Overview

overview

10

Static

static

3

2025-03-22...uk.exe

windows7-x64

10

2025-03-22...uk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 10:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-22_b2a31ff4048cc5c9ec4e5d44e742a94b_ryuk.exe

  • Size

    905KB

  • MD5

    b2a31ff4048cc5c9ec4e5d44e742a94b

  • SHA1

    63892286dd4505971f1c061b70e21c6760bddc47

  • SHA256

    acfe65cf08cb8b8239b27d762f68f6602210b686cd88438a24f6c77d8524ff46

  • SHA512

    f74ce6a4767503ea1ce8d3f6fba89a9acf25abe3d6e53c2c0acbdba20dc56c834949203dd46ad10a06166912f0cd222b9ae9e3c9db8eb011672d86f17ee69c3f

  • SSDEEP

    12288:CthJIq+H3rw6R59ES7lWtE02rBzhzasvJZlDvRHeplOwFGwhMTSVTPEDSukrEOIe:CX+qS7ZGSL5FxJPp+ewwwh2SZAO

Score
10/10
flawedgraceratbackdoordefense_evasionloaderpersistenceprivilege_escalationrat

Malware Config

Signatures

  • FlawedGraceRAT

    FlawedGrace is a full-featured RAT written in C++.

    ratflawedgracerat
  • Flawedgracerat family
    flawedgracerat
  • FlawedGraceRat Backdoor 14 IoCs

    Detects FlawedGraceRat x64 backdoor in memory.

    backdoor
  • FlawedGraceRat Loader 14 IoCs

    Detects FlawedGraceRat x64 loader in memory.

    loader
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Windows\System32\msiexec.exe
      msiexec.exe
      2⤵
        PID:2600
      • C:\Windows\System32\msiexec.exe
        msiexec.exe
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1356
        • C:\Windows\System32\svchost.exe
          svchost.exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1696
    • C:\Users\Admin\AppData\Local\Temp\2025-03-22_b2a31ff4048cc5c9ec4e5d44e742a94b_ryuk.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-03-22_b2a31ff4048cc5c9ec4e5d44e742a94b_ryuk.exe"
      1⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2025-0~1.EXE >> NUL
        2⤵
          PID:2924

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/536-18-0x0000000003500000-0x00000000035A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/536-12-0x0000000003500000-0x00000000035A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/536-15-0x0000000003500000-0x00000000035A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/536-17-0x0000000003500000-0x00000000035A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/536-9-0x0000000003500000-0x00000000035A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/536-5-0x0000000002FD0000-0x0000000003076000-memory.dmp

        Filesize

        664KB

        Download

      • memory/536-7-0x0000000003500000-0x00000000035A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/536-6-0x0000000003500000-0x00000000035A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/536-8-0x0000000003500000-0x00000000035A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/536-10-0x0000000003500000-0x00000000035A4000-memory.dmp

        Filesize

        656KB

        Download

      • memory/1696-25-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/1696-57-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/1696-62-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/1696-63-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/1696-59-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/1696-60-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/1696-26-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/1696-22-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/1696-23-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/1696-24-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/1696-51-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/1696-35-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/1696-21-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/1696-53-0x00000000004C0000-0x0000000000531000-memory.dmp

        Filesize

        452KB

        Download

      • memory/2540-4-0x0000000001DE0000-0x0000000001E84000-memory.dmp

        Filesize

        656KB

        Download

      • memory/2540-2-0x0000000001DE0000-0x0000000001E84000-memory.dmp

        Filesize

        656KB

        Download

      • memory/2540-1-0x0000000001DE0000-0x0000000001E84000-memory.dmp

        Filesize

        656KB

        Download

      • memory/2540-0-0x0000000001C60000-0x0000000001D07000-memory.dmp

        Filesize

        668KB

        Download

      • memory/2540-3-0x0000000001DE0000-0x0000000001E84000-memory.dmp

        Filesize

        656KB

        Download

      • memory/2540-14-0x0000000001DE0000-0x0000000001E84000-memory.dmp

        Filesize

        656KB

        Download