94570010902d816cf8b2be7294bcb0bb594088e4ffc067845c58c0b54d0f9159

Analysis

max time kernel
121s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_3e9a614792be8aa430af223b03ea38be_cova_ryuk.exe
Size

21.4MB
MD5

3e9a614792be8aa430af223b03ea38be
SHA1

7f5e5fdefc0b649f96650bc58c7ed7523a86f6b5
SHA256

94570010902d816cf8b2be7294bcb0bb594088e4ffc067845c58c0b54d0f9159
SHA512

6633210c7c21ab3adce96c57cf41bb4f99944e4409f4387e5057a52ade9aa06c86cacb27ada76c7c2160aaca31e50a26b150645c6194d3e898d8efdf34effb46
SSDEEP

393216:4zWJNLzg4F3wg0A6EMevQDnvdS6k2z3/fS/K96bOzHCFjvaLIAxvrfw3JgJvS:46XPgRrEM7dS6pRziNb8vrYr

Score

7^/10

pyinstaller

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2472	GMplop.exe
1912	GMplop.exe

Loads dropped DLL 9 IoCs

pid	Process
2184	2024-06-05_3e9a614792be8aa430af223b03ea38be_cova_ryuk.exe
1912	GMplop.exe
1912	GMplop.exe
1912	GMplop.exe
1912	GMplop.exe
1912	GMplop.exe
1912	GMplop.exe
1912	GMplop.exe
1364	Process not Found

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000d00000001445e-8.dat	pyinstaller
behavioral1/files/0x000d00000001445e-11.dat	pyinstaller
behavioral1/files/0x000d00000001445e-10.dat	pyinstaller
behavioral1/files/0x000d00000001445e-151.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2184	2024-06-05_3e9a614792be8aa430af223b03ea38be_cova_ryuk.exe
Token: SeRestorePrivilege	2184	2024-06-05_3e9a614792be8aa430af223b03ea38be_cova_ryuk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2472	2184	2024-06-05_3e9a614792be8aa430af223b03ea38be_cova_ryuk.exe	28
PID 2184 wrote to memory of 2472	2184	2024-06-05_3e9a614792be8aa430af223b03ea38be_cova_ryuk.exe	28
PID 2184 wrote to memory of 2472	2184	2024-06-05_3e9a614792be8aa430af223b03ea38be_cova_ryuk.exe	28
PID 2472 wrote to memory of 1912	2472	GMplop.exe	30
PID 2472 wrote to memory of 1912	2472	GMplop.exe	30
PID 2472 wrote to memory of 1912	2472	GMplop.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-06-05_3e9a614792be8aa430af223b03ea38be_cova_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_3e9a614792be8aa430af223b03ea38be_cova_ryuk.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Public\Downloads\GMplop.exe
  "C:\Users\Public\Downloads\GMplop.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Public\Downloads\GMplop.exe
    "C:\Users\Public\Downloads\GMplop.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI24722\python310.dll

Filesize
2.8MB

MD5
8640d85afe0bf333d001bbce43434eb5

SHA1
93821eaae9c88de13133827e8b38c95a5f181618

SHA256
167688523ebdb28e0608a8376bc63e7db1bb1ec34667e448cf12aba76a40202b

SHA512
5e395f95baa0239f3b25c7fcf1867bae621ad7041e0c20ba43ecdbe007b888533230aad54f08523ea26093235b7e94c4da1714bd6e550c440a21b3e89931c0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24722\ucrtbase.dll

Filesize
993KB

MD5
9679f79d724bcdbd3338824ffe8b00c7

SHA1
5ded91cc6e3346f689d079594cf3a9bf1200bd61

SHA256
962c50afcb9fbfd0b833e0d2d7c2ba5cb35cd339ecf1c33ddfb349253ff95f36

SHA512
74ac8deb4a30f623af1e90e594d66fe28a1f86a11519c542c2bad44e556b2c5e03d41842f34f127f8f7f7cb217a6f357604cb2dc6aa5edc5cba8b83673d8b8bd

Download Submit
C:\Users\Public\Downloads\GMplop.exe

Filesize
4.3MB

MD5
86425db6dcdfabf1b93ae4e0932480b6

SHA1
00f38f91bb47193cb05c2a73ba79a0054d1316c9

SHA256
4ffe632977bb608ff8a9ab3afdcfd2d3f45357544fb52f70a1ff86a8f5e93e1b

SHA512
152f5a162aed2d121020b7d9cd52cc0397522870ead524ced925b02baa4a3ae65c2064e980ed58e0ff038b43cc4fd023be394a461232617b0c1c2381d5af5854

