78604a5813861a7dd652b6d2f151bcf8215f0c700b4a1a8f28986fee220b1a59

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
Size

70.2MB
MD5

8f032f34569c3c9e99562a22dfd78a57
SHA1

2e014a220d6767924c6f9e669ae8deb8bd42383e
SHA256

78604a5813861a7dd652b6d2f151bcf8215f0c700b4a1a8f28986fee220b1a59
SHA512

34a2e6c8f0131f305b0a8eaa385e780fe1da5e21c6977324ecb3249e53460d9c3a5caea9675a3c0120c5982e980c9029706b1c1999cff616cf5febc3df82722d
SSDEEP

1572864:HklDCjxMgp23PnpSRxxhaz/+df11/GgzBGQIj5Oi:Eh+9unkRxDw/Mf/pBGRj5

Score

10^/10

discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
1792	apache.exe
1392	win32-67-quickq.exe

Loads dropped DLL 7 IoCs

pid	Process
1792	apache.exe
1792	apache.exe
1792	apache.exe
1792	apache.exe
1392	win32-67-quickq.exe
1392	win32-67-quickq.exe
1392	win32-67-quickq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apache.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32-67-quickq.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2192	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1392	win32-67-quickq.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1296	mmc.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
Token: 33	2880	mmc.exe
Token: SeIncBasePriorityPrivilege	2880	mmc.exe
Token: 33	2880	mmc.exe
Token: SeIncBasePriorityPrivilege	2880	mmc.exe
Token: 33	1296	mmc.exe
Token: SeIncBasePriorityPrivilege	1296	mmc.exe
Token: 33	1296	mmc.exe
Token: SeIncBasePriorityPrivilege	1296	mmc.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
2880	mmc.exe
2880	mmc.exe
1296	mmc.exe
1296	mmc.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2820	2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe	30
PID 2388 wrote to memory of 2820	2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe	30
PID 2388 wrote to memory of 2820	2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe	30
PID 2820 wrote to memory of 2192	2820	cmd.exe	32
PID 2820 wrote to memory of 2192	2820	cmd.exe	32
PID 2820 wrote to memory of 2192	2820	cmd.exe	32
PID 2388 wrote to memory of 2804	2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe	33
PID 2388 wrote to memory of 2804	2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe	33
PID 2388 wrote to memory of 2804	2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe	33
PID 2388 wrote to memory of 2216	2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe	35
PID 2388 wrote to memory of 2216	2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe	35
PID 2388 wrote to memory of 2216	2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe	35
PID 2216 wrote to memory of 1856	2216	cmd.exe	37
PID 2216 wrote to memory of 1856	2216	cmd.exe	37
PID 2216 wrote to memory of 1856	2216	cmd.exe	37
PID 2216 wrote to memory of 1784	2216	cmd.exe	38
PID 2216 wrote to memory of 1784	2216	cmd.exe	38
PID 2216 wrote to memory of 1784	2216	cmd.exe	38
PID 2216 wrote to memory of 2900	2216	cmd.exe	39
PID 2216 wrote to memory of 2900	2216	cmd.exe	39
PID 2216 wrote to memory of 2900	2216	cmd.exe	39
PID 2388 wrote to memory of 2964	2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe	40
PID 2388 wrote to memory of 2964	2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe	40
PID 2388 wrote to memory of 2964	2388	2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe	40
PID 2880 wrote to memory of 1792	2880	mmc.exe	43
PID 2880 wrote to memory of 1792	2880	mmc.exe	43
PID 2880 wrote to memory of 1792	2880	mmc.exe	43
PID 2880 wrote to memory of 1792	2880	mmc.exe	43
PID 1296 wrote to memory of 1392	1296	mmc.exe	46
PID 1296 wrote to memory of 1392	1296	mmc.exe	46
PID 1296 wrote to memory of 1392	1296	mmc.exe	46
PID 1296 wrote to memory of 1392	1296	mmc.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-04_8f032f34569c3c9e99562a22dfd78a57_hijackloader_ryuk.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2192
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" -f C:\ProgramData\qGK3j.xml
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\Ey4DC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:1856
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:1784
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\XoyM8\VeK2i@m8\v+C:\ProgramData\XoyM8\VeK2i@m8\b C:\ProgramData\XoyM8\VeK2i@m8\libhttpd.dll
  2⤵
  PID:2964

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880
- C:\ProgramData\XoyM8\VeK2i@m8\apache.exe
  "C:\ProgramData\XoyM8\VeK2i@m8\apache.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1792

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296
- C:\ProgramData\win32-67-quickq.exe
  "C:\ProgramData\win32-67-quickq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\XoyM8\VeK2i@m8\PX.txt

Filesize
179KB

MD5
7254eb9aa277475d42598ce82aeb380a

SHA1
a4c35e30c008bb859f40c5596ae73e2666596645

SHA256
3ef71bcb0b97d2d8e28c733863a4094810cdc816f810e3adc028d5e640f247c4

SHA512
ef9d769abeb7129277d144740461ac9074b989e29a4ca37153c0a65295f2436111518b24b0861a12fe00e7681144fdb35061ecd62471e78db6c67588e9acb43f

Download Submit
C:\ProgramData\XoyM8\VeK2i@m8\apache.exe

Filesize
20KB

MD5
eb4e26ad3a0e681c2faabbacb0691a34

SHA1
55781c8ed0dc76e4edfb91ee01267783ed2434f5

SHA256
f2acdf171e603203f422ba64bfe2644a8e125657c96dd626cfd323e9f87c88d1

SHA512
d177bfd6433207e2dcec3a05749a28693b891674b5f6c0dd9438bc75b5e6ee7c13d483ecd5bda9d8097f105d7976cbcf16612c53c8df6932f8d3aafb4435562f

