ryuk | 473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8

Analysis

max time kernel
155s
max time network
152s
platform
windows7_x64
resource
win7v20210410
submitted
26-07-2021 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
Size

116KB
MD5

5c6273b024c93c5bdf557813868f9337
SHA1

eafe0287e6ae983c6f1ff68f6c7780cc3a037783
SHA256

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8
SHA512

4164f5d7f485cc95825cd6608e0a58eadd456d00145bc3b73d3526e07faaf9d416d03e9a62c8c789db447549421cfc2db73f54f5cd3dabc1238c5da9727c2408

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'nyMTcbyxt'; $torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Loads dropped DLL 10 IoCs

Processes:

MsiExec.exemsiexec.exeMsiExec.exe

pid	process
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
2280	MsiExec.exe
1708	msiexec.exe
1708	msiexec.exe
2948	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

1296 icacls.exe
1192 icacls.exe

pid	process
1296	icacls.exe
1192	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\THMBNAIL.PNG	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01170_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02267_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00333_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\background.gif	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MAPIPH.DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153516.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME18.CSS	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACT.CFG	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Martinique	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR2F.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RSSITEML.ICO	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALSO11.POC	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chatham	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00330_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXPTOOWS.DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TITLE.XSL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\sunec.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00297_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveNewsletter.dotx	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\jaccess.jar	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN107.XML	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XIMAGE3B.DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OFFOWCI.DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Managua	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00100_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-14	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02227_.WMF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left.gif	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\LAUNCH.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10301_.GIF	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RyukReadMe.html	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIF20F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFBF1.tmp	msiexec.exe
File created	C:\Windows\Installer\f74e3ba.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB98.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDF9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF941.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFDD5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI37.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f74e3ba.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE62A.tmp	msiexec.exe
File created	C:\Windows\Installer\f74e3bc.ipi	msiexec.exe

Modifies registry class 7 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

msiexec.exe

pid process

1708 msiexec.exe
1708 msiexec.exe
1708 msiexec.exe

pid	process
1708	msiexec.exe
1708	msiexec.exe
1708	msiexec.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

msiexec.exe

description	pid	process
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeSecurityPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exemsiexec.exe

description	pid	process	target process
PID 1320 wrote to memory of 1296	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	icacls.exe
PID 1320 wrote to memory of 1296	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	icacls.exe
PID 1320 wrote to memory of 1296	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	icacls.exe
PID 1320 wrote to memory of 1296	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	icacls.exe
PID 1320 wrote to memory of 1192	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	icacls.exe
PID 1320 wrote to memory of 1192	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	icacls.exe
PID 1320 wrote to memory of 1192	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	icacls.exe
PID 1320 wrote to memory of 1192	1320	473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe	icacls.exe
PID 1708 wrote to memory of 2280	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2280	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2280	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2280	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2280	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2280	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2280	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2948	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2948	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2948	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2948	1708	msiexec.exe	MsiExec.exe
PID 1708 wrote to memory of 2948	1708	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe
"C:\Users\Admin\AppData\Local\Temp\473bcbcba12296b08b765b4f7c2beea5f56f263d5e6c0d15c1006af28f6172e8.sample.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1296

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1192

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 990046DBDC962EDFF1D0E1A027155F54
2⤵
- Loads dropped DLL
PID:2280

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding A7C19FF8D9A53659ADC0D7C2B6E9ADA0
2⤵
- Loads dropped DLL
PID:2948

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\RyukReadMe.html
MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\RyukReadMe.html
MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
MD5
d66132fb016d955558891741aea2f530

SHA1
78853080273407b951e3ddd262ec2e9d9e6cf4e5

SHA256
7ec297b5a7514a6bb6c7a28e726230c5990a1273520d805cb79a30449d798eaf

SHA512
af7220abf55dea052fce9b05a4909758988e86566bc7e93dd7701b93d0e3bb471e75bc7ade10a3435a597e9e2f53643c7f94f562b730424092f8c08e70d0245b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK
MD5
71ecbcbd38678bb24ea4f5176fdb74c6

