d0e26e20c403251c6eeec9529dc6c6110192953d2af6358e39fec0c9d071e8ec

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 09:36

Target

2024-06-06_5901bfd3f331f0492a32818ae504062c_ryuk.exe
Size

1.8MB
MD5

5901bfd3f331f0492a32818ae504062c
SHA1

efefcf4dd2ee2979f9170ab169c60b8afe1b8e72
SHA256

d0e26e20c403251c6eeec9529dc6c6110192953d2af6358e39fec0c9d071e8ec
SHA512

818b0b76b9d7196b0914bbe2d19493327b2655277e623f2b01901acc703de2c9e54bbef9065178ae5c47e2962402047578f1a92444daaf6003f963635e741337
SSDEEP

49152:9KfuPS3ELNjV7SZxEfOfOgwf0LCks7R9L58UqFJjskU:mm9OZxwgbC17DVqFJU

Score

5^/10

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-06-06_5901bfd3f331f0492a32818ae504062c_ryuk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2024	2024-06-06_5901bfd3f331f0492a32818ae504062c_ryuk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2228	2024	2024-06-06_5901bfd3f331f0492a32818ae504062c_ryuk.exe	28
PID 2024 wrote to memory of 2228	2024	2024-06-06_5901bfd3f331f0492a32818ae504062c_ryuk.exe	28
PID 2024 wrote to memory of 2228	2024	2024-06-06_5901bfd3f331f0492a32818ae504062c_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-06-06_5901bfd3f331f0492a32818ae504062c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_5901bfd3f331f0492a32818ae504062c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2024 -s 220
  2⤵
  PID:2228

memory/2024-0-0x0000000001C00000-0x0000000001C60000-memory.dmp

Filesize
384KB

Download
memory/2024-9-0x0000000001C00000-0x0000000001C60000-memory.dmp

Filesize
384KB

Download
memory/2024-8-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download
memory/2024-12-0x0000000140000000-0x00000001401DF000-memory.dmp

Filesize
1.9MB

Download