Analysis
max time kernel: 51s
max time network: 59s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 24-06-2024 14:34
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-24_5db2db595d891a4285384266d430988b_ryuk.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 2024-06-24_5db2db595d891a4285384266d430988b_ryuk.exe
Resource: win10v2004-20240508-en
General
Target: 2024-06-24_5db2db595d891a4285384266d430988b_ryuk.exe
Size: 87KB
MD5: 5db2db595d891a4285384266d430988b
SHA1: 00bbe6b5d23da7b78260d1d58d3f31c38813df9a
SHA256: 9f3a91db555da8542f6c94b89ff9f48b2718f7fe556faf99641ec42233aaf7ea
SHA512: fe2e557a1285a84140d02a9c25cd289101f9172fc0c6d51de98a11d88af33c311fe50a50fb77faa485ccf17cdbc88aaedb7ad7b026ad8b837ae408906ab11302
SSDEEP: 1536:B8G2UPyqUSm6x325YGHXqoaO1YmZgP2sW5dc9dlvshVhVpxtQA:xHPHUf605F3jaO1Y0S8UyhVhVlx
Malware Config
Extracted
Family: cobaltstrike
C2: http://dash.clayonedom.bond:2096/api/2
user_agent:
Host: dash.clayonedom.bond
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 2024-06-24_5db2db595d891a4285384266d430988b_ryuk.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-24_5db2db595d891a4285384266d430988b_ryuk.exe"
process: 2024-06-24_5db2db595d891a4285384266d430988b_ryuk.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 2024-06-24_5db2db595d891a4285384266d430988b_ryuk.exe
pid  process
1588 2024-06-24_5db2db595d891a4285384266d430988b_ryuk.exe
1588 2024-06-24_5db2db595d891a4285384266d430988b_ryuk.exe