38d9f632cef36f1288cf6fb2d91615f080e326dd72f7dbb2300d8cd8edf052a6

General

Target

2024-09-27_9665af1dae01635726088d71d13576ba_cobalt-strike_ryuk
Size

8.9MB
Sample

240927-d9fswswfrh
MD5

9665af1dae01635726088d71d13576ba
SHA1

e4c6d68d64c70d795f847ee54afd5693ec6ef8a5
SHA256

38d9f632cef36f1288cf6fb2d91615f080e326dd72f7dbb2300d8cd8edf052a6
SHA512

04847fbf60d6f4ce310a2c52beeed557b27c14396db92adc0e2d9d36cb8b34beb0af203a69c7a05dc42762e6722f365809524a45dcfdfd1956b140071ba6fcf0
SSDEEP

196608:mAAHnhvhi/niOgjt/WDg6AiQBhyQbEAkZQdnkW9AVSGfGIJX/aI6HMaJTtGb:NAHnhvhuniYzyyu4JfdJX

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Extracted

Language

ps1

Source

URLs

exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/db/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/db/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Targets

- Target
  
  2024-09-27_9665af1dae01635726088d71d13576ba_cobalt-strike_ryuk
- Size
  
  8.9MB
- MD5
  
  9665af1dae01635726088d71d13576ba
- SHA1
  
  e4c6d68d64c70d795f847ee54afd5693ec6ef8a5
- SHA256
  
  38d9f632cef36f1288cf6fb2d91615f080e326dd72f7dbb2300d8cd8edf052a6
- SHA512
  
  04847fbf60d6f4ce310a2c52beeed557b27c14396db92adc0e2d9d36cb8b34beb0af203a69c7a05dc42762e6722f365809524a45dcfdfd1956b140071ba6fcf0
- SSDEEP
  
  196608:mAAHnhvhi/niOgjt/WDg6AiQBhyQbEAkZQdnkW9AVSGfGIJX/aI6HMaJTtGb:NAHnhvhuniYzyyu4JfdJX
Score

10^/10

execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2