Malware Analysis Report

2024-11-13 15:29

Sample ID 240607-a38csaef3y
Target 2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk
SHA256 b21ff1bac6c34d8f4d3fcbfe387a540f467b22b80b5e7cee4592db32ff3a8191
Tags
pyinstaller
score
7/10

Analysis Overview

score
7/10

SHA256

b21ff1bac6c34d8f4d3fcbfe387a540f467b22b80b5e7cee4592db32ff3a8191

Threat Level: Shows suspicious behavior

The file 2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 00:46

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 00:45

Reported

2024-06-07 00:49

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI23402\python37.dll

MD5 f8f12175880677bd010def8ba14208da
SHA1 889e23b96d78135dc3294c84ab900b91fa9f7a0c
SHA256 08686f0e6e3c54d455d4a4801d5deccadedbafd1e010b3d18ade81180853db27
SHA512 7792f4a2005c2721b3fa848e2703bfb380670d6bd108599c5a98299f09197b44fb44adbb59da9c55bf064bb3c083a07fd82acdf29b7a09da07981c964eb11304

C:\Users\Admin\AppData\Local\Temp\_MEI23402\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI23402\base_library.zip

MD5 6e063980ef2a67b9fe08dd62c41ff158
SHA1 c0aedbf70331e675dac2516d9a3d67be1ed3620e
SHA256 8145ddd0e6b6e0c579f7c7b2de986bbf9ed5c78e79a00485b153c359e5822337
SHA512 83a80f73f988b6305ae3fc9d0a25fa2383a8102e2ff9b8ce19cfbb6540135e875d2fb69f3ab31905afd8c396ac3daf563932b11bf871cb8f4100bf2d7726def9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 00:45

Reported

2024-06-07 00:49

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-07_0358956d89b008681fc0140ced5ef5c7_ryuk.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI45562\python37.dll

MD5 f8f12175880677bd010def8ba14208da
SHA1 889e23b96d78135dc3294c84ab900b91fa9f7a0c
SHA256 08686f0e6e3c54d455d4a4801d5deccadedbafd1e010b3d18ade81180853db27
SHA512 7792f4a2005c2721b3fa848e2703bfb380670d6bd108599c5a98299f09197b44fb44adbb59da9c55bf064bb3c083a07fd82acdf29b7a09da07981c964eb11304

C:\Users\Admin\AppData\Local\Temp\_MEI45562\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI45562\base_library.zip

MD5 6e063980ef2a67b9fe08dd62c41ff158
SHA1 c0aedbf70331e675dac2516d9a3d67be1ed3620e
SHA256 8145ddd0e6b6e0c579f7c7b2de986bbf9ed5c78e79a00485b153c359e5822337
SHA512 83a80f73f988b6305ae3fc9d0a25fa2383a8102e2ff9b8ce19cfbb6540135e875d2fb69f3ab31905afd8c396ac3daf563932b11bf871cb8f4100bf2d7726def9