Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06-06-2024 20:35
Behavioral task: behavioral1
Sample: 2024-06-06_daddfbae1ad15f0ebe8c05cf864ff31a_ryuk.exe
Resource: win7-20240221-en
General
- Target: 2024-06-06_daddfbae1ad15f0ebe8c05cf864ff31a_ryuk.exe
- Size: 10.5MB
- MD5: daddfbae1ad15f0ebe8c05cf864ff31a
- SHA1: da796b17ef99fcbf7886935f26d024ea416efbab
- SHA256: c1a9adc2fa5605ea6455529090f6aac2df2fc951e9fb48aaa7a3c0bc99c32185
- SHA512: 94cb20650bd76bb44d23bcc854b964815d6c7dcccfc4927ebba959993d7816848fe9b0a86b6685edc2b28abb93a5d46968b2ed1488cd62f8bd301295876d3df5
- SSDEEP: 196608:ZUmD1gjuWJysVYvsO5mDIEVFKgd7pQDw748RmU/3ZlsPvOoXnX+h8CgCat69/0aY:GmeyWJOmDIEBd7pQDGtN3ZWDXXgat650
Malware Config
Signatures
- Loads dropped DLL (16 IoCs)
  Processes:
    pid   process
    1852  2024-06-06_daddfbae1ad15f0ebe8c05cf864ff31a_ryuk.exe  (16 identical entries, one per DLL load)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    2     api.ipify.org
    3     api.ipify.org
- Kills process with taskkill (3 IoCs)
  Processes:
    pid   process
    1792  taskkill.exe
    2532  taskkill.exe
    3036  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1792  taskkill.exe
    Token: SeDebugPrivilege  3036  taskkill.exe
    Token: SeDebugPrivilege  2532  taskkill.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (each row below appears three times in the report, 21 entries in total):
    description                        pid   process                                                target process
    PID 2752 wrote to memory of 1852   2752  2024-06-06_daddfbae1ad15f0ebe8c05cf864ff31a_ryuk.exe  2024-06-06_daddfbae1ad15f0ebe8c05cf864ff31a_ryuk.exe
    PID 1852 wrote to memory of 2780   1852  2024-06-06_daddfbae1ad15f0ebe8c05cf864ff31a_ryuk.exe  cmd.exe
    PID 2780 wrote to memory of 1792   2780  cmd.exe                                                taskkill.exe
    PID 1852 wrote to memory of 2156   1852  2024-06-06_daddfbae1ad15f0ebe8c05cf864ff31a_ryuk.exe  cmd.exe
    PID 2156 wrote to memory of 3036   2156  cmd.exe                                                taskkill.exe
    PID 1852 wrote to memory of 3032   1852  2024-06-06_daddfbae1ad15f0ebe8c05cf864ff31a_ryuk.exe  cmd.exe
    PID 3032 wrote to memory of 2532   3032  cmd.exe                                                taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-06_daddfbae1ad15f0ebe8c05cf864ff31a_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_daddfbae1ad15f0ebe8c05cf864ff31a_ryuk.exe"
  PID: 2752
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2024-06-06_daddfbae1ad15f0ebe8c05cf864ff31a_ryuk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-06_daddfbae1ad15f0ebe8c05cf864ff31a_ryuk.exe"
    PID: 1852
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c taskkill /im Discord.exe /f
      PID: 2780
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\taskkill.exe
        Command line: taskkill /im Discord.exe /f
        PID: 1792
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c taskkill /im DiscordPTB.exe /f
      PID: 2156
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\taskkill.exe
        Command line: taskkill /im DiscordPTB.exe /f
        PID: 3036
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c taskkill /im DiscordCanary.exe /f
      PID: 3032
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\taskkill.exe
        Command line: taskkill /im DiscordCanary.exe /f
        PID: 2532
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 7712161f3bc0c34e015b76519017c6ff
  SHA1: fd28f0165a1016353f1a28a1032898275dd4e117
  SHA256: e703a30389ed87cd2ec2ca5bbfca4ba74fe0b5c692b37437df4c698712c3e4e9
  SHA512: 16350a1974b9d01fadff8e90add7007ebcd93798b86a1c29a1fbf0c08e8c9628316167aaf204e3e0479ddab3ceba0ec9f30c6a1f7446b4659aa16d7411955e54
- Filesize: 87KB
  MD5: 0e675d4a7a5b7ccd69013386793f68eb
  SHA1: 6e5821ddd8fea6681bda4448816f39984a33596b
  SHA256: bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
  SHA512: cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66
- Filesize: 82KB
  MD5: ae8f1119691435dab497acf4f74e48a9
  SHA1: 3d66b25add927a8aab7acb5f10ce80f29db17428
  SHA256: ac01e1aa3248a7e956b0999e62a426396bd703aaaae389166934928552c36ba8
  SHA512: ece66874a204c1014b71482f0c34b64094f6a3a4385d9cc0e805d247b29d3d9dfe30f292879705e35a40214c9717b983cc8cb5b1af7d3000325042bb3cf17f2b
- Filesize: 121KB
  MD5: b8a2aa0b18b076f3138d4b6af625b1a8
  SHA1: 965f046846293af33401c7c0d56dd1423698f08a
  SHA256: ddd2e07bd447e46bf8682953e08a52ef3dec2a16b73016a210ac88196964623c
  SHA512: 0b75f59db170ab74ccb5d82187171000b5a607524449576ecfc8c708e3dfc501ddec5bcb82153f20e928d6c46a7109ebf59fc32d904fe1307a280ce6f1c6bf7e
- Filesize: 44KB
  MD5: 87722ab32707069bea55e20319066020
  SHA1: 2e38b46e0c2c4f8b701728af82f658653f7ee62a
  SHA256: e320235734d606b0a931ab5577ed3d73f276dbe4aeda1b643e11f2c68b1e25fc
  SHA512: 82261ef493e0eb45739ef2e99829373f960dce76ac35b1b9c92b65de943d4199200da86f9c12450122a12d8356479ab4c9765e33d70659585c1adb670c1272ee
- Filesize: 763KB
  MD5: 06c7e658838a626195b1994d203cc730
  SHA1: 8e26a111bfbc524181f891f1a797d72527f8b852
  SHA256: a6d161f83e902efb48b15c3eb728dea3938c5867b740a64b72b9d80393808765
  SHA512: 6af95825922fd7bd91bccd95cf32956d5bc6f1d3f885728c113a9ecda99d0a063a3d78bb6cb28b91fc2762c4fcbfa1aa89219ba0aa65d2932fa58fb7c58c0edb
- Filesize: 274KB
  MD5: 77eef70800962694031e78c7352738d7
  SHA1: b767d89e989477beb79ba2d5b340b0b4f7ae2192
  SHA256: 732befe49c758070023448f619a3abb088f44e4f05992bc7478dae873be56ad8
  SHA512: 0b3984f7bf9d37648a26ef5d3a93e15d5c2e8a443df123121ba43ca858939346cca0d613f04f2d9aba5420b1291ef429fea84e60920220086b153aac61a20f2f
- Filesize: 3.2MB
  MD5: bf83f8ad60cb9db462ce62c73208a30d
  SHA1: f1bc7dbc1e5b00426a51878719196d78981674c4
  SHA256: 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d
  SHA512: ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e
- Filesize: 670KB
  MD5: fe1f3632af98e7b7a2799e3973ba03cf
  SHA1: 353c7382e2de3ccdd2a4911e9e158e7c78648496
  SHA256: 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b
  SHA512: a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0
- Filesize: 4.0MB
  MD5: 147281c6864c61225284fc29dd189f37
  SHA1: f9affa883855c85f339ac697e4f2942dd06a3a2e
  SHA256: c5d4495bb879cc52a5076e1f366f330aa006d1e7e34c6b640a98378746244099
  SHA512: ec5d36cda7689f6f9889ff0fdf2d946704c930a030d7254b901db78c4591a3f4fde0fe75a841ae91c2f0881edaf75b36d04e81e3d8605b81df4bc9195a09d056
- Filesize: 26KB
  MD5: 3bff7c4ca394c523c25de029461ce32a
  SHA1: 15e2e1bff65fdf400ef54358079bb25a29faedaa
  SHA256: 306b8d12b77a8d6b6d06c6120331584af14f8deb97d5aed799a4779413052bc1
  SHA512: 2ce6d85dd23882b8a0ed00e0d2f4cc70f1c2871172e5f4e39d3bcf68ad0f69a528b227f14e02fc28467bc232619cbbf4feead778818a926716604e86285e69a4
- Filesize: 1.2MB
  MD5: 7bf3b294fc51a8d1496f0dc23864d330
  SHA1: f4a315ef83720ee0d6a76bc8dafd6b7c2c16ab43
  SHA256: 64d9c4dc4ea04343e00418cf9c57ca173336d02846b5d7bc92fda9fe0d672e67
  SHA512: e514add297fe449c34eb8c1b292dc075330364925af230432eec04037a81b8c629dc75622d6d19ca34d243e912902933679e305f35e00c509e18d3dde420ffca
- Filesize: 1.0MB
  MD5: 670368fed0b550dcc0574801ebf4d2da
  SHA1: fac31b9ba19b4bc0ad138935d6a268bc434dd47a
  SHA256: 6b3d8ea118eca733b95713616306b829a3eea80e1068c30f5408717bf81c715d
  SHA512: f32d992bfd9f30df53b5be95b81d613a50517e3624906e9bb43b17ccccd5a5d88b435256310c2339dc1b811b19d61edcd4104f973e8d18c674510826b16bc334
- Filesize: 246KB
  MD5: 496778a3b05ad610daad34b752a5fcdf
  SHA1: 21ad508f2faab85f2304a8e0fdb687611459c653
  SHA256: be5a20ea62c97abeaf1cb0c2522f4737d71701f7e1220d92470c0eeb8a99d427
  SHA512: 3bb10d09a61e84b4b2d19644899021cb8e91418693a11cdc0ca0aa1b861631e11101e9a9feb4ff6883f223294296f6c3634b12206b3ee6a37b37cb761078d122
- Filesize: 27KB
  MD5: 03c59e006425bcf5821302efacf3e536
  SHA1: 841de7c790b1bb5feabbf713318fd5dd2556dab1
  SHA256: eb353ed6b1ca807153ff2c72f38f2cce028eb5684de29f681039bd148e7da6c0
  SHA512: 577f9929e9c70098380bd1dd4f7e7826d3630d680a28b9d576585ff7cc4d84edf9c0438e070a401295d5748239052f7e77b12a9b07af8cb5c5657db9e390de38
- Filesize: 77KB
  MD5: fca96fe528ff7c8a688da45a1667576f
  SHA1: 3346925f3c5ec51ef9ffbc57b9630663942bdbc4
  SHA256: 6fb731502320840ea36d2c8194c8de2371d275eb2c2fdffa1a5e62f5bcfc84ea
  SHA512: cd3e1ea2590052bd8b0db8f230cddbcf248886acd18f17508fadd64701633646967395aa22c5891ace08b5149ac6dd0543f042ece3a5a6bb2315c4bcaca4d423
- Filesize: 85KB
  MD5: 1d8aa250048b7f223ac3ed4c0fbbe5f5
  SHA1: 866a044d80db93250c73bb53db332164ea4a9440
  SHA256: 3c4b3cb88c44722bd3b8ad1b4e73b5591e4947d8db0c4d86adb462327d7fef90
  SHA512: 1c03d6d4451a2f1cba7f58800793658879f79d1336790056c9edb52fcfb728faa99313bcc6c31353bd3b1ba9dc1bcb39df6ab924905922c3cf55c52ca8a709ec
- Filesize: 116KB
  MD5: 481a55afd4a25307321cb46f1b508dce
  SHA1: fc988dcf53f6a91062d92cb4b37aaf2d4e8e1a6d
  SHA256: 24a752482838f62e30c7ad0d40a8a151184901c387ee34ac807f5aec56d04938
  SHA512: b47076eb30835fe26918dd3a055f3e0822982030a6cc92c5bf588c7bd27928122b612364f7b79440539a360ed08e3d9adcb97f79637b445fa7b73cfefb171f51
- Filesize: 32KB
  MD5: eef7981412be8ea459064d3090f4b3aa
  SHA1: c60da4830ce27afc234b3c3014c583f7f0a5a925
  SHA256: f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
  SHA512: dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016