Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10/03/2025, 04:46
Behavioral task
behavioral1
Sample
2025-03-10_b684550e9df7d4788991bde839f27900_ismagent_ryuk_sliver.exe
Resource
win7-20240903-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
2025-03-10_b684550e9df7d4788991bde839f27900_ismagent_ryuk_sliver.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
2 signatures
150 seconds
General
-
Target
2025-03-10_b684550e9df7d4788991bde839f27900_ismagent_ryuk_sliver.exe
-
Size
3.3MB
-
MD5
b684550e9df7d4788991bde839f27900
-
SHA1
d6bb5446b7af88300a504844d25c45f70c1d1bf2
-
SHA256
17ffb0cde527607983673481412015e489899edb3e9a94875e8d136cda904a48
-
SHA512
345176f4857c399db0375325a4872a87d6a074888b3274780813c621627e436563e36c571807d547cfe64501f0286f24e58c7ccf99cdfe7292c8567c392029ff
-
SSDEEP
49152:1X3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Qf:1lRsZ47/QXoHUOfAoj1x6f
Score
1/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2700 wmic.exe Token: SeSecurityPrivilege 2700 wmic.exe Token: SeTakeOwnershipPrivilege 2700 wmic.exe Token: SeLoadDriverPrivilege 2700 wmic.exe Token: SeSystemProfilePrivilege 2700 wmic.exe Token: SeSystemtimePrivilege 2700 wmic.exe Token: SeProfSingleProcessPrivilege 2700 wmic.exe Token: SeIncBasePriorityPrivilege 2700 wmic.exe Token: SeCreatePagefilePrivilege 2700 wmic.exe Token: SeBackupPrivilege 2700 wmic.exe Token: SeRestorePrivilege 2700 wmic.exe Token: SeShutdownPrivilege 2700 wmic.exe Token: SeDebugPrivilege 2700 wmic.exe Token: SeSystemEnvironmentPrivilege 2700 wmic.exe Token: SeRemoteShutdownPrivilege 2700 wmic.exe Token: SeUndockPrivilege 2700 wmic.exe Token: SeManageVolumePrivilege 2700 wmic.exe Token: 33 2700 wmic.exe Token: 34 2700 wmic.exe Token: 35 2700 wmic.exe Token: SeIncreaseQuotaPrivilege 2700 wmic.exe Token: SeSecurityPrivilege 2700 wmic.exe Token: SeTakeOwnershipPrivilege 2700 wmic.exe Token: SeLoadDriverPrivilege 2700 wmic.exe Token: SeSystemProfilePrivilege 2700 wmic.exe Token: SeSystemtimePrivilege 2700 wmic.exe Token: SeProfSingleProcessPrivilege 2700 wmic.exe Token: SeIncBasePriorityPrivilege 2700 wmic.exe Token: SeCreatePagefilePrivilege 2700 wmic.exe Token: SeBackupPrivilege 2700 wmic.exe Token: SeRestorePrivilege 2700 wmic.exe Token: SeShutdownPrivilege 2700 wmic.exe Token: SeDebugPrivilege 2700 wmic.exe Token: SeSystemEnvironmentPrivilege 2700 wmic.exe Token: SeRemoteShutdownPrivilege 2700 wmic.exe Token: SeUndockPrivilege 2700 wmic.exe Token: SeManageVolumePrivilege 2700 wmic.exe Token: 33 2700 wmic.exe Token: 34 2700 wmic.exe Token: 35 2700 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2644 wrote to memory of 2700 2644 2025-03-10_b684550e9df7d4788991bde839f27900_ismagent_ryuk_sliver.exe 31 PID 2644 wrote to memory of 2700 2644 2025-03-10_b684550e9df7d4788991bde839f27900_ismagent_ryuk_sliver.exe 31 PID 2644 wrote to memory of 2700 2644 2025-03-10_b684550e9df7d4788991bde839f27900_ismagent_ryuk_sliver.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-10_b684550e9df7d4788991bde839f27900_ismagent_ryuk_sliver.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-10_b684550e9df7d4788991bde839f27900_ismagent_ryuk_sliver.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700
-