Analysis Overview
SHA256
87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de
Threat Level: Known bad
The file 87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de was found to be: Known bad.
Malicious Activity Summary
Ryuk
Executes dropped EXE
Modifies file permissions
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 04:58
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 04:58
Reported
2022-02-20 05:38
Platform
win7-en-20211208
Max time kernel
183s
Max time network
214s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JyALUjoOQrep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XYiupUWvmlan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
"C:\Users\Admin\AppData\Local\Temp\87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe"
C:\Users\Admin\AppData\Local\Temp\JyALUjoOQrep.exe
"C:\Users\Admin\AppData\Local\Temp\JyALUjoOQrep.exe" 9 REP
C:\Users\Admin\AppData\Local\Temp\XYiupUWvmlan.exe
"C:\Users\Admin\AppData\Local\Temp\XYiupUWvmlan.exe" 8 LAN
C:\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe
"C:\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe" 8 LAN
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
Files
memory/1364-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
\Users\Admin\AppData\Local\Temp\JyALUjoOQrep.exe
C:\Users\Admin\AppData\Local\Temp\JyALUjoOQrep.exe
\Users\Admin\AppData\Local\Temp\XYiupUWvmlan.exe
C:\Users\Admin\AppData\Local\Temp\XYiupUWvmlan.exe
\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe
C:\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe
| MD5 | aaa963a1b4c71047d667f0c3d1760d44 |
| SHA1 | 90ce48d945427822647242d42678fb6fb5b77d73 |
| SHA256 | 87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de |
| SHA512 | c3cfc8f91ac084ba4ed03e615bd0c55ef65dae3c0618dade3eccd1e2aada1edf30b6cd03e7240b2fce19b5f4f3071ee8c39ab57b0bd073d8049982eb9aea54c8 |
C:\users\Public\RyukReadMe.html
C:\$Recycle.Bin\RyukReadMe.html
C:\MSOCache\All Users\RyukReadMe.html
| MD5 | 61c9611d053287ee36b372a5f0afe7b6 |
| SHA1 | 3fc282f6bb6dc1bb4ecf85174181f998e7cb2af1 |
| SHA256 | 5b8df0d55c2bccf2c3c646d98a0595cc1ef768b83bcd7bb5ff87046ba27383e4 |
| SHA512 | a1f7df991c526f04860ac5a6743c79f9edb7212d35742d125ba4594541ccb2797e64f20a47190e1b4d98b213b996c491f6e21c766c8d6baa692a11f135eb0a17 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK
| MD5 | 683de64d270a0e6809a23a82fc3e7379 |
| SHA1 | d26317ad29694d7ce314634b69c6273dc4625f85 |
| SHA256 | 9fc1cda22f8fcb36893fa1d4a75acd29bf4e080081770f924f84fef54260bea7 |
| SHA512 | 78ac50b6737cdf9d285fb64c1064e5f606d55102b6a718de02ea6ba02f4830a59d5e6b457c4ab10bc083f7eb96a4bb72a2bb54fe18f9ce0cb8774141273183fd |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK
| MD5 | e7ed59f0c2a1ffd6f554dde90d83d558 |
| SHA1 | f66a43c22a4a4d1ada9c55139ffb935bb6271535 |
| SHA256 | a0f0b88457c863a888cc7c5f3b2c5fbe2291af1de6b361425de5662a5feeb9cb |
| SHA512 | b67ae7d87a0b925a353d6766a67e5508ee50912145d25544bf6f88d1a005383c1ec03fec8cea7f7d0751ed64c7a4c25743cca3944b929ef16783030e7c207825 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK
| MD5 | 02da4d86d3f054b7c0328f0dfd661fa5 |
| SHA1 | 3881adaddbbb77c7b415a6881fdf4337d4c5d7da |
| SHA256 | 05f8d20cce7c231c68d7c9d77eee18b718aa91c33b6ecc925903856acd1c4cf7 |
| SHA512 | 480ab3cb1877bf7beb817108f59307513bcf3d0b1b94b75867d01f70c5cb695667b5213c69020284b5f6485175f59b15197a8a9bfbd3cf38e52661a587381643 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK
| MD5 | 06599a7091c7551fc5b31955a7caa3fd |
| SHA1 | 8f4de43015862de54e97c8f4a8296e2425c94492 |
| SHA256 | 77bf2e08e4d1764734a3352b8ea02a6a60d7708cb2fc2137996e4feaf583793d |
| SHA512 | c9cbd64ab7e9335d3286cda5d1b8f21a9112d8156b659a780ac5122c88327b1072269234db7340a05db14f10514d564cc3d40216a67cc7e2fa069e0c0cd047db |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK
| MD5 | ffbacdd76e3648254576bdc98e4f78ec |
| SHA1 | 4d28fcd99f07e37d3ceacecb2ae74ba2f3655779 |
| SHA256 | a1d182ab6ba46d46a3547066ee79808db6b466268ab96a67a0e8d84fd7345147 |
| SHA512 | 9ab8e893acaad858990b7c5c8847d8d12499435142c60d4a31644fb735bb1691cb850a8562c118ea67f8492756d6fe5cbda8956906ec9205397a8da07cc6a858 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK
| MD5 | dbaff791d67a94ce44486ad98904f9d6 |
| SHA1 | f9f2fd5f981753bbfb495a5704240fe573e4ff4a |
| SHA256 | b11158fe13ad68716f416bcb4761d9a2b26bbc10c39eed81ee005093f7a80e10 |
| SHA512 | dcaf7cf9b74394d47023d2cbf7935d4e2fa2da9c8020ead0e78d43eef4bf5b23add33468e3e3b82ced6e446c875b0538662ba594f14fd9e31cea9c5355423888 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html (hashes identical to RyukReadMe.html above)
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK
| MD5 | 01e3e10e0c8b50812f2aef7fc38489c5 |
| SHA1 | 42c144d8cdc39783645c086560c0600e92d71805 |
| SHA256 | c1442e09708396daacdd8ece1a9967a00ca1f79c11a509715eafb67fc006b40d |
| SHA512 | 6077d265dbde5b719ec68c1284bee630d300bc8eeaa89caebfddfffcd1112f4f2717a05bf0b97ad0d651b6469a4cfdfb1872ffee8aa541af0c679ea52d2e893b |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.RYK
| MD5 | a7c9e5b0775f0022bbe0b6eaf802c03b |
| SHA1 | 32b37a7dba413068b73f0e67b53bf4b1319632f2 |
| SHA256 | 06f0bd8be249eaef2ad8915c9bb87591ae6f004d2d2f7dfd70ac027d97ecf432 |
| SHA512 | 2c729fa7c75eb933993036bd77bc7c1a80862eafe01232b4d5f8c18dd2d1d56af0450d09e316ee8d9f34357ce10e210818d8e875459748f03c06f478cd2dbd3e |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | c956ee3fc7a24ce5ded06ff4cdc267c4 |
| SHA1 | 029e7f79aa91b90723cf6d2c776c55a20b0302cc |
| SHA256 | ce9317c2509a869011b9fab8a3645e1452ac73ba276269a4f7045f63de6728bd |
| SHA512 | f62a6cba93b571bd6cfc833e16c870797d143cd9b2a8c6d5a7304b5660819d2adddec45e7c54956d3f81ef556dfaf383934fda3d5bef0c3c1089a8c320a20b59 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK
| MD5 | 81678580e0e7d5b2e94bffe03d89ac78 |
| SHA1 | 7785828e4b1ad56c10fa636499ab1cc41877553d |
| SHA256 | 690ac587b3aa494f45a9764ca89b3de2f70a38b1abdc252b7a3a7bb627dbf1ca |
| SHA512 | 01cc24eb5e66201e24af763ecf0d1be112bd6a40fd20d939057c9eedbaa03cb6dfb3d579dee0249a94cf154df96ef5f48ec2bdf36b3fd1bbba7eaf52ceb012ba |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK
| MD5 | 727e997942952c06606f0cf3c1c64276 |
| SHA1 | 01502d9db076aedff80c2919e0d968ac573a8aec |
| SHA256 | 0b28034a3acdaf4884f7514464bf97789559543d892d07049042e3e483f09b7b |
| SHA512 | bae71d9a20a0b1bdc7c0e82eb79faadecab5ea2f2272feb45fbb6932d70aaf11618d8ec7f74729b7f01260b7ead0c993283f776fe27776370c00a3b9279b44a7 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK
| MD5 | 588d974ddc614980c67fd41446676777 |
| SHA1 | 7083966df2e241f5cb20dda272ec853e36bb4c7c |
| SHA256 | 9ab3c1c3f1944b6816cd10ecdb4b947c0c7af351a9c385a222ff2428dca23c99 |
| SHA512 | 151756d3f5a06eeebfd02141ea87a1d9b70506d66f5f5fd31edc5bdbeab9348dc3eced675700dab9213dd1c74d81f2791eba37f851a6c7215cd8b5c716e6a697 |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK
| MD5 | 6451375992c91363a491928451308940 |
| SHA1 | b4d54efee1c9c72fc579ecd383e6b2076ab4c17f |
| SHA256 | 12e12f96597ea0f929d90d7a980f4d17c0d7bb29a628606807abfc4ad1aebb44 |
| SHA512 | e50fa44b7ffeef33a6be3727aab8e0646b05b9a739ba27e0420c666150d0cf38b6843177c26542a99fbf1dedb68635e75d9ef54d1d3ee652459f2e4ea1a818db |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html (hashes identical to RyukReadMe.html above)
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK
| MD5 | 9056e6d7761d5abad6f49a892eb1c21a |
| SHA1 | c45196ecc6a55fa11e3330dd03e1d82534ce3e2f |
| SHA256 | 8a46428750d3e4c3468e97f3882d4557dd335d6dce1281748da0209143eb0267 |
