Analysis
-
max time kernel
134s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
23/08/2024, 21:34
General
-
Target
2024-08-23_d38ea6eaad9197dffa5252b66249a707_cobalt-strike_hijackloader_ryuk.exe
-
Size
3.6MB
-
MD5
d38ea6eaad9197dffa5252b66249a707
-
SHA1
209667d2d8e7ba24f0bac99a528a6d5c2ec75097
-
SHA256
42e064a03b514482686bea7bc83363fa5c69b6458b475eebdfda57b7159dcec6
-
SHA512
f355aba8435fd766b18af7fbd2f77dc4d474ad395a7bad427ed7d63e417d64cf2cd39bfb588303b1b08fa730c4bfff3b654a99a69e75b9e5d88c5a4f4b88f949
-
SSDEEP
49152:7WRqwwZBbklQCzHswt2Eo0Gl6zanvVD9ctavPDe1uV:h/DQHp0Eo0MGjU
Score
7/10
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-23_d38ea6eaad9197dffa5252b66249a707_cobalt-strike_hijackloader_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-23_d38ea6eaad9197dffa5252b66249a707_cobalt-strike_hijackloader_ryuk.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2024-08-23_d38ea6eaad9197dffa5252b66249a707_cobalt-strike_hijackloader_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-08-23_d38ea6eaad9197dffa5252b66249a707_cobalt-strike_hijackloader_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=128.1.69.153 --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x7ff6f40eaef0,0x7ff6f40eaefc,0x7ff6f40eaf082⤵
-