e7aecf1668556558425be17668b50442f8f7acd5de44bb2ef2bb0be355eb2383

Analysis

max time kernel
95s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-29_cac5aaee421a3a4fb1b81f749842ff41_hijackloader_ryuk.exe
Size

1.0MB
MD5

cac5aaee421a3a4fb1b81f749842ff41
SHA1

1b4f4074d85a139e58c9c29ac6e240ccaa901652
SHA256

e7aecf1668556558425be17668b50442f8f7acd5de44bb2ef2bb0be355eb2383
SHA512

3da0791f2dc98374dcb619625307e06f79c325b13b4ac276c9af9ecb8308b71a2835f02ff50769db4f0eb4e118f5be39910792e3d1bbc8c646bfb5b9676b8eb7
SSDEEP

24576:IoHL7iXdBlqZR/Fo90aUVbhTeVX28LaTlgl1P33d6:Ior7k5qZR/PaUVbhTeSgfvM

Score

5^/10

evasion trojan

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\Macromed\Temp\{0FF42D52-D42B-4F5A-89BF-A6AA41EAC131}\fpb.tmp	2024-09-29_cac5aaee421a3a4fb1b81f749842ff41_hijackloader_ryuk.exe

Loads dropped DLL 1 IoCs

pid	Process
3132	2024-09-29_cac5aaee421a3a4fb1b81f749842ff41_hijackloader_ryuk.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2024-09-29_cac5aaee421a3a4fb1b81f749842ff41_hijackloader_ryuk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3132	2024-09-29_cac5aaee421a3a4fb1b81f749842ff41_hijackloader_ryuk.exe
3132	2024-09-29_cac5aaee421a3a4fb1b81f749842ff41_hijackloader_ryuk.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3132	2024-09-29_cac5aaee421a3a4fb1b81f749842ff41_hijackloader_ryuk.exe

C:\Users\Admin\AppData\Local\Temp\2024-09-29_cac5aaee421a3a4fb1b81f749842ff41_hijackloader_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-29_cac5aaee421a3a4fb1b81f749842ff41_hijackloader_ryuk.exe"
1⤵
- Drops file in System32 directory
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\Macromed\Temp\{0FF42D52-D42B-4F5A-89BF-A6AA41EAC131}\fpb.tmp

Filesize
685KB

MD5
e77053c955bdef7c53107a3e948087a2

SHA1
7ae9b78aa23bca5fa2541fadcfa4081501fb1547

SHA256
9e2232486c42dc5bbc26ce171a978ec5657a007a0d0f26c8e31ccaa899bd3981

SHA512
2200af85187ae1358665fe1693d3fd7e6913699cacf954c23c6cd07e85d6fcfaa13c78f1c32b58b653c607c82a29f5c5c4344b8e34e3b29eb54eea4dc6b2c72e

Download Submit