Download Submit
C:\Users\Public\Downloads\GMplop.exe

Filesize
2.1MB

MD5
47334ef25c4ba77c11c71b1a06802ff7

SHA1
1c00466e6e6976ae79f61ecbf486170ff79b1c5d

SHA256
87bf29d40ff1de20fad5d30df94b5a5268b992b5dc9c9c846324356ef29f2eda

SHA512
684026a1dbff31c11305b398a602b02c223db4501e3281c454e5d69294d11df29f98ef82bc933df609691882ebf57d57af80ed6466426a9fb25926e75511f503

Download Submit
C:\Users\Public\Downloads\GMplop.exe

Filesize
2.0MB

MD5
bffdd33ee97171012d7fa502e4b9b2b3

SHA1
5aa123c075d0e818cb5783e96d6a03c1d11ce1c7

SHA256
768f4980cb610e2fa58bc3021b71108bc462bc2c2514fa3217ef2a21ade24825

SHA512
22d5f0d79c3a96413b98598436c7598d98dc73fa3c2f9c55647ba5fc911e8d982ead2d3599e914927042e457497de55a29d5b9cfad6777c82655dba6ce712ed5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24722\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
1f72ba20e6771fe77dd27a3007801d37

SHA1
db0eb1b03f742ca62eeebca6b839fdb51f98a14f

SHA256
0ae3ee32f44aaed5389cc36d337d57d0203224fc6808c8a331a12ec4955bb2f4

SHA512
13e802aef851b59e609bf1dbd3738273ef6021c663c33b61e353b489e7ba2e3d3e61838e6c316fbf8a325fce5d580223cf6a9e61e36cdca90f138cfd7200bb27

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24722\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
c3408e38a69dc84d104ce34abf2dfe5b

SHA1
8c01bd146cfd7895769e3862822edb838219edab

SHA256
0bf0f70bd2b599ed0d6c137ce48cf4c419d15ee171f5faeac164e3b853818453

SHA512
aa47871bc6ebf02de3fe1e1a4001870525875b4f9d4571561933ba90756c17107ddf4d00fa70a42e0ae9054c8a2a76d11f44b683d92ffd773cab6cdc388e9b99

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24722\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
75ef38b27be5fa07dc07ca44792edcc3

SHA1
7392603b8c75a57857e5b5773f2079cb9da90ee9

SHA256
659f3321f272166f0b079775df0abdaf1bc482d1bcc66f42cae08fde446eb81a

SHA512
78b485583269b3721a89d4630d746a1d9d0488e73f58081c7bdc21948abf830263e6c77d9f31a8ad84ecb5ff02b0922cb39f3824ccd0e0ed026a5e343a8427bc

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24722\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
a55abf3646704420e48c8e29ccde5f7c

SHA1
c2ac5452adbc8d565ad2bc9ec0724a08b449c2d8

SHA256
c2f296dd8372681c37541b0ca8161b4621037d5318b7b8c5346cf7b8a6e22c3e

SHA512
c8eb3ec20821ae4403d48bb5dbf2237428016f23744f7982993a844c53ae89d06f86e03ab801e5aee441a83a82a7c591c0de6a7d586ea1f8c20a2426fced86f0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24722\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
e8af200a0127e12445eb8004a969fc1d

SHA1
a770fe20e42e2bef641c0591c0e763c1c8ba404d

SHA256
64d1ca4ead666023681929d86db26cfd3c70d4b2e521135205a84001d25187db

SHA512
a49b1ce5faf98af719e3a02cd1ff2a7ced1afc4fbf7483beab3f65487d79acc604a0db7c6ee21e45366e93f03fb109126ef00716624c159f1c35e4c100853eaf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24722\python310.dll

Filesize
2.1MB

MD5
fab738f02e477be53d03d8f40796a7dc

SHA1
9e1c19a6f33f79b933fafe251ea4bb78ed55ff30

SHA256
08e6a5940d7f8ef7bbf17e4df991133f918df94f3932faeede238acfca70002b

SHA512
df861e53c6aa796aca380c39b3c395a9889e4ecd4ef8612a53b5c5d05abc4f3390b4ee56cb134ba5a789083523985a694d600ffed2cad77ff5d747411eb5f370

Download Submit
\Users\Public\Downloads\GMplop.exe

Filesize
1.9MB

MD5
ab884918a8927d503ef69bccc6239f99

SHA1
7947e3dabf59c952f14b5c24596e6d973e6d416f

SHA256
92beb7d384c135835ac789a9de8cac8a80f66ce75d92813779918fcd1f0dbe02

SHA512
613c444eb9e7c781528cad2271d8e334b59fd55ceb3d307efe24d7efa4e001df38cc1eae243f6e58e408afeb8b42cb2facbca99d6ea783977d3cbdc362a54ebe

Download Submit
memory/2184-47-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download