Overview

overview

7

Static

static

3

2024-08-21...uk.exe

windows7-x64

7

2024-08-21...uk.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21-08-2024 18:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-21_781853a5c139d6f6c5215eb610f50d2d_cobalt-strike_ryuk.exe

  • Size

    2.0MB

  • MD5

    781853a5c139d6f6c5215eb610f50d2d

  • SHA1

    1fb542d69ca80d85aca4fc1e727da23f6caf42a1

  • SHA256

    db3bbd678785299bfd9d3ef18b847504bbcec5fbdb523aeacce3e458cd6863c5

  • SHA512

    5c7cb246f2e9355ada4d504f0fe7c4523e840a1f4f0e077e024e01245f6ebfb38a77c47f0d4f08c3559f020d5f322bdae7a013dd749e6ffb01901fa78e5add40

  • SSDEEP

    24576:lcTyYv0FteQUd5I2kjgD6iQacAksqjnhMgeiCl7G0nehbGZpbD:luXv0FtpU5606zOADmg27RnWGj

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-21_781853a5c139d6f6c5215eb610f50d2d_cobalt-strike_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-21_781853a5c139d6f6c5215eb610f50d2d_cobalt-strike_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2340 -s 220
      2⤵
        PID:2928
    • C:\Windows\System32\alg.exe
      C:\Windows\System32\alg.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:2372

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Windows\System32\alg.exe
      Filesize

      1.2MB

      MD5

      568526115d78e1d28e254e5791ce930f

      SHA1

      452b0016db0ba4388e2deca6c4b8e7b1a2fd5bbc

      SHA256

      3a481ed825b313833b187525865ff445dc5188cce4f3f20a338dc7417926c6a5

      SHA512

      b3a13a8dacd408b3753f1866e5e2d4c414f0120852e43542f590d80db77a499628f9732aa71877f2f3f2027608b3119d3c115f8c0d000e962df90f8bb3ba988a

      Download Submit

    • memory/2340-0-0x00000000001D0000-0x0000000000230000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2340-6-0x00000000001D0000-0x0000000000230000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2340-9-0x0000000140000000-0x000000014021A000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2340-23-0x0000000140000000-0x000000014021A000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2372-19-0x0000000000780000-0x00000000007E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2372-13-0x0000000000780000-0x00000000007E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2372-22-0x0000000100000000-0x000000010012A000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2372-24-0x0000000100000000-0x000000010012A000-memory.dmp

      Filesize

      1.2MB

      Download