Malware Analysis Report

2024-11-13 15:24

Sample ID 240619-fnhrgavake
Target 2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk
SHA256 4da79a66bdded680330fe8825b13cee6c2dc84bcc8a1ee2bda13fc94c86f7f39
Tags
pyinstaller
score
7/10

Analysis Overview

score
7/10

SHA256

4da79a66bdded680330fe8825b13cee6c2dc84bcc8a1ee2bda13fc94c86f7f39

Threat Level: Shows suspicious behavior

The file 2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-19 05:01

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 05:01

Reported

2024-06-19 05:03

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
BE 88.221.83.217:443 www.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI27282\python37.dll

MD5 28f9065753cc9436305485567ce894b0
SHA1 36ebb3188a787b63fb17bd01a847511c7b15e88e
SHA256 6f2f87b74aea483a0636fc5c480b294a8103b427a3daf450c1e237c2a2271b1a
SHA512 c3bbc50afb4a0b625aff28650befd126481018bd0b1b9a56c107e3792641679c7d1bfc8be6c9d0760fff6853f8f114b62490cd3567b06abc76ab7db3f244ab54

C:\Users\Admin\AppData\Local\Temp\_MEI27282\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI27282\base_library.zip

MD5 15c792e983abc2853914bd3aec7c0bc2
SHA1 41b8fdd7097fb52fcaccb218cb0b4059bff1e843
SHA256 dbcf8891dab51428a07a2bb444616654e3f4d029effb39b3146792d3b2d5b68b
SHA512 22ee6630c8a394e068832fe48aec74d3afa159dc2ff6cdb9fbe9ee914e39ec834dce9ade21b6d82b6b91a59563b277b00c85c19f5fe0ee1412aa7e12bdd76705

C:\Users\Admin\AppData\Local\Temp\_MEI27282\_lzma.pyd

MD5 5e7a6b749a05dd934ee4471411420053
SHA1 fcd1e54011b98928edbb3820a5838568b9573453
SHA256 4dcd803319e24ba8c8e3d5ce2e02c209bd14a9ab07a540d6e3ae52f69d01e742
SHA512 ce4c5456308adbef0a9d44064aae67b2bb2a913881405ae2e69127eb7ab00a09882fa5304d80d5b3728942b0ab56d1c99132666b6c0ea8809a21396aeaadd8a2

C:\Users\Admin\AppData\Local\Temp\_MEI27282\_bz2.pyd

MD5 429ad9f0d7240a1eb9c108b2d7c1382f
SHA1 f54e1c1d31f5dd6698e47750daf48b9291b9ea69
SHA256 d2571d3a553ea586fb1e5695dd9745caef9f0e30ac5b876d1307678360674f38
SHA512 bae51da3560e0a720d45f0741f9992fe0729ead0112a614dba961c50cd6f82ddbdcf7b47aeda4f1093f6654f6db77d767ccddd59d34d2143df54121e9d486760

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 05:01

Reported

2024-06-19 05:03

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI21802\python37.dll

MD5 28f9065753cc9436305485567ce894b0
SHA1 36ebb3188a787b63fb17bd01a847511c7b15e88e
SHA256 6f2f87b74aea483a0636fc5c480b294a8103b427a3daf450c1e237c2a2271b1a
SHA512 c3bbc50afb4a0b625aff28650befd126481018bd0b1b9a56c107e3792641679c7d1bfc8be6c9d0760fff6853f8f114b62490cd3567b06abc76ab7db3f244ab54

C:\Users\Admin\AppData\Local\Temp\_MEI21802\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI21802\base_library.zip

MD5 15c792e983abc2853914bd3aec7c0bc2
SHA1 41b8fdd7097fb52fcaccb218cb0b4059bff1e843
SHA256 dbcf8891dab51428a07a2bb444616654e3f4d029effb39b3146792d3b2d5b68b
SHA512 22ee6630c8a394e068832fe48aec74d3afa159dc2ff6cdb9fbe9ee914e39ec834dce9ade21b6d82b6b91a59563b277b00c85c19f5fe0ee1412aa7e12bdd76705

C:\Users\Admin\AppData\Local\Temp\_MEI21802\_bz2.pyd

MD5 429ad9f0d7240a1eb9c108b2d7c1382f
SHA1 f54e1c1d31f5dd6698e47750daf48b9291b9ea69
SHA256 d2571d3a553ea586fb1e5695dd9745caef9f0e30ac5b876d1307678360674f38
SHA512 bae51da3560e0a720d45f0741f9992fe0729ead0112a614dba961c50cd6f82ddbdcf7b47aeda4f1093f6654f6db77d767ccddd59d34d2143df54121e9d486760

C:\Users\Admin\AppData\Local\Temp\_MEI21802\_lzma.pyd

MD5 5e7a6b749a05dd934ee4471411420053
SHA1 fcd1e54011b98928edbb3820a5838568b9573453
SHA256 4dcd803319e24ba8c8e3d5ce2e02c209bd14a9ab07a540d6e3ae52f69d01e742
SHA512 ce4c5456308adbef0a9d44064aae67b2bb2a913881405ae2e69127eb7ab00a09882fa5304d80d5b3728942b0ab56d1c99132666b6c0ea8809a21396aeaadd8a2