SHA1
d1cdc93431b3a36579b6096cca860673d366f228

SHA256
7a5f0c8db9d149dc07b633f6a9dde18a2c025476503fd6bd2575eb6f37a9913d

SHA512
fe471322dea530b96816417aa55536eecd9725200dbb002750da18305384ce48f4f8ddc8a6315d11145fef7d508ed0c523a3a8bb9c049b9fe37538cc3ab6850b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK
MD5
ec12bcc0c5a0f2fd3e389c1f048702a3

SHA1
5367c4005840c453993c062d0a7d25f22bd73b19

SHA256
4cd0614eb45fb7ecd9ea456fbe4470d78372872f8be822f0f667047425337f4a

SHA512
2989a7ca349f4a7e121223ff3b3e59d171382738ec114eec810676961f973ad065ae8d1fcff7c8344376d5278992048403693d52a800138d1860d7ce2816ebc3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
MD5
dc5db16a1e10080cbfda49271dc5db65

SHA1
e923323c247fdf89a7c00983f7ac05daa9405ca3

SHA256
a2ab1f16a0333e7812105e34fcc8d877735c3684565010603ea5c5b5c4e754f2

SHA512
1dba3b335478e04bf21821cba0bd638e26695a89dfde01b783c875c2707b8d07fea2305cc4157ddf63c8a06ae335d1c9e585ad7dd57b52ef018fd85275edb5b0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK
MD5
24a775ce8e8d166bab3ccefcd1516feb

SHA1
1b8c6629f5ec86c0175681747d671d217b58a78c

SHA256
9282ae9ef2fc2e8fab1b75472127ac7c22826916cb5beb5b2d4228b7f4ee3403

SHA512
fe2ac6fd3eee90c20507c627c6f334ac8c8ab674b0c5fa69718c0485666d686228b1141c3504b0a6fa49416902936e7e314f8d762e76a66cef8558caf09d7f20

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
MD5
dfb492a9587df3a181d945a7569050a9

SHA1
d19b81e55eca08407997eb7bff96291731388d34

SHA256
ef9c348e2e67a57ffd8686ba6e8e47b5ae2558e887c0deda6a9ee4fa1ebe2e12

SHA512
3369a761bb4704041e1226c8b2ade3100246f7304d9001281d8449afc699da40394a89097e0a8a1bc6250bccf79e356b9bfa39a7f87c4610f7f278e022f51094

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
MD5
9c800fe6b1220287bcbda3fa2356b03b

SHA1
7f5635dd6f0bcd7e94cf1c1b44fe207a55699150

SHA256
c1b11f66241c8542e474ae731ce810dc19e42d963c47f15587b02a21ebe01209

SHA512
45a9902c3704419a41c9f184e44072e0cbbfaac3aa434c03beea53c51f51ae507910457b850172a9814496e7af6bcc98ba27643b3f652dd96fa957a39dc64123

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
e669cf2aceeab837479df488c41e2bcd

SHA1
7664fe5fadd421780f51f7d5d64d00a20725abc5

SHA256
1e789ded861f6b9cf7b2677b8c1f1626bf9212e5986c0463911433ad981383de

SHA512
9f6f3dafa84ddac3c82df76cae720e687b96f5009c79e0e2b009b7ca676e6e35ea5b99005d620a0cb2b8b5f94a3ce687b32813d5661f85c691d1150a4501338b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK
MD5
6824d7ab12d081e1a40241b8b780f2a1

SHA1
c78495fdcebc890d1167cca0d7dcee2aa8620a29

SHA256
a8c5bafa9250f3a98ca71ceed039309db67b8adacaa2f51b8d0f35d89eb62c43

SHA512
bfa7f857a4440e88a5f20c9adbf17dbe507db6a6727955dac1e1298a1bca87d6393e482fee159ebeb7894e1e4303621ce3f523c698cc49f649ec70701c9c896b

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
224cd05c99d3d0a3a11a2a4703b5471d

