Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-10-2024 13:22
Behavioral task
behavioral1
Sample
2024-10-10_2c3ff8c08803479c3b67e14d97663c32_ryuk_sliver.exe
Resource
win7-20240903-en
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-10-10_2c3ff8c08803479c3b67e14d97663c32_ryuk_sliver.exe
Resource
win10v2004-20241007-en
2 signatures
150 seconds
General
-
Target
2024-10-10_2c3ff8c08803479c3b67e14d97663c32_ryuk_sliver.exe
-
Size
3.3MB
-
MD5
2c3ff8c08803479c3b67e14d97663c32
-
SHA1
4e50384d68a46917f9dc010c09e7d18770191c2a
-
SHA256
ee8f0d0fb2da84a19329cacba86cc02145621a89fab37cbb5ca2fdaa0270cb8c
-
SHA512
9dab3ac87523e4910ae1ecc886dafce7cdad5caa990c578900dc150c41057d031a25841eeb286f0d4d569d969a97bc071eec48a05d430e3415029ccebafd36d1
-
SSDEEP
49152:2X3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Qk:2lRsZ47/QXoHUOfAoj1x6k
Score
1/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
wmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 1192 wmic.exe Token: SeSecurityPrivilege 1192 wmic.exe Token: SeTakeOwnershipPrivilege 1192 wmic.exe Token: SeLoadDriverPrivilege 1192 wmic.exe Token: SeSystemProfilePrivilege 1192 wmic.exe Token: SeSystemtimePrivilege 1192 wmic.exe Token: SeProfSingleProcessPrivilege 1192 wmic.exe Token: SeIncBasePriorityPrivilege 1192 wmic.exe Token: SeCreatePagefilePrivilege 1192 wmic.exe Token: SeBackupPrivilege 1192 wmic.exe Token: SeRestorePrivilege 1192 wmic.exe Token: SeShutdownPrivilege 1192 wmic.exe Token: SeDebugPrivilege 1192 wmic.exe Token: SeSystemEnvironmentPrivilege 1192 wmic.exe Token: SeRemoteShutdownPrivilege 1192 wmic.exe Token: SeUndockPrivilege 1192 wmic.exe Token: SeManageVolumePrivilege 1192 wmic.exe Token: 33 1192 wmic.exe Token: 34 1192 wmic.exe Token: 35 1192 wmic.exe Token: 36 1192 wmic.exe Token: SeIncreaseQuotaPrivilege 1192 wmic.exe Token: SeSecurityPrivilege 1192 wmic.exe Token: SeTakeOwnershipPrivilege 1192 wmic.exe Token: SeLoadDriverPrivilege 1192 wmic.exe Token: SeSystemProfilePrivilege 1192 wmic.exe Token: SeSystemtimePrivilege 1192 wmic.exe Token: SeProfSingleProcessPrivilege 1192 wmic.exe Token: SeIncBasePriorityPrivilege 1192 wmic.exe Token: SeCreatePagefilePrivilege 1192 wmic.exe Token: SeBackupPrivilege 1192 wmic.exe Token: SeRestorePrivilege 1192 wmic.exe Token: SeShutdownPrivilege 1192 wmic.exe Token: SeDebugPrivilege 1192 wmic.exe Token: SeSystemEnvironmentPrivilege 1192 wmic.exe Token: SeRemoteShutdownPrivilege 1192 wmic.exe Token: SeUndockPrivilege 1192 wmic.exe Token: SeManageVolumePrivilege 1192 wmic.exe Token: 33 1192 wmic.exe Token: 34 1192 wmic.exe Token: 35 1192 wmic.exe Token: 36 1192 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
2024-10-10_2c3ff8c08803479c3b67e14d97663c32_ryuk_sliver.exedescription pid process target process PID 3836 wrote to memory of 1192 3836 2024-10-10_2c3ff8c08803479c3b67e14d97663c32_ryuk_sliver.exe wmic.exe PID 3836 wrote to memory of 1192 3836 2024-10-10_2c3ff8c08803479c3b67e14d97663c32_ryuk_sliver.exe wmic.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-10_2c3ff8c08803479c3b67e14d97663c32_ryuk_sliver.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-10_2c3ff8c08803479c3b67e14d97663c32_ryuk_sliver.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1192