ryuk | c7f8289950b0d8aa97dceadf2a98aef51886710d56a5283b889c9ad191531028

Analysis

max time kernel
171s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7f8289950b0d8aa97dceadf2a98aef51886710d56a5283b889c9ad191531028.dll
Size

130KB
MD5

1e2b8973130672a1e739b035d30155b0
SHA1

b4f098806ac9060f0f4dd3d63e8d831c69be6c81
SHA256

c7f8289950b0d8aa97dceadf2a98aef51886710d56a5283b889c9ad191531028
SHA512

a4be4accd1f5a7ab4131b477f61565822f545cff1c89e6167de4f07fa7bb1a8204c87c7ad7a40c83ed54161f5f4e6853196bb843949222384efd561692e2c4be

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'BVb1qR2'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

PFeXAUzHLrep.exeUpHVkmBhClan.exeoLKOhKLNOlan.exe

pid process

1164 PFeXAUzHLrep.exe
1148 UpHVkmBhClan.exe
968 oLKOhKLNOlan.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exe

pid process

1680 rundll32.exe
1680 rundll32.exe
1680 rundll32.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

1964 icacls.exe
1924 icacls.exe

pid	process
1164	PFeXAUzHLrep.exe
1148	UpHVkmBhClan.exe
968	oLKOhKLNOlan.exe

pid	process
1680	rundll32.exe
1680	rundll32.exe
1680	rundll32.exe

pid	process
1964	icacls.exe
1924	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\oLKOhKLNOlan.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\oLKOhKLNOlan.exe	rundll32.exe
File created	C:\Windows\SysWOW64\PFeXAUzHLrep.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\PFeXAUzHLrep.exe	rundll32.exe
File created	C:\Windows\SysWOW64\UpHVkmBhClan.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\UpHVkmBhClan.exe	rundll32.exe

Drops file in Program Files directory 2 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files\RyukReadMe.html	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1652 wrote to memory of 1680	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 1680	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 1680	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 1680	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 1680	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 1680	1652	rundll32.exe	rundll32.exe
PID 1652 wrote to memory of 1680	1652	rundll32.exe	rundll32.exe
PID 1680 wrote to memory of 1164	1680	rundll32.exe	PFeXAUzHLrep.exe
PID 1680 wrote to memory of 1164	1680	rundll32.exe	PFeXAUzHLrep.exe
PID 1680 wrote to memory of 1164	1680	rundll32.exe	PFeXAUzHLrep.exe
PID 1680 wrote to memory of 1164	1680	rundll32.exe	PFeXAUzHLrep.exe
PID 1680 wrote to memory of 1148	1680	rundll32.exe	UpHVkmBhClan.exe
PID 1680 wrote to memory of 1148	1680	rundll32.exe	UpHVkmBhClan.exe
PID 1680 wrote to memory of 1148	1680	rundll32.exe	UpHVkmBhClan.exe
PID 1680 wrote to memory of 1148	1680	rundll32.exe	UpHVkmBhClan.exe
PID 1680 wrote to memory of 968	1680	rundll32.exe	oLKOhKLNOlan.exe
PID 1680 wrote to memory of 968	1680	rundll32.exe	oLKOhKLNOlan.exe
PID 1680 wrote to memory of 968	1680	rundll32.exe	oLKOhKLNOlan.exe
PID 1680 wrote to memory of 968	1680	rundll32.exe	oLKOhKLNOlan.exe
PID 1680 wrote to memory of 1964	1680	rundll32.exe	icacls.exe
PID 1680 wrote to memory of 1964	1680	rundll32.exe	icacls.exe
PID 1680 wrote to memory of 1964	1680	rundll32.exe	icacls.exe
PID 1680 wrote to memory of 1964	1680	rundll32.exe	icacls.exe
PID 1680 wrote to memory of 1924	1680	rundll32.exe	icacls.exe
PID 1680 wrote to memory of 1924	1680	rundll32.exe	icacls.exe
PID 1680 wrote to memory of 1924	1680	rundll32.exe	icacls.exe
PID 1680 wrote to memory of 1924	1680	rundll32.exe	icacls.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7f8289950b0d8aa97dceadf2a98aef51886710d56a5283b889c9ad191531028.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7f8289950b0d8aa97dceadf2a98aef51886710d56a5283b889c9ad191531028.dll,#1
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\PFeXAUzHLrep.exe
"C:\Windows\SysWOW64\PFeXAUzHLrep.exe" 9 REP
3⤵
- Executes dropped EXE
PID:1164

C:\Windows\SysWOW64\UpHVkmBhClan.exe
"C:\Windows\SysWOW64\UpHVkmBhClan.exe" 8 LAN
3⤵
- Executes dropped EXE
PID:1148

C:\Windows\SysWOW64\oLKOhKLNOlan.exe
"C:\Windows\SysWOW64\oLKOhKLNOlan.exe" 8 LAN
3⤵
- Executes dropped EXE
PID:968

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1964

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1924

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\PerfLogs\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Public\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\RyukReadMe.html
MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Windows\SysWOW64\PFeXAUzHLrep.exe
MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\UpHVkmBhClan.exe
MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\oLKOhKLNOlan.exe
MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\PFeXAUzHLrep.exe
MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\UpHVkmBhClan.exe
MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\oLKOhKLNOlan.exe
MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1680-55-0x0000000074EC1000-0x0000000074EC3000-memory.dmp

Filesize
8KB

Download
memory/1680-56-0x0000000035000000-0x0000000035028000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads