Analysis
max time kernel: 119s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/02/2025, 22:04
Behavioral task: behavioral1
Sample: 2025-02-28_4983556159f522664687a8e213a9bb15_ismagent_ryuk_sliver.exe
Resource: win7-20241010-en
2 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 2025-02-28_4983556159f522664687a8e213a9bb15_ismagent_ryuk_sliver.exe
Resource: win10v2004-20250217-en
2 signatures, 150 seconds
General
Target: 2025-02-28_4983556159f522664687a8e213a9bb15_ismagent_ryuk_sliver.exe
Size: 3.3MB
MD5: 4983556159f522664687a8e213a9bb15
SHA1: f250ab61672212cee8a805fac3dbba095f3ee4f6
SHA256: b5705e3be1775e3c9e20aeffa15c3dc612ab59fc12bc2e2ee41bb4614517c53c
SHA512: 2b1ec06323eb2553afb626467dfeabc2bacd2fb4619c8308015725d194e1fb20439e6c4f3fa003263291bac7d86bdfad0ef117c6ee655bf5ef2127ef0b2d1f07
SSDEEP: 49152:KX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Qo:KlRsZ47/QXoHUOfAoj1x6o
Score: 1/10
Malware Config
Signatures

Suspicious use of AdjustPrivilegeToken (42 IoCs)
description                            pid   Process
Token: SeIncreaseQuotaPrivilege        4820  wmic.exe
Token: SeSecurityPrivilege             4820  wmic.exe
Token: SeTakeOwnershipPrivilege        4820  wmic.exe
Token: SeLoadDriverPrivilege           4820  wmic.exe
Token: SeSystemProfilePrivilege        4820  wmic.exe
Token: SeSystemtimePrivilege           4820  wmic.exe
Token: SeProfSingleProcessPrivilege    4820  wmic.exe
Token: SeIncBasePriorityPrivilege      4820  wmic.exe
Token: SeCreatePagefilePrivilege       4820  wmic.exe
Token: SeBackupPrivilege               4820  wmic.exe
Token: SeRestorePrivilege              4820  wmic.exe
Token: SeShutdownPrivilege             4820  wmic.exe
Token: SeDebugPrivilege                4820  wmic.exe
Token: SeSystemEnvironmentPrivilege    4820  wmic.exe
Token: SeRemoteShutdownPrivilege       4820  wmic.exe
Token: SeUndockPrivilege               4820  wmic.exe
Token: SeManageVolumePrivilege         4820  wmic.exe
Token: 33                              4820  wmic.exe
Token: 34                              4820  wmic.exe
Token: 35                              4820  wmic.exe
Token: 36                              4820  wmic.exe
Token: SeIncreaseQuotaPrivilege        4820  wmic.exe
Token: SeSecurityPrivilege             4820  wmic.exe
Token: SeTakeOwnershipPrivilege        4820  wmic.exe
Token: SeLoadDriverPrivilege           4820  wmic.exe
Token: SeSystemProfilePrivilege        4820  wmic.exe
Token: SeSystemtimePrivilege           4820  wmic.exe
Token: SeProfSingleProcessPrivilege    4820  wmic.exe
Token: SeIncBasePriorityPrivilege      4820  wmic.exe
Token: SeCreatePagefilePrivilege       4820  wmic.exe
Token: SeBackupPrivilege               4820  wmic.exe
Token: SeRestorePrivilege              4820  wmic.exe
Token: SeShutdownPrivilege             4820  wmic.exe
Token: SeDebugPrivilege                4820  wmic.exe
Token: SeSystemEnvironmentPrivilege    4820  wmic.exe
Token: SeRemoteShutdownPrivilege       4820  wmic.exe
Token: SeUndockPrivilege               4820  wmic.exe
Token: SeManageVolumePrivilege         4820  wmic.exe
Token: 33                              4820  wmic.exe
Token: 34                              4820  wmic.exe
Token: 35                              4820  wmic.exe
Token: 36                              4820  wmic.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description                      pid  Process                                                                procid_target
PID 980 wrote to memory of 4820  980  2025-02-28_4983556159f522664687a8e213a9bb15_ismagent_ryuk_sliver.exe  88
PID 980 wrote to memory of 4820  980  2025-02-28_4983556159f522664687a8e213a9bb15_ismagent_ryuk_sliver.exe  88
Processes

C:\Users\Admin\AppData\Local\Temp\2025-02-28_4983556159f522664687a8e213a9bb15_ismagent_ryuk_sliver.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-02-28_4983556159f522664687a8e213a9bb15_ismagent_ryuk_sliver.exe"
  PID: 980
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wbem\wmic.exe
    Command line: wmic os get oslanguage /FORMAT:LIST
    PID: 4820
    - Suspicious use of AdjustPrivilegeToken