Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-09-2024 08:27

General

  • Target

    2024-09-28_321a25c61bb513862f8fffb5db7a4489_ryuk.exe

  • Size

    5.8MB

  • MD5

    321a25c61bb513862f8fffb5db7a4489

  • SHA1

    f7a1949ebcd01c1ce4175a32ccd1e1dae9e5811b

  • SHA256

    a3e48cf8947f839d542b4ae3b735d204266b143f1d586b1318367bf3cf7f7fc5

  • SHA512

    bef81b668076727f53a94a617112034fa0f8704dcc67cfa3e3d4f2a32e6cb536d07b336b35ae4154c880e270eb27649698e97c5a9bebece892374b135d747906

  • SSDEEP

    98304:dZEFCwmXHQktlw2Kce26t+JhVWn2xxjsUf2hIzsbLTCuyC93ymWRNNxQbNt:daCf3tlKXqXWnAXfgIzK6uV5iN

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL (14 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-28_321a25c61bb513862f8fffb5db7a4489_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-28_321a25c61bb513862f8fffb5db7a4489_ryuk.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\2024-09-28_321a25c61bb513862f8fffb5db7a4489_ryuk.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-09-28_321a25c61bb513862f8fffb5db7a4489_ryuk.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI22042\_bz2.pyd

    Filesize

    87KB

    MD5

    4079b0e80ef0f97ce35f272410bd29fe

    SHA1

    19ef1b81a1a0b3286bac74b6af9a18ed381bf92c

    SHA256

    466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33

    SHA512

    21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67

  • C:\Users\Admin\AppData\Local\Temp\_MEI22042\_cpyHook.cp37-win_amd64.pyd

    Filesize

    32KB

    MD5

    3271deb52590ba75eadbd732e859ea51

    SHA1

    a001ed3664f9fb87a6b52411438157f4619f50fd

    SHA256

    dc80b2f6122ff5f6b8bb37068f602809e9d4e54eaed70b6ae5b22901c83b3993

    SHA512

    472d9dc42cceb0c569b8f40c3a9d5844dd131bad02e206f7f4fbdc48c6c109f770bd3a69af6d37482d2cea1a23bad58b1c1642caf905df056668127dc1c2adf8

  • C:\Users\Admin\AppData\Local\Temp\_MEI22042\_queue.pyd

    Filesize

    27KB

    MD5

    2325dab36242fc732c85914ab7ce25af

    SHA1

    b4a81b312b6e037a0aa4a2e2de5e331cb2803648

    SHA256

    2ffa512a2a369ccd3713419c6d4e36c2bd5d1967e046663d721d7e7ac9e4ab59

    SHA512

    13f92c90a81f5dfbc15cadfd31dbc30b5c72c93dc7ad057f4b211388c3a57ab070bd25c0f1212173a0772972b2d3aa2caedbfb7e3513ffc0d83a15dbc9198b87

  • C:\Users\Admin\AppData\Local\Temp\_MEI22042\_socket.pyd

    Filesize

    74KB

    MD5

    d7e7a7592338ce88e131f858a84deec6

    SHA1

    3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357

    SHA256

    4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5

    SHA512

    96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4

  • C:\Users\Admin\AppData\Local\Temp\_MEI22042\base_library.zip

    Filesize

    762KB

    MD5

    20599d591d36abf085ce3a66c9eaf91c

    SHA1

    15c08e84d605f2cc6f31802ea3343503df1657ba

    SHA256

    16931fea6e21fc24c95ec6f1357e112df8a3a425cde913f751418a0c9df7a0ee

    SHA512

    abcba50c921689fe25f2ece80db734563de22dc4381afb1395d365d0585bf923694a61eedbcff5890205400620f123f1af9ff1134a62800a9c49d5f14d898c3e

  • C:\Users\Admin\AppData\Local\Temp\_MEI22042\libcrypto-1_1-x64.dll

    Filesize

    2.4MB

    MD5

    022a61849adab67e3a59bcf4d0f1c40b

    SHA1

    fca2e1e8c30767c88f7ab5b42fe2bd9abb644672

    SHA256

    2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f

    SHA512

    94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

  • C:\Users\Admin\AppData\Local\Temp\_MEI22042\python37.dll

    Filesize

    3.7MB

    MD5

    62125a78b9be5ac58c3b55413f085028

    SHA1

    46c643f70dd3b3e82ab4a5d1bc979946039e35b2

    SHA256

    17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

    SHA512

    e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

  • C:\Users\Admin\AppData\Local\Temp\_MEI22042\pythoncom37.dll

    Filesize

    541KB

    MD5

    ab7cfb43a7144fce3649b631b6fedc0f

    SHA1

    26b886ad29141808cda441e91fef784478cbce2e

    SHA256

    1e767ae7f6541a388cc4208d0d5e65d57a04dc6fa10ebc99a1ca0e05fe86dd0e

    SHA512

    0389b986daf7d21e05a4546309ec85c6df4abd69ea346d44516d611a31771a049edff83e09471aa1bc488bd73fadf142e45d6a39ba843e4b7b417011671051de

  • C:\Users\Admin\AppData\Local\Temp\_MEI22042\pywintypes37.dll

    Filesize

    136KB

    MD5

    169ddd37486cb28e12afa1db2cfc1b41

    SHA1

    7359970f9dfac043e8e5dadc3d158407d8bde6cd

    SHA256

    d21c5db781fddcc10af680e1d31207d447a89c7f89a36a8ada9cd141b1bba114

    SHA512

    efc0e6b3b3cf41f8c1b0bdb340521fd5b3c30f54a06fc5cd7de1238b2a6a3fa303d30401ee594407853da04ea4f635ded59ead4cbcb6e0034f5f03b8f680d0a4

  • C:\Users\Admin\AppData\Local\Temp\_MEI22042\select.pyd

    Filesize

    26KB

    MD5

    c30e5eccf9c62b0b0bc57ed591e16cc0

    SHA1

    24aece32d4f215516ee092ab72471d1e15c3ba24

    SHA256

    56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268

    SHA512

    3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a

  • C:\Users\Admin\AppData\Local\Temp\_MEI22042\unicodedata.pyd

    Filesize

    1.0MB

    MD5

    7d1f105cf81820bb6d0962b669897dde

    SHA1

    6c4897147c05c6d6da98dd969bf84e12cc5682be

    SHA256

    71b13fd922190081d3aeec8628bd72858cc69ee553e16bf3da412f535108d0e4

    SHA512

    7546c3afb0440dc0e4c0f24d7b145a4f162cda72068cc51f7dc1a644454b645c0b3c954920c489b0748ba4c1ea2c34e86ba2565770e08077c2fdd02fd237f9d3

  • \Users\Admin\AppData\Local\Temp\_MEI22042\VCRUNTIME140.dll

    Filesize

    87KB

    MD5

    0e675d4a7a5b7ccd69013386793f68eb

    SHA1

    6e5821ddd8fea6681bda4448816f39984a33596b

    SHA256

    bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

    SHA512

    cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

  • \Users\Admin\AppData\Local\Temp\_MEI22042\_ctypes.pyd

    Filesize

    129KB

    MD5

    2f21f50d2252e3083555a724ca57b71e

    SHA1

    49ec351d569a466284b8cc55ee9aeaf3fbf20099

    SHA256

    09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

    SHA512

    e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

  • \Users\Admin\AppData\Local\Temp\_MEI22042\_hashlib.pyd

    Filesize

    38KB

    MD5

    c3b19ad5381b9832e313a448de7c5210

    SHA1

    51777d53e1ea5592efede1ed349418345b55f367

    SHA256

    bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc

    SHA512

    7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

  • \Users\Admin\AppData\Local\Temp\_MEI22042\_lzma.pyd

    Filesize

    251KB

    MD5

    a567a2ecb4737e5b70500eac25f23049

    SHA1

    951673dd1a8b5a7f774d34f61b765da2b4026cab

    SHA256

    a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d

    SHA512

    97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349
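The dropped-file list and process tree above are enough to fingerprint what was actually run, which the report itself does not spell out: `_MEI22042` is the temporary extraction directory of a PyInstaller one-file bundle, `python37.dll` and `base_library.zip` pin the interpreter to CPython 3.7, `pythoncom37.dll` and `pywintypes37.dll` come from pywin32, `_cpyHook.cp37-win_amd64.pyd` is the compiled half of the pyHook keyboard/mouse-hooking package, and the parent process (PID 2204) re-executing its own image as PID 2820 is the bootloader's normal one-file bootstrap rather than evidence of injection by itself. Nothing on the page ties the sample to a named family: the `_ryuk` suffix is part of the submitted file name, no signature names a family, and the Malware Config section is empty. The script below is an added example, not part of this report or of the sample; it re-types the process tree and dropped-file paths from the page as constructed inline data and automates that reasoning. It recovers the PID that owns the `_MEI` directory (the Windows bootloader passes `_MEI<pid>` to `_wtempnam` as a prefix and the C runtime appends a unique suffix, here `2`, so the suffix length is not fixed), detects the bundled interpreter version and third-party packages from file names, and emits capability hints. The marker tables are assumptions about conventional wheel contents, not a signature set.

```python
"""Added triage helper: fingerprint a PyInstaller one-file bundle from a sandbox
report's process tree and dropped-file list.  Not part of the report or sample."""
import re
from dataclasses import dataclass, field

# Constructed from the page's "Processes" section: the bootloader (2204)
# re-executes the same image as a child (2820).
IMAGE = r"C:\Users\Admin\AppData\Local\Temp\2024-09-28_321a25c61bb513862f8fffb5db7a4489_ryuk.exe"
PROCESSES = {2204: {"parent": None, "image": IMAGE},
             2820: {"parent": 2204, "image": IMAGE}}

# Constructed from the page's "Downloads" section (paths only, hashes omitted).
MEI = r"C:\Users\Admin\AppData\Local\Temp\_MEI22042"
DROPPED = [MEI + "\\" + n for n in (
    "_bz2.pyd", "_cpyHook.cp37-win_amd64.pyd", "_queue.pyd", "_socket.pyd",
    "base_library.zip", "libcrypto-1_1-x64.dll", "python37.dll", "pythoncom37.dll",
    "pywintypes37.dll", "select.pyd", "unicodedata.pyd", "VCRUNTIME140.dll",
    "_ctypes.pyd", "_hashlib.pyd", "_lzma.pyd")]

MEI_RE = re.compile(r"[\\/](_MEI\d+)[\\/]")
# Two-digit minimum so the stable-ABI stub python3.dll is not mistaken for a version.
PYTHON_DLL_RE = re.compile(r"^python(\d)(\d+)\.dll$", re.I)

# Lower-cased file-name prefixes that identify bundled packages / capabilities.
# Assumption: conventional wheel contents; a packer can rename them, so treat as hints.
PACKAGE_MARKERS = {"pywin32": ("pythoncom", "pywintypes"),
                   "pyHook": ("_cpyhook",),
                   "OpenSSL 1.1": ("libcrypto-1_1", "libssl-1_1")}
CAPABILITY_MARKERS = {"keyboard/mouse hooking": ("_cpyhook",),
                      "sockets": ("_socket.pyd",),
                      "hashing/crypto": ("_hashlib.pyd",),
                      "ctypes (raw Win32 calls)": ("_ctypes.pyd",)}


def _names(files):
    return [p.replace("/", "\\").rsplit("\\", 1)[-1].lower() for p in files]


def _matches(names, markers):
    return any(n.startswith(m) for n in names for m in markers)


def mei_owner_pid(path, processes):
    """PID that created the _MEI directory in `path`, or None.

    The bootloader's prefix is "_MEI<pid>" and _wtempnam appends a suffix of
    unknown length, so take the longest proper digit prefix that is a PID in
    the tree (_MEI22042 -> 2204 + "2").
    """
    m = MEI_RE.search(path)
    if not m:
        return None
    digits = m.group(1)[4:]
    for cut in range(len(digits) - 1, 0, -1):
        if int(digits[:cut]) in processes:
            return int(digits[:cut])
    return None


@dataclass
class BundleProfile:
    pyinstaller: bool = False
    python_version: str = ""
    packages: list = field(default_factory=list)
    capabilities: list = field(default_factory=list)
    mei_dirs: set = field(default_factory=set)


def fingerprint_bundle(files):
    names = _names(files)
    prof = BundleProfile()
    prof.mei_dirs = {m.group(1) for m in map(MEI_RE.search, files) if m}
    for n in names:
        m = PYTHON_DLL_RE.match(n)
        if m:
            prof.python_version = f"{m.group(1)}.{m.group(2)}"
    # A one-file build always drops base_library.zip next to the interpreter DLL.
    prof.pyinstaller = "base_library.zip" in names and bool(prof.python_version)
    prof.packages = [p for p, mk in PACKAGE_MARKERS.items() if _matches(names, mk)]
    prof.capabilities = [c for c, mk in CAPABILITY_MARKERS.items() if _matches(names, mk)]
    return prof


def triage(processes, dropped):
    prof = fingerprint_bundle(dropped)
    owners = sorted({mei_owner_pid(p, processes) for p in dropped} - {None})
    # Same image spawned by the _MEI owner: the normal one-file bootstrap,
    # not by itself evidence of injection.
    children = sorted(pid for pid, i in processes.items()
                      if i["parent"] in owners and i["image"] == processes[i["parent"]]["image"])
    findings = []
    if prof.pyinstaller:
        findings.append(f"PyInstaller one-file bundle, Python {prof.python_version}")
    findings += [f"{d} created by PID {owners}" for d in sorted(prof.mei_dirs)]
    if children:
        findings.append(f"bootloader re-executed its image as PID {children}")
    findings += [f"bundled package: {p}" for p in prof.packages]
    findings += [f"capability hint: {c}" for c in prof.capabilities]
    return {"profile": prof, "owners": owners, "child_pids": children, "findings": findings}


if __name__ == "__main__":
    for line in triage(PROCESSES, DROPPED)["findings"]:
        print(line)
```

Run it as-is to print the findings for this report, or swap in another report's process tree and dropped list. Two caveats: the bootloader deletes the `_MEI` directory when the parent exits, so collect the dropped files from the sandbox rather than expecting them on a live host; and the Python source is not among the dropped files at all, it stays inside the PYZ archive appended to the EXE, which pyinstxtractor can unpack from the original sample (`python pyinstxtractor.py <sample>`), after which the 3.7 `.pyc` files can be decompiled with decompyle3 or uncompyle6.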