SHA1
c639a6b485be5c4681e59ad5fdb0bbc9408d3537

SHA256
d1afae7ef23e037f560cf165fe1fe2086e3ab1b9533d088f1e6cb0cbf1238385

SHA512
1e60945c419d8ad58c03259ebb6984eb91856b64bdaef03cd91ac7e8d024bd2d87d86a10595a6edea14c63b551c26ef19f5400de4d08b80def54d3e1830d7348

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.RYK
MD5
b15de6979d515123d95ecc88b154d925

SHA1
7df8428f50b26a9e59ded8b112e721484bcf5346

SHA256
30ff374fcce2f41fb7239b2651559ba0cb9e0878bb407672a6446589f01ae9de

SHA512
dd5e146f5ceb9d519319b1da40c991617b060fb8e9de6cd5e0e7d8075b65773b17659b30d38c7b955300b7f971f737519c4e490dbd37b2e8250313f9a7652f9f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.RYK
MD5
d8df0e5ef9f2555c5e511b112beac67a

SHA1
8d7d38a6cba96f1eb47013be88979ea77766cb28

SHA256
61dd8fcc947e190ebab03daefe14dc37a2948194bf16b0ec682baba2f629aa16

SHA512
cc53c9920b2a329e3b9406cdc120d35c1bcfdff73aca3500cd628d1329179a268b843bd4959211d1a5f8a9f5bd03dc3bf92ca8ad481e125eba1e12879af54e94

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.RYK
MD5
6fcf27ff7e4bd74642c036680dc2a4fa

SHA1
fa04648e28abb42eb186ac76821322936784a4e1

SHA256
60ee536feed6e13e5c8977a574a1a4212b67d8dc025dda5714b4845eae27ce85

SHA512
ec96edc4c534dfcacd3c0ff8a0a89d938808b20d5d8cb0ed28f6ccb1e6f019223b3301a7f66fa15b2a3f3b8a0845975865d3b640e31d5f7dc6399a51ab295d5f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml.RYK
MD5
a3d5a333c72d822e7e5fd3d4fa597636

SHA1
46df82bed9daf1bcb4cb21221a44716c9c0760c7

SHA256
79b8e5cc41bdd73de4930ce69ded5b288f8dc4f606e4285cec330d61d1e13d09

SHA512
ab161de7bb492006e32712c779fb65887b9cc21493f67ee9094b15f4e3fdc5a9518938fe57dc6534b338bb618029d1a697e27f2d7d16ed59f3c6099970efc249

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.RYK
MD5
7c3e1bec7dabbb5f0627bd3da7530b42

SHA1
8886772c5d6e4849950dd7252b8623fbb32e917f

SHA256
a6c4c01c0c765b246ea4c6cc9e65a06659ccf2035738ed45adc62e7b1ac2ef70

SHA512
23e2d04a2e3e3446c44ce296201d718684793f9467a9f6c04c31348fc8e207a4b45ca4d8179d313e0ce63fa71c61bbd11c22a65764a19a5cc8c7599a4ed4791b

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.RYK
MD5
6f644f6965c2452c63dcb625e748ec2f

SHA1
84c66095fd5e3ec56126f2af0c833b0968c67ab2

SHA256
6c6edff49600259700231b0c3f49ee88774c2240e2535ca854d004e2ba24a9ff

SHA512
8368720ff416c74c98b4f38c0fe0ca0eb226d886dc76ffcef62fe69df0f87d3bb9e897b8b79b9d67d86247dbf90cb3928f4fbd54203dceac91f55d19fd9cd069

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
fa09a885e427c382db1ae354f6ed0dd5

SHA1
bffd01931b8365a8d6aa62fd28176378bc1a63b2

SHA256
370ad6dc60a2e1da1a53671912d56e534e6c154c16b459ccc3d4be805d1ac22f

SHA512
dff7654f49579240f38e54c6909d4c70c468e1eadd460e4db787f46f2449c7faba66cbbafb2a3db850639c3508fea68e336f1784beb43420c2261bc38f163979

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.RYK
MD5
7fa90597a5226af21e6bbd2a64a68173

SHA1
02b099d583af65128e454a16023bac2fe96ad5ab

SHA256
df68b301f792eea305ab4afa2aed3c012616e755c332fd0fd5c1197830543a82

SHA512
23be3f44925be249d2fb18181a3b83862fe9dc396cc301f86b40649a47a1280ce691a36a83cbdd65036fd0ae269d15aea6ad5d41dc0f9da737078851e4fb0add

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.RYK
MD5
d21f3ab6106a4093f45a71bc643d1551

SHA1
5e1e1bac4cd4bf3b693aae08a80bbb2ac9137511

SHA256
029eb3a6a5f9a997a91472f826b50ddeff388e30edc8242cd74e8843a3901888

SHA512
f3bc9cf54d5d596322040f697f7122b7d97839bf1840cadeb22182d992ae28dbd3ad620276b2e831e52c3b7d6d735aa4475391446cfff8a4d109677d3073e9c6

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.RYK
MD5
c0e353504be59c5253f6020b0e3b1714

SHA1
49fc409d7aad6abc3aa63aa4f3e094482d8d779a

SHA256
451e13fa7a30e9ec4940c578962027ade5ecfb494aee676fa77191257ab5184d

SHA512
581b076030f3224fc1c6c74f54d5f1fcc15af4431d4a68c7e6e36296350456648f3607d4c072fb05cd3cc9be7b743f12370584e9ba01368a3488b5dfbc55c3b7

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.RYK
MD5
f3861c5be344bbea31337bf8bfd8ef10

SHA1
49bed051bef532555a0f1bf936f9c8546d24b96a

SHA256
3cad71c2b48b4abcb0689994816d72f52ea69b5e3763a11de1f588a258358071

SHA512
2c628a554f3d7a7569c4704a0c62df3b6d2c21b54a777e1e69366ed85b5d085952f6e6b358a1e8009307f7392c64c3c585137757e3b571ca3ba14af58a69c904

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.RYK
MD5
75e4c4c777a2e2dc28e39ca2c5c3cae9

SHA1
763d92f3ea03135518b193b87766c1dff8aff40c

SHA256
cf88e499fd15d33b0175c159c2bb3125f5ef92b491d66f563f9e686267ac408f

SHA512
84e576fd81c9e2bba126fcc7718a3a055068d8105926e604aab60d5d204199c1584af70c1354bd8fc1c5fb6b6992c01697da44816abd0f1a7a36362c60d7660d

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.RYK
MD5
4cd454df2fa8e4d832f5b25afe77e752

SHA1
b26f59bb69e82cb6976cd8c3b981c53d9cbbf102

SHA256
d944ee29075ded04baf5128f112ae2d8ed6a40bef2f86c39565003017d1f9461

SHA512
0e5602fb393ce5e143064760e444af59f2449b3df4d0a24a8ff777b76520033d3a040db1bf6ff3a4cea70331a0b6c9ffa10b0c5e9903a7d40405551160e602ed

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.RYK
MD5
5e63bda04457ecf96dbfe2fbb5914b3a

SHA1
e98aa1cfca204f8ea595aada9b9915b304b0cd21

SHA256
e7b1e4f61baf7a5a19f47c0818a6c36d4155ba439bdc26a87f9e6eba156acae1

SHA512
39c0c55ffc15e47a6e8a1547c07616fb10a745e7e70b9e4a1485c977fcff4da5111838b1f07e4851e11449b5fca3d87c4deefe8a62e0aeceb650459cab4ab7e5

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml.RYK
MD5
922e339fde78629cedb2016c29cc263c

SHA1
5e8b706117abcdd92808412db0c275fea3473e60

SHA256
41b04e141d7e28d1cad32ae21c6e90d330bbd6cad0ffc73f54079edd6b914662

SHA512
9b85bd72288c8160880c84f482d372c7911c093b9ee9919eacab085a5c032a2ea2f5520d2ee709b128cf3a2843ec8a01bfb36af8b03c440c046475a49014eab0

