Analysis

max time kernel: 97s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/02/2025, 02:25
Behavioral task: behavioral1
Sample: 2025-02-28_03077aaaf5b86ef3b411a71cb922841f_ismagent_ryuk_sliver.exe
Resource: win7-20240903-en
2 signatures
150 seconds

Behavioral task: behavioral2
Sample: 2025-02-28_03077aaaf5b86ef3b411a71cb922841f_ismagent_ryuk_sliver.exe
Resource: win10v2004-20250217-en
2 signatures
150 seconds
General

Target: 2025-02-28_03077aaaf5b86ef3b411a71cb922841f_ismagent_ryuk_sliver.exe
Size: 3.3MB
MD5: 03077aaaf5b86ef3b411a71cb922841f
SHA1: 782bd0f5ba42aea1d5d2a82cbb873aca78424202
SHA256: a2d1752e824dd61387807fac3b839ce925be7383aaf0e145d929ecdd9d53960a
SHA512: 10b118e62d986b1f727cc7ca5cbaa798adc117dbbec104c59c7525d8675d44ce6fa3c0fae7a02c5928f747811ac49f3b052fb8f908b4f3ae47f76565a313305a
SSDEEP: 49152:dX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Q6:dlRsZ47/QXoHUOfAoj1x66
Score: 1/10
Malware Config
Signatures

Suspicious use of AdjustPrivilegeToken (42 IoCs)

description                          pid   Process
Token: SeIncreaseQuotaPrivilege      4112  wmic.exe
Token: SeSecurityPrivilege           4112  wmic.exe
Token: SeTakeOwnershipPrivilege      4112  wmic.exe
Token: SeLoadDriverPrivilege         4112  wmic.exe
Token: SeSystemProfilePrivilege      4112  wmic.exe
Token: SeSystemtimePrivilege         4112  wmic.exe
Token: SeProfSingleProcessPrivilege  4112  wmic.exe
Token: SeIncBasePriorityPrivilege    4112  wmic.exe
Token: SeCreatePagefilePrivilege     4112  wmic.exe
Token: SeBackupPrivilege             4112  wmic.exe
Token: SeRestorePrivilege            4112  wmic.exe
Token: SeShutdownPrivilege           4112  wmic.exe
Token: SeDebugPrivilege              4112  wmic.exe
Token: SeSystemEnvironmentPrivilege  4112  wmic.exe
Token: SeRemoteShutdownPrivilege     4112  wmic.exe
Token: SeUndockPrivilege             4112  wmic.exe
Token: SeManageVolumePrivilege       4112  wmic.exe
Token: 33                            4112  wmic.exe
Token: 34                            4112  wmic.exe
Token: 35                            4112  wmic.exe
Token: 36                            4112  wmic.exe
Token: SeIncreaseQuotaPrivilege      4112  wmic.exe
Token: SeSecurityPrivilege           4112  wmic.exe
Token: SeTakeOwnershipPrivilege      4112  wmic.exe
Token: SeLoadDriverPrivilege         4112  wmic.exe
Token: SeSystemProfilePrivilege      4112  wmic.exe
Token: SeSystemtimePrivilege         4112  wmic.exe
Token: SeProfSingleProcessPrivilege  4112  wmic.exe
Token: SeIncBasePriorityPrivilege    4112  wmic.exe
Token: SeCreatePagefilePrivilege     4112  wmic.exe
Token: SeBackupPrivilege             4112  wmic.exe
Token: SeRestorePrivilege            4112  wmic.exe
Token: SeShutdownPrivilege           4112  wmic.exe
Token: SeDebugPrivilege              4112  wmic.exe
Token: SeSystemEnvironmentPrivilege  4112  wmic.exe
Token: SeRemoteShutdownPrivilege     4112  wmic.exe
Token: SeUndockPrivilege             4112  wmic.exe
Token: SeManageVolumePrivilege       4112  wmic.exe
Token: 33                            4112  wmic.exe
Token: 34                            4112  wmic.exe
Token: 35                            4112  wmic.exe
Token: 36                            4112  wmic.exe

Suspicious use of WriteProcessMemory (2 IoCs)

description                      pid   Process                                                                 procid_target
PID 1152 wrote to memory of 4112  1152  2025-02-28_03077aaaf5b86ef3b411a71cb922841f_ismagent_ryuk_sliver.exe  88
PID 1152 wrote to memory of 4112  1152  2025-02-28_03077aaaf5b86ef3b411a71cb922841f_ismagent_ryuk_sliver.exe  88
Processes

1. C:\Users\Admin\AppData\Local\Temp\2025-02-28_03077aaaf5b86ef3b411a71cb922841f_ismagent_ryuk_sliver.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2025-02-28_03077aaaf5b86ef3b411a71cb922841f_ismagent_ryuk_sliver.exe"
   Signatures: Suspicious use of WriteProcessMemory
   PID: 1152

   2. C:\Windows\system32\wbem\wmic.exe
      Command line: wmic os get oslanguage /FORMAT:LIST
      Signatures: Suspicious use of AdjustPrivilegeToken
      PID: 4112