Malware Analysis Report

2024-08-06 09:28

Sample ID 230523-t84rbsgb99
Target MTM4OWYz.exe
SHA256 d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe
Tags
ryuk discovery ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

Threat Level: Known bad

The file MTM4OWYz.exe was found to be: Known bad.

Malicious Activity Summary

ryuk discovery ransomware

Ryuk

Renames multiple (62) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Checks computer location settings

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-05-23 16:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-23 16:44

Reported

2023-05-23 16:47

Platform

win7-20230220-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe"

Signatures

Ryuk

ransomware ryuk

Renames multiple (62) files with added filename extension

ransomware

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\History.txt C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.sfx C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\7zCon.sfx C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip.chm C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\descript.ion C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1408 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\OZbjWsMnxlan.exe
PID 1408 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\OZbjWsMnxlan.exe
PID 1408 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\OZbjWsMnxlan.exe
PID 1408 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\OZbjWsMnxlan.exe
PID 1408 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\GEiQZcbThlan.exe
PID 1408 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\GEiQZcbThlan.exe
PID 1408 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\GEiQZcbThlan.exe
PID 1408 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\GEiQZcbThlan.exe
PID 1408 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\ydOxVrPGflan.exe
PID 1408 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\ydOxVrPGflan.exe
PID 1408 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\ydOxVrPGflan.exe
PID 1408 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\ydOxVrPGflan.exe
PID 1408 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Windows\SysWOW64\icacls.exe
PID 1408 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Windows\SysWOW64\icacls.exe
PID 1408 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Windows\SysWOW64\icacls.exe
PID 1408 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Windows\SysWOW64\icacls.exe
PID 1408 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Windows\SysWOW64\icacls.exe
PID 1408 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Windows\SysWOW64\icacls.exe
PID 1408 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Windows\SysWOW64\icacls.exe
PID 1408 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Windows\SysWOW64\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe

"C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe"

C:\Users\Admin\AppData\Local\Temp\OZbjWsMnxlan.exe

"C:\Users\Admin\AppData\Local\Temp\OZbjWsMnxlan.exe" 8 LAN

C:\Users\Admin\AppData\Local\Temp\GEiQZcbThlan.exe

"C:\Users\Admin\AppData\Local\Temp\GEiQZcbThlan.exe" 8 LAN

C:\Users\Admin\AppData\Local\Temp\ydOxVrPGflan.exe

"C:\Users\Admin\AppData\Local\Temp\ydOxVrPGflan.exe" 8 LAN

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

Network

Country Destination Domain Proto
N/A 10.127.0.1:7 udp
FI 65.108.73.119:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.252:7 udp

Files

C:\Users\Admin\AppData\Local\Temp\OZbjWsMnxlan.exe

MD5 e8673c8a299d1647ead6f3da4565ac54
SHA1 71015f9c281038d63bf7cd45894550c1a26c6b53
SHA256 d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe
SHA512 90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

\Users\Admin\AppData\Local\Temp\OZbjWsMnxlan.exe

MD5 e8673c8a299d1647ead6f3da4565ac54
SHA1 71015f9c281038d63bf7cd45894550c1a26c6b53
SHA256 d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe
SHA512 90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

\Users\Admin\AppData\Local\Temp\GEiQZcbThlan.exe

MD5 e8673c8a299d1647ead6f3da4565ac54
SHA1 71015f9c281038d63bf7cd45894550c1a26c6b53
SHA256 d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe
SHA512 90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

C:\Users\Admin\AppData\Local\Temp\GEiQZcbThlan.exe

MD5 e8673c8a299d1647ead6f3da4565ac54
SHA1 71015f9c281038d63bf7cd45894550c1a26c6b53
SHA256 d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe
SHA512 90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

\Users\Admin\AppData\Local\Temp\ydOxVrPGflan.exe

MD5 e8673c8a299d1647ead6f3da4565ac54
SHA1 71015f9c281038d63bf7cd45894550c1a26c6b53
SHA256 d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe
SHA512 90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

C:\Users\Admin\AppData\Local\Temp\ydOxVrPGflan.exe

MD5 e8673c8a299d1647ead6f3da4565ac54
SHA1 71015f9c281038d63bf7cd45894550c1a26c6b53
SHA256 d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe
SHA512 90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\RyukReadMe.html

MD5 aad27a2b7aafd7847fa58ddbf07a2d25
SHA1 5a367ec3a44b5c079d80e414555675e316947d28
SHA256 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d
SHA512 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

C:\users\Public\RyukReadMe.html

MD5 aad27a2b7aafd7847fa58ddbf07a2d25
SHA1 5a367ec3a44b5c079d80e414555675e316947d28
SHA256 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d
SHA512 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

C:\$Recycle.Bin\RyukReadMe.html

MD5 aad27a2b7aafd7847fa58ddbf07a2d25
SHA1 5a367ec3a44b5c079d80e414555675e316947d28
SHA256 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d
SHA512 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

C:\MSOCache\All Users\RyukReadMe.html

MD5 aad27a2b7aafd7847fa58ddbf07a2d25
SHA1 5a367ec3a44b5c079d80e414555675e316947d28
SHA256 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d
SHA512 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5 7d493a393b4fcd1cb4c7c5906bf69a9c
SHA1 e16a949aeff5b98d15b10a0b2c1197f1817c5551
SHA256 c1673747163ae8fdb941a642d41570fafe8b69a2cc9f2fb81732f315713d6d5e
SHA512 d4b3df4839cd992dd00767bed3917d896e219f47a896ffdb67c3e4ee5d74fd1480b5e7a401579f7ba706659b97cd0f78af1e7cd6b27dfdd0997353ec4904eb3b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

MD5 eb4ee510d8b76ba96333dcf6a4e7018c
SHA1 f69cb50ff40f92c5fc795de9e5fb763da5e35eb1
SHA256 6aa2213a44176f558e1a9b0d59e3ba534f419218ba7deb8f179cff3463051299
SHA512 74d4a301c319c8aca038b21a757f24cf9d37f63cf26683db18c1db0e2cefc609f9f8905a39fcbd23a71e2ebb198fa63c01553ae5631aa7122f0daf34c163377d

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 aad27a2b7aafd7847fa58ddbf07a2d25
SHA1 5a367ec3a44b5c079d80e414555675e316947d28
SHA256 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d
SHA512 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5 c42cd7a692e7ecab50789247622da8d3
SHA1 c548768df03d5ba2cfc847ebef561882553a9af1
SHA256 d4c230b737c848509650b9cb31620044f9fa389e96b334267d544ee9e3898779
SHA512 8a5747280a1933ffd079901c7d413c84304a08f2f83d56bd76fa07de9bef7739ed9298f67bc46326ed6dd3b14e9f05d465abaf161219cd7234ea755aa8818424

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK

MD5 8425a01507ad5da4b294e62876c5538b
SHA1 c83b576826198c5ba853ef140afefd0a16726ac8
SHA256 3da755aff37a3f368f877c24299f7e5944309b254468fba3432bab19d8bfa976
SHA512 b09fac71c761a568f361ac4f7cd8f5c5b1d03b9233a6df5409fee179a097975f81539dc6d32e183f24b5f363c22a2b07d1a38839503a025c0fe668c1fd67e23d

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5 9fd8ef18b059a8ac8ba7407bcd4f2089
SHA1 4b288ddbc40ba7696cc01732aafbd0cdc610ff2d
SHA256 f1088386bd5866eacb2c739cbc00d6253d50cdbb39e0b453db02ecdf7160dd5c
SHA512 09ba4769e5a4b8b6f6a5095a5a3a8c9c9f9d2beba212e2d0870890f9b0f88542cfc4c779f8a9a4bd52ce536e46dd5418fbbff5a3a456260b0cfdb286eaac800c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

MD5 9bff559c5d468bb93107d1bd466d030a
SHA1 03db48fc1708a3d02999efeebd8a462348c1e91a
SHA256 7a17c9cfa52c1c0fb9a0dc3953c6d04c05b806ee13483b1f46a2b49ddc0ed5b9
SHA512 c2fb364e246b712ee551c777b11035954f4384e1a07235f9ed0272215a3ff862b446be9160451f056bf10e4d82f5d11670287190c3f27986b77131e1d36c55d3

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5 ed94567d03f22a080bc50a3741e8cedf
SHA1 8d2fae602ad349bf3af4579eeecc9ca546d973ae
SHA256 5d3cfda361afcede041dc489aa48e797933c3d7d297dc1f1422e40f059ee6f68
SHA512 1c2ed33f0ca3a2e33a14e6511225e407554ebff94bd8558598afe0664e86c879b042a9d688d4c6d3e41999215d7aba4f0cda915cedbc3c66db1b0b0f7ec32b81

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

MD5 4b2da3a49155dc72d4ca89d2b6dd451e
SHA1 982f53b8d1e30dea5abc217dd45549d27b6565ad
SHA256 a20a189baca7f8f73700888354b53e38534fc65bd80ecaa7bb03413ba5f56f42
SHA512 25cd46943327bf0d96cbe4ecbe8393a96644a88238293e9ab9c40757a8d0e0957a82f5be0e2a2262d6c55e0ae0e6b9b57d8dfab4a6fcdcf1cb6fc88f4e10b5b0

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

MD5 79c2cdf492776427c0b180015405539d
SHA1 4e72cbd03b73fd7995c7637a3fb775e4a6cd2398
SHA256 27d1e51fc5d08ea1a4055d61fc82a910e089b3dd48cb2c49f7a04104ab0b8240
SHA512 ccf317cbb0127e199abb7349c00b70cf31d33aa285abdeda7faab8e7541399c3462392dfcd5c2c434d558ed047fcbe3abdc740cd5162538b05a7d736ecae2f69

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 8948d1d87fb556856ad8be5040b0ce74
SHA1 1474a691494ab96873e9901ff95136860b051ba3
SHA256 3cf2021d721aac9ec986f4d7a824919ad44c6df4b1bb0d5bf286d64d10838406
SHA512 936b2ec236dcff39ba6cbeb2a5a381b3514b6eb45e7c3a76bfb55cdf95cfe6cc9df82ea535891e8027866bf6e2562f0c0cd67b1a95b8c716d349195e4b1a1d03

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 aad27a2b7aafd7847fa58ddbf07a2d25
SHA1 5a367ec3a44b5c079d80e414555675e316947d28
SHA256 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d
SHA512 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5 38ad7f72b8b514a1e1fd780581d8a5ef
SHA1 e301b5aad1f33149b7f3531eb95bb63a6637ced0
SHA256 5a3ad00ea866282c4fc0fc531bb6f3b88300046d15f46b4b0f98cbde8da5c6f1
SHA512 3aac629abbab0f05afa7e107635a3479a399003906cc37fedf104238ebe5c1c45f9887be1fcecae1366845e9ba0409e36b03c9f88bea2f7584818dc65479dae8

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5 e2dd1b7cc26c6ab21828b216b2fcf889
SHA1 b6503be573b6096dec496923483c915b07a5e96a
SHA256 f213bfd2cbad93623f8ee4b0ccee3ffbf8020132676505b89b1f3cd543736eb1
SHA512 467055e8aa9dd6f2cd03b123c629cafa64a2749de62d61023c031275cb3f44fdc5f36ddf5ee77fe8cfddfdf188ee059f5580ebe66208029da139a35694d6b972

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5 aad27a2b7aafd7847fa58ddbf07a2d25
SHA1 5a367ec3a44b5c079d80e414555675e316947d28
SHA256 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d
SHA512 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5 a409614415b8c60b4f0bd9155872242b
SHA1 89a6da5020023646a828200cd9aff7bed9689be4
SHA256 ba8bd6740fa164571791fcbeb2a60c1c2c19a230ecca9ae61074159141a285db
SHA512 edfd5f91a801c7ffc0fb20b915208cbffc13f72bdcc3a12b2e72f97bc3f47ef6af8086d007d4c8dc8a11eab456eacac791562e59cdc396a06b958f61c044d191

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5 8541c85c16704284689eb4030a6054c3
SHA1 8cda719954070c370e06b2de565371466cd0f785
SHA256 7784a0c8c7bf07b52d5e5e483db35f01a3af9365993040026425c111742e6d7e
SHA512 75506101a0a7a01a543e20ec81acf719722137a464dac1f4861237f34585b629c72bbfbb0f17a072c4699897a05cf71c16a246318365ed4584e44c1b943b650f

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5 da4dd8b6df4caa1e71b8995f544ccd23
SHA1 22b064b0bfaf4f38cf92650ac323da71ed237428
SHA256 4f384d0ea7fc054ae7c0ac4491b2ee9d54f8e9d9c7f1b82bf602a3dee1a421e5
SHA512 3df9866d436ead997f6c1fe63133253e2ba8808b5836e7a6bf3711d57d9475f5046ca2baffeeee58159530e984250a704beca5761b5d9f60f4060f5e08f6da72

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5 aad27a2b7aafd7847fa58ddbf07a2d25
SHA1 5a367ec3a44b5c079d80e414555675e316947d28
SHA256 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d
SHA512 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5 3f48539cdab145a3c17fc9044b87c83a
SHA1 c8d555f0f731881e6d5d0dd412ec2b084aa2e727
SHA256 d913a233091ba6f2c3f7f494a808cd38e1172b1370d39a4296e78a25147a2ac3
SHA512 e3d53d33aba39001a7c39f6d62f0ea2c7e281699d5f81a3982e1d4da1a9188feba2230b78b3068203c34ceb8a29cc594624f5add1add69726268aeb07cfab922

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5 669fd4995855e89ec2420eb1373b0e7a
SHA1 d053d5718f651dc69670480795b7910a9a1e6b38
SHA256 c9748dcd128ff2688995e440493ac8afb0710c23694f8c053d6b19d156705258
SHA512 4192e468a46b77d24e232d70f844319cc89528b14e67c41470e561e51ccff0b3e1728e65d0479f31b931888b529673b68fa28ad51e9c5fece5d53b4e20175c9d

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5 7ac0ce6d4ce60b008ea6e3ed83a00e05
SHA1 962f86fa03b24dfba2725b34ab1f504cbb09a852
SHA256 80214432e35a8df6db358ac4cbf47a5873ea0c6b4c66dafc5b0f3ca273880f03
SHA512 e5e3be07671de53835df04234bebb22c48048e89225fead8710a658da93a930694fcab2c194abf06d04e19a4484715e36352979ca8b57624a5f78ac9bd6b32b5

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5 aad27a2b7aafd7847fa58ddbf07a2d25
SHA1 5a367ec3a44b5c079d80e414555675e316947d28
SHA256 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d
SHA512 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5 aecd65b38d8663d13fcec71d8588297a
SHA1 fdcac85a1422e68005743183226babc24ba16f4a
SHA256 3f4d27f8d80bf71781c71d5a5893b414880e88668eb3d506ba201da9e7b88f6f
SHA512 710749449ce98069250e956587993a8345da3b02a254eff7754f51f87cbd6bdd2cc8c3e9c1ba2a6f5a75a5f202017709c31cb644494b7efe76ea11a5005938f7

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5 5d1ce8997f982afb87486bbe3dfa267f
SHA1 14a0ea20849d5ca50c5c201711bab61258178357
SHA256 5c32d7489b5fb39e4d9e52d5d3897ee34d2d7dc5171a977a126ac64548fdddb4
SHA512 7c1da58437e7c95d1b7ea81d43475cb5460f9601710a13ae4d1553fd70ef72de26c9cff97d60e3928f9f85664c730ec20a963a0fdafa1a3ef486e8877291f298

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5 aa4b9ff2c76ce7617a97b2831e3e0ff5
SHA1 9e69cad85a8e3ff115bd68b92b4ca788ff9ee8a2
SHA256 5d61a63afaa0e328eb0aada2fa53d6a9d55b8d8e1c3b6eb9d9a1cf050ec03cbb
SHA512 3b3aabd5c4c5b12121b1f394a18b2e26c3c58fe089e71fb277d1159db980a1c99e3a0bfff24b8ccd3e2ab4a352583667ca783ea31ff902cb9811b026fb0b4e3d

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5 f1efe794b1047789d61ab00c58718a1c
SHA1 75cab5e5bc81e2d620662051c4535d691f8f3a45
SHA256 c7faa78a6c8171c183e7ada11d888e18a55f8188982cb30c5d3d52e15225ec0b
SHA512 18335e5b72434aa81e3aac10fb788aa90b47ebfe1abfa7cc4d838f647621351094908e22d704a7ddf55e9c35aaa42bde74dd39f309bb7da9d356954518341071

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

MD5 41a48010976bde2e7989bad18211972b
SHA1 ac3b438f31bbb73aecbeeaa78e5797686a4d8352
SHA256 d0cbe4aff7edec54e6b8d3ffc37d3583c3c36bc45f19359302630fd0de392c29
SHA512 e0dba8fe4267c9c2df5f64109d0d4e9dc26ed39c26d4eacdda9ee7c95ca98a288ae5af9045f54ff445ae5ff2b46c39b1324b99ef32f3ae41e381d72abc95bbd1

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 12b61beb3434e4f269ff4190bfaa7735
SHA1 d8525eecc6379f8107e3239dc3d73a407fd04810
SHA256 30263b49ebec86ebf3d4cdb0f209223c176f9e6a95e20d05fc18e09615798a7e
SHA512 a53d4225e5e66913bb01eaaf8c70087ddfafcedde9b5d55584e384258a9bcc9ad9d52e46157b6f4bb06896e01069dfca3c1b5f8ed11586f399bee6250dd4a4c7

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 aad27a2b7aafd7847fa58ddbf07a2d25
SHA1 5a367ec3a44b5c079d80e414555675e316947d28
SHA256 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d
SHA512 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 e79cb2d72c7c84ef8b257c0dac37a7d8
SHA1 d715801a0cc2e3989a3ab7382e66937bdeb45ecf
SHA256 36ad9e77e07e444896d2dea57303da4a89794f5d84d8064f10a6f60134d2404d
SHA512 b36f1581f9ad40b131d2194cb56703f3baf7a5550f40bf46884dd1c27cb5524848f18208267b6cb4c7738b2f5e8cf255c75e012b53514d552e850932473117a0

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 aad27a2b7aafd7847fa58ddbf07a2d25
SHA1 5a367ec3a44b5c079d80e414555675e316947d28
SHA256 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d
SHA512 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5 3623b59d685656a2987d24be542f90ce
SHA1 db7fbf2315747d4a64a1a6221f55c4b3fad56222
SHA256 0f6f8d8921d7fe73b75330774a9a4640636b506f050fbc93b3b822348b1d0645
SHA512 6ddcf1b144f2cc642ae8aa3ed3461d853a867e86fb9d042f88e632cbef34f9db5f43d32cd257eaffac14a42d522be841d4b90cc1ada77293f8626ecc6f091a40

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5 fc5a0ceed36785e6452c616d309d90c9
SHA1 1070837ebbd7e896c3563f4052fead72efd4bbeb
SHA256 cfed341c79faf0b9855c1dded09849aa1faa04d96d5319c6490164b82f5866bc
SHA512 7c09a1de4e9fbdf5ee117d73bee0428d57402bf3ab80f00017a54aa5a3ee9b742d04f54ff2b28fb2c9e2430a7fe343e0299156ce81e6aed1bee4c7630e545457

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

MD5 b60a4d4871cc9204986e4add2ebbc97d
SHA1 c437947f4cc1c14ff4b712767eb5c07c8b45af43
SHA256 22cb6a9610a1e3c1e0f7160b4c04fb8016653e0b5cbf04c4f92f8fe578032809
SHA512 f07fe1083e83358ed86181daf3f2a6fa3ecd83d429c07dc56553fd87f8a41eb3e2455c396633773fc8f8c139b704145062af31a8739f56d0ca24d74790bc2228

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 552ad370fcb552f66e9c3976cc07e202
SHA1 766bb86734fb25f12ca11263407d4f087ab34c41
SHA256 0a51a847a8e145465c0a56d42992c557779f9927663d9b4416cc0cb477e152fd
SHA512 797ba80de1a12a54da5679e2b72bc8342a9b495937e52318a63e6ddac6350ee54c4eb9aa20f6fc7d85cbe5a4cc416f31a46ec32136eb7de6074f9febc675fce6

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 aad27a2b7aafd7847fa58ddbf07a2d25
SHA1 5a367ec3a44b5c079d80e414555675e316947d28
SHA256 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d
SHA512 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5 85802cd3bc75836e1530df647a8f6c3d
SHA1 bac2caefb58f8178c9b5c950375c4e447f52ffcd
SHA256 d5b08e3d266c3422b68ab219ad77188e8d28a050e483e47b97dcfc27bb8a785f
SHA512 4ed8287874435322d70d615893db5a46a94513c0d4e95b49c880639860f0967310b153c2eaaf3552de2bb45640906faedbb495cc026d923b04315276072e7e9e

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5 2ccaede187c74ea915e1037162f7051c
SHA1 0d186936ad16fa9483062f384ade6ae0643e658e
SHA256 f15ff7a9a6493df00eb01253e6769cf35c5283bf4cafe8b3bd721353814ee234
SHA512 47dc8fcceb854944b84794da4c0c116c7161c09196d718581ae93becc0938bfc8b42f9eae034776ae5c14a51f62e60a25954f36edf9605a102e8765d8c15eeeb

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5 f4d6ada3ff4ae7d1b2929fca8fa92a36
SHA1 1117cdda10a3ea55d4ad22c536cc1e76f17c06f0
SHA256 d8e27abfde6f74254611ccfb6c1d788a381981c530213342f2fb29c4d0bac0c6
SHA512 6451b0742a58283743a11dabaaf5f62a9943733811194bd58797f323aca4db15559421bfe0eded909a4fff3e8a2f8c4834653dbd793f13ec96a1ddf3e22cb592

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 62d99a083b93209c018d9fd3e94d0d9d
SHA1 54027addc3409476fba7e0a5698e9dab5db079ec
SHA256 f7d8c5bdac7d553317aab8d7392c349e1462b81f188be4da0953ad08ed230cd8
SHA512 4b0749e8a6dc2d726dd1b3aa6ef93c4e61a91eeeaa69075079bcc55f56f07ac9e7cdc0955792e0b1da761d830a92372434f007a85275ca596f2afb3eea34e094

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 aad27a2b7aafd7847fa58ddbf07a2d25
SHA1 5a367ec3a44b5c079d80e414555675e316947d28
SHA256 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d
SHA512 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

MD5 5f28b60c50abb6089e924961aad7b660
SHA1 fe4d927668bace9965a0df489891b80e7054921a
SHA256 54fb4b6c292367b1786f893359fe2a0debbd4a565008f035ece222f2633633c7
SHA512 b7457c633b178b08ffde16c3b91f710e17d0f46e47006ffc36ca7504096fba26f420f838f3f3f900c957e654558ab3edb5b41822dcecc65275d29fbf8dddd339

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5 e04b40b6ccfc6f496547cf1ddefd1965
SHA1 391416523f882a6dabfe2e5d81a1d6476eb10d74
SHA256 111f7ede6b6bdb4721c899eacc7d1acfeaaaae6d89d81cf78a098bfcab975c2f
SHA512 22c4a6fbd41da1d4bcd8df7cc5ce47272fcbf9b42067ad932ac78dde775f5eef96a847e38d8444a243929b94fc5ce0e4d0f8a01701504c51941068975fca854c

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5 2873ca514b9514cf786d721945a886d4
SHA1 3faa04bd344207d9e8c4fc48c469796ed6380179
SHA256 cac1e75586046dbcf747d0f4f378dfaf3b36463637edb46e8154202cbbee9b72
SHA512 39cf78389c4553a0656393baa26c89d937cf784c27bf6e9ead7550e511e9281095d7f6ccc5f8d15e38dc5d4939613497da8bd68a19204aa138788ab7dc891d86

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 991c58f1513197a70754dbe310b7fe7c
SHA1 f33abb4f4fbc05343260f94d58050d8082b4a162
SHA256 82718eeb7d3f045d6c6184751d9a5757f0f56cdbdeea8d8f3744a8156e64bd4d
SHA512 80486b1539da61c0166923a0ee7e4af3d92369dafb7392cde07707eb69fb3eb24266fd349d7c7e85ae6c16ae7f1ef0364bc4e6c59bbcd707fefa4b78a8a62a67

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 aad27a2b7aafd7847fa58ddbf07a2d25
SHA1 5a367ec3a44b5c079d80e414555675e316947d28
SHA256 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d
SHA512 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5 6c69a1e175c2a1aa7f22ba36c48e8c05
SHA1 a0bf765f60bee1d50c69620f57b25c5309afaa85
SHA256 dcc6613683e0210faf922a286607e113efd8ef58f37715786314bc3866b1a180
SHA512 5e5bebf4f417c215cfb22e59b663a809be8f986db5dbc5d337e05c600053eb0e7cf19f1e2c4610ef869a050f3acf97f1b1f80c570916bd973faafebc164d98cc

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5 689b02bf612616458c5c87a7504842f9
SHA1 748d8906636f1003d78808832abe7136d911dff0
SHA256 35e5e553e90b02e632df0972d35acd42dbd2bde6e07b8e73cba42d21d30e4bde
SHA512 c4639f1e92a764ad157f573360e128d4012bda71aa4adeae5b7cc603bf27a775936b46c0d3964d0b3f11d3caa11012b0f66c4807388e2c467e5eb9e24b065bdb

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5 0c7b2fa4bbeec3cc60ef101985384d84
SHA1 694a027fe967fe7017faa952cb42c7e66dcacdf4
SHA256 c92c3e2f5b4621f82b757d4d2b836998a73cad53e969b48267919b6875bc3a78
SHA512 ece44ebef5ab71dfb4ed1e46f3c476e8282a15f3e9ffc38a6f0d11871fead7f05029f533b92cbc2eb2dc9ed784fc2fd3b5c8a85629047e08aa0ae03fea55d4e2

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 f77448cb47007a7dcd568fc97c0b3b86
SHA1 1647a8d5e1da22f3d5945218c86101b6cd1b45cc
SHA256 d858ecf37e059ff230a23ccf6a1f9c6add31a0e811bfc79c373a488127d71a09
SHA512 6c33001c8cad3372a454bbbaf2e6c1f43984e22ed0f7098358a127ba5a35a13b5c3da1075fe78700a50c2ba51a97347ecd78ce9c28fd3b4abbb0cc554b0800c3

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5 76db3d5fb41271ad4775f9a45411521f
SHA1 8e4e3336d0a1b4f48b57a26161853d6bdd83609e
SHA256 7286e07315e4554396e596213e22de5a31fad22667de9f6903e6df52cb4102de
SHA512 0f3341b1b75e8965635cb1bec7d37902a3a8a053f109f140278b794577bc3b1d3d0ea477423aa90b53cac3289d13a436a620cf7a7db90c7717a916ac40e1959e

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-23 16:44

Reported

2023-05-23 16:47

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe"

Signatures

Ryuk

ransomware ryuk

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\7zCon.sfx C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\History.txt C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\af.txt C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\an.txt C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ar.txt C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip.chm C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\descript.ion C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ba.txt C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\br.txt C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cy.txt C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.sfx C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3760 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\WTChKkIEnlan.exe
PID 3760 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\UIWtBesmTlan.exe
PID 3760 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Users\Admin\AppData\Local\Temp\CegPfucaZlan.exe
PID 3760 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Windows\SysWOW64\icacls.exe
PID 3760 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe C:\Windows\SysWOW64\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe

"C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe"

C:\Users\Admin\AppData\Local\Temp\WTChKkIEnlan.exe

"C:\Users\Admin\AppData\Local\Temp\WTChKkIEnlan.exe" 8 LAN

C:\Users\Admin\AppData\Local\Temp\UIWtBesmTlan.exe

"C:\Users\Admin\AppData\Local\Temp\UIWtBesmTlan.exe" 8 LAN

C:\Users\Admin\AppData\Local\Temp\CegPfucaZlan.exe

"C:\Users\Admin\AppData\Local\Temp\CegPfucaZlan.exe" 8 LAN

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

Network


Files

C:\Users\Admin\AppData\Local\Temp\WTChKkIEnlan.exe

C:\Users\Admin\AppData\Local\Temp\UIWtBesmTlan.exe

C:\Users\Admin\AppData\Local\Temp\CegPfucaZlan.exe

C:\$Recycle.Bin\S-1-5-21-1675742406-747946869-1029867430-1000\RyukReadMe.html

C:\users\Public\RyukReadMe.html

C:\PerfLogs\RyukReadMe.html

C:\odt\RyukReadMe.html

C:\odt\config.xml.RYK

C:\DumpStack.log.tmp.RYK

C:\$Recycle.Bin\RyukReadMe.html