Analysis
max time kernel: 123s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/03/2025, 00:38
Behavioral task: behavioral1
Sample: 2025-03-04_ac838ad7e8e163dece34221b8a88b03e_ismagent_ryuk_sliver.exe
Resource: win7-20241010-en
2 signatures, 150 seconds

Behavioral task: behavioral2
Sample: 2025-03-04_ac838ad7e8e163dece34221b8a88b03e_ismagent_ryuk_sliver.exe
Resource: win10v2004-20250217-en
2 signatures, 150 seconds
General
Target: 2025-03-04_ac838ad7e8e163dece34221b8a88b03e_ismagent_ryuk_sliver.exe
Size: 3.3MB
MD5: ac838ad7e8e163dece34221b8a88b03e
SHA1: 5473bb150a166fcb385e5abb97043af4352bacf2
SHA256: 71dc45bed5b48c963c122a0a21233c4f8f4d5b61568799505b8b15f2d42619e8
SHA512: 7be869a580d37e306c0382bd62d59be4bd03004bae3d78f649beba4de4802597f43a4121457b53b41a6cafe44d869397803798ead5494333838876d095404aa5
SSDEEP: 49152:hX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQet5q:hlRsZ47/QXoHUOfAoj140
Score: 1/10
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (42 IoCs)
description                              pid   Process
Token: SeIncreaseQuotaPrivilege          5048  wmic.exe
Token: SeSecurityPrivilege               5048  wmic.exe
Token: SeTakeOwnershipPrivilege          5048  wmic.exe
Token: SeLoadDriverPrivilege             5048  wmic.exe
Token: SeSystemProfilePrivilege          5048  wmic.exe
Token: SeSystemtimePrivilege             5048  wmic.exe
Token: SeProfSingleProcessPrivilege      5048  wmic.exe
Token: SeIncBasePriorityPrivilege        5048  wmic.exe
Token: SeCreatePagefilePrivilege         5048  wmic.exe
Token: SeBackupPrivilege                 5048  wmic.exe
Token: SeRestorePrivilege                5048  wmic.exe
Token: SeShutdownPrivilege               5048  wmic.exe
Token: SeDebugPrivilege                  5048  wmic.exe
Token: SeSystemEnvironmentPrivilege      5048  wmic.exe
Token: SeRemoteShutdownPrivilege         5048  wmic.exe
Token: SeUndockPrivilege                 5048  wmic.exe
Token: SeManageVolumePrivilege           5048  wmic.exe
Token: 33                                5048  wmic.exe
Token: 34                                5048  wmic.exe
Token: 35                                5048  wmic.exe
Token: 36                                5048  wmic.exe
The 21 rows above occur twice in the trace, giving the 42 IoCs. Every one of them comes from wmic.exe (PID 5048), not from the sample itself: wmic.exe enables the privileges present in its token with AdjustTokenPrivileges before it talks to WMI, so this signature fires for any wmic invocation and carries no weight on its own. Tokens 33 to 36 are privilege LUIDs the sandbox left unresolved; in winnt.h these are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36).
Suspicious use of WriteProcessMemory (2 IoCs)
description                        pid   Process                                                                 procid_target
PID 4936 wrote to memory of 5048   4936  2025-03-04_ac838ad7e8e163dece34221b8a88b03e_ismagent_ryuk_sliver.exe   86
PID 4936 wrote to memory of 5048   4936  2025-03-04_ac838ad7e8e163dece34221b8a88b03e_ismagent_ryuk_sliver.exe   86
Both writes go from the sample (PID 4936) into PID 5048, the wmic.exe child it had just started. A parent writing into a child it created is part of ordinary process creation (the parent fills in the new process's parameters), so on its own this is not evidence of injection into an unrelated process; a write into a process the sample did not create would be.
Processes
1. C:\Users\Admin\AppData\Local\Temp\2025-03-04_ac838ad7e8e163dece34221b8a88b03e_ismagent_ryuk_sliver.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2025-03-04_ac838ad7e8e163dece34221b8a88b03e_ismagent_ryuk_sliver.exe"
   PID: 4936
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wbem\wmic.exe
      Command line: wmic os get oslanguage /FORMAT:LIST
      PID: 5048
      - Suspicious use of AdjustPrivilegeToken
The only child the sample spawned queries the OS language through WMI (the `os` alias resolves to Win32_OperatingSystem, and OSLanguage is its language property), which is system language discovery (ATT&CK T1614.001). Nothing else was recorded during the 150 second run.
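The two signatures and the process tree above map directly onto triage logic. The Python below is an added example, not part of this report or of the sample: it runs over constructed process-creation and memory-write records modelled on the tree above (the record layouts, the helper names, the parent PID 3000 and the extra PIDs 6000 and 6100 are assumptions), flags wmic queries for the language properties of Win32_OperatingSystem, and separates a parent's writes into its own child from writes into processes it did not create.

```python
"""Triage the two signatures in the report over process telemetry.

Added example, not part of the sandbox report or of the sample. The record
layouts are assumptions; Sysmon Event ID 1 (process create) and Event ID 8/10
(remote thread / process access) or Security 4688 carry the same fields under
other names.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcCreate:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class MemWrite:
    source_pid: int
    target_pid: int


# "os" is the wmic alias for Win32_OperatingSystem; OSLanguage, Locale and
# MUILanguages are the properties of that class that reveal the system language.
LANG_DISCOVERY = re.compile(
    r"\bwmic(?:\.exe)?\b.*\b(?:os|win32_operatingsystem)\b.*\bget\b.*"
    r"\b(?:oslanguage|locale|muilanguages)\b",
    re.IGNORECASE,
)


def find_language_discovery(events):
    """Return (pid, parent image, command line) for each wmic language query."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if LANG_DISCOVERY.search(e.cmdline):
            parent = by_pid.get(e.ppid)
            hits.append((e.pid, parent.image if parent else None, e.cmdline))
    return hits


def classify_writes(writes, events):
    """Tag each WriteProcessMemory as 'parent-to-child' or 'cross-process'.

    A parent writing into a child it just created is what CreateProcess does
    itself (it populates the child's process parameters), so those writes are
    separated from writes into processes the writer did not create.
    """
    by_pid = {e.pid: e for e in events}
    tagged = []
    for w in writes:
        target = by_pid.get(w.target_pid)
        own_child = target is not None and target.ppid == w.source_pid
        tagged.append((w.source_pid, w.target_pid,
                       "parent-to-child" if own_child else "cross-process"))
    return tagged


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2025-03-04_ac838ad7e8e163dece34221b8a88b03e_ismagent_ryuk_sliver.exe")

# Constructed records. PIDs 4936 and 5048 and their command lines mirror the
# report's process tree; parent PID 3000 and PIDs 6000/6100 are assumptions
# added for contrast (a benign wmic query and an unrelated process).
EVENTS = [
    ProcCreate(4936, 3000, SAMPLE, f'"{SAMPLE}"'),
    ProcCreate(5048, 4936, r"C:\Windows\system32\wbem\wmic.exe",
               "wmic os get oslanguage /FORMAT:LIST"),
    ProcCreate(6000, 3000, r"C:\Windows\system32\wbem\wmic.exe",
               "wmic product get name,version"),
    ProcCreate(6100, 3000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
WRITES = [
    MemWrite(4936, 5048),  # the report's two hits: sample -> its own wmic child
    MemWrite(4936, 5048),
    MemWrite(4936, 6100),  # constructed: sample -> a process it did not create
]

if __name__ == "__main__":
    for pid, parent, cmd in find_language_discovery(EVENTS):
        print(f"T1614.001 system language discovery: pid={pid} parent={parent} cmd={cmd!r}")
    for src, dst, kind in classify_writes(WRITES, EVENTS):
        print(f"WriteProcessMemory {src} -> {dst}: {kind}")
```

Run as-is it reports the single wmic language query with the sample as its parent, and tags the report's two writes as parent-to-child while the constructed third write is the one that would deserve a closer look.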