Analysis Overview
SHA256
33a32609cb5acf54abeef9eed08d24a03dfd138ddd4b6132c8add72d8232b43a
Threat Level: Known bad
The file 2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk was found to be: Known bad.
Malicious Activity Summary
An open source browser data exporter written in golang.
HackBrowserData
Blocklisted process makes network request
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Unsigned PE
Browser Information Discovery
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-08 03:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-08 03:56
Reported
2024-10-08 06:24
Platform
win7-20240903-en
Max time kernel
122s
Max time network
130s
Command Line
Signatures
An open source browser data exporter written in golang.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
HackBrowserData
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Reads user/profile data of web browsers
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs"
C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ha.bat" "
C:\Windows\system32\cmd.exe
cmd /c "start "" .\toboot\hack-browser-data.exe -f json --dir res --zip"
C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe
.\toboot\hack-browser-data.exe -f json --dir res --zip
C:\Windows\system32\timeout.exe
timeout /t 4
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Compress-Archive -Path ".\res" -DestinationPath .\res.zip -CompressionLevel Fastest -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -file "HBDSend.ps1"
C:\Windows\system32\timeout.exe
timeout /t 4
Network
Files
C:\Users\Admin\AppData\Local\Temp\.git\logs\refs\remotes\origin\HEAD
| Hash | Value |
| --- | --- |
| MD5 | 161010715d0c362173bf20c28c2fd9b7 |
| SHA1 | f80849d90d3a9843a658e5560f000f97fc4d8d01 |
| SHA256 | de309dabda86493c2e3260c1e17dd794211789121ffbd93a291909d48a5697e7 |
| SHA512 | c7599a1d21226e3fb73e669a9451b14dfc6d0d9ce6866bc382e32c645f79671f6457b15cf5e377006bc14f3cd8dd7754a5ff1e4496c1bb4129d7d271ff2293c4 |
C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs
| Hash | Value |
| --- | --- |
| MD5 | 8cb717954c207bc5d1866f0b91f3705b |
| SHA1 | bb2eb348bbaae1c03f0e8a69fe632acf3654906d |
| SHA256 | 5098540013c04d7a204e5ccd000d0342e2724b2a5747c6cde3423c33670e7125 |
| SHA512 | 28671621ebc6b0e2ef08d910770463935f484b3a2bbf2f2d902436856ca63dfefb1d4c5c57bb0eb84d973295bf7dccf4767a72ed26b62f9b7476c5ac51b858bd |
C:\Users\Admin\AppData\Local\Temp\ha.bat
| Hash | Value |
| --- | --- |
| MD5 | fddf7e3115d866f57c8ee7c39faba7c7 |
| SHA1 | 380fd6c70888e59b3e6422b482bd993a1c6f4092 |
| SHA256 | 58eba8234f52ee4f5cb65bcc38f612fcd0025fbfaaa092f994aa0af02c2623cd |
| SHA512 | 3efc29aab85d86e83f533baadd275b4692eef50cf1cd600fc6bd27f110bfc0494353ed99679e9e93e3cdc119ea05161cb35906855ad8dedcf6f2324f87041d55 |
C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe
| Hash | Value |
| --- | --- |
| MD5 | 6c66514d0e3b4cf5a2e4c2844efcb1f3 |
| SHA1 | 682d46485ce44e719309f80483221d82011c3779 |
| SHA256 | 7374c9b387000b813be75e10c2b988bf8d892985de63eb7446e11ceb225312e8 |
| SHA512 | 4ca2657b47f145db2b162428ed057b52260a0db6758bf21803d75c6451914918f6392a4f8eb4216929e9feac1da70c161bd5ff61878d328863c9267c798c81a5 |
C:\Users\Admin\AppData\Local\Temp\chromiumKey
| Hash | Value |
| --- | --- |
| MD5 | 068616c682ecf110e197df944c8e91a5 |
| SHA1 | 34e6742941f8c169e0748d24a1b250bdaebc8fe3 |
| SHA256 | c26e61d6f32eba06f51d8bf7dc51fa8b5092d95141696e0d38909ae611675cc0 |
| SHA512 | 7b352babd9abd73c7b9857b08a245d4971cda801e6fb0e215cb5f1b588a42573faf526bfa750a18430c329bc517d61c0deec42ff0dd88022b32bd6b20cd3a30f |
memory/1496-216-0x000000013F2C0000-0x000000014074E000-memory.dmp
memory/1852-221-0x000000001B380000-0x000000001B662000-memory.dmp
memory/1852-222-0x0000000001FC0000-0x0000000001FC8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| Hash | Value |
| --- | --- |
| MD5 | f43d80a30a7b0b576b1a75b79451ba6d |
| SHA1 | 2bdc955a39946779f0c40e1c86d7416565f0f3a6 |
| SHA256 | 97081cd1ff330ea118f919e4a6fa81ff8cf82ea1d0ec69ee8c0928a3702210b8 |
| SHA512 | 3ca728b8047fad191cb126c8249200ac9c92299675d2d5c04f5754baf56b41e332bbfb751062f45e8d882bbee9451d4d84ecd73fcc5e5346ad235d5178968484 |
memory/2892-228-0x000000001B2E0000-0x000000001B5C2000-memory.dmp
memory/2892-229-0x00000000022A0000-0x00000000022A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HBDSend.ps1
| Hash | Value |
| --- | --- |
| MD5 | 4802a57c6fccba23e67bc66c31356d4f |
| SHA1 | fc030aa0f325b17643f58c2659c0742890d9f3d7 |
| SHA256 | 5578ae9942d3aeba7898924a489752dd6c209d4b22cbbdb2eb5f946c61d0df35 |
| SHA512 | 9c2843455b90f14393ff1f6e7b0736607ba16a0e89eef4a9f0d6b7affd3430b2b6dcf87d588758f99d3ae29fcb365e584e40d760024dd1ea2108b3d9190d0b0a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-08 03:56
Reported
2024-10-08 10:55
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
103s
Command Line
Signatures
An open source browser data exporter written in golang.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
HackBrowserData
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe | N/A |
Reads user/profile data of web browsers
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-08_fc98f5d0bc1552483a44c85d53384a6e_ryuk.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ha.bat" "
C:\Windows\system32\cmd.exe
cmd /c "start "" .\toboot\hack-browser-data.exe -f json --dir res --zip"
C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe
.\toboot\hack-browser-data.exe -f json --dir res --zip
C:\Windows\system32\timeout.exe
timeout /t 4
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Compress-Archive -Path ".\res" -DestinationPath .\res.zip -CompressionLevel Fastest -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -file "HBDSend.ps1"
C:\Windows\system32\timeout.exe
timeout /t 4
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | smtp.mail.ru | udp |
| RU | 94.100.180.160:587 | smtp.mail.ru | tcp |
| US | 8.8.8.8:53 | 160.180.100.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\.git\logs\refs\remotes\origin\HEAD
| Hash | Value |
| --- | --- |
| MD5 | 161010715d0c362173bf20c28c2fd9b7 |
| SHA1 | f80849d90d3a9843a658e5560f000f97fc4d8d01 |
| SHA256 | de309dabda86493c2e3260c1e17dd794211789121ffbd93a291909d48a5697e7 |
| SHA512 | c7599a1d21226e3fb73e669a9451b14dfc6d0d9ce6866bc382e32c645f79671f6457b15cf5e377006bc14f3cd8dd7754a5ff1e4496c1bb4129d7d271ff2293c4 |
C:\Users\Admin\AppData\Local\Temp\hideCMD.vbs
| Hash | Value |
| --- | --- |
| MD5 | 8cb717954c207bc5d1866f0b91f3705b |
| SHA1 | bb2eb348bbaae1c03f0e8a69fe632acf3654906d |
| SHA256 | 5098540013c04d7a204e5ccd000d0342e2724b2a5747c6cde3423c33670e7125 |
| SHA512 | 28671621ebc6b0e2ef08d910770463935f484b3a2bbf2f2d902436856ca63dfefb1d4c5c57bb0eb84d973295bf7dccf4767a72ed26b62f9b7476c5ac51b858bd |
C:\Users\Admin\AppData\Local\Temp\ha.bat
| Hash | Value |
| --- | --- |
| MD5 | fddf7e3115d866f57c8ee7c39faba7c7 |
| SHA1 | 380fd6c70888e59b3e6422b482bd993a1c6f4092 |
| SHA256 | 58eba8234f52ee4f5cb65bcc38f612fcd0025fbfaaa092f994aa0af02c2623cd |
| SHA512 | 3efc29aab85d86e83f533baadd275b4692eef50cf1cd600fc6bd27f110bfc0494353ed99679e9e93e3cdc119ea05161cb35906855ad8dedcf6f2324f87041d55 |
C:\Users\Admin\AppData\Local\Temp\toboot\hack-browser-data.exe
| Hash | Value |
| --- | --- |
| MD5 | 6c66514d0e3b4cf5a2e4c2844efcb1f3 |
| SHA1 | 682d46485ce44e719309f80483221d82011c3779 |
| SHA256 | 7374c9b387000b813be75e10c2b988bf8d892985de63eb7446e11ceb225312e8 |
| SHA512 | 4ca2657b47f145db2b162428ed057b52260a0db6758bf21803d75c6451914918f6392a4f8eb4216929e9feac1da70c161bd5ff61878d328863c9267c798c81a5 |
C:\Users\Admin\AppData\Local\Temp\chromiumKey
| Hash | Value |
| --- | --- |
| MD5 | 958a1ff72044f30f68af82e585733974 |
| SHA1 | 9ac41e433578b0e8aaa2f4b8ca7cb228d9d412f3 |
| SHA256 | d53a7c0b594df00f6c490776af5e2f4697c585a470eb9d2c5d77292722756eaf |
| SHA512 | de9d693a3c8ae4c6814427120bb163737e7714bec98d5c2a825e163addfd497818a9ba9c55b5ca2bddf5b4b2f1ba9588586b2a96405ee443b8babf2433d98256 |
C:\Users\Admin\AppData\Local\Temp\localStorage\CURRENT
| Hash | Value |
| --- | --- |
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
memory/1264-262-0x00007FF70BCD0000-0x00007FF70D15E000-memory.dmp
memory/4256-268-0x00000223589B0000-0x00000223589D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ssqlpobn.fq3.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4256-273-0x0000022358A50000-0x0000022358A62000-memory.dmp
memory/4256-274-0x00000223589F0000-0x00000223589FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\res\firefox_42vejdix_default_release_bookmark.json
| Hash | Value |
| --- | --- |
| MD5 | be3ef38a5549839f142b69e300d32859 |
| SHA1 | 0d5f559740bbdafbb8ba682ce3c36ad5ad2d9729 |
| SHA256 | 2cf82dab7376ec4da21b96f13cc93f485ca648d39be003774f7a77ca130e0a58 |
| SHA512 | ea9734b74c666ef127d28358c72b6fb79fccc5bb59d81a52b15865fd2760101e91b958944d95b02818859b4d4b608748e4a68160dfe2a729b038803606b4242a |
C:\Users\Admin\AppData\Local\Temp\res\firefox_42vejdix_default_release_extension.json
| Hash | Value |
| --- | --- |
| MD5 | c69904bff2d0e3fdae0d5fcda30ef19d |
| SHA1 | fead75d0019382bfe4250c1c05c69f8845cb1f77 |
| SHA256 | 0151f2d1ed4d991e25f8e657eced0406b0fe4011a34013dbe5eff7809e80061d |
| SHA512 | 406733f0f5f0b8f9d3e898b28b1f89be35e48a86391ed317b0f9e60aebdd1f9581acf3863c8490c3dcb72ed989aed5b33458e5553944968ce318e5ac850c3c77 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| Hash | Value |
| --- | --- |
| MD5 | fe3aab3ae544a134b68e881b82b70169 |
| SHA1 | 926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6 |
| SHA256 | bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b |
| SHA512 | 3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | c86ee90124c6374bc4c440a308eceb38 |
| SHA1 | b2075096ffa0abb9ba5abb0348e921e03fdf97b1 |
| SHA256 | 99412b05f5ff937533a9c7dfc5ae65a4626c8f7f8b985c0b3a1e0ab5933863c8 |
| SHA512 | 3dfadcd144a269cdf379aeb7f911642823e0426cda40cd231d90360f2aef7f6e49e68e0eaf742327ea3422a373128fb9652f8a361caa6ba99b8623eef1c6b8de |
C:\Users\Admin\AppData\Local\Temp\HBDSend.ps1
| Hash | Value |
| --- | --- |
| MD5 | 4802a57c6fccba23e67bc66c31356d4f |
| SHA1 | fc030aa0f325b17643f58c2659c0742890d9f3d7 |
| SHA256 | 5578ae9942d3aeba7898924a489752dd6c209d4b22cbbdb2eb5f946c61d0df35 |
| SHA512 | 9c2843455b90f14393ff1f6e7b0736607ba16a0e89eef4a9f0d6b7affd3430b2b6dcf87d588758f99d3ae29fcb365e584e40d760024dd1ea2108b3d9190d0b0a |
C:\Users\Admin\AppData\Local\Temp\res.zip
| Hash | Value |
| --- | --- |
| MD5 | da4955f00150bd6659d9fede22cdb031 |
| SHA1 | b62d735d547383fc8cd99a39ec8b09373dd0aee7 |
| SHA256 | 7b2ca17aef33a27c0a304a1db291d62510e6bac8470354d8a20508ad5827dccd |
| SHA512 | aa657169a85d1ac7c5691a7c3eed6cad19bd6c6671f246045bcc3c94df7338a5bd4a0a382588d98539b6c106ec38997a24ea14f25c67b2d564c1197e54e86e09 |