Overview

overview

9

Static

static

7

ryomen-gen.rar

windows7-x64

3

ryomen-gen.rar

windows10-2004-x64

3

ryomen-gen...g.json

windows7-x64

3

ryomen-gen...g.json

windows10-2004-x64

3

ryomen-gen...gs.vbs

windows7-x64

1

ryomen-gen...gs.vbs

windows10-2004-x64

1

ryomen-gen...ol.exe

windows7-x64

7

ryomen-gen...ol.exe

windows10-2004-x64

7

out.exe

windows7-x64

out.exe

windows10-2004-x64

ryomen-gen...ol.ini

windows7-x64

1

ryomen-gen...ol.ini

windows10-2004-x64

1

ryomen-gen...me.txt

windows7-x64

1

ryomen-gen...me.txt

windows10-2004-x64

1

ryomen-gen/ryomen.exe

windows7-x64

9

ryomen-gen/ryomen.exe

windows10-2004-x64

9

ryomen.pyc

windows7-x64

3

ryomen.pyc

windows10-2004-x64

3

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    12-08-2024 01:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ryomen-gen/ryomen.exe

  • Size

    21.9MB

  • MD5

    30ce892010db9f56f0ed936cfc129f30

  • SHA1

    58c3e72b0e782990885d665c2bae00990b036275

  • SHA256

    b8c2f0eba9dccb3a8a634fc9844a9d1a5794b74de9753a0e5ba16c4099d2276b

  • SHA512

    b3c75cb6171921bafdb8fb27f0367d99e6cf2024ad310407d421d19465ad91580b4e54b8c623ec45d55aac333b46fd6cc4ce0ed834903f20ef4c043322398beb

  • SSDEEP

    393216:QWV3KB/MQNuBhQNCEDsSmVcamu9UJMZk4exVbMBVd2RW8aJX2Z6:QmaZMQQWCEDFmVcgi2Zk93bMzMCJa

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 7 IoCs
  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ryomen-gen\ryomen.exe
    "C:\Users\Admin\AppData\Local\Temp\ryomen-gen\ryomen.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Local\Temp\ryomen-gen\ryomen.exe
      "C:\Users\Admin\AppData\Local\Temp\ryomen-gen\ryomen.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI25202\api-ms-win-core-file-l1-2-0.dll
    Filesize

    19KB

    MD5

    ac28edb5ad8eaa70ecbc64baf3e70bd4

    SHA1

    1a594e6cdc25a6e6be7904093f47f582e9c1fe4d

    SHA256

    fbd5e958f6efb4d78fd61ee9ee4b4d1b6f43c1210301668f654a880c65a1be86

    SHA512

    a25b812b9fa965af5f7de5552e2c2f4788a076af003ac0d94c3b2bc42dd9ab7e69af2438ce349b46a3387bf2bfcf27cec270d90ca6a44c9690861331c9e431e1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25202\api-ms-win-core-processthreads-l1-1-1.dll
    Filesize

    19KB

    MD5

    8ff0692d32f2fcb0b417220b98f30364

    SHA1

    5eeb1d781d44e4885284c8b535f051efca64aef8

    SHA256

    53cea73c248a49389bc2da01acac1d8e8022a7e034bcd522306e43a937200897

    SHA512

    f73249f70953c537da02b890308cb18a9c6676401975bf13aeb61b1db9dfa042e908c52ee266b404948a568b23b0cfb37ecd4b80379c398c15f56ce7a82cf7a5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25202\api-ms-win-core-timezone-l1-1-0.dll
    Filesize

    19KB

    MD5

    863ed806b4f16be984b4f1e279a1f99b

    SHA1

    b9a919216ef90064ac66b12ccde6b3bf1f334ee8

    SHA256

    171ca9df2b9ecfa545748af724c1c56ab396b299503a14c4da2197b0e5a44401

    SHA512

    fb8f195d9a1885c16aa2cc6eff38e627ea127b18978016d6046dc0120a19ab40cc4fe4b799c06f133b02f7cd6a634ae1665f05f9be5fcae609229dfaae0ce478

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25202\python39.dll
    Filesize

    4.3MB

    MD5

    5cd203d356a77646856341a0c9135fc6

    SHA1

    a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

    SHA256

    a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

    SHA512

    390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI25202\ucrtbase.dll
    Filesize

    1.1MB

    MD5

    988755316d0f77fc510923c2f7cd6917

    SHA1

    ccd23c30c38062c87bf730ab6933f928ee981419

    SHA256

    1854cd0f850da28835416e3b69ed6dae465df95f8d84e77adbbc001f6dbd9d78

    SHA512

    8c52210a919d9f2856f38bd6a59bbc039506650a7e30f5d100a5aa5008641707122ff79f6f88c268c9abc9f02ba2792eed6aad6a5c65891a9ce7d6d5f12c3b0a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\_MEI25202\api-ms-win-core-file-l2-1-0.dll
    Filesize

    19KB

    MD5

    b5832f1e3a18d94cd855c3d8c632b30d

    SHA1

    6315b40487078bbafb478786c42c3946647e8ef3

    SHA256

    9f096475d4ba1533f564dd4a1db5dfeb620248fe14518042094b922539dc13e3

    SHA512

    f3016ded97591e25a6d4c70d89251a331402455ab589604e55c486fec37ee8e96bd1be2d4e4e59ba102dad696b3e1f754b699f9ebe8ae462e8b958ed2d431a5b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\_MEI25202\api-ms-win-core-localization-l1-2-0.dll
    Filesize

    19KB

    MD5

    fd59ee6be2136782225dcd86f8177239

    SHA1

    494d20e04f69676c150944e24e4fa714a3f781ca

    SHA256

    1fd044fdbc424779b01b79d477ee79dfbb508a04e86c62e1c8fc4f6d22f6a16a

    SHA512

    2250d54c3b9e6aeb2f5406e1428536564357a48ceab51596b33ff0843086fb420ad886af61725b25a58e2f50a4c17ddee10696d6041db9b60891eff8e495775c

    Download Submit

  • memory/2176-123-0x000000013FA40000-0x00000001403DE000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2176-138-0x000000013FA40000-0x00000001403DE000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2176-119-0x000000013FA40000-0x00000001403DE000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2176-139-0x00000000775C0000-0x0000000077769000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2176-122-0x00000000775C0000-0x0000000077769000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2176-120-0x000000013FA40000-0x00000001403DE000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2176-118-0x000000013FA40000-0x00000001403DE000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2176-121-0x000000013FA40000-0x00000001403DE000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2520-117-0x0000000002570000-0x0000000002F0E000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2520-2-0x000000013FA40000-0x00000001403DE000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2520-5-0x000000013FA40000-0x00000001403DE000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2520-4-0x000000013FA40000-0x00000001403DE000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2520-1-0x0000000077610000-0x0000000077612000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2520-3-0x000000013FA40000-0x00000001403DE000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2520-0-0x000000013FA40000-0x00000001403DE000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2520-245-0x000000013FA40000-0x00000001403DE000-memory.dmp

    Filesize

    9.6MB

    Download