e2a45fc60520e9b376a2fda8b05cf9c769914d2aae1860f0b1d25093d2a0fbcd

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ryomi.exe
Size

11.4MB
MD5

72f8c47d139df861e5b0bf939ac35851
SHA1

8f7a5c50cddf3fe839d0c6c190e7c4ae237d1e4c
SHA256

e2a45fc60520e9b376a2fda8b05cf9c769914d2aae1860f0b1d25093d2a0fbcd
SHA512

525d4ec3f06da1f9ae102a10ecd1cae0c455bdd4485fd4e0ff77c48e997a5bd9d1f02bb0110fcec7d30bf2ef98b936291a01733377d598c3e808028993d398db
SSDEEP

196608:mkdpaqcDT0ZkbkxqBINkT54Hu6vI6U1OZKX9pIwH7H9xWqcmDYPoaq1rQ:/dgqccZkAxqBtV4Hu6vI68TIu9wqFk19

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3000	main.exe

Loads dropped DLL 2 IoCs

pid	Process
2060	Ryomi.exe
3000	main.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3000	2060	Ryomi.exe	30
PID 2060 wrote to memory of 3000	2060	Ryomi.exe	30
PID 2060 wrote to memory of 3000	2060	Ryomi.exe	30

C:\Users\Admin\AppData\Local\Temp\Ryomi.exe
"C:\Users\Admin\AppData\Local\Temp\Ryomi.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\onefile_2060_133792669503750000\main.exe
  C:\Users\Admin\AppData\Local\Temp\Ryomi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2060_133792669503750000\python312.dll

Filesize
6.6MB

MD5
b243d61f4248909bc721674d70a633de

SHA1
1d2fb44b29c4ac3cfd5a7437038a0c541fce82fc

SHA256
93488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7

SHA512
10460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2060_133792669503750000\main.exe

Filesize
14.8MB

MD5
c5eb954efd5a936e7d644bbb0b7cd229

SHA1
055f00131b8d82da137f18730ef0ad78f2c5f4ae

SHA256
263558d97f67678e82e205ad48a0986df9b7893d53a7ac0c888eca216e49e7e8

SHA512
435b32dd0536328f8a55559b63adc350f42101ac6581e8325a146972b5484fbd23d10fcaa2dd3082a8712863d7cec197079f4b32e6697b48f8770a557e39eb3e

Download Submit