Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/01/2025, 19:30
Static task: static1
General
Target: 2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe
Size: 5.4MB
MD5: b29def4d05676aaca3dcbdba750ec480
SHA1: 24d5cd7ac5689e8dca98087c2e49be4ddfe7a1aa
SHA256: 892ee52f7e8e44fdf0776193cadf5919eec3c23b8f649109d8f53351a7657b9b
SHA512: dd41f55a583a16dc790da687d3ff97eda461771d132135e72f0768e190c8af8eb2f06ae3f2e745c4dbb291bf49c4797a8d735230c389697ea0e2a307757b74ec
SSDEEP: 49152:P6KRrDaQpOiVLKbN6MwBYJxfB+h4Q4zlRWBh8XQ+kpbUM7CjreQJgwK57hXwuEyI:LzEbbxi4voh8X0n7wyQJze9Nf5t6tn
Malware Config
Signatures
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (2 IoCs)
  description                         pid   Process                                                                          procid_target
  PID 1828 wrote to memory of 1680    1828  2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe  85
  PID 1828 wrote to memory of 1680    1828  2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe  85
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe"
  PID: 1828
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe (child of PID 1828)
    Command line: C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=116.0.5366.21 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6bba51638,0x7ff6bba51644,0x7ff6bba51650
    PID: 1680