Overview

overview

10

Static

static

3

2025-03-22...uk.exe

windows7-x64

10

2025-03-22...uk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 10:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-22_b2a31ff4048cc5c9ec4e5d44e742a94b_ryuk.exe

  • Size

    905KB

  • MD5

    b2a31ff4048cc5c9ec4e5d44e742a94b

  • SHA1

    63892286dd4505971f1c061b70e21c6760bddc47

  • SHA256

    acfe65cf08cb8b8239b27d762f68f6602210b686cd88438a24f6c77d8524ff46

  • SHA512

    f74ce6a4767503ea1ce8d3f6fba89a9acf25abe3d6e53c2c0acbdba20dc56c834949203dd46ad10a06166912f0cd222b9ae9e3c9db8eb011672d86f17ee69c3f

  • SSDEEP

    12288:CthJIq+H3rw6R59ES7lWtE02rBzhzasvJZlDvRHeplOwFGwhMTSVTPEDSukrEOIe:CX+qS7ZGSL5FxJPp+ewwwh2SZAO

Score
10/10
flawedgraceratbackdoordefense_evasionloaderpersistenceprivilege_escalationrat

Malware Config

Signatures

  • FlawedGraceRAT

    FlawedGrace is a full-featured RAT written in C++.

    ratflawedgracerat
  • Flawedgracerat family
    flawedgracerat
  • FlawedGraceRat Backdoor 11 IoCs

    Detects FlawedGraceRat x64 backdoor in memory.

    backdoor
  • FlawedGraceRat Loader 12 IoCs

    Detects FlawedGraceRat x64 loader in memory.

    loader
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\System32\msiexec.exe
      msiexec.exe
      2⤵
        PID:3160
      • C:\Windows\System32\msiexec.exe
        msiexec.exe
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Windows\System32\svchost.exe
          svchost.exe
          3⤵
            PID:1792
      • C:\Users\Admin\AppData\Local\Temp\2025-03-22_b2a31ff4048cc5c9ec4e5d44e742a94b_ryuk.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-22_b2a31ff4048cc5c9ec4e5d44e742a94b_ryuk.exe"
        1⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4220
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2025-0~1.EXE >> NUL
          2⤵
            PID:4728

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1792-48-0x0000029095940000-0x00000290959B1000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1792-49-0x0000029095940000-0x00000290959B1000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1792-61-0x0000029095940000-0x00000290959B1000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1792-57-0x0000029095940000-0x00000290959B1000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1792-23-0x0000029095940000-0x00000290959B1000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1792-32-0x0000029095940000-0x00000290959B1000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1792-56-0x0000029095940000-0x00000290959B1000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1792-22-0x0000029095940000-0x00000290959B1000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1792-58-0x0000029095940000-0x00000290959B1000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1792-21-0x0000029095940000-0x00000290959B1000-memory.dmp

          Filesize

          452KB

          Download

        • memory/1792-20-0x0000029095940000-0x00000290959B1000-memory.dmp

          Filesize

          452KB

          Download

        • memory/2188-10-0x0000000001A50000-0x0000000001AF4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/2188-13-0x0000000001A50000-0x0000000001AF4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/2188-18-0x0000000001A50000-0x0000000001AF4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/2188-9-0x0000000001A50000-0x0000000001AF4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/2188-12-0x0000000001A50000-0x0000000001AF4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/2188-8-0x0000000001900000-0x00000000019A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/4220-6-0x000001732A280000-0x000001732A324000-memory.dmp

          Filesize

          656KB

          Download

        • memory/4220-14-0x000001732A280000-0x000001732A324000-memory.dmp

          Filesize

          656KB

          Download

        • memory/4220-0-0x000001732A280000-0x000001732A324000-memory.dmp

          Filesize

          656KB

          Download

        • memory/4220-5-0x000001732A280000-0x000001732A324000-memory.dmp

          Filesize

          656KB

          Download

        • memory/4220-4-0x000001732A280000-0x000001732A324000-memory.dmp

          Filesize

          656KB

          Download

        • memory/4220-3-0x000001732A280000-0x000001732A324000-memory.dmp

          Filesize

          656KB

          Download

        • memory/4220-1-0x000001732A090000-0x000001732A137000-memory.dmp

          Filesize

          668KB

          Download

        • memory/4220-2-0x000001732A280000-0x000001732A324000-memory.dmp

          Filesize

          656KB

          Download