1a5d32b72f7d9058dd39e37043652083755f1debcf84089010

    SHA512

    7d425a2d276b78f780d8c8f1ae89bc9318bfdb4b101e169e49f2806dddb3bd97e98343f04d99c5120dd89dd0a4bbc8787b0b1852bee4e8981e79ada97d90de38

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\_hashlib.pyd

    Filesize

    1.5MB

    MD5

    24ed71ea53f830c4dddbc1e9cea71ec7

    SHA1

    ed85d286a0539f5ee4b2c226969a15819aa1ab0b

    SHA256

    643389dcafc777031a87974424568e58bc56a030b6a267ab375eb4a9b5f4bee8

    SHA512

    2c69e5c031b5d24ff644677b21d723942451cd26c09a0a800606bfba422bbe4446f3434553fe449d82e8d0bc82e64aa1550a5999d573780ea216a8c83cf3e053

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\_socket.pyd

    Filesize

    51KB

    MD5

    e8ff139e319296f0362dd9e6fd3e220d

    SHA1

    a47d152a95c9e4fdf71da4623da98830a68bb6dd

    SHA256

    aa86416277fd46cbfe91a281be11198dde53d6be93728e1d2c3d4a1905c70416

    SHA512

    b48f43b5e8b2781258bdd2dec23da233d52bcd5f623f260c2dccbc9e86f490de2afbd1514a39a35f1ff0e4a102109eacfb7dac6b04a5ec7d37b48d4cdab24849

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\base_library.zip

    Filesize

    745KB

    MD5

    f6bfd7440acf396926d7de442bc018a2

    SHA1

    62823624dbf69195178455695222ba88a2a95c59

    SHA256

    e75fb2430e2fc454116a40fad9eefae813878d6b6fac215f8891a0849126426e

    SHA512

    125bf5e50b3f4e9678e254f4ab5d0cf91e43c68119747375fab834eb88b09de82bee7b590db42b203dd3851bbce5c04525e7795d4deb7b57a7c7777f1b610f60

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\psutil\_psutil_windows.pyd

    Filesize

    59KB

    MD5

    68c225dd0f7c88ec60dd927a4edfa8d4

    SHA1

    ce5475f3a9e3ee5c3bd9f150802efbd11c5a97ed

    SHA256

    f51c549dbe5c5d361c7f025d1781c7b70752e162c31192b8993552b8d87abfee

    SHA512

    5205763c534e302ac5be90ff625ad13963820eaf79f97861c80dbc2e80f17414818cd111ee6e07db575042044b8df22198d72916b47bec3a075f4bbaa76a481c

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\python34.dll

    Filesize

    3.9MB

    MD5

    21c7ee84f903054036565138016f4399

    SHA1

    c2aae6f6b2be1727907d8ff695834da13f557837

    SHA256

    a3b3ea1e583c3565cb422af954acc7efa3c3d8031afd1e55921962e6736650d4

    SHA512

    75a6591ac5bca2eba08c23f3391ba4ee66afe2c1b52741896e712f7900a6bd144e2fdf1095480186dabec06678eb740d99e4a30b162d488fcba0ada951a5c5f7

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\pythoncom34.dll

    Filesize

    531KB

    MD5

    f3418b936aa5957c5fce6b2728f83f78

    SHA1

    a78c177b47a00b2bd0782339c899f5c9a21e9aeb

    SHA256

    dc82a8f37e7f08fd343bc375091b390840acb503f0a44dcc56143998de0d06ad

    SHA512

    2d45e82e1aee5158ec14af6bcc31cd9a02ffc5fd8e2fb0a29acdb9763769f7e83a5a02f6844dabd9283250d7620f0f99bf9be1eb3240b3373044179dd7d3c218

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\pywintypes34.dll

    Filesize

    126KB

    MD5

    b9e1ec0b4d7895d9f80c27480792cbb8

    SHA1

    3f395198b22bdb2cb05ff32815d556dc921eb54c

    SHA256

    17b70ae51aa5f4f1c81ae344e26c8f622a1e9d7abffd333a6b2f591a3d19488c

    SHA512

    b52363246a4cd9fda8b3c7048e4ca702658a0ec02b957272fee05d8ff6cac28123061127fa4eba5923269e07364f50b40ffe298bb3125aee6abe802656defd71

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\win32api.pyd

    Filesize

    121KB

    MD5

    71d317f9eca61a768c3806ee4836d6dc

    SHA1

    e9f30e3f34b1155a77c021beed5fbb1b35c1f21a

    SHA256

    cecdc8136e891839df9a1868cc755cadcf3489413d4024b357f75d3075b44b37

    SHA512

    a7a74ed872a16c8670ce0c8322be4615d0fe8a0b30f19f313f0bac6948f8d64c7fe5247c3b29e4e294e993445e7d2e7281bc17d0d4d3bc209ffb7f2515f70ad0

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\win32file.pyd

    Filesize

    142KB

    MD5

    1849a6b2375e8d383d84c4c505d1e593

    SHA1

    9eb5be5f3aa6df46c626894bc848b6cca8100fc2

    SHA256

    c3f5f585f0b96abd5ed093064b26b8698d0c8601453294c1f771df2620720c00

    SHA512

    262de74a0c7285402d4a9118d6f143bb8451cfb759cf6631e7cba7ea2d6de12a4ca723f663c28aa894452c4ff0894626393dd976dd8e86b064030eb8a4b50a00

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\win32mutex.pyd

    Filesize

    3.9MB

    MD5

    a3237243c3462f422b098554cb654710

    SHA1

    7a7869b2fb76b8859a51ac3545f19618588d9abe

    SHA256

    842afe5401ad1a3055bfe6d8ce8d8ce5f6fe715155fa49cb9a0da9e42195a577

    SHA512

    715ddfba701789b6e401814cd697ad61da505a4d4e8bd38d0e50ba2379a90601a51737b163f7d7e9a87af17d9da6ee7b7c720e256b8675c4e2466adece876890

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\win32security.pyd

    Filesize

    130KB

    MD5

    9c4430609eb86be6e6c45499a3c2bd93

    SHA1

    c193f3c7a19600a79a28913ea3c282e83834cef5

    SHA256

    55d949d89550d51da5231dea0996d3049f0125be8669b06ecd2428cad2940f73

    SHA512

    ffb59fdd5db73f8f2143b60ba762a8a36e0e3877b33b4f585deb8c857e5f94248dfea3c492637c00547b1f80a2707ed889cfc9371b503894e182eef671fb8eca

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\win32service.pyd

    Filesize

    50KB

    MD5

    fa322d72702b8bd77d94dc98f1b80fcc

    SHA1

    deb8c4432f74ee6533d27b3c7c0780dba05d481a

    SHA256

    9b350abab2139d36d39db0b2b32d37a53e840eb3f4004ea98dec983c5b2886ec

    SHA512

    d30b72cf0b709a32a2f914f5afb491596d815a90ab1860f76f62589834f0f8feb53675b2415bd6642854a1fb8c2bc5b145113df897844178f903e7b5ca3628b4

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\win32wnet.pyd

    Filesize

    29KB

    MD5

    087f657b12264e0d4cdbbed2d4fdda1d

    SHA1

    4d7be942b102761fdd183655fd022873164d605b

    SHA256

    c3a1a7823443b0eb3e18aeeae6ade16c2fbd80d3b2f935796c2a2fd7c4e46301

    SHA512

    58452f56674b2a382a29abc7c53fff15cf014e14b1726a2f38dabd8fd0aab4c4b49b7560188bc095893b05a57ac8412c4d1a5aee36e898ea54f732ef4d89d006

  • C:\Users\Admin\AppData\Local\Temp\_MEI28362\yara.pyd

    Filesize

    1.4MB

    MD5

    c263e93cc11b7cf23e219d1caf46ba56

    SHA1

    4a5f393e39b67a8f1dc17ed3800eb1d44b11463d

    SHA256

    2343e50994a4b6e1d59215a7d65c49c4fa3ca1b302388c41c32b821d61f9776c

    SHA512

    60bf1209d1f4cd15416d659c6db9d0eee92fe305f00355fe10438708b831a2c47937df5df48cce7be713f835b0a12924523243059a32306cce149d5fa2da0616

  • \Users\Admin\AppData\Local\Temp\_MEI28362\_lzma.pyd

    Filesize

    133KB

    MD5

    3491b5a1fa93c9550e5029ed17443ae1

    SHA1

    6355271938ef6e38b5457b40b371f419838dede0

    SHA256

    e47e5747122542d873a022b69501f011bc8e80af330f54a9e31e04d502606783

    SHA512

    7e637aa0cb41db20798887f93f00a02a07421895887c330894c1f61bc8dd901fb730dcf1d54dbac4dfbfcb995b4cfc4beffea2b2f6c759b922e1a7ad7f2f06cb

  • \Users\Admin\AppData\Local\Temp\_MEI28362\win32utils.pyd

    Filesize

    146KB

    MD5

    90d50fee118106b9d4a1c40f87467c6c

    SHA1

    d6a7081a079784ba62df6fba002a7edac00f092a

    SHA256

    2ef7ea38eea0fa11c7fed53c78a0f43620458499c4c3d7424bb546224cfd8a4f

    SHA512

    a52c50b63567ec925c1ccf0c6351740a2b281774c869c27c7db433e887317ed08b58b60656ed48d035aa4e775c26920a464ec675050d2ede705c634c7f5bf8b5
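Taken together, the Processes and Downloads sections describe a PyInstaller onefile executable: the parent process (PID 2836) unpacks a Python 3.4 runtime (python34.dll, base_library.zip, MSVCR100.dll) and a set of extension modules into _MEI28362, then spawns a copy of itself (PID 2904) that loads them, which is what the 37 "Loads dropped DLL" IoCs on the child record. The Crypto\Cipher\_raw_*.pyd layout is PyCryptodome's, and psutil, pywin32 (win32*.pyd, pythoncom34.dll, pywintypes34.dll) and yara.pyd are bundled next to it; a bundled runtime of this kind also accounts for the 19.4MB sample size. The script below is an added example and not part of the report or of any tool it names; it re-derives those conclusions from the dropped-file listing. The records embedded in it are a subset copied from the Downloads section. The rule that PyInstaller's Windows bootloader names its extraction directory _MEI followed by its own PID and a short numeric suffix, and the use of base_library.zip as a onefile marker, are assumptions drawn from PyInstaller's behaviour rather than anything the report states.

```python
import re
from collections import Counter

# Constructed subset of the report's Downloads section: (path, sha256).
# Copied from the listing above; the entry without a drive letter is
# reproduced exactly as the report shows it.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Cipher\_Salsa20.pyd",
     "f9a9d7e0439b432c9b1f361246293a9b0e4320408a6f86a6844f03d29946031b"),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Hash\_SHA256.pyd",
     "292c724377358ce19e225165e73b584393d0ca08de5bbe68c595c890d5fccdeb"),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI28362\MSVCR100.dll",
     "b4bfa27f677295b00a1df9a7e14db4b75cac2dd41b898d4e9a378eccce3699f0"),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI28362\base_library.zip",
     "e75fb2430e2fc454116a40fad9eefae813878d6b6fac215f8891a0849126426e"),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI28362\psutil\_psutil_windows.pyd",
     "f51c549dbe5c5d361c7f025d1781c7b70752e162c31192b8993552b8d87abfee"),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI28362\python34.dll",
     "a3b3ea1e583c3565cb422af954acc7efa3c3d8031afd1e55921962e6736650d4"),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI28362\win32security.pyd",
     "55d949d89550d51da5231dea0996d3049f0125be8669b06ecd2428cad2940f73"),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI28362\yara.pyd",
     "2343e50994a4b6e1d59215a7d65c49c4fa3ca1b302388c41c32b821d61f9776c"),
    (r"\Users\Admin\AppData\Local\Temp\_MEI28362\_lzma.pyd",
     "e47e5747122542d873a022b69501f011bc8e80af330f54a9e31e04d502606783"),
]

PARENT_PID = 2836  # PID of the first process in the Processes section

# One path component of the form \_MEI28362\ (PyInstaller extraction dir).
MEI_DIR = re.compile(r"\\(_MEI(\d+))\\", re.IGNORECASE)
# The bundled CPython runtime DLL, e.g. python34.dll.
PYTHON_DLL = re.compile(r"^python(\d)(\d+)\.dll$", re.IGNORECASE)


def find_mei_dirs(records):
    """Count dropped files per _MEI<digits> directory."""
    counts = Counter()
    for path, _ in records:
        m = MEI_DIR.search(path)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def mei_matches_pid(mei_name, pid):
    """Assumed PyInstaller behaviour (not from the report): the Windows
    bootloader names the directory _MEI<pid><suffix>, suffix being a short
    number. True if the digits are the given PID plus at most two more."""
    digits = mei_name[len("_MEI"):]
    rest = digits[len(str(pid)):]
    return digits.startswith(str(pid)) and (
        rest == "" or (len(rest) <= 2 and rest.isdigit()))


def python_runtime_version(records):
    """'major.minor' of the bundled CPython DLL (python34.dll -> '3.4')."""
    for path, _ in records:
        m = PYTHON_DLL.match(path.rsplit("\\", 1)[-1])
        if m:
            return f"{m.group(1)}.{m.group(2)}"
    return None


def bundled_components(records):
    """Top-level entries directly under the _MEI directory (packages/modules)."""
    comps = set()
    for path, _ in records:
        m = MEI_DIR.search(path)
        if m:
            comps.add(path[m.end():].split("\\", 1)[0])
    return sorted(comps)


def ioc_sha256(records):
    """Deduplicated SHA-256 set suitable for a blocklist or hunt query."""
    return sorted({h.lower() for _, h in records})


def triage(records, parent_pid):
    """Summarise the listing: which _MEI dir, whether it ties to the parent
    PID, the runtime version, and whether it looks like a onefile bundle."""
    dirs = find_mei_dirs(records)
    mei = max(dirs, key=dirs.get) if dirs else None
    comps = bundled_components(records)
    pyver = python_runtime_version(records)
    return {
        "mei_dir": mei,
        "dropped_under_mei": dirs.get(mei, 0),
        "pid_matches_parent": mei is not None and mei_matches_pid(mei, parent_pid),
        "python_version": pyver,
        # Assumed onefile marker: runtime DLL plus base_library.zip beside the modules.
        "pyinstaller_onefile": mei is not None and pyver is not None
        and "base_library.zip" in comps,
        "components": comps,
        "sha256": ioc_sha256(records),
    }


if __name__ == "__main__":
    for key, value in triage(DROPPED, PARENT_PID).items():
        print(f"{key}: {value}")
```

Feeding the full Downloads listing instead of the subset yields the complete SHA-256 set for blocking or hunting; the PID check is what ties the temp directory to the reported parent, and a failed match (for instance against PID 2904) is the cue that the directory was created by a different process than the one being examined.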