e85fddfefe038db913c23f059dd0247160e38bb0ed35a7b79812be209919098d

Analysis

max time kernel
93s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_5b111e03e3a1ae1fa39b8975fce007b6_ismagent_ryuk_sliver.exe
Size

3.3MB
MD5

5b111e03e3a1ae1fa39b8975fce007b6
SHA1

b7caf05df20214f600d6911f78bb6e0c8e14a8d1
SHA256

e85fddfefe038db913c23f059dd0247160e38bb0ed35a7b79812be209919098d
SHA512

62393387acdedc62ccffafeb159b3709250670ed03fcecb9c67536c0548667be1f3280e12e19f2a2db27ecf817ccebb647e4a3844d8a3df44c83a750af3b5f02
SSDEEP

49152:6X3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Qt:6lRsZ47/QXoHUOfAoj1x6t

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3828	wmic.exe
Token: SeSecurityPrivilege	3828	wmic.exe
Token: SeTakeOwnershipPrivilege	3828	wmic.exe
Token: SeLoadDriverPrivilege	3828	wmic.exe
Token: SeSystemProfilePrivilege	3828	wmic.exe
Token: SeSystemtimePrivilege	3828	wmic.exe
Token: SeProfSingleProcessPrivilege	3828	wmic.exe
Token: SeIncBasePriorityPrivilege	3828	wmic.exe
Token: SeCreatePagefilePrivilege	3828	wmic.exe
Token: SeBackupPrivilege	3828	wmic.exe
Token: SeRestorePrivilege	3828	wmic.exe
Token: SeShutdownPrivilege	3828	wmic.exe
Token: SeDebugPrivilege	3828	wmic.exe
Token: SeSystemEnvironmentPrivilege	3828	wmic.exe
Token: SeRemoteShutdownPrivilege	3828	wmic.exe
Token: SeUndockPrivilege	3828	wmic.exe
Token: SeManageVolumePrivilege	3828	wmic.exe
Token: 33	3828	wmic.exe
Token: 34	3828	wmic.exe
Token: 35	3828	wmic.exe
Token: 36	3828	wmic.exe
Token: SeIncreaseQuotaPrivilege	3828	wmic.exe
Token: SeSecurityPrivilege	3828	wmic.exe
Token: SeTakeOwnershipPrivilege	3828	wmic.exe
Token: SeLoadDriverPrivilege	3828	wmic.exe
Token: SeSystemProfilePrivilege	3828	wmic.exe
Token: SeSystemtimePrivilege	3828	wmic.exe
Token: SeProfSingleProcessPrivilege	3828	wmic.exe
Token: SeIncBasePriorityPrivilege	3828	wmic.exe
Token: SeCreatePagefilePrivilege	3828	wmic.exe
Token: SeBackupPrivilege	3828	wmic.exe
Token: SeRestorePrivilege	3828	wmic.exe
Token: SeShutdownPrivilege	3828	wmic.exe
Token: SeDebugPrivilege	3828	wmic.exe
Token: SeSystemEnvironmentPrivilege	3828	wmic.exe
Token: SeRemoteShutdownPrivilege	3828	wmic.exe
Token: SeUndockPrivilege	3828	wmic.exe
Token: SeManageVolumePrivilege	3828	wmic.exe
Token: 33	3828	wmic.exe
Token: 34	3828	wmic.exe
Token: 35	3828	wmic.exe
Token: 36	3828	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 3828	2252	2024-12-14_5b111e03e3a1ae1fa39b8975fce007b6_ismagent_ryuk_sliver.exe	84
PID 2252 wrote to memory of 3828	2252	2024-12-14_5b111e03e3a1ae1fa39b8975fce007b6_ismagent_ryuk_sliver.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-12-14_5b111e03e3a1ae1fa39b8975fce007b6_ismagent_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_5b111e03e3a1ae1fa39b8975fce007b6_ismagent_ryuk_sliver.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3828

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads