General
Target: 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver
Size: 2.9MB
Sample: 241012-w4l2tsvbqg
MD5: 31c7fa68b69d8d229a6e9daa2949d895
SHA1: 2f5593e25a34cbb303901bce8942a8505ba2a38f
SHA256: 5036a62e5049d149c98856687b229e522f01c0db515a05e650b9ab40ca840e6f
SHA512: 7fc7bff771c3bcc75ad95eafc762f344c06b5373f70eb7c43c81125b40cb2f3f952036c89a6bccb4aa53481f3f23f401eb9d7a56d9d0b1eaa48c3597fe2f7c37
SSDEEP: 49152:JyEEFoRjQ86ctQAWrk9k+PhBFB3FFIBoYCIYSMFvf0VQc9pdQPp:Jnj36pUk0TkfYiQ/p
Behavioral task
behavioral1
Sample: 2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver.exe
Resource: win7-20240903-en
Malware Config
Extracted: meshagent
Home: http://control.tautolo.gy:443/agent.ashx
mesh_id: 0x18936942A3E5AE65DF8836B6EEFA3FD5DD375127CA3DA1852C2EC2DBA43786A498AA27456851B49C48A8683629B450EB
server_id: 08C4CDB1491A60BC30D0136004508FDDA3818CAB78A02628E44948AE98F2E0A2B4D87C34CBD4C18D959886F9B49EB33A
wss: wss://control.tautolo.gy:443/agent.ashx
Both URLs point at the same host, port and path (control.tautolo.gy, 443, /agent.ashx); the wss entry is the agent's WebSocket control channel, and the Home entry is written with an http scheme on port 443. Note that the file name carries "ryuk" and "sliver" tags, but the only configuration extracted from the sample is a MeshAgent one, which is the indicator to act on.
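The extracted MeshAgent configuration is only useful once it is turned into indicators that can be matched against telemetry. The script below is an added example, not part of the report and not MeshAgent or MeshCentral code: it parses the key/value pairs exactly as listed above, normalises the two identifiers, derives host/port/path indicators from the Home and wss URLs, and matches them against a few constructed proxy log lines. The key=value input layout, the proxy log format, and the assumption that mesh_id and server_id are 48-byte hex identifiers are mine.

```python
"""Turn the MeshAgent configuration above into network indicators.

Added example; not part of the sandbox report or of MeshAgent/MeshCentral.
The config text is the report's values in a key=value layout of my own;
the proxy log lines are constructed.
"""
import re
from urllib.parse import urlparse

# Values copied from the "Malware Config" section; key=value layout is assumed.
EXTRACTED_CONFIG = """
Home=http://control.tautolo.gy:443/agent.ashx
mesh_id=0x18936942A3E5AE65DF8836B6EEFA3FD5DD375127CA3DA1852C2EC2DBA43786A498AA27456851B49C48A8683629B450EB
server_id=08C4CDB1491A60BC30D0136004508FDDA3818CAB78A02628E44948AE98F2E0A2B4D87C34CBD4C18D959886F9B49EB33A
wss=wss://control.tautolo.gy:443/agent.ashx
"""

# Assumption: both IDs are 48-byte values rendered as 96 hex digits.
ID_HEX_LEN = 96


def parse_config(text):
    """Parse key=value lines into a dict with lower-cased keys."""
    cfg = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        cfg[key.strip().lower()] = value.strip()
    return cfg


def normalize_id(value):
    """Strip an optional 0x prefix, upper-case, and enforce the 48-byte length."""
    hexpart = value[2:] if value.lower().startswith("0x") else value
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % ID_HEX_LEN, hexpart):
        raise ValueError("unexpected identifier format: %s" % value[:16])
    return hexpart.upper()


def indicators(cfg):
    """Derive host/port/path/URL indicators plus normalised IDs from the config."""
    ioc = {"hosts": set(), "ports": set(), "paths": set(), "urls": set()}
    for key in ("home", "wss"):
        if key not in cfg:
            continue
        url = urlparse(cfg[key])
        ioc["urls"].add(cfg[key])
        ioc["hosts"].add(url.hostname)
        ioc["ports"].add(url.port or (443 if url.scheme in ("https", "wss") else 80))
        ioc["paths"].add(url.path)
    ioc["mesh_id"] = normalize_id(cfg["mesh_id"])
    ioc["server_id"] = normalize_id(cfg["server_id"])
    return ioc


# Constructed proxy log: timestamp, client, method, target, status.
PROXY_LOG = [
    "2024-10-12T10:01:03Z 10.0.0.15 GET http://control.tautolo.gy:443/agent.ashx 101",
    "2024-10-12T10:01:10Z 10.0.0.15 GET https://update.microsoft.com/ 200",
    "2024-10-12T10:02:41Z 10.0.0.22 CONNECT control.tautolo.gy:443 200",
]


def matching_log_lines(lines, ioc):
    """Return log lines whose target host is one of the configured C2 hosts."""
    hits = []
    for line in lines:
        target = line.split()[3]
        # CONNECT targets are bare host:port; prefix // so urlparse sees a netloc.
        host = urlparse(target if "://" in target else "//" + target).hostname
        if host in ioc["hosts"]:
            hits.append(line)
    return hits


if __name__ == "__main__":
    ioc = indicators(parse_config(EXTRACTED_CONFIG))
    print("hosts:", sorted(ioc["hosts"]), "ports:", sorted(ioc["ports"]), "paths:", sorted(ioc["paths"]))
    for hit in matching_log_lines(PROXY_LOG, ioc):
        print("C2 contact:", hit)
```

The hostname match deliberately ignores scheme and path, because the Home entry uses http on port 443 while the live channel is wss on the same port; matching on host alone catches the CONNECT tunnel as well as the upgrade request.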
Targets
2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver (2.9MB; hashes as listed under General)
Signatures
- Detects MeshAgent payload
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
- Create or Modify System Process: Windows Service (T1543.003)
- Event Triggered Execution: Netsh Helper DLL (T1546.007)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
- Create or Modify System Process: Windows Service (T1543.003)
- Event Triggered Execution: Netsh Helper DLL (T1546.007)
The same three sub-techniques appear under both tactics because ATT&CK assigns each of them to Persistence and Privilege Escalation alike; each was matched by one signature in this run.
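Apart from the dropped file, every signature and ATT&CK mapping above is a registry write and can be checked against registry value-set telemetry. The script below is an added example, not part of the report: it runs a small rule set (Run keys, service ImagePath, NetSh helper registration, FirewallPolicy changes) over constructed records shaped like Sysmon Event ID 13 and groups the hits by tactic the way the table above does. The field names, the service name MeshSvc, the file paths and the firewall rule string are constructed; the technique IDs are the ATT&CK sub-technique IDs for the names listed in the report, plus T1562.004 for the firewall change, which the report lists as a signature but not in its ATT&CK table.

```python
"""Match registry value-set events against the persistence behaviours above.

Added example; not part of the sandbox report. Event records imitate the
fields of Sysmon Event ID 13 (RegistryEvent, value set) but are constructed.
"""
import re

# (signature, ATT&CK id, regex on the target key, optional regex on the written data)
RULES = [
    ("Registry Run key written", "T1547.001",
     r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", None),
    ("Service ImagePath set", "T1543.003",
     r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+\\ImagePath$", None),
    ("Netsh helper DLL registered", "T1546.007",
     r"^HKLM\\SOFTWARE\\Microsoft\\NetSh\\[^\\]+$", r"\.dll$"),
    ("Windows Firewall policy changed", "T1562.004",
     r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\", None),
]
COMPILED = [(name, tech, re.compile(key_re, re.I), re.compile(det_re, re.I) if det_re else None)
            for name, tech, key_re, det_re in RULES]

# Tactics each technique belongs to (matches the report's table; firewall added).
TACTICS = {
    "T1547.001": ("Persistence", "Privilege Escalation"),
    "T1543.003": ("Persistence", "Privilege Escalation"),
    "T1546.007": ("Persistence", "Privilege Escalation"),
    "T1562.004": ("Defense Evasion",),
}

# Constructed events; paths, names and the rule GUID are placeholders, not from the report.
EVENTS = [
    {"image": r"C:\Windows\System32\services.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\MeshSvc\ImagePath",
     "details": r'"C:\Windows\System32\agent.exe"'},
    {"image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\NetSh\helper",
     "details": r"C:\Windows\System32\helper.dll"},
    {"image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\victim\AppData\Roaming\updater.exe"},
    {"image": r"C:\Windows\System32\netsh.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{5B1C9F2A-0000-4000-8000-000000000001}",
     "details": r"v2.30|Action=Allow|Active=TRUE|Dir=In|App=C:\Windows\System32\agent.exe|"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Word\Options\LastUsed",
     "details": "1"},
]


def classify(event):
    """Return the (signature, technique) pairs a single event matches."""
    hits = []
    for name, tech, key_re, det_re in COMPILED:
        if not key_re.search(event["key"]):
            continue
        if det_re is not None and not det_re.search(event["details"]):
            continue
        hits.append((name, tech))
    return hits


def scan(events):
    """Run every rule over every event and return flat findings in event order."""
    findings = []
    for event in events:
        for name, tech in classify(event):
            findings.append({"image": event["image"], "key": event["key"],
                             "signature": name, "technique": tech})
    return findings


def tactic_summary(findings):
    """Group matched technique IDs by tactic, as the ATT&CK table above does."""
    summary = {}
    for finding in findings:
        for tactic in TACTICS[finding["technique"]]:
            summary.setdefault(tactic, set()).add(finding["technique"])
    return summary


if __name__ == "__main__":
    results = scan(EVENTS)
    for finding in results:
        print(finding["technique"], finding["signature"], "<-", finding["image"])
    for tactic, techs in sorted(tactic_summary(results).items()):
        print(tactic + ":", ", ".join(sorted(techs)))
```

The NetSh rule requires the written data to end in .dll because the key alone is also touched by legitimate helper registrations with non-DLL data; the service rule anchors on ImagePath so that the FirewallPolicy subtree under Services\SharedAccess does not also fire it.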