3c89178e57b6a42804981bab5b8b66168a434b98fb7212574fa193e095411a50

Analysis

max time kernel
122s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2025, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-26_db3067ba9a581b1cfd0caa09cf3b0a4e_ismagent_ryuk_sliver.exe
Size

3.2MB
MD5

db3067ba9a581b1cfd0caa09cf3b0a4e
SHA1

f6da3b8b9a85e49fae0850f23ef778f9e122b416
SHA256

3c89178e57b6a42804981bab5b8b66168a434b98fb7212574fa193e095411a50
SHA512

9574bbdbbc999d2fa03d0eec83a84d36254ab682673eec61bf2bb634de4e3bd9948868316bb3fa1ac1e461cf9f8f47c6a480a4b07acb599e7461bbbf199d2e15
SSDEEP

49152:x6Fva8Z3jsWlwddWq2qWDtywom4cVmxvAxLz/BViY36MFvf+QRQ0e11UOrdR8529:U7jxNqP/GmIzv3JQjv8Q9

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3760	wmic.exe
Token: SeSecurityPrivilege	3760	wmic.exe
Token: SeTakeOwnershipPrivilege	3760	wmic.exe
Token: SeLoadDriverPrivilege	3760	wmic.exe
Token: SeSystemProfilePrivilege	3760	wmic.exe
Token: SeSystemtimePrivilege	3760	wmic.exe
Token: SeProfSingleProcessPrivilege	3760	wmic.exe
Token: SeIncBasePriorityPrivilege	3760	wmic.exe
Token: SeCreatePagefilePrivilege	3760	wmic.exe
Token: SeBackupPrivilege	3760	wmic.exe
Token: SeRestorePrivilege	3760	wmic.exe
Token: SeShutdownPrivilege	3760	wmic.exe
Token: SeDebugPrivilege	3760	wmic.exe
Token: SeSystemEnvironmentPrivilege	3760	wmic.exe
Token: SeRemoteShutdownPrivilege	3760	wmic.exe
Token: SeUndockPrivilege	3760	wmic.exe
Token: SeManageVolumePrivilege	3760	wmic.exe
Token: 33	3760	wmic.exe
Token: 34	3760	wmic.exe
Token: 35	3760	wmic.exe
Token: 36	3760	wmic.exe
Token: SeIncreaseQuotaPrivilege	3760	wmic.exe
Token: SeSecurityPrivilege	3760	wmic.exe
Token: SeTakeOwnershipPrivilege	3760	wmic.exe
Token: SeLoadDriverPrivilege	3760	wmic.exe
Token: SeSystemProfilePrivilege	3760	wmic.exe
Token: SeSystemtimePrivilege	3760	wmic.exe
Token: SeProfSingleProcessPrivilege	3760	wmic.exe
Token: SeIncBasePriorityPrivilege	3760	wmic.exe
Token: SeCreatePagefilePrivilege	3760	wmic.exe
Token: SeBackupPrivilege	3760	wmic.exe
Token: SeRestorePrivilege	3760	wmic.exe
Token: SeShutdownPrivilege	3760	wmic.exe
Token: SeDebugPrivilege	3760	wmic.exe
Token: SeSystemEnvironmentPrivilege	3760	wmic.exe
Token: SeRemoteShutdownPrivilege	3760	wmic.exe
Token: SeUndockPrivilege	3760	wmic.exe
Token: SeManageVolumePrivilege	3760	wmic.exe
Token: 33	3760	wmic.exe
Token: 34	3760	wmic.exe
Token: 35	3760	wmic.exe
Token: 36	3760	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 3760	4508	2025-02-26_db3067ba9a581b1cfd0caa09cf3b0a4e_ismagent_ryuk_sliver.exe	87
PID 4508 wrote to memory of 3760	4508	2025-02-26_db3067ba9a581b1cfd0caa09cf3b0a4e_ismagent_ryuk_sliver.exe	87

C:\Users\Admin\AppData\Local\Temp\2025-02-26_db3067ba9a581b1cfd0caa09cf3b0a4e_ismagent_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-26_db3067ba9a581b1cfd0caa09cf3b0a4e_ismagent_ryuk_sliver.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3760

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads