Analysis Overview
SHA256
b21ff1bac6c34d8f4d3fcbfe387a540f467b22b80b5e7cee4592db32ff3a8191
Threat Level: Shows suspicious behavior
The file 2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-07 00:46
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 00:45
Reported
2024-06-07 00:49
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2340 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe |
| PID 2340 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe |
| PID 2340 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI23402\python37.dll
| MD5 | f8f12175880677bd010def8ba14208da |
| SHA1 | 889e23b96d78135dc3294c84ab900b91fa9f7a0c |
| SHA256 | 08686f0e6e3c54d455d4a4801d5deccadedbafd1e010b3d18ade81180853db27 |
| SHA512 | 7792f4a2005c2721b3fa848e2703bfb380670d6bd108599c5a98299f09197b44fb44adbb59da9c55bf064bb3c083a07fd82acdf29b7a09da07981c964eb11304 |
C:\Users\Admin\AppData\Local\Temp\_MEI23402\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI23402\base_library.zip
| MD5 | 6e063980ef2a67b9fe08dd62c41ff158 |
| SHA1 | c0aedbf70331e675dac2516d9a3d67be1ed3620e |
| SHA256 | 8145ddd0e6b6e0c579f7c7b2de986bbf9ed5c78e79a00485b153c359e5822337 |
| SHA512 | 83a80f73f988b6305ae3fc9d0a25fa2383a8102e2ff9b8ce19cfbb6540135e875d2fb69f3ab31905afd8c396ac3daf563932b11bf871cb8f4100bf2d7726def9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 00:45
Reported
2024-06-07 00:49
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4556 wrote to memory of 4608 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe |
| PID 4556 wrote to memory of 4608 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI45562\python37.dll
| MD5 | f8f12175880677bd010def8ba14208da |
| SHA1 | 889e23b96d78135dc3294c84ab900b91fa9f7a0c |
| SHA256 | 08686f0e6e3c54d455d4a4801d5deccadedbafd1e010b3d18ade81180853db27 |
| SHA512 | 7792f4a2005c2721b3fa848e2703bfb380670d6bd108599c5a98299f09197b44fb44adbb59da9c55bf064bb3c083a07fd82acdf29b7a09da07981c964eb11304 |
C:\Users\Admin\AppData\Local\Temp\_MEI45562\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI45562\base_library.zip
| MD5 | 6e063980ef2a67b9fe08dd62c41ff158 |
| SHA1 | c0aedbf70331e675dac2516d9a3d67be1ed3620e |
| SHA256 | 8145ddd0e6b6e0c579f7c7b2de986bbf9ed5c78e79a00485b153c359e5822337 |
| SHA512 | 83a80f73f988b6305ae3fc9d0a25fa2383a8102e2ff9b8ce19cfbb6540135e875d2fb69f3ab31905afd8c396ac3daf563932b11bf871cb8f4100bf2d7726def9 |