Analysis Overview
SHA256
4da79a66bdded680330fe8825b13cee6c2dc84bcc8a1ee2bda13fc94c86f7f39
Threat Level: Shows suspicious behavior
The file 2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-19 05:01
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 05:01
Reported
2024-06-19 05:03
Platform
win10v2004-20240611-en
Max time kernel
138s
Max time network
124s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2728 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe |
| PID 2728 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| BE | 88.221.83.217:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI27282\python37.dll
| MD5 | 28f9065753cc9436305485567ce894b0 |
| SHA1 | 36ebb3188a787b63fb17bd01a847511c7b15e88e |
| SHA256 | 6f2f87b74aea483a0636fc5c480b294a8103b427a3daf450c1e237c2a2271b1a |
| SHA512 | c3bbc50afb4a0b625aff28650befd126481018bd0b1b9a56c107e3792641679c7d1bfc8be6c9d0760fff6853f8f114b62490cd3567b06abc76ab7db3f244ab54 |
C:\Users\Admin\AppData\Local\Temp\_MEI27282\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI27282\base_library.zip
| MD5 | 15c792e983abc2853914bd3aec7c0bc2 |
| SHA1 | 41b8fdd7097fb52fcaccb218cb0b4059bff1e843 |
| SHA256 | dbcf8891dab51428a07a2bb444616654e3f4d029effb39b3146792d3b2d5b68b |
| SHA512 | 22ee6630c8a394e068832fe48aec74d3afa159dc2ff6cdb9fbe9ee914e39ec834dce9ade21b6d82b6b91a59563b277b00c85c19f5fe0ee1412aa7e12bdd76705 |
C:\Users\Admin\AppData\Local\Temp\_MEI27282\_lzma.pyd
| MD5 | 5e7a6b749a05dd934ee4471411420053 |
| SHA1 | fcd1e54011b98928edbb3820a5838568b9573453 |
| SHA256 | 4dcd803319e24ba8c8e3d5ce2e02c209bd14a9ab07a540d6e3ae52f69d01e742 |
| SHA512 | ce4c5456308adbef0a9d44064aae67b2bb2a913881405ae2e69127eb7ab00a09882fa5304d80d5b3728942b0ab56d1c99132666b6c0ea8809a21396aeaadd8a2 |
C:\Users\Admin\AppData\Local\Temp\_MEI27282\_bz2.pyd
| MD5 | 429ad9f0d7240a1eb9c108b2d7c1382f |
| SHA1 | f54e1c1d31f5dd6698e47750daf48b9291b9ea69 |
| SHA256 | d2571d3a553ea586fb1e5695dd9745caef9f0e30ac5b876d1307678360674f38 |
| SHA512 | bae51da3560e0a720d45f0741f9992fe0729ead0112a614dba961c50cd6f82ddbdcf7b47aeda4f1093f6654f6db77d767ccddd59d34d2143df54121e9d486760 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 05:01
Reported
2024-06-19 05:03
Platform
win7-20240419-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2180 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe |
| PID 2180 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe |
| PID 2180 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-19_e4f19f1cce51caaba54e80a747ef7e16_ryuk.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI21802\python37.dll
| MD5 | 28f9065753cc9436305485567ce894b0 |
| SHA1 | 36ebb3188a787b63fb17bd01a847511c7b15e88e |
| SHA256 | 6f2f87b74aea483a0636fc5c480b294a8103b427a3daf450c1e237c2a2271b1a |
| SHA512 | c3bbc50afb4a0b625aff28650befd126481018bd0b1b9a56c107e3792641679c7d1bfc8be6c9d0760fff6853f8f114b62490cd3567b06abc76ab7db3f244ab54 |
C:\Users\Admin\AppData\Local\Temp\_MEI21802\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI21802\base_library.zip
| MD5 | 15c792e983abc2853914bd3aec7c0bc2 |
| SHA1 | 41b8fdd7097fb52fcaccb218cb0b4059bff1e843 |
| SHA256 | dbcf8891dab51428a07a2bb444616654e3f4d029effb39b3146792d3b2d5b68b |
| SHA512 | 22ee6630c8a394e068832fe48aec74d3afa159dc2ff6cdb9fbe9ee914e39ec834dce9ade21b6d82b6b91a59563b277b00c85c19f5fe0ee1412aa7e12bdd76705 |
C:\Users\Admin\AppData\Local\Temp\_MEI21802\_bz2.pyd
| MD5 | 429ad9f0d7240a1eb9c108b2d7c1382f |
| SHA1 | f54e1c1d31f5dd6698e47750daf48b9291b9ea69 |
| SHA256 | d2571d3a553ea586fb1e5695dd9745caef9f0e30ac5b876d1307678360674f38 |
| SHA512 | bae51da3560e0a720d45f0741f9992fe0729ead0112a614dba961c50cd6f82ddbdcf7b47aeda4f1093f6654f6db77d767ccddd59d34d2143df54121e9d486760 |
C:\Users\Admin\AppData\Local\Temp\_MEI21802\_lzma.pyd
| MD5 | 5e7a6b749a05dd934ee4471411420053 |
| SHA1 | fcd1e54011b98928edbb3820a5838568b9573453 |
| SHA256 | 4dcd803319e24ba8c8e3d5ce2e02c209bd14a9ab07a540d6e3ae52f69d01e742 |
| SHA512 | ce4c5456308adbef0a9d44064aae67b2bb2a913881405ae2e69127eb7ab00a09882fa5304d80d5b3728942b0ab56d1c99132666b6c0ea8809a21396aeaadd8a2 |