Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-06-2024 00:46

Behavioral task: behavioral1
Sample: 2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
Resource: win7-20240221-en

General
Target: 2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
Size: 19.4MB
MD5: 610e47ace3a3902057b91c2884b1c5b1
SHA1: 2dd8f3f668bb9be5898e57ec54ce6a5bbcb13e4c
SHA256: f6dfdce66fb0cf3e6690431067c2ce72213979d49730e236790170a2be1f82f5
SHA512: ac8a2b10b27e101f3e23c6f62ac4908f4721cdb7e8377a036b183b3a3c0b3c265ce5a3431c55c870a08f8cf91ab55d320df73e094d3273280751c6e28176b372
SSDEEP: 393216:ikFJR+VHkTwVyLgeF4dGPWQCacxENBbyN+guKd8ZIUELVqcXILww:7AZkUYLgZuUapnbm+TKuZIXVqQIL
Malware Config
Signatures
Loads dropped DLL (37 IoCs)
Processes:
pid: 2904; process: 2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe (all 37 entries reference this same pid and process)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description: File opened (read-only); ioc: \??\F:; process: 2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description: Token: 35; pid: 2904; process: 2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
description: Token: SeDebugPrivilege; pid: 2904; process: 2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description: PID 2836 wrote to memory of 2904; pid: 2836; process: 2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe; target process: 2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
description: PID 2836 wrote to memory of 2904; pid: 2836; process: 2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe; target process: 2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
description: PID 2836 wrote to memory of 2904; pid: 2836; process: 2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe; target process: 2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe"
   Suspicious use of WriteProcessMemory
   PID: 2836
   2. (child of 1) C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe"
      Loads dropped DLL
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      PID: 2904
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 9KB
MD5: 4a00449123dfcacdd95c7c1a8116c10a
SHA1: 995698ae5ff395f6e53251acbfd19177236aac2c
SHA256: f9a9d7e0439b432c9b1f361246293a9b0e4320408a6f86a6844f03d29946031b
SHA512: 9843f0fb633dfe8548f2a79d72bd8d3c3ad51c800dd3a0502f02685b0602c6fb6034a82ec212ad1221a713c5c95a5ec3ab6317b010dfd714c276cde7170365f4

Filesize: 7KB
MD5: dc1f3b2235f377dd0d0d8112fe1a5559
SHA1: b67322d034e4284181b5d861f4e73871e0ccd442
SHA256: fe45e611be791baa09398e975a3d931a20e82e51337af09c4bc413f6a2225d17
SHA512: f775962b16d72ec264f2c47993fe4f56ee8775f2630b693f5eb46cb883eb8168338ce0d5453a1d44c89ecc541bd33a8c6ba151f19dc34edaec0e720227873d58

Filesize: 7KB
MD5: b7358378646911ee3a03e89fb49f486a
SHA1: e81abcb5590d20b790e804a8062c04f903e769d4
SHA256: 9c49a3332754657e68a8d97caeb878ed70dbea3b77e501b54a3908d2b5388bfe
SHA512: fd0eef36ddf224fb7ac15790c1200d9c411c3b82d8eeb778abb1beb523d4d5511310b0fdd6ae9055280f22c1e5d9554a1440ec0bcf1c553734a0b6d1a7957b01

Filesize: 8KB
MD5: 1cf0c721af7093fcf3852afb101641e2
SHA1: bc7ec26c788a87819243dc9fbb36aba17370afac
SHA256: 06a56d3739c4537147a2912c1aba644e237710f66e1695ec8bdd18f21d1de407
SHA512: 671860d783e8081dcb30141a6faeb942f6ae2bbf13d4ed088f253dba96dc19e8a00ec821e0664eb8f0f9a4d7d1c0396dd3241089e136653036bc9875931e7cc5

Filesize: 6KB
MD5: 7a0bde5b28e9f3711b448aecdcd8b33a
SHA1: 54dcfa8a8fc62419836bb79f3b5e903d2c21f579
SHA256: 33a0e15981dd6675e404dc579f605aad696baa4281bc4836b5741ef8845fc9af
SHA512: 804f598859ea0562d2b778eb6d4d459afe8a34859c980cb40887d0f848d854b92e4924b104558abcd7cd7d44c32007fdf7ac10c90ae118f79a1aba4f5c991f81

Filesize: 7KB
MD5: 41ad90d637992d6f401c294b63551a20
SHA1: 52761061f927b6161d68791c49522ce84a806ada
SHA256: 016dc9c121ceae460606813b5cbe7a215d113d9bdad22462d1e4877b5368ef33
SHA512: 2ee1a6e7dbd4545c1cf9b5f2476855df947e55605c8aa97ef1c1dee19a85ea444002ac23da3f16a82d9a2665980204a9e543369019cedcb86e747d7dc82f6d3d

Filesize: 9KB
MD5: ef12b636d1583e7c76c620adc866686c
SHA1: 42793b9e7745d20818d842a8880b672f76cb34f3
SHA256: 3a12da596bbdf0f80c95d5ac678d9711e09e88bb3cd115a498d444969c74e657
SHA512: 6d6b51b58e15bc2afec17f1d9c95865785c4364d2bc9f14029af904df44d13ed5acd0693a9a5af8f1363ed4ef547bbda16321a60bbdd40e760674255ed8912d3

Filesize: 10KB
MD5: 3a8980ea12c88c5062b29c601b5a8e69
SHA1: 401c26cceb5ce64eed8f49ea625bf7e3d6af56ed
SHA256: 0b0069c05b15e7d61ff02ab8f0994a6ed0d553ca6318141c444355d7063fbbfa
SHA512: 65eeb648d9e86cfc8536d0e3576a4f63fccb3117850f9eb2021efcbc4149b75c2faa19ba3168dfcea500252e65b71682cef62428e41cacb393a03343a30fb0d5

Filesize: 13KB
MD5: 16cfb01068258d9c682e5d874ec4ff8d
SHA1: ee9a77534ed8c561c1faf2f82f04b3f1b2c3ce0c
SHA256: e1652d80cfa75cf8c5d5fd2375cbdbdf1566507bce79be9822078138e2627094
SHA512: d02985b90f232665b2425693ef4e4792f61ce44cacf4afb6fe8e40a4431caffca61569fc6178d35180126b1c27a7fe51c7bb20e16c4c805f11d873cd2f2860cd

Filesize: 15KB
MD5: 5c27cac29ffa80b049ce988500055cf1
SHA1: c3c3671d0f992f52b7735f3acf8af4e38f131d2a
SHA256: 292c724377358ce19e225165e73b584393d0ca08de5bbe68c595c890d5fccdeb
SHA512: 75c1ba9c6d2530d46599096fdb86d56eb0c2733cfaf7545e76bde09fe615f0846e62b019f4eff1cc94b93a1a2f24c31bb90c518179de5ae7ea0066428acba825

Filesize: 8KB
MD5: 4edc8830daf5e94249be93312e248929
SHA1: 4662bce9a2b053ba0f434a000394b5e5158f05bc
SHA256: 06e983c6923dbd125ab31854417b1937e9ef7e265d02cdc5c684a0a7ef037667
SHA512: 0a6821dede6c3b837b5a27242779033a02af5917ff2fbfa5f1271d19c007e88356262828752773eb46e6031164e259f0d9f2be8349761372513004826d8b1542

Filesize: 8KB
MD5: a991da97ac18d2fc6c3a72c011635a46
SHA1: a6c98726e7ed2799e5814e4ca2780aa78bf5d137
SHA256: fe3699a162c5768e2ae6d3cde43fb8670ce37ecb32f1ba98c9ffeddcac4d6c67
SHA512: f61801d6ee6d8a5fbfa4a38ca443cbd7fc481ee7920fd9f003e3ffd20ede95f76ce7169e1b14ffdabcb60ef5a0be48c681597f5627eee1b17a5c12dc088975fb

Filesize: 7KB
MD5: 179785a6b4815172887d650dc32188b7
SHA1: 84c221b094e5261a1192bd66ee11ff8e040c7da5
SHA256: d08a5e45e4f6d97320e79319e7eadbea17564671cd0467946ee53849c7f674c2
SHA512: 364bfe2bcd65442d8e15c01c61c1d292ec42ae4d2e5cf4399fe6f4846f8d825cf3ffe4cbfb78d39efb6f030e0d7a00b27a17a96cf2984473d105595d8f4d3fe3

Filesize: 6KB
MD5: 5e3e0e605ac0cc0713e034fd94c35d44
SHA1: 9f200c2b55348b7ad46cdb0a6eba6f62420a69f0
SHA256: 2d16da08324c2b7040223eca1ad49c21d98fef0ddb8010d050c154596e69bae2
SHA512: f1263694df3511f7a446eb5bdd5fd7ace47effb03296d6296f453178b73689c82a0275d42fd45ffba268b99074440c17f2af3228d93f9344609caf5431b78216

Filesize: 6KB
MD5: e68d621f5bff91ac458beae095447f64
SHA1: 14c4bc7ea6c02a53ebc5e4aa724546e4de3d1a71
SHA256: 826f602d8585ece718550637d231ec5feb003c6517dfc9aacb705c278edc6467
SHA512: 44d9bff6abf9339e266992f938261cb82f62e014981f64ebb20b7979f9c2c6da2eb90fd1ab4bcd3e98eb489927ebd039cac6ffd5658201670473c8c730dec6f3

Filesize: 808KB
MD5: aed6d63cfa5a3ef7021af9c457fee994
SHA1: f6ad746ef520b03df6cf0f5a2512d0df964c4688
SHA256: b4bfa27f677295b00a1df9a7e14db4b75cac2dd41b898d4e9a378eccce3699f0
SHA512: 5573b17eb19d13cc96df5d66ef60cc8ff98e1ac9d8582a870ed2befa28ee271fb41741a92aa703234150fceadf4a436d10b8a6518c1816d0c804eb1261650d2d

Filesize: 61KB
MD5: b4a38b11f49d555f5fc458448f80125e
SHA1: 229d51db8d1eb248325fa85b13578cfde815b3f8
SHA256: a86a89cf3e7e4dbcd1ec879231f043a4f62d00196aa5c8314c484b8bfe53c472
SHA512: 83a5d1925e51ce26ddabf05ea025a4038eec3877df5388cdf35d07987d36520695965376c2e770451c2e1cdd3ed4947016e056880771054ff9168931723bb91e

Filesize: 106KB
MD5: 6b2cc4443384e047544a499e874440e3
SHA1: 7de50d01e2fefe5e6f63c80e3423ff21012ebe37
SHA256: 07cd3a390ba1cf1a5d32b72f7d9058dd39e37043652083755f1debcf84089010
SHA512: 7d425a2d276b78f780d8c8f1ae89bc9318bfdb4b101e169e49f2806dddb3bd97e98343f04d99c5120dd89dd0a4bbc8787b0b1852bee4e8981e79ada97d90de38

Filesize: 1.5MB
MD5: 24ed71ea53f830c4dddbc1e9cea71ec7
SHA1: ed85d286a0539f5ee4b2c226969a15819aa1ab0b
SHA256: 643389dcafc777031a87974424568e58bc56a030b6a267ab375eb4a9b5f4bee8
SHA512: 2c69e5c031b5d24ff644677b21d723942451cd26c09a0a800606bfba422bbe4446f3434553fe449d82e8d0bc82e64aa1550a5999d573780ea216a8c83cf3e053