| SHA512 | 1a63a5915cd583ab6f4f87864eb80609f5727f60746a94571cdf72be2d6f3cde0956bead1fa68ddfedf79d5ecba417d0a5803fce8ff7766d0c8d74a9cbc593ee |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK
| MD5 | a9336abb1011aa47aa7964c69241409e |
| SHA1 | 10d62a0a1658791506dd8ab8f2aa1be859b2a3ba |
| SHA256 | c35efde7fe682cb60f85626223e267e328002f02885747f415f55cb3839357d9 |
| SHA512 | 191a6b4c1b87041c1a7347cc507154f4a6eb07f0fc1117fbfdf3d8f3af156f76866d27c444d020118d48f6e882b23dcf6f7ad9d67396443e1c4491bf7ac9ec03 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | f3711ce8a6c3840b65f9d04b0e4ba418 |
| SHA1 | 2cab0fa47208188ebc008b947a52bcc773eae36a |
| SHA256 | b9f2069d9b144198170c2fe268b28b74837ed6fb193345beab6c1aff5ef80135 |
| SHA512 | 93cd70fe9fe664a97bb834c67844a6ae108c539174838b91ae36d3946b59b835314291cc7c0b67deeba911848953405b38b7ddc3e185394d087503cb7fdae741 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html (hashes identical to RyukReadMe.html above)
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK
| MD5 | f058a31c858712ea3552f5057dbdca3b |
| SHA1 | ebac1c4a1d57c2b95c37944cfa476fe215755d85 |
| SHA256 | e25e28b5c0a65943ea7e22ed95759559609727aad9dae98fd7ab5a8ffb63aaaf |
| SHA512 | e2eb93a407c880f4cca0c851540f651dab38d8ecc88eaa9c34e7c99846ee86396f4c7d1cc9e8b3afb3922f95583ca9dc19d41ddfad72f702e0ef483f92001d72 |
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK
| MD5 | 5954862be7bed3c9f3b157d4154511c3 |
| SHA1 | 01d99c71281a7a0e2444bf21fa7d024f4ac7c3e4 |
| SHA256 | c14e404107916af4e232572c2c768b4c5ffe07693303d43c0f6c18d747e02510 |
| SHA512 | 79ffc2970780d85924a7eb0dcc853c1302d7497d4552baf0b08e136f8d5f56434d9daff2a3fa125d473e1b47a87ed2d66bec724099df0eb0527883dcf6b7dbf0 |
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK
| MD5 | 876b1392498f5cc88b535c861dfa3a06 |
| SHA1 | b64d9d0a1f5b68660a74bba1edefa8f7b4a1f16c |
| SHA256 | d60a548f8a042153b844d37a52d9f849c36566f5c2c5dab797b2c798a29715ca |
| SHA512 | 6124230f735594d920a0fbf96da9b64e5fe88a9467414230051b593b62ea70113d105d3ececcef2245016a2f5bfbb20e178c5c373a0ac10b5741d03126dba455 |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | b81c29297c04f8e839dfe1c9ec891d99 |
| SHA1 | 55d6e9bb0d841bc9c835ee709b56616dc487928f |
| SHA256 | e2cf218cbfec5ce573ea725de3961a4a1bd1580e6baf9b58aecec38ec5c78f12 |
| SHA512 | 9501afb9c19645568d8d7e930f894897e6db51cbb19c5523afc6d82746863938d8feca0bc01f19fa853e01034e02361f2740f79965a67787d8004d5129b260fc |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 04:58
Reported
2022-02-20 05:38
Platform
win10v2004-en-20220113
Max time kernel
203s
Max time network
238s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lyDyPhencrep.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4520 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe | C:\Users\Admin\AppData\Local\Temp\lyDyPhencrep.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe
"C:\Users\Admin\AppData\Local\Temp\87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de.exe"
C:\Users\Admin\AppData\Local\Temp\lyDyPhencrep.exe
"C:\Users\Admin\AppData\Local\Temp\lyDyPhencrep.exe" 9 REP
Network
| Country | Destination | Domain | Proto |
| US | 72.21.81.240:80 | | tcp |
| US | 72.21.81.240:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 67.26.111.254:80 | | tcp |
| NL | 67.26.111.254:80 | | tcp |
| NL | 67.26.111.254:80 | | tcp |
| US | 72.21.81.240:80 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\lyDyPhencrep.exe
| MD5 | aaa963a1b4c71047d667f0c3d1760d44 |
| SHA1 | 90ce48d945427822647242d42678fb6fb5b77d73 |
| SHA256 | 87d24edd168572f28d262c9edc2b825ea628f86e39c2d1407e9fbc42685119de |
| SHA512 | c3cfc8f91ac084ba4ed03e615bd0c55ef65dae3c0618dade3eccd1e2aada1edf30b6cd03e7240b2fce19b5f4f3071ee8c39ab57b0bd073d8049982eb9aea54c8 |