Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
17-02-2025 21:35
Behavioral task
behavioral1
Sample
2025-02-17_a34bbcd7868db9e84f574b3ad912f359_ismagent_ryuk_sliver.exe
Resource
win7-20241010-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
2025-02-17_a34bbcd7868db9e84f574b3ad912f359_ismagent_ryuk_sliver.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
2025-02-17_a34bbcd7868db9e84f574b3ad912f359_ismagent_ryuk_sliver.exe
-
Size
3.3MB
-
MD5
a34bbcd7868db9e84f574b3ad912f359
-
SHA1
f390e27ce7113b1ce485fabc249d607c33108738
-
SHA256
33ea13671b1d96ace494272af88197d522db117f6df562a73ed71bdaec64a02b
-
SHA512
9adc92ce88e6242751e525bb875939fa9b02f900181e622858891e5d2e06c254268487a76167d724d55856eb9c9572122362abaacaeb02acf899fa932e8eb3c7
-
SSDEEP
49152:DX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85QE:DlRsZ47/QXoHUOfAoj1x6E
Score
1/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 5844 wmic.exe Token: SeSecurityPrivilege 5844 wmic.exe Token: SeTakeOwnershipPrivilege 5844 wmic.exe Token: SeLoadDriverPrivilege 5844 wmic.exe Token: SeSystemProfilePrivilege 5844 wmic.exe Token: SeSystemtimePrivilege 5844 wmic.exe Token: SeProfSingleProcessPrivilege 5844 wmic.exe Token: SeIncBasePriorityPrivilege 5844 wmic.exe Token: SeCreatePagefilePrivilege 5844 wmic.exe Token: SeBackupPrivilege 5844 wmic.exe Token: SeRestorePrivilege 5844 wmic.exe Token: SeShutdownPrivilege 5844 wmic.exe Token: SeDebugPrivilege 5844 wmic.exe Token: SeSystemEnvironmentPrivilege 5844 wmic.exe Token: SeRemoteShutdownPrivilege 5844 wmic.exe Token: SeUndockPrivilege 5844 wmic.exe Token: SeManageVolumePrivilege 5844 wmic.exe Token: 33 5844 wmic.exe Token: 34 5844 wmic.exe Token: 35 5844 wmic.exe Token: 36 5844 wmic.exe Token: SeIncreaseQuotaPrivilege 5844 wmic.exe Token: SeSecurityPrivilege 5844 wmic.exe Token: SeTakeOwnershipPrivilege 5844 wmic.exe Token: SeLoadDriverPrivilege 5844 wmic.exe Token: SeSystemProfilePrivilege 5844 wmic.exe Token: SeSystemtimePrivilege 5844 wmic.exe Token: SeProfSingleProcessPrivilege 5844 wmic.exe Token: SeIncBasePriorityPrivilege 5844 wmic.exe Token: SeCreatePagefilePrivilege 5844 wmic.exe Token: SeBackupPrivilege 5844 wmic.exe Token: SeRestorePrivilege 5844 wmic.exe Token: SeShutdownPrivilege 5844 wmic.exe Token: SeDebugPrivilege 5844 wmic.exe Token: SeSystemEnvironmentPrivilege 5844 wmic.exe Token: SeRemoteShutdownPrivilege 5844 wmic.exe Token: SeUndockPrivilege 5844 wmic.exe Token: SeManageVolumePrivilege 5844 wmic.exe Token: 33 5844 wmic.exe Token: 34 5844 wmic.exe Token: 35 5844 wmic.exe Token: 36 5844 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1488 wrote to memory of 5844 1488 2025-02-17_a34bbcd7868db9e84f574b3ad912f359_ismagent_ryuk_sliver.exe 84 PID 1488 wrote to memory of 5844 1488 2025-02-17_a34bbcd7868db9e84f574b3ad912f359_ismagent_ryuk_sliver.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-02-17_a34bbcd7868db9e84f574b3ad912f359_ismagent_ryuk_sliver.exe"C:\Users\Admin\AppData\Local\Temp\2025-02-17_a34bbcd7868db9e84f574b3ad912f359_ismagent_ryuk_sliver.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5844
-