Analysis
max time kernel: 92s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 21-12-2024 15:21
Static task: static1
Behavioral task: behavioral1
Sample: 2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Resource: win10v2004-20241007-en
General
Target: 2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Size: 31.7MB
MD5: 05faf10ce401dc0841fb158a61fb68a6
SHA1: 5aec8e99193580e5736a32f2af9ce2eb87dc4bc4
SHA256: c5733833abe89f7e56c96582be668db381335dde27abf8d36e3271df422a8e9c
SHA512: c1b1125901ba70d5d60bb204aae8c8e4912f18c0fb66b357b7cac9c6f382efcd9cb7cbb939868b2970b5ee8897161edde7092dbe299524e7ed3ff1fdbc4f7b21
SSDEEP: 393216:06Ky2NI9Q9i80OTczFb9+CF0y+dpUJsv6tWKFdu9Ce14zRSggL/t3ofR6GdtnFnd:zp8l1CoAy392/d
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\G:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\I:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\P:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\Q:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\B:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\w:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\X:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\Y:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\J:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\M:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\D:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\E:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\F:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\H:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\K:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\L:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\N:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\O:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\A:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\S:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\T:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\U:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\V:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\Z:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
File opened (read-only)  \??\R:  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description  ioc  Process
File opened for modification  \??\PhysicalDrive0  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid  Process
2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Suspicious use of AdjustPrivilegeToken (28 IoCs)
description  pid  Process
Token: SeRestorePrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeTakeOwnershipPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeDebugPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeDebugPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeDebugPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeDebugPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeRestorePrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeTakeOwnershipPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeRestorePrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeTakeOwnershipPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeDebugPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeDebugPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeRestorePrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeTakeOwnershipPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeDebugPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeDebugPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeRestorePrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeTakeOwnershipPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeDebugPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeDebugPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeRestorePrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeTakeOwnershipPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeRestorePrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeTakeOwnershipPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeRestorePrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeTakeOwnershipPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeRestorePrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Token: SeTakeOwnershipPrivilege  2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid  Process
2220  2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-21_05faf10ce401dc0841fb158a61fb68a6_hijackloader_ismagent_ryuk_sliver.exe"
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2220