13418765c7d1c755e47aec453e9836b9dca0e9ef904043b63d4042bdcbf81757 | Triage

Sharing

General

Target

2024-09-19_b2bc9aa586a128967d718492d64d88cf_ryuk
Size

5.4MB
Sample

240919-gnxfastfkh
MD5

b2bc9aa586a128967d718492d64d88cf
SHA1

91e685e3206178afe17bca4aaa0c960dd9770351
SHA256

13418765c7d1c755e47aec453e9836b9dca0e9ef904043b63d4042bdcbf81757
SHA512

8d04697add4615d26589266692f7e1c8243dbaa605b0c6874b33f0c8c80ba7fcbab508fc5f4d23d1be7947a898bb0fce346d7c0b98bb8ae28c785784b8355cc3
SSDEEP

98304:VjD5l5T/7VzSFGKVupb+q8ugzgss4mKmphIY+k37AoZCLSnee/3PWcFcKpsdiXLu:VjD7F/xzVgzgsYKmphxjZySj/3OcF9OH

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Targets

- Target
  
  2024-09-19_b2bc9aa586a128967d718492d64d88cf_ryuk
- Size
  
  5.4MB
- MD5
  
  b2bc9aa586a128967d718492d64d88cf
- SHA1
  
  91e685e3206178afe17bca4aaa0c960dd9770351
- SHA256
  
  13418765c7d1c755e47aec453e9836b9dca0e9ef904043b63d4042bdcbf81757
- SHA512
  
  8d04697add4615d26589266692f7e1c8243dbaa605b0c6874b33f0c8c80ba7fcbab508fc5f4d23d1be7947a898bb0fce346d7c0b98bb8ae28c785784b8355cc3
- SSDEEP
  
  98304:VjD5l5T/7VzSFGKVupb+q8ugzgss4mKmphIY+k37AoZCLSnee/3PWcFcKpsdiXLu:VjD7F/xzVgzgsYKmphxjZySj/3OcF9OH
Score

8^/10

discovery persistence privilege_escalation
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistenceprivilege_escalation

behavioral2

discoverypersistenceprivilege_escalation