Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    28-11-2024 01:17

General

  • Target

    2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe

  • Size

    161KB

  • MD5

    b955a003f7365e8c50687d0901d9dbf8

  • SHA1

    760314c901d81a85f74213185d2a28eec4f2007b

  • SHA256

    26f90bcfd6a4439369da73ceebea471fdc8d5cdaca9c1ce260b43b3410ef77d2

  • SHA512

    50395286d5b5e65538cfb7c15c46cb5c718ea106571fe6700c123e3e974dd6a5520971699daa0c4b762f2e1e5d9e334b37fac2260e8f2b84abed8a4cb8b03061

  • SSDEEP

    3072:DzpdNvL55JguE/075wkp/rJWT2fmFSYaz86VFbBBJfq9YaQ6OvL8:HT955Jxi07T5rJBfmI0X

Malware Config

Signatures

  • Possible privilege escalation attempt 3 IoCs
  • Deletes itself 1 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 1 IoCs
  • Modifies termsrv.dll 1 TTPs 1 IoCs

    Commonly used to allow simultaneous RDP sessions.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-28_b955a003f7365e8c50687d0901d9dbf8_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Modifies termsrv.dll
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\Terminal server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
      2⤵
        PID:2516
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Windows\system32\termsrv.dll"
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1740
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\system32\termsrv.dll" /grant Administrators:F
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2372
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\system32\termsrv.dll" /grant "Admin":F
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2260
      • C:\Windows\system32\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\Kill.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c sc queryex termservice
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Windows\system32\sc.exe
            sc queryex termservice
            4⤵
            • Launches sc.exe
            PID:2728
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c taskkill /pid 0 /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2884
          • C:\Windows\system32\taskkill.exe
            taskkill /pid 0 /f
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2848
      • C:\Windows\system32\taskkill.exe
        taskkill /f /fi "MODULES eq termsrv.dll"
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2624
      • C:\Windows\system32\net.exe
        net start termservice
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 start termservice
          3⤵
            PID:2588
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\Killme.bat" "
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2456
          • C:\Windows\system32\timeout.exe
            timeout 5
            3⤵
            • Delays execution with timeout.exe
            PID:1096
          • C:\Windows\system32\cmd.exe
            cmd /c del "C:\Users\Admin\AppData\Local\Temp\Killme.bat"
            3⤵
              PID:2840

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\Kill.bat

          Filesize

          264B

          MD5

          cf7acc3b9a514d6334e2e6e349a93b05

          SHA1

          b9e2f3556ada80d1cbdb2f5d5108c9273a2f1d8d

          SHA256

          748422d881ae7da2a1767636f54502ac8045fdb681d27ecaebbdbdb7246d240e

          SHA512

          8a494de0b7bc23d90e51d883ff1468ef09355ccb60ee4ea606f918042153beee09c60d56478bb3aa9b15fd6f20ed8ef98ef6d747803f12dca2aa7b8930bfbae5

        • C:\Users\Admin\AppData\Local\Temp\Killme.bat

          Filesize

          132B

          MD5

          0ec0fa2b8c804ce48c8b60e4c6843868

          SHA1

          79da378ec6a7941be48552b17893daa964e06a03

          SHA256

          bfb0aa89ca798cd52234676246779783fe76a6bc08446e654d143fb513121511

          SHA512

          b0cc05add08d2c2ac3051160bb3a5cce847bc4ccb560901862aa6ccec571398a417cd515e77a4b85bf232b1e6503f76d23f8681d00794fdcd32724587f19186e

        • C:\Users\Admin\AppData\Local\Temp\text.txt

          Filesize

          340B

          MD5

          b97400b07b9e6925afb596b5ef574190

          SHA1

          050c835f701e056970550a37d22eafbe790f2d91

          SHA256

          13a84fc292b020db3afcb9e0cbfdc737ae9767de10c2bb382369a530db113ae9

          SHA512

          13fdaaea4459e6734db8fe9eb66905d2b431eb5bf09148f65c0bed38b436a8ca0c345f2a079751fdd62c866f884ee1317b500ae522d7646b76301350c3d0f581

        • C:\Windows\System32\termsrv.dll

          Filesize

          665KB

          MD5

          fe373a760450b27e6a92db01eba9395f

          SHA1

          c7b78b3f61c3e579d785a5cbf31e3875f9c470a7

          SHA256

          9e9216d5a4f1276fc5d2d61a41919ad12a703a08bc784bec7321f409135f3723

          SHA512

          0a1fc093d6d208960fc0e152d790af92ead392cce3f313033f9b55fa48bcac53632c9a225cefb335e5998cc067e76a1b048fa9d794dd4d5bc846f3bacdcda907