Filesize: 51KB
MD5: e8ff139e319296f0362dd9e6fd3e220d
SHA1: a47d152a95c9e4fdf71da4623da98830a68bb6dd
SHA256: aa86416277fd46cbfe91a281be11198dde53d6be93728e1d2c3d4a1905c70416
SHA512: b48f43b5e8b2781258bdd2dec23da233d52bcd5f623f260c2dccbc9e86f490de2afbd1514a39a35f1ff0e4a102109eacfb7dac6b04a5ec7d37b48d4cdab24849

Filesize: 745KB
MD5: f6bfd7440acf396926d7de442bc018a2
SHA1: 62823624dbf69195178455695222ba88a2a95c59
SHA256: e75fb2430e2fc454116a40fad9eefae813878d6b6fac215f8891a0849126426e
SHA512: 125bf5e50b3f4e9678e254f4ab5d0cf91e43c68119747375fab834eb88b09de82bee7b590db42b203dd3851bbce5c04525e7795d4deb7b57a7c7777f1b610f60

Filesize: 59KB
MD5: 68c225dd0f7c88ec60dd927a4edfa8d4
SHA1: ce5475f3a9e3ee5c3bd9f150802efbd11c5a97ed
SHA256: f51c549dbe5c5d361c7f025d1781c7b70752e162c31192b8993552b8d87abfee
SHA512: 5205763c534e302ac5be90ff625ad13963820eaf79f97861c80dbc2e80f17414818cd111ee6e07db575042044b8df22198d72916b47bec3a075f4bbaa76a481c

Filesize: 3.9MB
MD5: 21c7ee84f903054036565138016f4399
SHA1: c2aae6f6b2be1727907d8ff695834da13f557837
SHA256: a3b3ea1e583c3565cb422af954acc7efa3c3d8031afd1e55921962e6736650d4
SHA512: 75a6591ac5bca2eba08c23f3391ba4ee66afe2c1b52741896e712f7900a6bd144e2fdf1095480186dabec06678eb740d99e4a30b162d488fcba0ada951a5c5f7

Filesize: 531KB
MD5: f3418b936aa5957c5fce6b2728f83f78
SHA1: a78c177b47a00b2bd0782339c899f5c9a21e9aeb
SHA256: dc82a8f37e7f08fd343bc375091b390840acb503f0a44dcc56143998de0d06ad
SHA512: 2d45e82e1aee5158ec14af6bcc31cd9a02ffc5fd8e2fb0a29acdb9763769f7e83a5a02f6844dabd9283250d7620f0f99bf9be1eb3240b3373044179dd7d3c218

Filesize: 126KB
MD5: b9e1ec0b4d7895d9f80c27480792cbb8
SHA1: 3f395198b22bdb2cb05ff32815d556dc921eb54c
SHA256: 17b70ae51aa5f4f1c81ae344e26c8f622a1e9d7abffd333a6b2f591a3d19488c
SHA512: b52363246a4cd9fda8b3c7048e4ca702658a0ec02b957272fee05d8ff6cac28123061127fa4eba5923269e07364f50b40ffe298bb3125aee6abe802656defd71

Filesize: 121KB
MD5: 71d317f9eca61a768c3806ee4836d6dc
SHA1: e9f30e3f34b1155a77c021beed5fbb1b35c1f21a
SHA256: cecdc8136e891839df9a1868cc755cadcf3489413d4024b357f75d3075b44b37
SHA512: a7a74ed872a16c8670ce0c8322be4615d0fe8a0b30f19f313f0bac6948f8d64c7fe5247c3b29e4e294e993445e7d2e7281bc17d0d4d3bc209ffb7f2515f70ad0

Filesize: 142KB
MD5: 1849a6b2375e8d383d84c4c505d1e593
SHA1: 9eb5be5f3aa6df46c626894bc848b6cca8100fc2
SHA256: c3f5f585f0b96abd5ed093064b26b8698d0c8601453294c1f771df2620720c00
SHA512: 262de74a0c7285402d4a9118d6f143bb8451cfb759cf6631e7cba7ea2d6de12a4ca723f663c28aa894452c4ff0894626393dd976dd8e86b064030eb8a4b50a00

Filesize: 3.9MB
MD5: a3237243c3462f422b098554cb654710
SHA1: 7a7869b2fb76b8859a51ac3545f19618588d9abe
SHA256: 842afe5401ad1a3055bfe6d8ce8d8ce5f6fe715155fa49cb9a0da9e42195a577
SHA512: 715ddfba701789b6e401814cd697ad61da505a4d4e8bd38d0e50ba2379a90601a51737b163f7d7e9a87af17d9da6ee7b7c720e256b8675c4e2466adece876890

Filesize: 130KB
MD5: 9c4430609eb86be6e6c45499a3c2bd93
SHA1: c193f3c7a19600a79a28913ea3c282e83834cef5
SHA256: 55d949d89550d51da5231dea0996d3049f0125be8669b06ecd2428cad2940f73
SHA512: ffb59fdd5db73f8f2143b60ba762a8a36e0e3877b33b4f585deb8c857e5f94248dfea3c492637c00547b1f80a2707ed889cfc9371b503894e182eef671fb8eca

Filesize: 50KB
MD5: fa322d72702b8bd77d94dc98f1b80fcc
SHA1: deb8c4432f74ee6533d27b3c7c0780dba05d481a
SHA256: 9b350abab2139d36d39db0b2b32d37a53e840eb3f4004ea98dec983c5b2886ec
SHA512: d30b72cf0b709a32a2f914f5afb491596d815a90ab1860f76f62589834f0f8feb53675b2415bd6642854a1fb8c2bc5b145113df897844178f903e7b5ca3628b4

Filesize: 29KB
MD5: 087f657b12264e0d4cdbbed2d4fdda1d
SHA1: 4d7be942b102761fdd183655fd022873164d605b
SHA256: c3a1a7823443b0eb3e18aeeae6ade16c2fbd80d3b2f935796c2a2fd7c4e46301
SHA512: 58452f56674b2a382a29abc7c53fff15cf014e14b1726a2f38dabd8fd0aab4c4b49b7560188bc095893b05a57ac8412c4d1a5aee36e898ea54f732ef4d89d006

Filesize: 1.4MB
MD5: c263e93cc11b7cf23e219d1caf46ba56
SHA1: 4a5f393e39b67a8f1dc17ed3800eb1d44b11463d
SHA256: 2343e50994a4b6e1d59215a7d65c49c4fa3ca1b302388c41c32b821d61f9776c
SHA512: 60bf1209d1f4cd15416d659c6db9d0eee92fe305f00355fe10438708b831a2c47937df5df48cce7be713f835b0a12924523243059a32306cce149d5fa2da0616

Filesize: 133KB
MD5: 3491b5a1fa93c9550e5029ed17443ae1
SHA1: 6355271938ef6e38b5457b40b371f419838dede0
SHA256: e47e5747122542d873a022b69501f011bc8e80af330f54a9e31e04d502606783
SHA512: 7e637aa0cb41db20798887f93f00a02a07421895887c330894c1f61bc8dd901fb730dcf1d54dbac4dfbfcb995b4cfc4beffea2b2f6c759b922e1a7ad7f2f06cb

Filesize: 146KB
MD5: 90d50fee118106b9d4a1c40f87467c6c
SHA1: d6a7081a079784ba62df6fba002a7edac00f092a
SHA256: 2ef7ea38eea0fa11c7fed53c78a0f43620458499c4c3d7424bb546224cfd8a4f
SHA512: a52c50b63567ec925c1ccf0c6351740a2b281774c869c27c7db433e887317ed08b58b60656ed48d035aa4e775c26920a464ec675050d2ede705c634c7f5bf8b5