Analysis
Max time kernel: 120s
Max time network: 120s
Platform: windows7_x64
Resource: win7-20240611-en
Resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
Submitted: 19-06-2024 12:57
Behavioral task: behavioral1
Sample: 2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe
Resource: win10v2004-20240508-en
General
Target: 2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe
Size: 9.5MB
MD5: 77d354c382291bef42ecde6a8facf6c8
SHA1: e32a01a2216274d9d200e8e3f50ce8bb22e60bbd
SHA256: 7ec7b9883f5c5b523c27f91237a3dccd7833fe7300872ff86130587f3a6fd2fe
SHA512: 0a2e23740e172961be15202978102fb63a85c70cf5bc9d7658c823d9e087b33f798b2503a3b406673739e0ab060d48983427683b9674bd14b1a7e0d214202f62
SSDEEP: 196608:0c6xe9onJ5hrZERMB2WZufOuD9LP48RmU/3ZlsPv1KyI5DTa8CSsnd6cgUi:0xe9c5hlERo2WmfDZPtN3ZWAfmDgU
Malware Config
Signatures

Loads dropped DLL (6 IoCs)
Processes (pid, process):
  1624  2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe  (6 identical entries)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (pid, process):
  680  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
  Token: SeDebugPrivilege  680  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process):
  PID 2940 wrote to memory of 1624  2940  2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe  2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe  (3 identical entries)
  PID 1624 wrote to memory of 600   1624  2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe  cmd.exe  (3 identical entries)
  PID 600 wrote to memory of 680    600   cmd.exe  powershell.exe  (3 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe"
   PID: 2940
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe"
      PID: 1624
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -ExclusionPath "C:\\""
         PID: 600
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell.exe Set-MpPreference -ExclusionPath "C:\\"
            PID: 680
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads