caafc0e421aff786ea4cfd333b060a7eda5a4cc370b8e335916fb6fbffb79dcb

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/02/2025, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-25_83240479f5e23c6330e43496bb7b6b1c_ismagent_ryuk_sliver.exe
Size

3.3MB
MD5

83240479f5e23c6330e43496bb7b6b1c
SHA1

92a28ae37648a8da8be3b3fe8fa8479b07a9d4bd
SHA256

caafc0e421aff786ea4cfd333b060a7eda5a4cc370b8e335916fb6fbffb79dcb
SHA512

bdf35f3d618c5d47cc0498d7cd14f93280bf798b6894e855ecd774ac6da3f1f1e7e93b3a552779184560c092e2dfd821825a68202135a30ce6165bfea8b34173
SSDEEP

49152:BX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe/5c:BlRsZ47/QXoHUOfAoj1ym

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2216	wmic.exe
Token: SeSecurityPrivilege	2216	wmic.exe
Token: SeTakeOwnershipPrivilege	2216	wmic.exe
Token: SeLoadDriverPrivilege	2216	wmic.exe
Token: SeSystemProfilePrivilege	2216	wmic.exe
Token: SeSystemtimePrivilege	2216	wmic.exe
Token: SeProfSingleProcessPrivilege	2216	wmic.exe
Token: SeIncBasePriorityPrivilege	2216	wmic.exe
Token: SeCreatePagefilePrivilege	2216	wmic.exe
Token: SeBackupPrivilege	2216	wmic.exe
Token: SeRestorePrivilege	2216	wmic.exe
Token: SeShutdownPrivilege	2216	wmic.exe
Token: SeDebugPrivilege	2216	wmic.exe
Token: SeSystemEnvironmentPrivilege	2216	wmic.exe
Token: SeRemoteShutdownPrivilege	2216	wmic.exe
Token: SeUndockPrivilege	2216	wmic.exe
Token: SeManageVolumePrivilege	2216	wmic.exe
Token: 33	2216	wmic.exe
Token: 34	2216	wmic.exe
Token: 35	2216	wmic.exe
Token: SeIncreaseQuotaPrivilege	2216	wmic.exe
Token: SeSecurityPrivilege	2216	wmic.exe
Token: SeTakeOwnershipPrivilege	2216	wmic.exe
Token: SeLoadDriverPrivilege	2216	wmic.exe
Token: SeSystemProfilePrivilege	2216	wmic.exe
Token: SeSystemtimePrivilege	2216	wmic.exe
Token: SeProfSingleProcessPrivilege	2216	wmic.exe
Token: SeIncBasePriorityPrivilege	2216	wmic.exe
Token: SeCreatePagefilePrivilege	2216	wmic.exe
Token: SeBackupPrivilege	2216	wmic.exe
Token: SeRestorePrivilege	2216	wmic.exe
Token: SeShutdownPrivilege	2216	wmic.exe
Token: SeDebugPrivilege	2216	wmic.exe
Token: SeSystemEnvironmentPrivilege	2216	wmic.exe
Token: SeRemoteShutdownPrivilege	2216	wmic.exe
Token: SeUndockPrivilege	2216	wmic.exe
Token: SeManageVolumePrivilege	2216	wmic.exe
Token: 33	2216	wmic.exe
Token: 34	2216	wmic.exe
Token: 35	2216	wmic.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2216	1620	2025-02-25_83240479f5e23c6330e43496bb7b6b1c_ismagent_ryuk_sliver.exe	31
PID 1620 wrote to memory of 2216	1620	2025-02-25_83240479f5e23c6330e43496bb7b6b1c_ismagent_ryuk_sliver.exe	31
PID 1620 wrote to memory of 2216	1620	2025-02-25_83240479f5e23c6330e43496bb7b6b1c_ismagent_ryuk_sliver.exe	31

C:\Users\Admin\AppData\Local\Temp\2025-02-25_83240479f5e23c6330e43496bb7b6b1c_ismagent_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-25_83240479f5e23c6330e43496bb7b6b1c_ismagent_ryuk_sliver.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2216

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads