Analysis Overview
SHA256
7ec7b9883f5c5b523c27f91237a3dccd7833fe7300872ff86130587f3a6fd2fe
Threat Level: Shows suspicious behavior
The file 2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-19 12:57
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 12:57
Reported
2024-06-19 12:59
Platform
win7-20240611-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -ExclusionPath "C:\\""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -ExclusionPath "C:\\"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI29402\kdf.exe.manifest
| MD5 | 520598634105f49db54b540a1f2afc6e |
| SHA1 | 3294e643d38b53be53f18e4ebdf6779a9e9165b2 |
| SHA256 | 286992f82e20c3f6ac608f01c00543d4904665de796e119d222f61c9bef09c92 |
| SHA512 | b81077cb16b14a7c588a9ce2cca360d1f1e2a16bf8edb0c2b4c16bcdb3e22a479a28deabaa6042f7a832f259c4d67d4e1f1c5da85cb6da6f0dc6fcc47c595e4b |
C:\Users\Admin\AppData\Local\Temp\_MEI29402\python38.dll
| MD5 | 3cd1e87aeb3d0037d52c8e51030e1084 |
| SHA1 | 49ecd5f6a55f26b0fb3aeb4929868b93cc4ec8af |
| SHA256 | 13f7c38dc27777a507d4b7f0bd95d9b359925f6f5bf8d0465fe91e0976b610c8 |
| SHA512 | 497e48a379885fdd69a770012e31cd2a62536953e317bb28e3a50fdb177e202f8869ea58fc11802909cabb0552d8c8850537e9fb4ead7dd14a99f67283182340 |
C:\Users\Admin\AppData\Local\Temp\_MEI29402\VCRUNTIME140.dll
| MD5 | 8697c106593e93c11adc34faa483c4a0 |
| SHA1 | cd080c51a97aa288ce6394d6c029c06ccb783790 |
| SHA256 | ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833 |
| SHA512 | 724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987 |
C:\Users\Admin\AppData\Local\Temp\_MEI29402\base_library.zip
| MD5 | 26debd2733cfe6e1c61a1b6bf5993224 |
| SHA1 | 6e8598cc55ec9e5bdf5d349d8a9b36206f55625e |
| SHA256 | 8ae470f9667bf7d97ee2ccafe2e5b6db80178a983a3077a28665850286e22670 |
| SHA512 | a3dd7a80ccfee23c7801f37c50af2f05af1d45cf8bca9835d09bf569096ec0b37d7356773305bdb8d4e74e290f3076ae016de8569de96275d298ae72b389f05e |
C:\Users\Admin\AppData\Local\Temp\_MEI29402\_ctypes.pyd
| MD5 | 4d13a7b3ecc8c7dc96a0424c465d7251 |
| SHA1 | 0c72f7259ac9108d956aede40b6fcdf3a3943cb5 |
| SHA256 | 2995ef03e784c68649fa7898979cbb2c1737f691348fae15f325d9fc524df8ed |
| SHA512 | 68ff7c421007d63a970269089afb39c949d6cf9f4d56aff7e4e0b88d3c43cfaa352364c5326523386c00727cc36e64274a51b5dbb3a343b16201cf5fc264fec8 |
C:\Users\Admin\AppData\Local\Temp\_MEI29402\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI29402\_socket.pyd
| MD5 | eb974aeda30d7478bb800bb4c5fbc0a2 |
| SHA1 | c5b7bc326bd003d42bcf620d657cac3f46f9d566 |
| SHA256 | 1db7b4f6ae31c4d35ef874eb328f735c96a2457677a3119e9544ee2a79bc1016 |
| SHA512 | f9eea3636371ba508d563cf21541a21879ce50a5666e419ecfd74255c8decc3ae5e2ceb4a8f066ae519101dd71a116335a359e3343e8b2ff3884812099ae9b1b |
C:\Users\Admin\AppData\Local\Temp\_MEI29402\select.pyd
| MD5 | 08b499ae297c5579ba05ea87c31aff5b |
| SHA1 | 4a1a9f1bf41c284e9c5a822f7d018f8edc461422 |
| SHA256 | 940fb90fd78b5be4d72279dcf9c24a8b1fcf73999f39909980b12565a7921281 |
| SHA512 | ab26f4f80449aa9cc24e68344fc89aeb25d5ba5aae15aeed59a804216825818edfe31c7fda837a93a6db4068ccfb1cc7e99173a80bd9dda33bfb2d3b5937d7e9 |
memory/680-963-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp
memory/680-964-0x000000001B5F0000-0x000000001B8D2000-memory.dmp
memory/680-965-0x0000000002810000-0x0000000002818000-memory.dmp
memory/680-966-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
memory/680-967-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
memory/680-968-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
memory/680-969-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
memory/680-970-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 12:57
Reported
2024-06-19 12:59
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-19_77d354c382291bef42ecde6a8facf6c8_ryuk.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -ExclusionPath "C:\\""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -ExclusionPath "C:\\"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI11042\kdf.exe.manifest
| MD5 | 520598634105f49db54b540a1f2afc6e |
| SHA1 | 3294e643d38b53be53f18e4ebdf6779a9e9165b2 |
| SHA256 | 286992f82e20c3f6ac608f01c00543d4904665de796e119d222f61c9bef09c92 |
| SHA512 | b81077cb16b14a7c588a9ce2cca360d1f1e2a16bf8edb0c2b4c16bcdb3e22a479a28deabaa6042f7a832f259c4d67d4e1f1c5da85cb6da6f0dc6fcc47c595e4b |
C:\Users\Admin\AppData\Local\Temp\_MEI11042\python38.dll
| MD5 | 3cd1e87aeb3d0037d52c8e51030e1084 |
| SHA1 | 49ecd5f6a55f26b0fb3aeb4929868b93cc4ec8af |
| SHA256 | 13f7c38dc27777a507d4b7f0bd95d9b359925f6f5bf8d0465fe91e0976b610c8 |
| SHA512 | 497e48a379885fdd69a770012e31cd2a62536953e317bb28e3a50fdb177e202f8869ea58fc11802909cabb0552d8c8850537e9fb4ead7dd14a99f67283182340 |
C:\Users\Admin\AppData\Local\Temp\_MEI11042\VCRUNTIME140.dll
| MD5 | 8697c106593e93c11adc34faa483c4a0 |
| SHA1 | cd080c51a97aa288ce6394d6c029c06ccb783790 |
| SHA256 | ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833 |
| SHA512 | 724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987 |
C:\Users\Admin\AppData\Local\Temp\_MEI11042\base_library.zip
| MD5 | 26debd2733cfe6e1c61a1b6bf5993224 |
| SHA1 | 6e8598cc55ec9e5bdf5d349d8a9b36206f55625e |
| SHA256 | 8ae470f9667bf7d97ee2ccafe2e5b6db80178a983a3077a28665850286e22670 |
| SHA512 | a3dd7a80ccfee23c7801f37c50af2f05af1d45cf8bca9835d09bf569096ec0b37d7356773305bdb8d4e74e290f3076ae016de8569de96275d298ae72b389f05e |
C:\Users\Admin\AppData\Local\Temp\_MEI11042\_ctypes.pyd
| MD5 | 4d13a7b3ecc8c7dc96a0424c465d7251 |
| SHA1 | 0c72f7259ac9108d956aede40b6fcdf3a3943cb5 |
| SHA256 | 2995ef03e784c68649fa7898979cbb2c1737f691348fae15f325d9fc524df8ed |
| SHA512 | 68ff7c421007d63a970269089afb39c949d6cf9f4d56aff7e4e0b88d3c43cfaa352364c5326523386c00727cc36e64274a51b5dbb3a343b16201cf5fc264fec8 |
C:\Users\Admin\AppData\Local\Temp\_MEI11042\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI11042\_socket.pyd
| MD5 | eb974aeda30d7478bb800bb4c5fbc0a2 |
| SHA1 | c5b7bc326bd003d42bcf620d657cac3f46f9d566 |
| SHA256 | 1db7b4f6ae31c4d35ef874eb328f735c96a2457677a3119e9544ee2a79bc1016 |
| SHA512 | f9eea3636371ba508d563cf21541a21879ce50a5666e419ecfd74255c8decc3ae5e2ceb4a8f066ae519101dd71a116335a359e3343e8b2ff3884812099ae9b1b |
C:\Users\Admin\AppData\Local\Temp\_MEI11042\select.pyd
| MD5 | 08b499ae297c5579ba05ea87c31aff5b |
| SHA1 | 4a1a9f1bf41c284e9c5a822f7d018f8edc461422 |
| SHA256 | 940fb90fd78b5be4d72279dcf9c24a8b1fcf73999f39909980b12565a7921281 |
| SHA512 | ab26f4f80449aa9cc24e68344fc89aeb25d5ba5aae15aeed59a804216825818edfe31c7fda837a93a6db4068ccfb1cc7e99173a80bd9dda33bfb2d3b5937d7e9 |
memory/3656-959-0x00007FFE96D83000-0x00007FFE96D85000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4r14rbf.mhn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3656-965-0x000001F4E2A00000-0x000001F4E2A22000-memory.dmp
memory/3656-970-0x00007FFE96D80000-0x00007FFE97841000-memory.dmp
memory/3656-971-0x00007FFE96D80000-0x00007FFE97841000-memory.dmp
memory/3656-974-0x00007FFE96D80000-0x00007FFE97841000-memory.dmp