Overview

overview

3

Static

static

3

2025-03-06...uk.exe

windows11-21h2-x64

3

Resubmissions

06/03/2025, 17:33

250306-v49mfsvks5 3

06/03/2025, 17:30

250306-v3e2fstwdw 10

Analysis

  • max time kernel
    14s
  • max time network
    15s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06/03/2025, 17:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-06_e664cc9bde017862a2c484b30cb7ea93_ryuk.exe

  • Size

    1.5MB

  • MD5

    e664cc9bde017862a2c484b30cb7ea93

  • SHA1

    c5a1415e2860fa0aa106e6ddbdb3d7d7e62e2fc0

  • SHA256

    6f55662b1ec78350e8dae5ea5377df36bd048b9a72d643ade4526b74da8537c9

  • SHA512

    574d466b24c3db733353a43bbd3e95806b13c22c6bd86313f20470566bf06326593987bed9ed173bdea088d1b28a85d2f703ff0908d534478e6a490066297730

  • SSDEEP

    49152:eVzpfQd4T9kIDGE63XVGpclbwbWAaJiwmcTdcoeG88:mfIXIxqPFE98

Score
3/10
discovery

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-06_e664cc9bde017862a2c484b30cb7ea93_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-06_e664cc9bde017862a2c484b30cb7ea93_ryuk.exe"
    1⤵
      PID:4556
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
      1⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa86413cb8,0x7ffa86413cc8,0x7ffa86413cd8
        2⤵
          PID:1252
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,388393671626727775,349522526385196643,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
          2⤵
            PID:1212
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,388393671626727775,349522526385196643,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3984
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,388393671626727775,349522526385196643,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
            2⤵
              PID:3284
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,388393671626727775,349522526385196643,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
              2⤵
                PID:884
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,388393671626727775,349522526385196643,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
                2⤵
                  PID:1260
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:392
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:4072
                  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
                    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
                    1⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:2280
                  • C:\Windows\system32\BackgroundTransferHost.exe
                    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
                    1⤵
                    • Modifies registry class
                    PID:1348

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                    Filesize

                    152B

                    MD5

                    53c68f0f93ab9a94804c00720a0bcd9a

                    SHA1

                    9009307d51e1fd60f9a90d77007e377c7f893434

                    SHA256

                    a38f0777d4ca9e777191cc924c22eb1847ae805ab79ff224860e8c70d7f49422

                    SHA512

                    a1d5b92fced821328a668fbfe9ad694b99c873ffa3ed28aa5bf1e8ef8054486289b5ddb26236cfa7c1ca0db993f306cdfc5878480b6a543aca1620075f77d670

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                    Filesize

                    152B

                    MD5

                    4815ecce34e90c0f6ca91c7e35be703f

                    SHA1

                    61ec0042ccee59f6bdf6b96eb9f412cc97717702

                    SHA256

                    5db366717739338c23e07ca15aea2b48924a3b3ecacb214221239333b11ae7d6

                    SHA512

                    751dfd6eea90fc4efb557611e8afc6ef1634c4e2bdd97f3c72638def09f644ebd8bf5696b9ed8379973106524d08c67188f7f64c0f941e8f95109920120dae05

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                    Filesize

                    5KB

                    MD5

                    7a133df652d653027e36e3a88f5bd7dc

                    SHA1

                    7fc4d675c53e96420953bd3e37a45483e8b36a7a

                    SHA256

                    d5a60a93f13d9d2e6ac2ecb15e0d47c3a6f0686ec80a334c115bc8d9b19847c6

                    SHA512

                    644d76a6104e77384388331213f7dc1887482f055cf13d2e256aa710f9bf6bf5835f636d1212dc0ec6fd5472de2352694790232cf96428b2c4d1c86a21490dc8

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                    Filesize

                    5KB

                    MD5

                    c57d7c3c2effc1d8a38d6bdfae403375

                    SHA1

                    2b8c3fe166f568c64908205843844793353fe857

                    SHA256

                    37d0f959fbf663536d8223bb834d28eb0a99a2411e1db4b629bcf106a39646e7

                    SHA512

                    9ede6bcfdcdb26e90b9758318f3098bd5f2adb54d8f143a069ebe602f5ad6c94cc90d80a8ee05225b14b81856eb7136a02cef66a2d34f421de08c4b49b10d8c2

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                    Filesize

                    11KB

                    MD5

                    aef5779fceb8aa3f98638f4382a52b00

                    SHA1

                    05b2cdaf57192ccb89ebbe53a2d6c1e4089cabad

                    SHA256

                    c85c2cfa17bda1aa475bb54d12c8f4e310ca1f877d600e3e3e8f108b286e11e7

                    SHA512

                    9d948f97e973cb75888547931639a782f7c6c7017548b834581e012205aa5943c8b3c99f73607c63faf3d0296f2cdf9ee2e10cb1865e7370536da7455f01055b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                    Filesize

                    264KB

                    MD5

                    f50f89a0a91564d0b8a211f8921aa7de

                    SHA1

                    112403a17dd69d5b9018b8cede023cb3b54eab7d

                    SHA256

                    b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                    SHA512

                    bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\a39d3a7a-0718-4e30-8d53-d71b373d072c.down_data
                    Filesize

                    555KB

                    MD5

                    5683c0028832cae4ef93ca39c8ac5029

                    SHA1

                    248755e4e1db552e0b6f8651b04ca6d1b31a86fb

                    SHA256

                    855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

                    SHA512

                    aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

                    Download Submit

                  • memory/4556-0-0x00000229AC040000-0x00000229AC047000-memory.dmp

                    Filesize

                    28KB

                    Download

                  • memory/4556-2-0x00000229AC080000-0x00000229AC084000-memory.dmp

                    Filesize

                    16KB

                    Download

                  • memory/4556-1-0x00000229AC070000-0x00000229AC075000-memory.dmp

                    Filesize

                    20KB

                    Download

                  • memory/4556-5-0x00000229AC070000-0x00000229AC075000-memory.dmp

                    Filesize

                    20KB

                    Download