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.html
MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml.RYK
MD5
3c65db47c9f8c5cd70e0e1db3745cfc9

SHA1
ae24d94b0d4979cb3781a34db2a12134a19f1dfa

SHA256
55c5bc6d45637b24491fad735fa2ee01ee6fa4c62c43e118dcc02f72ea6af222

SHA512
8ec1e472a2fb0eabf5347823902f9dc03ead3d7ad0ca4ff14eec4b63d9ad7373555b0b0085a1ecb72a0ac1e598aef267693ad86ed83cfadf228eb6cbcabc0693

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.RYK
MD5
7d99738c1b0b47cdfa209da948cf1d81

SHA1
da969ca43b37569c507563aedba8d62473bd89df

SHA256
fe928b870eccad820b56dea50bbd797a9234efdee5b8c9ec512682c6149abc7d

SHA512
3de6a09be4287d259546ff34faeda979c0403efe937758230ba72c5b7349c23a60bcd91ce2b73bb230770e52298d1ff6333fa3564642565fc283406df3cbbb67

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.RYK
MD5
1eb3da5e3a5807c9865bdbdf84a59d25

SHA1
e533f859ee8145ea2ec88e8d4f466f035dc4924f

SHA256
4c70545947eab0095680799f64b8d2b876f53ee6972a4997e0af9723c1c6af65

SHA512
b5ac9d976f52a8712c5e38b1fe5eef9aa28f10ceb045c7810fa420ddf45906956b60d647acb5e5ef3a3307d24664c8e0836c0798a639b99a24d72cc72ba47033

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.RYK
MD5
50694fef4643806d2fa60e344ab0197e

SHA1
eacf72c181ede848800922e8d04d7a25feed69a6

SHA256
e008f0956befc93cd44ed5ca898debed4640f22ff303e2d275fd4164106b1c5f

SHA512
5969674a33329efaeb5cad1a00983cc29d004901f7d8eeca6e99c254fc54fa34c0f8c1d93e3e42f030e9d4841217b58961fa07fbc2b43a3aebac124c8001228b

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.html
MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml.RYK
MD5
d971ec89e4a8e228290f196984de532d

SHA1
7332064bb0bafbe04c90b07502c4e05eb4fbb003

SHA256
1e9c1da04231ea518bb49798dddf90014ddac317a0716d44dc5eb9a1a5f698f7

SHA512
3890994e13d644ca236eb26bfe09ce54dd1e92884eb47762602657691fb5f8e757fb703654625591984472b2cae0f598aa7f699c330c816212ad9cd0348016b2

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi.RYK
MD5
2363e8f67e30aaff7372ac642f287674

SHA1
57d8bab461847b9a0d79781aa2a7fab1bfbb04a1

SHA256
19c073f4a46a33f10793cf3888e9482fd4abad79861f7859f954643c066437c1

SHA512
8a9810f80c8bff6803e4ed60aa8baf11fb37f0b84347c83c298285319fdd4403924b722dcc6ec8f17488d7887a0d4469b293ded408f9c5397a861878e44fe4e7

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml.RYK
MD5
f6e35f8787c424cfea150854d7ad2234

SHA1
d9ba7dac3b425b0f9cfb9245422d9f502c6fa65d

SHA256
9c731f3d90e0f7ffa97568b36d699623417eb00f4bbc6de1ff4cebda57b08c38

SHA512
94a471a93bab4e1615c219523e84eba2c2fd5d90dc6bbfc0677314960bf5c07b39d3eaaff08659dfab54728118d19d5d6fd59e021648028ba1a08c31ab5c06ff

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
e7569d1240575b2133d3a58199ac68a0

SHA1
2ba258cf58e5c2f4118214abe5a11b22d65c822a

SHA256
06446737ae73faf49b66f7cdea74324f5da537b4f229fdb66233643684eb63ef

SHA512
1f25b6fbcffe07e7e8c0a72ee91080807103fdfcfe9c092ff4ee35c4992196e98251a3e95b3203abc56be72657a8d9ff95271c68d767a132d7bfd306d0ba2544

Download Submit
C:\MSOCache\RyukReadMe.html
MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\PerfLogs\RyukReadMe.html
MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\RyukReadMe.html
MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\Users\Public\RyukReadMe.html
MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\Users\RyukReadMe.html
MD5
4a322c0ac1e2421584da04c934aa057c

SHA1
b5ac6beefdccfc49a58ef6ac538826df6ddacf50

SHA256
754bc40f679e8177c5e6df718d9f99ef9532bb41dc02d3bc37ef595c1887681d

SHA512
30916154d0a16b130573c9e97f5855610bacafed30d4fb5c30e9a797519e21530c031029a9624d7cbd64fdc5446f1c6264d27906774e5767bf2347f61d93cb01

Download Submit
C:\Windows\Installer\MSI37.tmp
MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
C:\Windows\Installer\MSI3D0.tmp
MD5
ff58cd07bf4913ef899efd2dfb112553

SHA1
f14c1681de808543071602f17a6299f8b4ba2ae8

SHA256
1afafe9157ff5670bbec8ce622f45d1ce51b3ee77b7348d3a237e232f06c5391

SHA512
23e27444b6cdc17fe56f3a80d6325c2be61ae84213bc7cdaad7bb96daa7e8d2d3defc1b96c3cee4a3f32dc464b0e05720bcf1c0e99626bf83de1b6d5aac000a3

Download Submit
C:\Windows\Installer\MSIE62A.tmp
MD5
d1f5ce6b23351677e54a245f46a9f8d2

SHA1
0d5c6749401248284767f16df92b726e727718ca

SHA256
57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

SHA512
960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

Download Submit
C:\Windows\Installer\MSIEB98.tmp
MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
C:\Windows\Installer\MSIEDF9.tmp
MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
C:\Windows\Installer\MSIF20F.tmp
MD5
d1f5ce6b23351677e54a245f46a9f8d2

SHA1
0d5c6749401248284767f16df92b726e727718ca

SHA256
57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

SHA512
960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

Download Submit
C:\Windows\Installer\MSIF941.tmp
MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
C:\Windows\Installer\MSIFDD5.tmp
MD5
33908aa43ac0aaabc06a58d51b1c2cca

SHA1
0a0d1ce3435abe2eed635481bac69e1999031291

SHA256
4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783

SHA512
d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

Download Submit
\Program Files\Microsoft Office\Office14\VISSHE.DLL
MD5
2f4759c23abcd639ac3ca7f8fa9480ac

SHA1
9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

SHA256
6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

SHA512
6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

Download Submit
\Program Files\Microsoft Office\Office14\VISSHE.DLL
MD5
2f4759c23abcd639ac3ca7f8fa9480ac

SHA1
9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

SHA256
6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

SHA512
6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

Download Submit
\Windows\Installer\MSI37.tmp
MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
\Windows\Installer\MSIE62A.tmp
MD5
d1f5ce6b23351677e54a245f46a9f8d2

SHA1
0d5c6749401248284767f16df92b726e727718ca

SHA256
57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

SHA512
960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

Download Submit
\Windows\Installer\MSIEB98.tmp
MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
\Windows\Installer\MSIEDF9.tmp
MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
\Windows\Installer\MSIF20F.tmp
MD5
d1f5ce6b23351677e54a245f46a9f8d2

SHA1
0d5c6749401248284767f16df92b726e727718ca

SHA256
57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

SHA512
960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

Download Submit
\Windows\Installer\MSIF941.tmp
MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
\Windows\Installer\MSIFDD5.tmp
MD5
33908aa43ac0aaabc06a58d51b1c2cca

SHA1
0a0d1ce3435abe2eed635481bac69e1999031291

SHA256
4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783

SHA512
d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

Download Submit
memory/1192-62-0x0000000000000000-mapping.dmp

Download
memory/1296-61-0x0000000000000000-mapping.dmp

Download
memory/1320-60-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1708-110-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/2280-111-0x0000000000000000-mapping.dmp

Download
memory/2948-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads