Analysis Overview
SHA256
f6dfdce66fb0cf3e6690431067c2ce72213979d49730e236790170a2be1f82f5
Threat Level: Shows suspicious behavior
The file 2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk was assessed as: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
Enumerates connected drives
Detects Pyinstaller
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 00:46
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 00:46
Reported
2024-06-04 00:49
Platform
win7-20240221-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2836 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe |
| PID 2836 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe |
| PID 2836 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI28362\python34.dll
| MD5 | 21c7ee84f903054036565138016f4399 |
| SHA1 | c2aae6f6b2be1727907d8ff695834da13f557837 |
| SHA256 | a3b3ea1e583c3565cb422af954acc7efa3c3d8031afd1e55921962e6736650d4 |
| SHA512 | 75a6591ac5bca2eba08c23f3391ba4ee66afe2c1b52741896e712f7900a6bd144e2fdf1095480186dabec06678eb740d99e4a30b162d488fcba0ada951a5c5f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\MSVCR100.dll
| MD5 | aed6d63cfa5a3ef7021af9c457fee994 |
| SHA1 | f6ad746ef520b03df6cf0f5a2512d0df964c4688 |
| SHA256 | b4bfa27f677295b00a1df9a7e14db4b75cac2dd41b898d4e9a378eccce3699f0 |
| SHA512 | 5573b17eb19d13cc96df5d66ef60cc8ff98e1ac9d8582a870ed2befa28ee271fb41741a92aa703234150fceadf4a436d10b8a6518c1816d0c804eb1261650d2d |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\base_library.zip
| MD5 | f6bfd7440acf396926d7de442bc018a2 |
| SHA1 | 62823624dbf69195178455695222ba88a2a95c59 |
| SHA256 | e75fb2430e2fc454116a40fad9eefae813878d6b6fac215f8891a0849126426e |
| SHA512 | 125bf5e50b3f4e9678e254f4ab5d0cf91e43c68119747375fab834eb88b09de82bee7b590db42b203dd3851bbce5c04525e7795d4deb7b57a7c7777f1b610f60 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_ctypes.pyd
| MD5 | 6b2cc4443384e047544a499e874440e3 |
| SHA1 | 7de50d01e2fefe5e6f63c80e3423ff21012ebe37 |
| SHA256 | 07cd3a390ba1cf1a5d32b72f7d9058dd39e37043652083755f1debcf84089010 |
| SHA512 | 7d425a2d276b78f780d8c8f1ae89bc9318bfdb4b101e169e49f2806dddb3bd97e98343f04d99c5120dd89dd0a4bbc8787b0b1852bee4e8981e79ada97d90de38 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_bz2.pyd
| MD5 | b4a38b11f49d555f5fc458448f80125e |
| SHA1 | 229d51db8d1eb248325fa85b13578cfde815b3f8 |
| SHA256 | a86a89cf3e7e4dbcd1ec879231f043a4f62d00196aa5c8314c484b8bfe53c472 |
| SHA512 | 83a5d1925e51ce26ddabf05ea025a4038eec3877df5388cdf35d07987d36520695965376c2e770451c2e1cdd3ed4947016e056880771054ff9168931723bb91e |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_hashlib.pyd
| MD5 | 24ed71ea53f830c4dddbc1e9cea71ec7 |
| SHA1 | ed85d286a0539f5ee4b2c226969a15819aa1ab0b |
| SHA256 | 643389dcafc777031a87974424568e58bc56a030b6a267ab375eb4a9b5f4bee8 |
| SHA512 | 2c69e5c031b5d24ff644677b21d723942451cd26c09a0a800606bfba422bbe4446f3434553fe449d82e8d0bc82e64aa1550a5999d573780ea216a8c83cf3e053 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\win32api.pyd
| MD5 | 71d317f9eca61a768c3806ee4836d6dc |
| SHA1 | e9f30e3f34b1155a77c021beed5fbb1b35c1f21a |
| SHA256 | cecdc8136e891839df9a1868cc755cadcf3489413d4024b357f75d3075b44b37 |
| SHA512 | a7a74ed872a16c8670ce0c8322be4615d0fe8a0b30f19f313f0bac6948f8d64c7fe5247c3b29e4e294e993445e7d2e7281bc17d0d4d3bc209ffb7f2515f70ad0 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\pywintypes34.dll
| MD5 | b9e1ec0b4d7895d9f80c27480792cbb8 |
| SHA1 | 3f395198b22bdb2cb05ff32815d556dc921eb54c |
| SHA256 | 17b70ae51aa5f4f1c81ae344e26c8f622a1e9d7abffd333a6b2f591a3d19488c |
| SHA512 | b52363246a4cd9fda8b3c7048e4ca702658a0ec02b957272fee05d8ff6cac28123061127fa4eba5923269e07364f50b40ffe298bb3125aee6abe802656defd71 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\pythoncom34.dll
| MD5 | f3418b936aa5957c5fce6b2728f83f78 |
| SHA1 | a78c177b47a00b2bd0782339c899f5c9a21e9aeb |
| SHA256 | dc82a8f37e7f08fd343bc375091b390840acb503f0a44dcc56143998de0d06ad |
| SHA512 | 2d45e82e1aee5158ec14af6bcc31cd9a02ffc5fd8e2fb0a29acdb9763769f7e83a5a02f6844dabd9283250d7620f0f99bf9be1eb3240b3373044179dd7d3c218 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\_socket.pyd
| MD5 | e8ff139e319296f0362dd9e6fd3e220d |
| SHA1 | a47d152a95c9e4fdf71da4623da98830a68bb6dd |
| SHA256 | aa86416277fd46cbfe91a281be11198dde53d6be93728e1d2c3d4a1905c70416 |
| SHA512 | b48f43b5e8b2781258bdd2dec23da233d52bcd5f623f260c2dccbc9e86f490de2afbd1514a39a35f1ff0e4a102109eacfb7dac6b04a5ec7d37b48d4cdab24849 |
\Users\Admin\AppData\Local\Temp\_MEI28362\win32utils.pyd
| MD5 | 90d50fee118106b9d4a1c40f87467c6c |
| SHA1 | d6a7081a079784ba62df6fba002a7edac00f092a |
| SHA256 | 2ef7ea38eea0fa11c7fed53c78a0f43620458499c4c3d7424bb546224cfd8a4f |
| SHA512 | a52c50b63567ec925c1ccf0c6351740a2b281774c869c27c7db433e887317ed08b58b60656ed48d035aa4e775c26920a464ec675050d2ede705c634c7f5bf8b5 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\yara.pyd
| MD5 | c263e93cc11b7cf23e219d1caf46ba56 |
| SHA1 | 4a5f393e39b67a8f1dc17ed3800eb1d44b11463d |
| SHA256 | 2343e50994a4b6e1d59215a7d65c49c4fa3ca1b302388c41c32b821d61f9776c |
| SHA512 | 60bf1209d1f4cd15416d659c6db9d0eee92fe305f00355fe10438708b831a2c47937df5df48cce7be713f835b0a12924523243059a32306cce149d5fa2da0616 |
\Users\Admin\AppData\Local\Temp\_MEI28362\_lzma.pyd
| MD5 | 3491b5a1fa93c9550e5029ed17443ae1 |
| SHA1 | 6355271938ef6e38b5457b40b371f419838dede0 |
| SHA256 | e47e5747122542d873a022b69501f011bc8e80af330f54a9e31e04d502606783 |
| SHA512 | 7e637aa0cb41db20798887f93f00a02a07421895887c330894c1f61bc8dd901fb730dcf1d54dbac4dfbfcb995b4cfc4beffea2b2f6c759b922e1a7ad7f2f06cb |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\win32wnet.pyd
| MD5 | 087f657b12264e0d4cdbbed2d4fdda1d |
| SHA1 | 4d7be942b102761fdd183655fd022873164d605b |
| SHA256 | c3a1a7823443b0eb3e18aeeae6ade16c2fbd80d3b2f935796c2a2fd7c4e46301 |
| SHA512 | 58452f56674b2a382a29abc7c53fff15cf014e14b1726a2f38dabd8fd0aab4c4b49b7560188bc095893b05a57ac8412c4d1a5aee36e898ea54f732ef4d89d006 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\win32file.pyd
| MD5 | 1849a6b2375e8d383d84c4c505d1e593 |
| SHA1 | 9eb5be5f3aa6df46c626894bc848b6cca8100fc2 |
| SHA256 | c3f5f585f0b96abd5ed093064b26b8698d0c8601453294c1f771df2620720c00 |
| SHA512 | 262de74a0c7285402d4a9118d6f143bb8451cfb759cf6631e7cba7ea2d6de12a4ca723f663c28aa894452c4ff0894626393dd976dd8e86b064030eb8a4b50a00 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\win32security.pyd
| MD5 | 9c4430609eb86be6e6c45499a3c2bd93 |
| SHA1 | c193f3c7a19600a79a28913ea3c282e83834cef5 |
| SHA256 | 55d949d89550d51da5231dea0996d3049f0125be8669b06ecd2428cad2940f73 |
| SHA512 | ffb59fdd5db73f8f2143b60ba762a8a36e0e3877b33b4f585deb8c857e5f94248dfea3c492637c00547b1f80a2707ed889cfc9371b503894e182eef671fb8eca |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\win32service.pyd
| MD5 | fa322d72702b8bd77d94dc98f1b80fcc |
| SHA1 | deb8c4432f74ee6533d27b3c7c0780dba05d481a |
| SHA256 | 9b350abab2139d36d39db0b2b32d37a53e840eb3f4004ea98dec983c5b2886ec |
| SHA512 | d30b72cf0b709a32a2f914f5afb491596d815a90ab1860f76f62589834f0f8feb53675b2415bd6642854a1fb8c2bc5b145113df897844178f903e7b5ca3628b4 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\psutil\_psutil_windows.pyd
| MD5 | 68c225dd0f7c88ec60dd927a4edfa8d4 |
| SHA1 | ce5475f3a9e3ee5c3bd9f150802efbd11c5a97ed |
| SHA256 | f51c549dbe5c5d361c7f025d1781c7b70752e162c31192b8993552b8d87abfee |
| SHA512 | 5205763c534e302ac5be90ff625ad13963820eaf79f97861c80dbc2e80f17414818cd111ee6e07db575042044b8df22198d72916b47bec3a075f4bbaa76a481c |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Cipher\_raw_ecb.pyd
| MD5 | 7a0bde5b28e9f3711b448aecdcd8b33a |
| SHA1 | 54dcfa8a8fc62419836bb79f3b5e903d2c21f579 |
| SHA256 | 33a0e15981dd6675e404dc579f605aad696baa4281bc4836b5741ef8845fc9af |
| SHA512 | 804f598859ea0562d2b778eb6d4d459afe8a34859c980cb40887d0f848d854b92e4924b104558abcd7cd7d44c32007fdf7ac10c90ae118f79a1aba4f5c991f81 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Cipher\_raw_cbc.pyd
| MD5 | dc1f3b2235f377dd0d0d8112fe1a5559 |
| SHA1 | b67322d034e4284181b5d861f4e73871e0ccd442 |
| SHA256 | fe45e611be791baa09398e975a3d931a20e82e51337af09c4bc413f6a2225d17 |
| SHA512 | f775962b16d72ec264f2c47993fe4f56ee8775f2630b693f5eb46cb883eb8168338ce0d5453a1d44c89ecc541bd33a8c6ba151f19dc34edaec0e720227873d58 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Cipher\_raw_cfb.pyd
| MD5 | b7358378646911ee3a03e89fb49f486a |
| SHA1 | e81abcb5590d20b790e804a8062c04f903e769d4 |
| SHA256 | 9c49a3332754657e68a8d97caeb878ed70dbea3b77e501b54a3908d2b5388bfe |
| SHA512 | fd0eef36ddf224fb7ac15790c1200d9c411c3b82d8eeb778abb1beb523d4d5511310b0fdd6ae9055280f22c1e5d9554a1440ec0bcf1c553734a0b6d1a7957b01 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Cipher\_raw_ofb.pyd
| MD5 | 41ad90d637992d6f401c294b63551a20 |
| SHA1 | 52761061f927b6161d68791c49522ce84a806ada |
| SHA256 | 016dc9c121ceae460606813b5cbe7a215d113d9bdad22462d1e4877b5368ef33 |
| SHA512 | 2ee1a6e7dbd4545c1cf9b5f2476855df947e55605c8aa97ef1c1dee19a85ea444002ac23da3f16a82d9a2665980204a9e543369019cedcb86e747d7dc82f6d3d |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Cipher\_raw_ctr.pyd
| MD5 | 1cf0c721af7093fcf3852afb101641e2 |
| SHA1 | bc7ec26c788a87819243dc9fbb36aba17370afac |
| SHA256 | 06a56d3739c4537147a2912c1aba644e237710f66e1695ec8bdd18f21d1de407 |
| SHA512 | 671860d783e8081dcb30141a6faeb942f6ae2bbf13d4ed088f253dba96dc19e8a00ec821e0664eb8f0f9a4d7d1c0396dd3241089e136653036bc9875931e7cc5 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Util\_strxor.pyd
| MD5 | e68d621f5bff91ac458beae095447f64 |
| SHA1 | 14c4bc7ea6c02a53ebc5e4aa724546e4de3d1a71 |
| SHA256 | 826f602d8585ece718550637d231ec5feb003c6517dfc9aacb705c278edc6467 |
| SHA512 | 44d9bff6abf9339e266992f938261cb82f62e014981f64ebb20b7979f9c2c6da2eb90fd1ab4bcd3e98eb489927ebd039cac6ffd5658201670473c8c730dec6f3 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Hash\_BLAKE2s.pyd
| MD5 | ef12b636d1583e7c76c620adc866686c |
| SHA1 | 42793b9e7745d20818d842a8880b672f76cb34f3 |
| SHA256 | 3a12da596bbdf0f80c95d5ac678d9711e09e88bb3cd115a498d444969c74e657 |
| SHA512 | 6d6b51b58e15bc2afec17f1d9c95865785c4364d2bc9f14029af904df44d13ed5acd0693a9a5af8f1363ed4ef547bbda16321a60bbdd40e760674255ed8912d3 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Hash\_SHA1.pyd
| MD5 | 16cfb01068258d9c682e5d874ec4ff8d |
| SHA1 | ee9a77534ed8c561c1faf2f82f04b3f1b2c3ce0c |
| SHA256 | e1652d80cfa75cf8c5d5fd2375cbdbdf1566507bce79be9822078138e2627094 |
| SHA512 | d02985b90f232665b2425693ef4e4792f61ce44cacf4afb6fe8e40a4431caffca61569fc6178d35180126b1c27a7fe51c7bb20e16c4c805f11d873cd2f2860cd |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Hash\_SHA256.pyd
| MD5 | 5c27cac29ffa80b049ce988500055cf1 |
| SHA1 | c3c3671d0f992f52b7735f3acf8af4e38f131d2a |
| SHA256 | 292c724377358ce19e225165e73b584393d0ca08de5bbe68c595c890d5fccdeb |
| SHA512 | 75c1ba9c6d2530d46599096fdb86d56eb0c2733cfaf7545e76bde09fe615f0846e62b019f4eff1cc94b93a1a2f24c31bb90c518179de5ae7ea0066428acba825 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Hash\_MD5.pyd
| MD5 | 3a8980ea12c88c5062b29c601b5a8e69 |
| SHA1 | 401c26cceb5ce64eed8f49ea625bf7e3d6af56ed |
| SHA256 | 0b0069c05b15e7d61ff02ab8f0994a6ed0d553ca6318141c444355d7063fbbfa |
| SHA512 | 65eeb648d9e86cfc8536d0e3576a4f63fccb3117850f9eb2021efcbc4149b75c2faa19ba3168dfcea500252e65b71682cef62428e41cacb393a03343a30fb0d5 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Cipher\_Salsa20.pyd
| MD5 | 4a00449123dfcacdd95c7c1a8116c10a |
| SHA1 | 995698ae5ff395f6e53251acbfd19177236aac2c |
| SHA256 | f9a9d7e0439b432c9b1f361246293a9b0e4320408a6f86a6844f03d29946031b |
| SHA512 | 9843f0fb633dfe8548f2a79d72bd8d3c3ad51c800dd3a0502f02685b0602c6fb6034a82ec212ad1221a713c5c95a5ec3ab6317b010dfd714c276cde7170365f4 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Protocol\_scrypt.pyd
| MD5 | 179785a6b4815172887d650dc32188b7 |
| SHA1 | 84c221b094e5261a1192bd66ee11ff8e040c7da5 |
| SHA256 | d08a5e45e4f6d97320e79319e7eadbea17564671cd0467946ee53849c7f674c2 |
| SHA512 | 364bfe2bcd65442d8e15c01c61c1d292ec42ae4d2e5cf4399fe6f4846f8d825cf3ffe4cbfb78d39efb6f030e0d7a00b27a17a96cf2984473d105595d8f4d3fe3 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Util\_cpuid_c.pyd
| MD5 | 5e3e0e605ac0cc0713e034fd94c35d44 |
| SHA1 | 9f200c2b55348b7ad46cdb0a6eba6f62420a69f0 |
| SHA256 | 2d16da08324c2b7040223eca1ad49c21d98fef0ddb8010d050c154596e69bae2 |
| SHA512 | f1263694df3511f7a446eb5bdd5fd7ace47effb03296d6296f453178b73689c82a0275d42fd45ffba268b99074440c17f2af3228d93f9344609caf5431b78216 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Hash\_ghash_portable.pyd
| MD5 | a991da97ac18d2fc6c3a72c011635a46 |
| SHA1 | a6c98726e7ed2799e5814e4ca2780aa78bf5d137 |
| SHA256 | fe3699a162c5768e2ae6d3cde43fb8670ce37ecb32f1ba98c9ffeddcac4d6c67 |
| SHA512 | f61801d6ee6d8a5fbfa4a38ca443cbd7fc481ee7920fd9f003e3ffd20ede95f76ce7169e1b14ffdabcb60ef5a0be48c681597f5627eee1b17a5c12dc088975fb |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\Crypto\Hash\_ghash_clmul.pyd
| MD5 | 4edc8830daf5e94249be93312e248929 |
| SHA1 | 4662bce9a2b053ba0f434a000394b5e5158f05bc |
| SHA256 | 06e983c6923dbd125ab31854417b1937e9ef7e265d02cdc5c684a0a7ef037667 |
| SHA512 | 0a6821dede6c3b837b5a27242779033a02af5917ff2fbfa5f1271d19c007e88356262828752773eb46e6031164e259f0d9f2be8349761372513004826d8b1542 |
C:\Users\Admin\AppData\Local\Temp\_MEI28362\win32mutex.pyd
| MD5 | a3237243c3462f422b098554cb654710 |
| SHA1 | 7a7869b2fb76b8859a51ac3545f19618588d9abe |
| SHA256 | 842afe5401ad1a3055bfe6d8ce8d8ce5f6fe715155fa49cb9a0da9e42195a577 |
| SHA512 | 715ddfba701789b6e401814cd697ad61da505a4d4e8bd38d0e50ba2379a90601a51737b163f7d7e9a87af17d9da6ee7b7c720e256b8675c4e2466adece876890 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 00:46
Reported
2024-06-04 00:49
Platform
win10v2004-20240426-en
Max time kernel
131s
Max time network
95s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2268 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe |
| PID 2268 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_610e47ace3a3902057b91c2884b1c5b1_ryuk.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI22682\python34.dll
| MD5 | 21c7ee84f903054036565138016f4399 |
| SHA1 | c2aae6f6b2be1727907d8ff695834da13f557837 |
| SHA256 | a3b3ea1e583c3565cb422af954acc7efa3c3d8031afd1e55921962e6736650d4 |
| SHA512 | 75a6591ac5bca2eba08c23f3391ba4ee66afe2c1b52741896e712f7900a6bd144e2fdf1095480186dabec06678eb740d99e4a30b162d488fcba0ada951a5c5f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\MSVCR100.dll
| MD5 | aed6d63cfa5a3ef7021af9c457fee994 |
| SHA1 | f6ad746ef520b03df6cf0f5a2512d0df964c4688 |
| SHA256 | b4bfa27f677295b00a1df9a7e14db4b75cac2dd41b898d4e9a378eccce3699f0 |
| SHA512 | 5573b17eb19d13cc96df5d66ef60cc8ff98e1ac9d8582a870ed2befa28ee271fb41741a92aa703234150fceadf4a436d10b8a6518c1816d0c804eb1261650d2d |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\base_library.zip
| MD5 | f6bfd7440acf396926d7de442bc018a2 |
| SHA1 | 62823624dbf69195178455695222ba88a2a95c59 |
| SHA256 | e75fb2430e2fc454116a40fad9eefae813878d6b6fac215f8891a0849126426e |
| SHA512 | 125bf5e50b3f4e9678e254f4ab5d0cf91e43c68119747375fab834eb88b09de82bee7b590db42b203dd3851bbce5c04525e7795d4deb7b57a7c7777f1b610f60 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\_ctypes.pyd
| MD5 | 6b2cc4443384e047544a499e874440e3 |
| SHA1 | 7de50d01e2fefe5e6f63c80e3423ff21012ebe37 |
| SHA256 | 07cd3a390ba1cf1a5d32b72f7d9058dd39e37043652083755f1debcf84089010 |
| SHA512 | 7d425a2d276b78f780d8c8f1ae89bc9318bfdb4b101e169e49f2806dddb3bd97e98343f04d99c5120dd89dd0a4bbc8787b0b1852bee4e8981e79ada97d90de38 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\_bz2.pyd
| MD5 | b4a38b11f49d555f5fc458448f80125e |
| SHA1 | 229d51db8d1eb248325fa85b13578cfde815b3f8 |
| SHA256 | a86a89cf3e7e4dbcd1ec879231f043a4f62d00196aa5c8314c484b8bfe53c472 |
| SHA512 | 83a5d1925e51ce26ddabf05ea025a4038eec3877df5388cdf35d07987d36520695965376c2e770451c2e1cdd3ed4947016e056880771054ff9168931723bb91e |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\_hashlib.pyd
| MD5 | 24ed71ea53f830c4dddbc1e9cea71ec7 |
| SHA1 | ed85d286a0539f5ee4b2c226969a15819aa1ab0b |
| SHA256 | 643389dcafc777031a87974424568e58bc56a030b6a267ab375eb4a9b5f4bee8 |
| SHA512 | 2c69e5c031b5d24ff644677b21d723942451cd26c09a0a800606bfba422bbe4446f3434553fe449d82e8d0bc82e64aa1550a5999d573780ea216a8c83cf3e053 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\win32api.pyd
| MD5 | 71d317f9eca61a768c3806ee4836d6dc |
| SHA1 | e9f30e3f34b1155a77c021beed5fbb1b35c1f21a |
| SHA256 | cecdc8136e891839df9a1868cc755cadcf3489413d4024b357f75d3075b44b37 |
| SHA512 | a7a74ed872a16c8670ce0c8322be4615d0fe8a0b30f19f313f0bac6948f8d64c7fe5247c3b29e4e294e993445e7d2e7281bc17d0d4d3bc209ffb7f2515f70ad0 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\pythoncom34.dll
| MD5 | f3418b936aa5957c5fce6b2728f83f78 |
| SHA1 | a78c177b47a00b2bd0782339c899f5c9a21e9aeb |
| SHA256 | dc82a8f37e7f08fd343bc375091b390840acb503f0a44dcc56143998de0d06ad |
| SHA512 | 2d45e82e1aee5158ec14af6bcc31cd9a02ffc5fd8e2fb0a29acdb9763769f7e83a5a02f6844dabd9283250d7620f0f99bf9be1eb3240b3373044179dd7d3c218 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\_socket.pyd
| MD5 | e8ff139e319296f0362dd9e6fd3e220d |
| SHA1 | a47d152a95c9e4fdf71da4623da98830a68bb6dd |
| SHA256 | aa86416277fd46cbfe91a281be11198dde53d6be93728e1d2c3d4a1905c70416 |
| SHA512 | b48f43b5e8b2781258bdd2dec23da233d52bcd5f623f260c2dccbc9e86f490de2afbd1514a39a35f1ff0e4a102109eacfb7dac6b04a5ec7d37b48d4cdab24849 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\pywintypes34.dll
| MD5 | b9e1ec0b4d7895d9f80c27480792cbb8 |
| SHA1 | 3f395198b22bdb2cb05ff32815d556dc921eb54c |
| SHA256 | 17b70ae51aa5f4f1c81ae344e26c8f622a1e9d7abffd333a6b2f591a3d19488c |
| SHA512 | b52363246a4cd9fda8b3c7048e4ca702658a0ec02b957272fee05d8ff6cac28123061127fa4eba5923269e07364f50b40ffe298bb3125aee6abe802656defd71 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\win32utils.pyd
| MD5 | 90d50fee118106b9d4a1c40f87467c6c |
| SHA1 | d6a7081a079784ba62df6fba002a7edac00f092a |
| SHA256 | 2ef7ea38eea0fa11c7fed53c78a0f43620458499c4c3d7424bb546224cfd8a4f |
| SHA512 | a52c50b63567ec925c1ccf0c6351740a2b281774c869c27c7db433e887317ed08b58b60656ed48d035aa4e775c26920a464ec675050d2ede705c634c7f5bf8b5 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\yara.pyd
| MD5 | c263e93cc11b7cf23e219d1caf46ba56 |
| SHA1 | 4a5f393e39b67a8f1dc17ed3800eb1d44b11463d |
| SHA256 | 2343e50994a4b6e1d59215a7d65c49c4fa3ca1b302388c41c32b821d61f9776c |
| SHA512 | 60bf1209d1f4cd15416d659c6db9d0eee92fe305f00355fe10438708b831a2c47937df5df48cce7be713f835b0a12924523243059a32306cce149d5fa2da0616 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\win32service.pyd
| MD5 | fa322d72702b8bd77d94dc98f1b80fcc |
| SHA1 | deb8c4432f74ee6533d27b3c7c0780dba05d481a |
| SHA256 | 9b350abab2139d36d39db0b2b32d37a53e840eb3f4004ea98dec983c5b2886ec |
| SHA512 | d30b72cf0b709a32a2f914f5afb491596d815a90ab1860f76f62589834f0f8feb53675b2415bd6642854a1fb8c2bc5b145113df897844178f903e7b5ca3628b4 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\win32security.pyd
| MD5 | 9c4430609eb86be6e6c45499a3c2bd93 |
| SHA1 | c193f3c7a19600a79a28913ea3c282e83834cef5 |
| SHA256 | 55d949d89550d51da5231dea0996d3049f0125be8669b06ecd2428cad2940f73 |
| SHA512 | ffb59fdd5db73f8f2143b60ba762a8a36e0e3877b33b4f585deb8c857e5f94248dfea3c492637c00547b1f80a2707ed889cfc9371b503894e182eef671fb8eca |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\win32file.pyd
| MD5 | 1849a6b2375e8d383d84c4c505d1e593 |
| SHA1 | 9eb5be5f3aa6df46c626894bc848b6cca8100fc2 |
| SHA256 | c3f5f585f0b96abd5ed093064b26b8698d0c8601453294c1f771df2620720c00 |
| SHA512 | 262de74a0c7285402d4a9118d6f143bb8451cfb759cf6631e7cba7ea2d6de12a4ca723f663c28aa894452c4ff0894626393dd976dd8e86b064030eb8a4b50a00 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\win32wnet.pyd
| MD5 | 087f657b12264e0d4cdbbed2d4fdda1d |
| SHA1 | 4d7be942b102761fdd183655fd022873164d605b |
| SHA256 | c3a1a7823443b0eb3e18aeeae6ade16c2fbd80d3b2f935796c2a2fd7c4e46301 |
| SHA512 | 58452f56674b2a382a29abc7c53fff15cf014e14b1726a2f38dabd8fd0aab4c4b49b7560188bc095893b05a57ac8412c4d1a5aee36e898ea54f732ef4d89d006 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\_lzma.pyd
| MD5 | 3491b5a1fa93c9550e5029ed17443ae1 |
| SHA1 | 6355271938ef6e38b5457b40b371f419838dede0 |
| SHA256 | e47e5747122542d873a022b69501f011bc8e80af330f54a9e31e04d502606783 |
| SHA512 | 7e637aa0cb41db20798887f93f00a02a07421895887c330894c1f61bc8dd901fb730dcf1d54dbac4dfbfcb995b4cfc4beffea2b2f6c759b922e1a7ad7f2f06cb |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\psutil\_psutil_windows.pyd
| MD5 | 68c225dd0f7c88ec60dd927a4edfa8d4 |
| SHA1 | ce5475f3a9e3ee5c3bd9f150802efbd11c5a97ed |
| SHA256 | f51c549dbe5c5d361c7f025d1781c7b70752e162c31192b8993552b8d87abfee |
| SHA512 | 5205763c534e302ac5be90ff625ad13963820eaf79f97861c80dbc2e80f17414818cd111ee6e07db575042044b8df22198d72916b47bec3a075f4bbaa76a481c |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Cipher\_raw_cbc.pyd
| MD5 | dc1f3b2235f377dd0d0d8112fe1a5559 |
| SHA1 | b67322d034e4284181b5d861f4e73871e0ccd442 |
| SHA256 | fe45e611be791baa09398e975a3d931a20e82e51337af09c4bc413f6a2225d17 |
| SHA512 | f775962b16d72ec264f2c47993fe4f56ee8775f2630b693f5eb46cb883eb8168338ce0d5453a1d44c89ecc541bd33a8c6ba151f19dc34edaec0e720227873d58 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Cipher\_raw_ofb.pyd
| MD5 | 41ad90d637992d6f401c294b63551a20 |
| SHA1 | 52761061f927b6161d68791c49522ce84a806ada |
| SHA256 | 016dc9c121ceae460606813b5cbe7a215d113d9bdad22462d1e4877b5368ef33 |
| SHA512 | 2ee1a6e7dbd4545c1cf9b5f2476855df947e55605c8aa97ef1c1dee19a85ea444002ac23da3f16a82d9a2665980204a9e543369019cedcb86e747d7dc82f6d3d |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Util\_strxor.pyd
| MD5 | e68d621f5bff91ac458beae095447f64 |
| SHA1 | 14c4bc7ea6c02a53ebc5e4aa724546e4de3d1a71 |
| SHA256 | 826f602d8585ece718550637d231ec5feb003c6517dfc9aacb705c278edc6467 |
| SHA512 | 44d9bff6abf9339e266992f938261cb82f62e014981f64ebb20b7979f9c2c6da2eb90fd1ab4bcd3e98eb489927ebd039cac6ffd5658201670473c8c730dec6f3 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Hash\_BLAKE2s.pyd
| MD5 | ef12b636d1583e7c76c620adc866686c |
| SHA1 | 42793b9e7745d20818d842a8880b672f76cb34f3 |
| SHA256 | 3a12da596bbdf0f80c95d5ac678d9711e09e88bb3cd115a498d444969c74e657 |
| SHA512 | 6d6b51b58e15bc2afec17f1d9c95865785c4364d2bc9f14029af904df44d13ed5acd0693a9a5af8f1363ed4ef547bbda16321a60bbdd40e760674255ed8912d3 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Cipher\_raw_ctr.pyd
| MD5 | 1cf0c721af7093fcf3852afb101641e2 |
| SHA1 | bc7ec26c788a87819243dc9fbb36aba17370afac |
| SHA256 | 06a56d3739c4537147a2912c1aba644e237710f66e1695ec8bdd18f21d1de407 |
| SHA512 | 671860d783e8081dcb30141a6faeb942f6ae2bbf13d4ed088f253dba96dc19e8a00ec821e0664eb8f0f9a4d7d1c0396dd3241089e136653036bc9875931e7cc5 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Cipher\_raw_cfb.pyd
| MD5 | b7358378646911ee3a03e89fb49f486a |
| SHA1 | e81abcb5590d20b790e804a8062c04f903e769d4 |
| SHA256 | 9c49a3332754657e68a8d97caeb878ed70dbea3b77e501b54a3908d2b5388bfe |
| SHA512 | fd0eef36ddf224fb7ac15790c1200d9c411c3b82d8eeb778abb1beb523d4d5511310b0fdd6ae9055280f22c1e5d9554a1440ec0bcf1c553734a0b6d1a7957b01 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Cipher\_raw_ecb.pyd
| MD5 | 7a0bde5b28e9f3711b448aecdcd8b33a |
| SHA1 | 54dcfa8a8fc62419836bb79f3b5e903d2c21f579 |
| SHA256 | 33a0e15981dd6675e404dc579f605aad696baa4281bc4836b5741ef8845fc9af |
| SHA512 | 804f598859ea0562d2b778eb6d4d459afe8a34859c980cb40887d0f848d854b92e4924b104558abcd7cd7d44c32007fdf7ac10c90ae118f79a1aba4f5c991f81 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Hash\_ghash_clmul.pyd
| MD5 | 4edc8830daf5e94249be93312e248929 |
| SHA1 | 4662bce9a2b053ba0f434a000394b5e5158f05bc |
| SHA256 | 06e983c6923dbd125ab31854417b1937e9ef7e265d02cdc5c684a0a7ef037667 |
| SHA512 | 0a6821dede6c3b837b5a27242779033a02af5917ff2fbfa5f1271d19c007e88356262828752773eb46e6031164e259f0d9f2be8349761372513004826d8b1542 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Hash\_ghash_portable.pyd
| MD5 | a991da97ac18d2fc6c3a72c011635a46 |
| SHA1 | a6c98726e7ed2799e5814e4ca2780aa78bf5d137 |
| SHA256 | fe3699a162c5768e2ae6d3cde43fb8670ce37ecb32f1ba98c9ffeddcac4d6c67 |
| SHA512 | f61801d6ee6d8a5fbfa4a38ca443cbd7fc481ee7920fd9f003e3ffd20ede95f76ce7169e1b14ffdabcb60ef5a0be48c681597f5627eee1b17a5c12dc088975fb |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Util\_cpuid_c.pyd
| MD5 | 5e3e0e605ac0cc0713e034fd94c35d44 |
| SHA1 | 9f200c2b55348b7ad46cdb0a6eba6f62420a69f0 |
| SHA256 | 2d16da08324c2b7040223eca1ad49c21d98fef0ddb8010d050c154596e69bae2 |
| SHA512 | f1263694df3511f7a446eb5bdd5fd7ace47effb03296d6296f453178b73689c82a0275d42fd45ffba268b99074440c17f2af3228d93f9344609caf5431b78216 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Protocol\_scrypt.pyd
| MD5 | 179785a6b4815172887d650dc32188b7 |
| SHA1 | 84c221b094e5261a1192bd66ee11ff8e040c7da5 |
| SHA256 | d08a5e45e4f6d97320e79319e7eadbea17564671cd0467946ee53849c7f674c2 |
| SHA512 | 364bfe2bcd65442d8e15c01c61c1d292ec42ae4d2e5cf4399fe6f4846f8d825cf3ffe4cbfb78d39efb6f030e0d7a00b27a17a96cf2984473d105595d8f4d3fe3 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Cipher\_Salsa20.pyd
| MD5 | 4a00449123dfcacdd95c7c1a8116c10a |
| SHA1 | 995698ae5ff395f6e53251acbfd19177236aac2c |
| SHA256 | f9a9d7e0439b432c9b1f361246293a9b0e4320408a6f86a6844f03d29946031b |
| SHA512 | 9843f0fb633dfe8548f2a79d72bd8d3c3ad51c800dd3a0502f02685b0602c6fb6034a82ec212ad1221a713c5c95a5ec3ab6317b010dfd714c276cde7170365f4 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Hash\_MD5.pyd
| MD5 | 3a8980ea12c88c5062b29c601b5a8e69 |
| SHA1 | 401c26cceb5ce64eed8f49ea625bf7e3d6af56ed |
| SHA256 | 0b0069c05b15e7d61ff02ab8f0994a6ed0d553ca6318141c444355d7063fbbfa |
| SHA512 | 65eeb648d9e86cfc8536d0e3576a4f63fccb3117850f9eb2021efcbc4149b75c2faa19ba3168dfcea500252e65b71682cef62428e41cacb393a03343a30fb0d5 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Hash\_SHA256.pyd
| MD5 | 5c27cac29ffa80b049ce988500055cf1 |
| SHA1 | c3c3671d0f992f52b7735f3acf8af4e38f131d2a |
| SHA256 | 292c724377358ce19e225165e73b584393d0ca08de5bbe68c595c890d5fccdeb |
| SHA512 | 75c1ba9c6d2530d46599096fdb86d56eb0c2733cfaf7545e76bde09fe615f0846e62b019f4eff1cc94b93a1a2f24c31bb90c518179de5ae7ea0066428acba825 |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\Crypto\Hash\_SHA1.pyd
| MD5 | 16cfb01068258d9c682e5d874ec4ff8d |
| SHA1 | ee9a77534ed8c561c1faf2f82f04b3f1b2c3ce0c |
| SHA256 | e1652d80cfa75cf8c5d5fd2375cbdbdf1566507bce79be9822078138e2627094 |
| SHA512 | d02985b90f232665b2425693ef4e4792f61ce44cacf4afb6fe8e40a4431caffca61569fc6178d35180126b1c27a7fe51c7bb20e16c4c805f11d873cd2f2860cd |
C:\Users\Admin\AppData\Local\Temp\_MEI22682\win32mutex.pyd
| MD5 | a3237243c3462f422b098554cb654710 |
| SHA1 | 7a7869b2fb76b8859a51ac3545f19618588d9abe |
| SHA256 | 842afe5401ad1a3055bfe6d8ce8d8ce5f6fe715155fa49cb9a0da9e42195a577 |
| SHA512 | 715ddfba701789b6e401814cd697ad61da505a4d4e8bd38d0e50ba2379a90601a51737b163f7d7e9a87af17d9da6ee7b7c720e256b8675c4e2466adece876890 |