Analysis Overview
SHA256: 892ee52f7e8e44fdf0776193cadf5919eec3c23b8f649109d8f53351a7657b9b
Threat Level: Likely benign
The file 2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk was found to be: Likely benign.
Malicious Activity Summary
Reads user/profile data of web browsers
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2025-01-19 19:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2025-01-19 19:30
Reported: 2025-01-19 19:33
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 150s
Command Line
Signatures
Reads user/profile data of web browsers
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1828 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe |
| PID 1828 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe | "C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe" |
| C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2025-01-19_b29def4d05676aaca3dcbdba750ec480_cobalt-strike_hijackloader_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=116.0.5366.21 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6bba51638,0x7ff6bba51644,0x7ff6bba51650 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |