Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-09-2024 10:22

General

  • Target

    2024-09-29_43c8bf767fb36d3f448c94196dfb53fb_ryuk.exe

  • Size

    3.0MB

  • MD5

    43c8bf767fb36d3f448c94196dfb53fb

  • SHA1

    3c08f701682b44894460c9250f8fc857e17412e4

  • SHA256

    72b95ace3c49e8d01a8ac419d3b60f509eeb19ea8269f4c1e7e9d4bc8d7ed07c

  • SHA512

    5c7c13029c51f1db3f12e1198cbee2af3de854a4971e7c422f6f4f59c490a7f910716db9a5678304ded8ddadb8fa57420ca9a010b4fc6ed254e780f8ac48f834

  • SSDEEP

    98304:KjczPu9LbmxCb6ib4WraIox9Xchfq9zbpGlOFngtMRMT:KjhBBWIox9XcAzNRgt1T

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-29_43c8bf767fb36d3f448c94196dfb53fb_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-29_43c8bf767fb36d3f448c94196dfb53fb_ryuk.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Auto.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Auto.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1000
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\StartAllBackCfg.exe
        StartAllBackCfg.exe /install
        3⤵
        • Executes dropped EXE
        PID:2312

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Auto.exe

    Filesize

    846KB

    MD5

    149034d4a5d59769062fb576f051d092

    SHA1

    8e4fce741e80828d4af046f1980186b7d652c0f6

    SHA256

    02213a2e40dd90a251b27566b7ffb25155368a418b67047096924aafec918cd9

    SHA512

    2b51f9c16db5947f9a6e822582b36da2e0d6eb74431a9f843c30a406ad3b1756324f0e3dc3e44525fb6dd832c2aa573ed678f5f71627f6d9362717c311bac809

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\StartAllBackCfg.exe

    Filesize

    3.3MB

    MD5

    ae74c5aa6b7054c312def92b2f33040c

    SHA1

    473b85b545c346b9ed5363b1c888a174942c5fed

    SHA256

    a322482b24b7f56f99fafb3940d5fa15a4bb55afe974a96077f36f074c5479fe

    SHA512

    4ec038b8862894d3f6a125f058ec8b5151d43631a18ea3761c182e7c3204e91ce5a1892a725cbc177d313e11c729bade9ce4495b290924492dd388a91d84548a