Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
06-08-2024 00:58
Static task
static1
Behavioral task
behavioral1
Sample
2024-08-06_572fb5882f580ed2cfe33bdec95b621d_ryuk.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
2024-08-06_572fb5882f580ed2cfe33bdec95b621d_ryuk.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-08-06_572fb5882f580ed2cfe33bdec95b621d_ryuk.exe
-
Size
91KB
-
MD5
572fb5882f580ed2cfe33bdec95b621d
-
SHA1
e080244c4279eacf111c2019cd06bd399ff5292f
-
SHA256
421cee317b744b4f486cb631c2a0386532eebf569b1cffd5fbe8dfb3f680a9db
-
SHA512
37f9563ff401bf9211ab24151582d1308f282d9eed298b423ec733d3bc3f63237569345732d09a6cc992fab72367d6e2e2104aa2c9107f239c680a308d9a9b4f
-
SSDEEP
1536:6uRFSPMJQAS2K7+gZfkEgaIwgKG1sWVdc9dlDXnGa9VhR68x8:6uzSPwq7BFkErHRGHUl3t9VhRZ
Malware Config
Extracted
metasploit
metasploit_stager
192.168.220.128:5555
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2572 2024-08-06_572fb5882f580ed2cfe33bdec95b621d_ryuk.exe -
Suspicious use of WriteProcessMemory 1 IoCs
description pid Process procid_target PID 2572 wrote to memory of 1200 2572 2024-08-06_572fb5882f580ed2cfe33bdec95b621d_ryuk.exe 21
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\2024-08-06_572fb5882f580ed2cfe33bdec95b621d_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-06_572fb5882f580ed2cfe33bdec95b621d_ryuk.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2572
-