Malware Analysis Report

2024-11-30 13:04

Sample ID: 240620-fmkvfazeqg
Target: 2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk
SHA256: 2bef00141975c7393949c72683d41f1a3e1e13681628ee50d18ed9afa3964968
Tags: pyinstaller
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 2bef00141975c7393949c72683d41f1a3e1e13681628ee50d18ed9afa3964968

Threat Level: Shows suspicious behavior

Verdict: the file 2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk shows suspicious behavior. Despite the "_ryuk" suffix in the submitted filename, nothing in the analyses below attributes the sample to the Ryuk ransomware family: no family-specific signature fired, the MITRE ATT&CK mapping is empty, and no file encryption or ransom-note activity was recorded in either detonation.

Malicious Activity Summary

pyinstaller
Loads dropped DLL
Unsigned PE
Detects Pyinstaller
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

The summary aggregates all three analyses. Note that "Suspicious use of WriteProcessMemory" has no matching entry in either behavioral signature table below, and "Loads dropped DLL" was recorded only in the Windows 7 run (behavioral1).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-20 04:59

Signatures

Detects Pyinstaller (tag: pyinstaller)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Both static hits describe packaging rather than behaviour: PyInstaller bundles a CPython interpreter and the script's dependencies into a single executable, and the absence of an Authenticode signature is common to most PyInstaller output, benign or not. The score therefore rests on the behavioral runs, not on these two signatures.
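The "Detects Pyinstaller" signature keys on the CArchive trailer that PyInstaller appends to the executable, and the next thing an analyst wants from such a sample is the table of contents: which entry-point script and which Python runtime are inside. The following is an added example, not code from this report, from the sandbox vendor or from the PyInstaller project. It parses the 88-byte cookie ('!8siiii64s': magic, archive length, TOC offset, TOC length, Python version, pylib name) and the '!iIIIBc' TOC entry layout that PyInstaller has used since 2.1, and runs against a constructed in-memory fixture (the "main" script, fake python35.dll bytes and the MZ prefix are all made up for the example; build_archive exists only to produce that fixture).

```python
"""Detect a PyInstaller onefile bundle and list what it carries (added example)."""
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"          # CArchive cookie magic (8 bytes)
COOKIE = struct.Struct("!8siiii64s")        # magic, archive len, TOC offset, TOC len, pyvers, pylib name
TOC_ENTRY = struct.Struct("!iIIIBc")        # entry len, data offset, compressed len, uncompressed len, zlib flag, type

# TOC type codes as written by PyInstaller's CArchive writer
TYPES = {"s": "script", "m": "module", "M": "package", "z": "PYZ archive", "Z": "zipfile",
         "b": "binary", "x": "data", "o": "runtime option", "d": "dependency"}


def detect_pyinstaller(blob: bytes) -> int:
    """Return the offset of the trailing CArchive cookie, or -1 if this is not a PyInstaller bundle."""
    idx = blob.rfind(MAGIC)
    if idx < 0 or len(blob) - idx < COOKIE.size:
        return -1
    return idx


def parse_archive(blob: bytes) -> dict:
    """Parse cookie and TOC; return Python version, bundled pylib name and the decoded entries."""
    cookie_off = detect_pyinstaller(blob)
    if cookie_off < 0:
        raise ValueError("no PyInstaller CArchive cookie found")
    _, arc_len, toc_off, toc_len, pyvers, pylib = COOKIE.unpack_from(blob, cookie_off)
    # The archive (data + TOC + cookie) ends with the cookie; TOC offsets are relative to its start.
    arc_start = cookie_off + COOKIE.size - arc_len
    if arc_start < 0 or toc_off + toc_len > arc_len:
        raise ValueError("cookie lengths do not fit the blob")
    toc = blob[arc_start + toc_off : arc_start + toc_off + toc_len]
    entries, pos = [], 0
    while pos + TOC_ENTRY.size <= len(toc):
        elen, doff, clen, ulen, zflag, typ = TOC_ENTRY.unpack_from(toc, pos)
        if elen < TOC_ENTRY.size:
            raise ValueError("corrupt TOC entry length")
        name = toc[pos + TOC_ENTRY.size : pos + elen].rstrip(b"\0").decode("utf-8", "replace")
        data = blob[arc_start + doff : arc_start + doff + clen]
        if zflag:
            data = zlib.decompress(data)
        code = typ.decode()
        entries.append({"name": name, "code": code, "type": TYPES.get(code, code), "data": data})
        pos += elen
    # pyvers is 35 for 3.5 but 310 for 3.10, so split on magnitude
    major, minor = (pyvers // 100, pyvers % 100) if pyvers >= 100 else (pyvers // 10, pyvers % 10)
    return {"python": f"{major}.{minor}", "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


def entry_scripts(blob: bytes) -> list:
    """Names of the bundle's own entry-point scripts, skipping PyInstaller's pyi* bootstrap scripts."""
    return [e["name"] for e in parse_archive(blob)["entries"]
            if e["code"] == "s" and not e["name"].startswith("pyi")]


def build_archive(items, pyvers=35, pylib=b"python35.dll") -> bytes:
    """Constructed fixture only: write a minimal CArchive in the same layout parse_archive reads."""
    body, toc = bytearray(), bytearray()
    for name, code, data, compress in items:
        payload = zlib.compress(data) if compress else data
        doff = len(body)
        body += payload
        nm = name.encode() + b"\0"
        elen = TOC_ENTRY.size + len(nm)
        pad = (16 - elen % 16) % 16               # PyInstaller pads each entry to a 16-byte boundary
        toc += TOC_ENTRY.pack(elen + pad, doff, len(payload), len(data), int(compress), code.encode())
        toc += nm + b"\0" * pad
    toc_off = len(body)
    arc_len = len(body) + len(toc) + COOKIE.size
    cookie = COOKIE.pack(MAGIC, arc_len, toc_off, len(toc), pyvers, pylib.ljust(64, b"\0"))
    return bytes(body + toc + cookie)


# Constructed sample: a fake 128-byte "PE" prefix followed by a tiny onefile archive (names are illustrative).
SAMPLE = b"MZ" + b"\0" * 126 + build_archive([
    ("pyiboot01_bootstrap", "s", b"# PyInstaller bootstrap\n", True),
    ("main", "s", b"import os, socket\nprint('payload')\n", True),
    ("base_library.zip", "Z", b"PK\x05\x06" + b"\0" * 18, False),
    ("python35.dll", "b", b"MZ" + b"\0" * 30, True),
    ("PYZ-00.pyz", "z", b"PYZ\0" + b"\0" * 12, False),
])

if __name__ == "__main__":
    info = parse_archive(SAMPLE)
    print(f"PyInstaller bundle: Python {info['python']}, pylib {info['pylib']}")
    for e in info["entries"]:
        print(f"  {e['type']:15} {e['name']:24} {len(e['data'])} bytes")
    print("entry scripts:", entry_scripts(SAMPLE))
```

On a real sample, read the whole executable and pass it to parse_archive; the "s" entries that are not pyi* bootstrap scripts are the author's code (compiled to marshalled bytecode for the Python version named in the cookie, here 3.5), and the "z" entry is the PYZ holding the imported modules. Compare the pylib name and version against the python35.dll dropped to _MEI15402 in the Files section below as a consistency check.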

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 04:59

Reported

2024-06-20 05:01

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
30 events, all with Process = C:\Users\Admin\AppData\Local\Temp\2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk.exe; Description, Indicator and Target were not captured (N/A) for any of them. The count matches the 30 DLL and PYD files written to _MEI15402 (every entry in the Files section except base_library.zip), i.e. the bundled runtime being loaded by the child process.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk.exe N/A

LUID 35 is SeCreateSymbolicLinkPrivilege. CPython 3.x interpreters of this era (3.5 included) call AdjustTokenPrivileges to enable exactly this privilege when the os module initialises on Windows (enable_symlink in Modules/posixmodule.c), so with python35.dll bundled this hit is explained by the interpreter start-up and is not, on its own, evidence of privilege manipulation by the payload. A SeDebugPrivilege (LUID 20) request would be the one worth chasing.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk.exe"

Two instances of the same image with identical command lines is the normal PyInstaller onefile pattern: the first (bootloader) process extracts the bundled runtime to %TEMP%\_MEI<pid>, spawns itself as a child that runs the embedded Python code, waits for it to exit, then removes the directory.
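The process pair above, together with the _MEI15402 directory in the Files section, is the sequence a detection engineer would hunt for. The following is an added example and not part of this report or of any vendor's tooling: it runs over constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records and flags a child that re-executes its parent's image and then loads DLLs from %TEMP%\_MEI<digits>\. The event dictionaries, the PIDs (the _MEI suffix is the bootloader's PID, so 15402 is used as the parent) and the sample.exe path are all constructed for the example.

```python
"""Hunt for the PyInstaller onefile parent/child + _MEI DLL-load pattern (added example)."""
import re
from collections import defaultdict

# Matches the per-run extraction directory PyInstaller creates under the user's Temp.
MEI_DIR = re.compile(r"\\AppData\\Local\\Temp\\_MEI\d+\\", re.IGNORECASE)


def find_pyinstaller_onefile(events):
    """Return one finding per (parent, child) pair where the child re-runs the parent's
    image and then loads at least one DLL from a _MEI<digits> directory."""
    procs = {}                     # pid -> (image path, parent pid)   from Event ID 1
    loads = defaultdict(set)       # pid -> set of loaded image paths  from Event ID 7
    for ev in events:
        if ev["eid"] == 1:
            procs[ev["pid"]] = (ev["image"], ev["ppid"])
        elif ev["eid"] == 7:
            loads[ev["pid"]].add(ev["image_loaded"])

    findings = []
    for pid, (image, ppid) in procs.items():
        parent = procs.get(ppid)
        if not parent or parent[0].lower() != image.lower():
            continue                                   # child must be a re-execution of the parent binary
        mei_loads = sorted(p for p in loads[pid] if MEI_DIR.search(p))
        if not mei_loads:
            continue                                   # same-image child alone is too noisy to alert on
        mei_dirs = sorted({MEI_DIR.search(p).group(0) for p in mei_loads})
        findings.append({"parent_pid": ppid, "child_pid": pid, "image": image,
                         "mei_dirs": mei_dirs, "dropped_dlls": mei_loads})
    return findings


# Constructed telemetry (not from the report): a bootloader (15402) spawning its child (15440),
# plus unrelated explorer/notepad activity as benign background.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
EVENTS = [
    {"eid": 1, "pid": 900,   "ppid": 4,     "image": r"C:\Windows\explorer.exe"},
    {"eid": 1, "pid": 15402, "ppid": 900,   "image": SAMPLE_EXE},
    {"eid": 1, "pid": 15440, "ppid": 15402, "image": SAMPLE_EXE},
    {"eid": 7, "pid": 15440, "image_loaded": r"C:\Users\Admin\AppData\Local\Temp\_MEI15402\python35.dll"},
    {"eid": 7, "pid": 15440, "image_loaded": r"C:\Users\Admin\AppData\Local\Temp\_MEI15402\VCRUNTIME140.dll"},
    {"eid": 7, "pid": 15440, "image_loaded": r"C:\Windows\System32\kernel32.dll"},
    {"eid": 1, "pid": 2000,  "ppid": 900,   "image": r"C:\Windows\System32\notepad.exe"},
    {"eid": 7, "pid": 2000,  "image_loaded": r"C:\Windows\System32\user32.dll"},
]

if __name__ == "__main__":
    for f in find_pyinstaller_onefile(EVENTS):
        print(f"{f['image']}: bootloader {f['parent_pid']} -> child {f['child_pid']}, "
              f"{len(f['dropped_dlls'])} DLLs from {', '.join(f['mei_dirs'])}")
```

Legitimate PyInstaller applications produce the same sequence, so treat a hit as a pivot rather than an alert on its own: check the image's signature status (this sample is unsigned), where it was written (here the user's Temp directory) and what the child process does after the runtime is loaded.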

Network

N/A

Files

Everything below was written by the bootloader to _MEI15402 (the suffix is the bootloader's PID). The set is the bundled CPython 3.5 runtime (python35.dll, python3.dll, base_library.zip), the Universal CRT forwarder DLLs and ucrtbase.dll, VCRUNTIME140.dll, pywin32's pywintypes35.dll and standard-library extension modules (.pyd). PyInstaller does not write the Python bytecode to disk; scripts and the PYZ archive are read from the executable in memory, so the payload logic has to be recovered from the sample itself, not from this directory. The same hashes reappear in the Windows 10 run (_MEI44762), which is expected for a deterministic extraction of the same bundle.

C:\Users\Admin\AppData\Local\Temp\_MEI15402\ucrtbase.dll

MD5 2c8fe06966d5085a595ffa3c98fe3098
SHA1 e82945e3e63ffef0974d6dd74f2aef2bf6d0a908
SHA256 de8d08d01291df93821314176381f3d1ae863e6c5584a7f8ea42f0b94b15ef65
SHA512 fb08838983c16082a362b3fc89d5b82e61ae629207c13c3cb76b8a0af557ad95c842ce5197ae458b5af61e5449cbab579f509fa72866308aa6fbd3d751522d0f

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-localization-l1-2-0.dll

MD5 b402ed77d6f31d825bda175dbc0c4f92
SHA1 1f2a4b8753b3aae225feac5487cc0011b73c0eb7
SHA256 6ed17fb3ca5156b39fbc1ef7d1eefa95e739857607de4cd8d41cecfcd1350705
SHA512 ec04013139f3fd9dbf22b92121d82b2eb97e136f8619790cde2d0b660280e838962f9006d3e4c3a359627b017f2b6ade7edff3bbc26e559c3de37540585602d9

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-processthreads-l1-1-1.dll

MD5 3d872be898581f00d0310d7ab9abaf2b
SHA1 420e0ab98bb748723130de414f0ffed117ef3f7e
SHA256 4de821884cbef4182b29d8c33cfe13e43e130ad58ee1281679e8d40a2edcb8ea
SHA512 35cfb9888a5f4299403a0d9c57f0ba79e3625431a9acc5e04ae2ae101b3dc521a0dcff5d4a1bf508b25dbf05dd432f6987d860ff494d15538ed95673a8b7376b

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-file-l1-2-0.dll

MD5 9d8413744097196f92327f632a85acee
SHA1 dfc07f5e5a0634dd1f15fdc9ff9731748fbff919
SHA256 6878d8168d5cc159efe58f14e5ba10310d99b53ab8495521e54c966994dac50b
SHA512 a8f6e9ee1c5d65f68b8b20d406d3e666c186e15cb3b92575257b5637fe7dd5ac7d75e9ad51c839ba4490512f68f6b48822fc9edd316dd7625d3627d3b975fb2a

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-timezone-l1-1-0.dll

MD5 6c180c8de3ecf27de7a5812ff055737e
SHA1 3aad20b71bb374bb2c5f7431a1b75b60956a01fd
SHA256 630466fd77ac7009c947a8370a0d0c20652169824c54ddcb8c05e8df45e23197
SHA512 e4aa79eb2b6b3be9b545e8cb8b43cd6052036dc5cce7077be40441b9942931b30d76c475d550a178d4e94c9c366cabc852f500e482b7fdcd361fc2a08e41c00e

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-file-l2-1-0.dll

MD5 361c6bcfcea263749419b0fbed7a0ce8
SHA1 03db13108ce9d5fc01cecf3199619ffbccbd855a
SHA256 b74aefd6fa638be3f415165c8109121a2093597421101abc312ee7ffa1130278
SHA512 aa8b585000cc65f9841b938e4523d91d8f6db650e0b4bb11efd740c27309bf81cdb77f05d0beda2489bf26f4fbc6d02c93ce3b64946502e2c044eea89696cc76

C:\Users\Admin\AppData\Local\Temp\_MEI15402\python35.dll

MD5 c2520f68864fcbcf98c584b2f197f1d9
SHA1 88d565f3f765fac790d824b44202db01b46dcaed
SHA256 025d2a0ea6ec700f87b6fd22d5f9246a039117c28ebcc78f7590f7da3b76927e
SHA512 7f0cff733335417be5e6a3765c87c4baabe4c768f44099d6da023fc462d2d0f6ceec037ea59a7176eb5f8ad34b28651332e15318cabd1dbde639243972d10c34

C:\Users\Admin\AppData\Local\Temp\_MEI15402\VCRUNTIME140.dll

MD5 6c2c88ff1b3da84b44d23a253a06c01b
SHA1 488c95acda13dce2f099774ee506e47869e9284e
SHA256 acf65e565021f2017815fc5ec8a3145cf6c15e75c132cf23a378cc943e68327c
SHA512 e104d5d69327abc510e0ef38aae2427a87ed0f76dd5bacb20080f40dd98c9048504ec20baabc5ecf69759e3ff485d4f2bb591b6c9e391271dd11e2dcc05933f2

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-runtime-l1-1-0.dll

MD5 55b80c522731ecb92914bf9cded028c2
SHA1 424c61bc659caf04281959ede1b1f03b703934ed
SHA256 4c787ff8d40bb803e75fe6218fec36a672cfa6cfc7f6e80e68a7eb0b77a10e5a
SHA512 3779b530c7dba624369cb0f5d15154d89547adc3c4c7cc0571f1e8326588165098b9b5768d0052ecf1ea4f2dc84ae7dcf4712e3bc9ebdadb5fca4b0f4de43812

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-string-l1-1-0.dll

MD5 7a2799f4bc45505e7104e06dc8e254f8
SHA1 323bc35e0101b351a4abde1fce698520832518a8
SHA256 92f72f495a6897f7d7cf2c2064b2b65f6b4fbd4f30911a534a5cd0de73395ebe
SHA512 2627da183779f17fcc9709a6da2e2916a296f61124adb9bf563c80d723ada9b769806cab8fbc4ed916f54fd4cde18f25e7ad53ed6c75e7e61fdef37c2f1ec9b2

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-heap-l1-1-0.dll

MD5 01370c79ebabd534e7b58d35072d2866
SHA1 8cd0cd21ff838a2a314246def4bd858bab184a5d
SHA256 742bb9bf4c232f84ad8008af4af8eda7a1ec3eb76f05d9d7ebb95f6a5cabd2d8
SHA512 b07d9634ac804b476d61b6a0fc87894947e88744cc3eecf7d68ede3714acd938fae14452e43f9110919b8f8f9f5d4222e9de2ca97a915dd07b3231d674729761

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-stdio-l1-1-0.dll

MD5 4614d03a94d46c0e9d1c5d96a3fe1d78
SHA1 cacb73ca3c7e31a4b8f749854060b7a422497050
SHA256 c7919be431ce2fa1906ff9eeb19e4cb19a30a4680107ef8737ce894654b21a5a
SHA512 4f30e8c5893662d7889a049c206b08559ad1a34eb7927be313086d6dae40dca3571de3852dba2ad9324e028fa86e8a391a58ec48ba5dbd5c4a88660ffe8b30df

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-convert-l1-1-0.dll

MD5 d749afffa2b3be4b2a9edac50c20b28b
SHA1 972253ed12c344b85290f7b3d5f9608a7f7b0670
SHA256 e64fbac3491b4693e79a3f7b0db1d788f93608d3fc82133edf25a868c80d2153
SHA512 4447b6960a6c178f7c37dbd38e9aec24ba5a0c58e19afcfaa2b70dca7d7bbe87ad7aa1ac9d48ab9b56b1f375768d4c4cb28d5afcf714102f9757faa2b3e728d9

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-math-l1-1-0.dll

MD5 85893a96a568ba9781f50f876ed303cd
SHA1 fb7473bc5b1e88e978b7e5664b45d69770c8f4fa
SHA256 08e34f12de24e89379a0533f21a23ce6fecbea05d4062796d4ffd4adc3012316
SHA512 864fa39423b8ca9c43fa177aca1484ec2ffae4868a434e7a8016efe88f396b67fb8ca3766f611de7218e9983653a8b7b88b07c2591b252dd93a0d9638980e7ff

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-locale-l1-1-0.dll

MD5 bacb72fa56de18d5ac63e4a0a3fe768f
SHA1 7db19efe649d30337781afd62616c0549255046e
SHA256 25905676b543c4f05e9dae135f929c03a57686a6941ce59be2b3450521feb943
SHA512 78d82962c11e5928e77c5bd0377ecb6b00c2eca242d637f76e68fbf907bce7381f3a5294100d055c30f6e2aee164db0b95dcf0c0c77e39edcec4a046cfc63ed4

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-time-l1-1-0.dll

MD5 38b633f132f8e2b3abc268537fa415ec
SHA1 ccccb8c3e31dce7b6b952022d245c11ff3ae8122
SHA256 46cb7b3a9f8aac5adcdbe23494e458f3195adf4b8ed1c71f2d934ddde651e57e
SHA512 23bd77d61c20b1af7f13b5bcbeb9fa74ee807f809bb3d4dd40c7709ca4870078fa6e8e94eefc83a725c0245c0ce02e3adbd4f370d6b986f0c9442ccbc2c2ab96

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-environment-l1-1-0.dll

MD5 7a2874fe036f7dc86ed5f712adaa38e6
SHA1 440f2dc5379ceee35d29571c195dc7a76e8b70e7
SHA256 dd054e4de84144c2130fa8d28d563252a7c4089a58872e49d63bc43c9a1a3cb8
SHA512 d20811025f714b5fd3754d607422f4fb5cd6c456ffceef139edcb0cfaacd9b63a694ce2ea737db78385f0b23ddcfc283282a319b79e7a0e4bd50034e87aacb9a

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-process-l1-1-0.dll

MD5 9ee275466394a2088d7dfbbc0c716671
SHA1 4d2f94674587251c60805889395ab7377e8c5e17
SHA256 c68a61c260454c0aeb051ddb2bed52cbca44b96d50046017cbc351b41f225dc0
SHA512 996212d07b0b6e55f54e17d6a053f017b1fd00f50906db9de25b8ae5632eeac9c197e91db1c293e7abf0e8b823937cb18e26f43e166f76c02a6914c9776a72b3

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-conio-l1-1-0.dll

MD5 84a950e3c162d67f98516bb1744139e0
SHA1 05ff2fe60c5748c33ba8605aaf609b3bdfe2772f
SHA256 91f4db05c69c58ecb2493e30acc5297043c41b1ce6db50cee4e2922cd4bcd7f2
SHA512 7328c6a512d450f2538efeabf3f467489a898ed7c1d45c1952b98d118d898083510c9849182bc425411a408c113a351a28b41bedeb5b8de61427144b3fa87c80

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 73e14d927d075ca273b3237116351e8f
SHA1 0c15cea3c83c7f7e692dc6f8bd856b615c727d49
SHA256 966a7f15bfb2e0ff7888d583638ebd675d8f46b264194cf332f78140b7c129e1
SHA512 664f72d7adf48f8499321f8a5df952c6043532aae09bae9ffbd59da77b161cd43211a3aaef1ba85529dfe00498d1ac3a933a7c9cf437095c6a337c9bc0816b3f

C:\Users\Admin\AppData\Local\Temp\_MEI15402\base_library.zip

MD5 9e2a1b96fdb535040072e91f676bfeb6
SHA1 482982a6055244d21a5109c0b226e45bbe4b13db
SHA256 a013225c2cdf713e0236edaea29e705da6b9bb50863f61899ea1c7b1deaac465
SHA512 b3c34b0a8cf3c4c15c35b16a9e2e26b08283feb94bed00862ec6b226c3a93e4e6a27be68d5a763455fb926bb67d1c905f7b5f6f7de493cf5df2bfd8ec31b6641

C:\Users\Admin\AppData\Local\Temp\_MEI15402\pywintypes35.dll

MD5 bb279504eefa88aafd104ffe99d4adcc
SHA1 d88dfd761aadfc6c6725c5c597189d120cd66756
SHA256 b2aa5cd820a661ced9c2b79b112bc0475aab4ec4ec5ccaa5aba8c3452c467a61
SHA512 237f9d763afb6670154cd4df9987bd35bd9ad45cffd781e6c2f6a342297cfe1dab93625ab3c5ce35b0111c0a3813ba6332317ed312a0591b7a32e5417d9225d9

C:\Users\Admin\AppData\Local\Temp\_MEI15402\python3.dll

MD5 bedd43b3a689e82bffb2cecc1325a554
SHA1 c459580ccd107254c4b845837f4303599b74f7c0
SHA256 e61098416aadc2a12a9fb8f46523126efb6838fae21709ceb9b5beffb6104484
SHA512 ac1571df83c71453dd4db65183d2e198d0524bdd2823e188fa2fc4538775d974095f72e1ac9c6f21bdb47e117e46a744e3dd5ca6c6392db86efd3c2e6e845f9f

C:\Users\Admin\AppData\Local\Temp\_MEI15402\_bz2.pyd

MD5 9eca8835d401251c900b9b912f67432d
SHA1 08f9dbc0c3493543846fd635b58957fe82793752
SHA256 6b47a8d1926aad9070e2bc10b0492f7ba18a72d956c8d403f65acd6677a9c27e
SHA512 f41b9b311286755e90223b9c9285ed022b3cdb682b1ec6a79b05efd92a25fdaffc61fa0a7541b47029817d4e307585d079dfe2b25c8c33598da1a8de8c72fce5

C:\Users\Admin\AppData\Local\Temp\_MEI15402\_lzma.pyd

MD5 2801cb78144e691cf2e5ed3c52a26264
SHA1 a8bae6fb71596c3bf0aab9623dee916c95cf538f
SHA256 fc94b15db09021337c644d9b5e78e010f6b7fc3399eddfad9c4e408e6bf1f190
SHA512 a1e7b703d85924defa5cbd5f2628a29b18f5fe817cdeffd580d3c04ef6c15b46e348d69ab6a3f11f117a9ff93e2fe29a4b1395e1327559da35c077e692af4021

C:\Users\Admin\AppData\Local\Temp\_MEI15402\_hashlib.pyd

MD5 d809b65891f4e700341ea348d85d355c
SHA1 eddac80ba401d56c6f8ceccfec73e9a06fa17f47
SHA256 04cd613fed7ebee107f247abceff81cd6799039f6740beac8cacd842b47fcf86
SHA512 9e5d360b00024144d5c9038e2f5dbc3896c88d848bc7a7da43bb64334b13e349905733ff2ff61f14ee10ede78fb0e51a933f98d1e58ad06d1e877a272645913d

C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-utility-l1-1-0.dll

MD5 5cde35104a68606913af6e5bd3b1adea
SHA1 f1f28141585c000753ab4db9ffc61f90929d4a1a
SHA256 111f6dd2e7247071a33d75bf98d521a8d09c4071f90483a82e6ed9af69bb52c4
SHA512 caa5f80ac380a6e0242104f297fbfe6091260d743ef967fb1010720dbcba2a575baf8cb1f666b11fe780428d71a04767e2cc63d1bd9638d5f1af1063e3f43f91

C:\Users\Admin\AppData\Local\Temp\_MEI15402\_socket.pyd

MD5 a5fa85aa44fb613ee0a41ae800a2bf23
SHA1 f6fccbe3e595e679ae509615ad727a0c7c05269e
SHA256 5fd818104f77ebf8d8e924f4234ee769db5551937cae617d9c96f30c0eed610a
SHA512 1a45e1d9d62193ccfc73693a7011b4476933748c49b269906955fa2408b8b150062ba3a64120268c7179af576439174516955bae0f49f868d74581ab3dda0841

C:\Users\Admin\AppData\Local\Temp\_MEI15402\select.pyd

MD5 09b1e57ce241797e1068ae72df81f7bf
SHA1 eedd48d7046c9c5608e08f94954c0fc9e77ca7a9
SHA256 616354b9bd84d575bcca2dddcd31075d9ba4e590a3d8670565e412473ae1f3c6
SHA512 b8c0a284a2a2dab8531b879e33cfe4ff1afb2448631506f78181768e080901331d9d0892dc05f5c7636c29cac1932a109fa6dea70708cee8b8f53392934ad7f7

C:\Users\Admin\AppData\Local\Temp\_MEI15402\_ssl.pyd

MD5 e51378f4861076cd7b765880a8ce9395
SHA1 e7b3c5e76ff19dc12590a8f23f9c8d842e3316f4
SHA256 ad307d89ec8b215f8f7c0da54c67ef17b678974eb6199f6ad9a6589b44cfd343
SHA512 f13fc13c8c84da03a30b48c5a508bb0d2b842b29ef4d08909b4d1d91ceafa5b426e719f278ccf99e37066cc13a9c0685bb903e8d9574f4a24dc45e2eedeeac0e

C:\Users\Admin\AppData\Local\Temp\_MEI15402\unicodedata.pyd

MD5 1c8c526f00b61f44371c483f3464d8e9
SHA1 356ea0b55674cee3eeb531a76a89b587679f8cc4
SHA256 df20d3d81520bd9dcdd10b8833fdd883735e36bc5104bb592bb574327e2b0430
SHA512 df44579b292981bdd04d851c4e3cd17f0c1251e22ecddc87170293632b16fd7a3a3c6489b12b606e2a6645089155bd9a6a2bc63566965d45b50ce9b6091039ea

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 04:59

Reported

2024-06-20 05:02

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk.exe N/A

Same hit as on Windows 7: LUID 35 is SeCreateSymbolicLinkPrivilege, which CPython 3.5's os module enables at interpreter start-up, so it is attributable to the bundled runtime rather than to the payload.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_98a4b4622bae35ad3e117466cb8d9ada_ryuk.exe"

Same PyInstaller bootloader/child pair as in behavioral1; no third process was spawned on either platform.

Network

All 23 flows below are either TLS connections to Microsoft Bing hosts (g.bing.com, www.bing.com, tse1.mm.bing.net) or reverse-DNS (in-addr.arpa) PTR lookups sent to 8.8.8.8; no other host received a connection. This is consistent with Windows 10 background activity in the sandbox image rather than with the sample, which produced no network traffic at all on Windows 7. None of these destinations should be treated as sample indicators.

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI44762\ucrtbase.dll

MD5 2c8fe06966d5085a595ffa3c98fe3098
SHA1 e82945e3e63ffef0974d6dd74f2aef2bf6d0a908
SHA256 de8d08d01291df93821314176381f3d1ae863e6c5584a7f8ea42f0b94b15ef65
SHA512 fb08838983c16082a362b3fc89d5b82e61ae629207c13c3cb76b8a0af557ad95c842ce5197ae458b5af61e5449cbab579f509fa72866308aa6fbd3d751522d0f

C:\Users\Admin\AppData\Local\Temp\_MEI44762\python35.dll

MD5 c2520f68864fcbcf98c584b2f197f1d9
SHA1 88d565f3f765fac790d824b44202db01b46dcaed
SHA256 025d2a0ea6ec700f87b6fd22d5f9246a039117c28ebcc78f7590f7da3b76927e
SHA512 7f0cff733335417be5e6a3765c87c4baabe4c768f44099d6da023fc462d2d0f6ceec037ea59a7176eb5f8ad34b28651332e15318cabd1dbde639243972d10c34

C:\Users\Admin\AppData\Local\Temp\_MEI44762\VCRUNTIME140.dll

MD5 6c2c88ff1b3da84b44d23a253a06c01b
SHA1 488c95acda13dce2f099774ee506e47869e9284e
SHA256 acf65e565021f2017815fc5ec8a3145cf6c15e75c132cf23a378cc943e68327c
SHA512 e104d5d69327abc510e0ef38aae2427a87ed0f76dd5bacb20080f40dd98c9048504ec20baabc5ecf69759e3ff485d4f2bb591b6c9e391271dd11e2dcc05933f2

C:\Users\Admin\AppData\Local\Temp\_MEI44762\base_library.zip

MD5 9e2a1b96fdb535040072e91f676bfeb6
SHA1 482982a6055244d21a5109c0b226e45bbe4b13db
SHA256 a013225c2cdf713e0236edaea29e705da6b9bb50863f61899ea1c7b1deaac465
SHA512 b3c34b0a8cf3c4c15c35b16a9e2e26b08283feb94bed00862ec6b226c3a93e4e6a27be68d5a763455fb926bb67d1c905f7b5f6f7de493cf5df2bfd8ec31b6641

C:\Users\Admin\AppData\Local\Temp\_MEI44762\python3.dll

MD5 bedd43b3a689e82bffb2cecc1325a554
SHA1 c459580ccd107254c4b845837f4303599b74f7c0
SHA256 e61098416aadc2a12a9fb8f46523126efb6838fae21709ceb9b5beffb6104484
SHA512 ac1571df83c71453dd4db65183d2e198d0524bdd2823e188fa2fc4538775d974095f72e1ac9c6f21bdb47e117e46a744e3dd5ca6c6392db86efd3c2e6e845f9f

C:\Users\Admin\AppData\Local\Temp\_MEI44762\_hashlib.pyd

MD5 d809b65891f4e700341ea348d85d355c
SHA1 eddac80ba401d56c6f8ceccfec73e9a06fa17f47
SHA256 04cd613fed7ebee107f247abceff81cd6799039f6740beac8cacd842b47fcf86
SHA512 9e5d360b00024144d5c9038e2f5dbc3896c88d848bc7a7da43bb64334b13e349905733ff2ff61f14ee10ede78fb0e51a933f98d1e58ad06d1e877a272645913d

C:\Users\Admin\AppData\Local\Temp\_MEI44762\select.pyd

MD5 09b1e57ce241797e1068ae72df81f7bf
SHA1 eedd48d7046c9c5608e08f94954c0fc9e77ca7a9
SHA256 616354b9bd84d575bcca2dddcd31075d9ba4e590a3d8670565e412473ae1f3c6
SHA512 b8c0a284a2a2dab8531b879e33cfe4ff1afb2448631506f78181768e080901331d9d0892dc05f5c7636c29cac1932a109fa6dea70708cee8b8f53392934ad7f7

C:\Users\Admin\AppData\Local\Temp\_MEI44762\unicodedata.pyd

MD5 1c8c526f00b61f44371c483f3464d8e9
SHA1 356ea0b55674cee3eeb531a76a89b587679f8cc4
SHA256 df20d3d81520bd9dcdd10b8833fdd883735e36bc5104bb592bb574327e2b0430
SHA512 df44579b292981bdd04d851c4e3cd17f0c1251e22ecddc87170293632b16fd7a3a3c6489b12b606e2a6645089155bd9a6a2bc63566965d45b50ce9b6091039ea

C:\Users\Admin\AppData\Local\Temp\_MEI44762\_ssl.pyd

MD5 e51378f4861076cd7b765880a8ce9395
SHA1 e7b3c5e76ff19dc12590a8f23f9c8d842e3316f4
SHA256 ad307d89ec8b215f8f7c0da54c67ef17b678974eb6199f6ad9a6589b44cfd343
SHA512 f13fc13c8c84da03a30b48c5a508bb0d2b842b29ef4d08909b4d1d91ceafa5b426e719f278ccf99e37066cc13a9c0685bb903e8d9574f4a24dc45e2eedeeac0e

C:\Users\Admin\AppData\Local\Temp\_MEI44762\_socket.pyd

MD5 a5fa85aa44fb613ee0a41ae800a2bf23
SHA1 f6fccbe3e595e679ae509615ad727a0c7c05269e
SHA256 5fd818104f77ebf8d8e924f4234ee769db5551937cae617d9c96f30c0eed610a
SHA512 1a45e1d9d62193ccfc73693a7011b4476933748c49b269906955fa2408b8b150062ba3a64120268c7179af576439174516955bae0f49f868d74581ab3dda0841

C:\Users\Admin\AppData\Local\Temp\_MEI44762\_lzma.pyd

MD5 2801cb78144e691cf2e5ed3c52a26264
SHA1 a8bae6fb71596c3bf0aab9623dee916c95cf538f
SHA256 fc94b15db09021337c644d9b5e78e010f6b7fc3399eddfad9c4e408e6bf1f190
SHA512 a1e7b703d85924defa5cbd5f2628a29b18f5fe817cdeffd580d3c04ef6c15b46e348d69ab6a3f11f117a9ff93e2fe29a4b1395e1327559da35c077e692af4021

C:\Users\Admin\AppData\Local\Temp\_MEI44762\_bz2.pyd

MD5 9eca8835d401251c900b9b912f67432d
SHA1 08f9dbc0c3493543846fd635b58957fe82793752
SHA256 6b47a8d1926aad9070e2bc10b0492f7ba18a72d956c8d403f65acd6677a9c27e
SHA512 f41b9b311286755e90223b9c9285ed022b3cdb682b1ec6a79b05efd92a25fdaffc61fa0a7541b47029817d4e307585d079dfe2b25c8c33598da1a8de8c72fce5

C:\Users\Admin\AppData\Local\Temp\_MEI44762\pywintypes35.dll

MD5 bb279504eefa88aafd104ffe99d4adcc
SHA1 d88dfd761aadfc6c6725c5c597189d120cd66756
SHA256 b2aa5cd820a661ced9c2b79b112bc0475aab4ec4ec5ccaa5aba8c3452c467a61
SHA512 237f9d763afb6670154cd4df9987bd35bd9ad45cffd781e6c2f6a342297cfe1dab93625ab3c5ce35b0111c0a3813ba6332317ed312a0591b7a32e5417d9225d9