Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-06-2024 00:45
Behavioral task: behavioral1
Sample: 2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: 2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe
Resource: win10v2004-20240426-en
General
Target: 2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe
Size: 5.3MB
MD5: 0358956d89b008681fc0140ced5ef5c7
SHA1: 04dd00d6b4be8097be674cd35df07ce223a0ad20
SHA256: b21ff1bac6c34d8f4d3fcbfe387a540f467b22b80b5e7cee4592db32ff3a8191
SHA512: 4bb36bfe85e5cf6abd55de10eaa7a4a490e739e4a9e100f0b8a70c9543d6a8060d7b664636d0c3e949575fac05ff4a6f55bbde22a0b2af3c4305bb61b0ad5424
SSDEEP: 98304:PJhqE6OVQWJuhswoYv5eONVJSVlnsfGm2ceemmZqAZ8a+t1Twe2505IIbsONq4AC:POE/uWJysVYvsOdknseOeehZqAqa+3TM
Malware Config
Signatures
- Loads dropped DLL (2 IoCs)
  pid   process
  4608  2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe
  4608  2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description  pid   process
  Token: 35    4608  2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  description                       pid   process                                                target process
  PID 4556 wrote to memory of 4608  4556  2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe  2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe
  PID 4556 wrote to memory of 4608  4556  2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe  2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe"
  PID: 4556 (depth 1)
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe"
    PID: 4608 (depth 2, spawned by PID 4556)
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
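The three signature groups above describe one chain: PID 4556 writes into the memory of PID 4608, a child running the same image, and the child then adjusts its token and loads a DLL that was dropped during the run. A detection wants that chain correlated rather than three isolated IoCs. The following Python is an added example, not part of this report or of the sandbox's own tooling: it parses IoC rows in the flattened layout used on this page (the row text is copied from this report; the `Signature:` prefix on each row is my own convention for labelling which signature the row came from) and reports every parent/child pair where a memory write was followed by activity in the written-to process.

```python
import re
from collections import defaultdict

SAMPLE = "2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe"

# Constructed input: the IoC rows listed in this report, one per line, each prefixed with
# the signature it was listed under. The prefix is my convention, not the sandbox's.
RAW_ROWS = f"""\
WriteProcessMemory: PID 4556 wrote to memory of 4608 4556 {SAMPLE} {SAMPLE}
WriteProcessMemory: PID 4556 wrote to memory of 4608 4556 {SAMPLE} {SAMPLE}
AdjustPrivilegeToken: Token: 35 4608 {SAMPLE}
LoadsDroppedDLL: 4608 {SAMPLE}
LoadsDroppedDLL: 4608 {SAMPLE}
"""

# One row shape per signature, matching the column order shown in this report.
_WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")
_TOKEN = re.compile(r"Token: (\d+) (\d+) (\S+)$")
_DLL = re.compile(r"(\d+) (\S+)$")


def parse_rows(text):
    """Turn flattened IoC rows into a list of event dicts, one per row."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sig, _, body = line.partition(": ")
        if sig == "WriteProcessMemory" and (m := _WPM.match(body)):
            if m[1] != m[3]:
                raise ValueError(f"pid column disagrees with description: {line!r}")
            events.append({"sig": sig, "src_pid": int(m[3]), "dst_pid": int(m[2]),
                           "src_image": m[4], "dst_image": m[5]})
        elif sig == "AdjustPrivilegeToken" and (m := _TOKEN.match(body)):
            events.append({"sig": sig, "token": int(m[1]), "pid": int(m[2]), "image": m[3]})
        elif sig == "LoadsDroppedDLL" and (m := _DLL.match(body)):
            events.append({"sig": sig, "pid": int(m[1]), "image": m[2]})
        else:
            raise ValueError(f"unrecognised row: {line!r}")
    return events


def find_injection_chains(events):
    """Correlate WriteProcessMemory rows with follow-on activity in the written-to process.

    A parent writing into a child that then adjusts its token or loads a dropped DLL is
    the chain visible in this report's process tree. Returns one finding per (parent,
    child) pair, sorted by pid; pairs whose child shows no follow-on activity are dropped.
    """
    followups = defaultdict(set)
    for ev in events:
        if ev["sig"] in ("AdjustPrivilegeToken", "LoadsDroppedDLL"):
            followups[ev["pid"]].add(ev["sig"])

    findings = {}
    for ev in events:
        if ev["sig"] != "WriteProcessMemory":
            continue
        if ev["src_pid"] == ev["dst_pid"]:
            continue  # a process writing to its own memory is not injection
        key = (ev["src_pid"], ev["dst_pid"])
        findings[key] = {
            "parent": ev["src_pid"],
            "child": ev["dst_pid"],
            # Same image on both sides is the self-spawn-and-inject pattern seen here.
            "same_image": ev["src_image"] == ev["dst_image"],
            "followups": sorted(followups.get(ev["dst_pid"], ())),
        }
    return [f for _, f in sorted(findings.items()) if f["followups"]]


if __name__ == "__main__":
    for finding in find_injection_chains(parse_rows(RAW_ROWS)):
        print(finding)
```

Duplicate rows (the two identical WriteProcessMemory IoCs) collapse into one finding because the correlation is keyed on the (parent, child) pair; the `same_image` flag distinguishes this self-injection shape from injection into an unrelated process, which the same code would also report.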
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 87KB
  MD5: 0e675d4a7a5b7ccd69013386793f68eb
  SHA1: 6e5821ddd8fea6681bda4448816f39984a33596b
  SHA256: bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
  SHA512: cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66
- Filesize: 762KB
  MD5: 6e063980ef2a67b9fe08dd62c41ff158
  SHA1: c0aedbf70331e675dac2516d9a3d67be1ed3620e
  SHA256: 8145ddd0e6b6e0c579f7c7b2de986bbf9ed5c78e79a00485b153c359e5822337
  SHA512: 83a80f73f988b6305ae3fc9d0a25fa2383a8102e2ff9b8ce19cfbb6540135e875d2fb69f3ab31905afd8c396ac3daf563932b11bf871cb8f4100bf2d7726def9
- Filesize: 3.6MB
  MD5: f8f12175880677bd010def8ba14208da
  SHA1: 889e23b96d78135dc3294c84ab900b91fa9f7a0c
  SHA256: 08686f0e6e3c54d455d4a4801d5deccadedbafd1e010b3d18ade81180853db27
  SHA512: 7792f4a2005c2721b3fa848e2703bfb380670d6bd108599c5a98299f09197b44fb44adbb59da9c55bf064bb3c083a07fd82acdf29b7a09da07981c964eb11304