Analysis Overview
SHA256
05214e5aa2516af0f07882ab92a4c9e7a565e721e16eb96c7fda7bd2f980dfbf
Threat Level: Known bad
The file 2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk was found to be: Known bad.
Malicious Activity Summary
DemonWare
Demonware family
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-19 01:08
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-19 01:08
Reported
2024-11-19 01:10
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
DemonWare
Demonware family
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2532 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe |
| PID 2532 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe |
| PID 2532 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:8989 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-19 01:08
Reported
2024-11-19 01:10
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
141s
Command Line
Signatures
DemonWare
Demonware family
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3008 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe |
| PID 3008 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_4d3ab23846b9dedc7b0ed695e873fced_ponmocup_ryuk.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:8989 | N/A | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files