Download Submit
C:\ProgramData\XoyM8\VeK2i@m8\b

Filesize
1.0MB

MD5
7307f5afe4856d5afac9552d5dd6638d

SHA1
7fea813ce35f85acdc780b2afcaacce14a7d5eb5

SHA256
1c3192682831081d56276c10235a8f181566f473942ebfbd3d2a34de2043c8c9

SHA512
dd1a51a733cef317abb64212da7d3d9689a3688cbd974def96be94bea93f104964716806a7c28daba733a7085528619b0a8df6fe6de0d1710173358799503eab

Download Submit
C:\ProgramData\XoyM8\VeK2i@m8\libhttpd.dll

Filesize
2.0MB

MD5
e9fe83497bc0ecf0eca8095cbc3636c3

SHA1
9c76eaff3ac4156b462dd05c8c76272995c8d513

SHA256
171d37105e828ee641b0e6a386dd3fb131857ac9b3ba0246566bc4b0f78d7752

SHA512
7232145954e0fe59ad24a9329ba885df8038666d49e1bd442adc5b32f82f903a44b0338fb18460764a651fde75de244f725787bc1fa2fee90e06896259f72e77

Download Submit
C:\ProgramData\XoyM8\VeK2i@m8\v

Filesize
1.0MB

MD5
0de13eb50b1a642533afc617a7fae29a

SHA1
133e8262bd162a9d52d5042e3db9742e709e0944

SHA256
da9283fd5b388d90e90c6f82f7c20a1093ffa30f136f3bdf2f3f685a01bb1f0a

SHA512
bb1123fc60a0b6ed71a65b2594175c4eebe5061f0cafd072223f021edf9985e88e944f5b96e63ae86a970eaf04d678f478ab200ea8d1ce8cf696b6453f3a4994

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdC69A.tmp\ioSpecial.ini

Filesize
679B

MD5
cb5af3731c5d678fbb904a6b62068bd3

SHA1
1cdd31ab1651aaba27d74fbab54003e69113d481

SHA256
6ad900a2b1dad2584f13460ef0a90739a0efa71708e42d29dab08af39449fd94

SHA512
9433799993fbed1a63a621c2e40bba4c72c2afef4c87c9014462db827accdc97de67b4bf76edc9d5c80e97057d67a47d5372950c3b86e347cb757b65feb7348e

Download Submit
C:\Users\Admin\AppData\Roaming\Ey4DC.bat

Filesize
392B

MD5
30d6eb22d6aeec10347239b17b023bf4

SHA1
e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

SHA256
659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

SHA512
500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

Download Submit
\ProgramData\XoyM8\VeK2i@m8\libapr-1.dll

Filesize
136KB

MD5
1f2438d15d4434da44dd7d8de4159685

SHA1
485ee0456584372ed290cf2c4cce23acd0365738

SHA256
a469f6528855b68fa5736ac5d17d4bfcc334ddb7b0302925d172e51a1c8f9825

SHA512
2a14c66fbd447fb2a92ecc9ad7ef6203a1ad05517a8bc0fa154e99a57aa97fcef7c8830576eb8de81062527c18c40b0c1c1affa2115a27ac21c9b83e82912798

Download Submit
\ProgramData\XoyM8\VeK2i@m8\libapriconv-1.dll

Filesize
36KB

MD5
19f4219c97ef015d0078432c2597cfc0

SHA1
0137739696289ff2905e5cfcde1cfc7d39e2e94b

SHA256
0e65f8c77bb83505075ebccc9b0ee3c3c4790817967a7fe6a37bb2dd57e35016

SHA512
0825a2d669f60ab6df30453856836a04b64f558efb47f619fce61e64f66297702125f1cccb1d4c6081f7f6079281d5de236d1069737487160d060275e48553d3

Download Submit
\ProgramData\XoyM8\VeK2i@m8\libaprutil-1.dll

Filesize
188KB

MD5
509edf80bbd3f6e6af60ceaf17026666

SHA1
702ccd2c3bd4c1c9f2cf0d4ce33bf8b0e6aac7a0

SHA256
6e8c0aa983b81f977809ca8beb050c33f5bcda741a736f7f2055b5a064b4e59e

SHA512
d28f0f79b1718edbbcfbf75dfc74c8023968f31760e2a99fb5c8ba7c87c3efd171b6d4b3c99ddc5c6e6857bdf72dd9f5b04449f1136aa22d9f7bea7e688a75ef

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC69A.tmp\InstallOptions.dll

Filesize
14KB

MD5
8d5a5529462a9ba1ac068ee0502578c7

SHA1
875e651e302ce0bfc8893f341cf19171fee25ea5

SHA256
e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

SHA512
101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC69A.tmp\LangDLL.dll

Filesize
5KB

MD5
77ff758c10c66937de6d86c388aa431c

SHA1
14bd5628eaf8a12b55cd38f9560c839cb21ce77a

SHA256
6a033e367714ec0d13fca0589c165bdbf4d1dac459fa7ec7415815223fa3c008

SHA512
319837951be276a179ead69efcd24bd7566061abc7997ea782af50bd4b0d69e5ec1a6e4cdeb2825bafedf87edf03380396b7bcf58682b6a3a824c8dc4b966bda

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC69A.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
memory/1792-34-0x0000000000370000-0x00000000003D9000-memory.dmp

Filesize
420KB

Download
memory/2388-1-0x0000000180000000-0x0000000180467000-memory.dmp

Filesize
4.4MB

Download
memory/2388-2-0x0000000180000000-0x0000000180467000-memory.dmp

Filesize
4.4MB

Download
memory/2388-3-0x0000000180000000-0x0000000180467000-memory.dmp

Filesize
4.4MB

Download
memory/2388-22-0x0000000180000000-0x0000000180467000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads