ryuk | 58c50cebcd8465aff4672fdf8beae81678bd16409addfaa8135506ca90967822

Analysis

max time kernel
149s
max time network
56s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe
Size

545KB
MD5

352b1f3533ded8c575246d4466f68c49
SHA1

e430730620feec3673b9c38d87482c9294421b19
SHA256

b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da
SHA512

db9ab4315417679f6d1003e97067e87aae7f1c2b9f5a8358e32004d8322a997fc5f1627c3535517ca515e9493e9edb7292f1d1c6080e19d8ea71419fd4c6e9c9
SSDEEP

6144:GVnPzIGM2LsWO1LXmw42Upm5zc8VnPzIGM2LsWO1LXmw42Upm5zcZ:GVPzIGhAXBXLZgeVPzIGhAXBXLZgf

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '2neBqEej6'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk

Executes dropped EXE 2 IoCs

pid	Process
1668	wYMYSvaYOrep.exe
2728	qBiHqFQsYlan.exe

Loads dropped DLL 4 IoCs

pid	Process
2500	b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe
2500	b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe
2500	b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe
2500	b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
42788	icacls.exe
42764	icacls.exe
42756	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
195472	SCHTASKS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1668	2500	b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe	31
PID 2500 wrote to memory of 1668	2500	b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe	31
PID 2500 wrote to memory of 1668	2500	b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe	31
PID 2500 wrote to memory of 1668	2500	b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe	31
PID 2500 wrote to memory of 2728	2500	b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe	32
PID 2500 wrote to memory of 2728	2500	b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe	32
PID 2500 wrote to memory of 2728	2500	b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe	32
PID 2500 wrote to memory of 2728	2500	b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe	32

C:\Users\Admin\AppData\Local\Temp\b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe
"C:\Users\Admin\AppData\Local\Temp\b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\wYMYSvaYOrep.exe
  "C:\Users\Admin\AppData\Local\Temp\wYMYSvaYOrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\qBiHqFQsYlan.exe
  "C:\Users\Admin\AppData\Local\Temp\qBiHqFQsYlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\jQAghYrMRlan.exe
  "C:\Users\Admin\AppData\Local\Temp\jQAghYrMRlan.exe" 8 LAN
  2⤵
  PID:18084
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:42756
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:42764
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:42788
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:64076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:64128
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:64296
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:64416
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:63544
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:63388
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:64072
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:63820
- C:\Windows\SysWOW64\SCHTASKS.exe
  SCHTASKS /CREATE /NP /SC DAILY /TN "PrintH0" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\Ogg0C.dll" /ST 10:25 /SD 12/23/2024 /ED 12/30/2024
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:195472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat

Filesize
44KB

MD5
abe0411bd1d14fbafcc99545ce7c8ad8

SHA1
e4fec81b6bbe93689130e59ca307c234920b80d8

SHA256
430a7381b8d2d68ac2177bbb306dcaa4cd5a70ad6081ccbc012f88aa86f4a9be

SHA512
a26a2790ee73fb1bcab75c332c82bdc6af15a5dba90b93eb675cd360d9e9cffbdece0ebc13f58521bb2722c699f2ba3eb0d44ea229114997403cf65af5a30c13

Download Submit
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat.RYK

Filesize
31KB

MD5
8b9f309621cabfe7073d156b930c7b25

SHA1
d4ec4ae37115d142995dc33fdf5d0504aee04556

SHA256
ff42e21aa66d8f9b0db3622d9837f70211d30f45c6ab15884047b7feb39d2e24

SHA512
548638f0226127d0949b019a0f1c1affba82e8fb3b521b0b74c0b4c04a397217a9520276da4da4b21f72b0635f402344df44b9f350ffa5896a0aaa440224adf0

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.RYK

Filesize
48KB

MD5
5a7d30674fd8866a1cb3cad0130d9707

SHA1
75fdc392993be686db1ca11790165ee4d40ca883

SHA256
342044a6372c8ec0d1c7c11f07baed707c1290c96d242c12df0522e5a210d803

SHA512
36849a1fc49ae2f57a05d77905751a5181ba5b2c3e76a0b2925d9a25e201bb0669fa5dbe0d8fa0068cb7c85f610660089d777e0a4bbfd7f802da60287825c4f6

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.RYK

Filesize
48KB

MD5
9fb617b4fba08df7ff22d1dcf8fecf69

SHA1
3ad13db194a8a5c0964a0166ba4724e808bd01b9

SHA256
7434ba3247fc3babca52351b4894d08fb87359e2d3b7aa5800cc45e2ecd9d1f0

SHA512
5d53f2e1009160959de4eb541167a01ab2aa729559c6256f96488231225adc38a060b476ef03720b8f6424e84b29b659ddc1284ad674a1e3010ec8a311c62ff9

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

Filesize
8KB

MD5
ab97dac5da42ede10a0da7e0991f21c2

SHA1
1d0af7a77c6035b4f322e2e72fd5ad3b8eeaa1ce

SHA256
632927921e5cd052ac631cc03117da82dcb9c7bae9cf10b9714486a1d31b4e0b

SHA512
9513efbe83d0611959d7e3220828a86496e2d247f046b85fa662ebe0dcb3667e12025f2b7a4b3ded08b4d82f981803db15db266f06f8ecb5f3d7058005e6eb98

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

Filesize
2KB

MD5
9c65bc3210aa0e89a81c839b6bcf7fac

SHA1
f2c653e1ce1da92c337201d61550345a7bb6cea1

SHA256
041f46cacb4f92f19d993d73ac463dfe09be50c9b358f90e9fcefa3c69eae9f0

SHA512
e0e8eea5b058ae8cb635245655ee68963b75f7ead720b870946e42fab201be21bd99e87edb5a1bbe81d8d957c45d16202e52744d283e1033bf2326d4357987c2

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

Filesize
2KB

MD5
cd10370465b592517a0799118ff64936

SHA1
7bafcae87cce22c682e5fc53b35baa62757d4837

SHA256
9d01570f398008f646bfb85c944382aeb4617abcb3034f259a1cf46975b346be

SHA512
1644410a8c14ca3a8805dfefd563d81d608f82a557fcb9fd615f5c5221e4ae4226bc84a628fe334f37749bd9ca9a21ccb3b72a84de0aa95639cfd3dbf488c87c

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

Filesize
64KB

MD5
36ba6bb541a52c2fbfa50b9aa13addfb

SHA1
d3f8b33855122cfa89cebb80a07d6d7dcacd6a9d

SHA256
395862b1287778434858e23618b614ee7fed5c50631956818ef4becaab577d9b

SHA512
792507c19101cd30a4dcfb7f8e174a53903dad7dd21c68d31aecfe88ae7da08acc87ca01cffc54d54d58daa48b0033e69207039f6da531355665d4d3ba8f3c8e

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db.RYK

Filesize
763KB

MD5
2a7167619766b0f918da46542c68b5c4

SHA1
5b2e26281d61b1da6744056743cd8df8f6cc16d7

SHA256
e482fa989499056e37838f670f32e11f56565ba6b3fb86e4473d28992635afe8

SHA512
a436bb4c4e3a58cd1e97c47ddb26f7a02f01a207b381ba937a1afadc4e3c96b1b8be28ecb08f8edf5f1bac181e1d4a0c9a63edda3fa26d9d58888c737cc0d255

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\Popular Government Questions from USA~dgov~.feed-ms.RYK

Filesize
28KB

MD5
1e04b484bad0ad84705f70fca706197a

SHA1
0b451b8d87adb0554d95587a5c6583bf90561aa8

SHA256
889dc76ed2078b12f7faf891e3e0c28536c9188ae3ed53b905244db6e4c489c0

SHA512
cc92645af05967e2da390154357726f9d2822457456b583c219059c74d419673013c46966a1ede326fad12a73c8bf527e14831199e676f8855a177ed525491b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms.RYK

Filesize
28KB

MD5
158aa36a2f13d9d872a966cab5502cc3

SHA1
d4f96ec3439b64cb08b377112bd886a15e4eb8a7

SHA256
687e0b40fab423d57f943d58db0b1abb45ba73998fdcdd798f7a62aba767a13d

SHA512
c8e8564a7639ed2b6ed11231ba07058bb576751d660ecc5e706fbbc8bec68eb0f5651490bbf59b9d913d4f41cacf4f979e1fb72f96bc9a584455f8b7e13a380c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

Filesize
7KB

MD5
30cb9bda582b31ceea68a29a14d13a44

SHA1
70e61811f4748c710105e724acf84fbfdd2125b7

SHA256
8291caa08bd37a6b5394ab4cb956f5f40641557dfcf2ead96365dd1b83d547d7

SHA512
0bffc8723929f1907d50b565d1b9b09eb46a5ec31d66a8b88f54e2b64e0da5ea05d4c8ab50288d0cdb84c40dfeb78771f5f7fbf0c62d1b356f503f9932069b64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.RYK

Filesize
28KB

MD5
8311fd1ccf58e088d409eb42916c97c4

SHA1
00fffcea8d9dbde7982c4834c7e1198e475c1d54

SHA256
195c27ee9c455b8e907a9f9a29d8d11e472bc720273d86be18b95ec278d1623f

SHA512
e3ce7bce06f60dd6c732d0e0677c45517a7d1da3a922138933657825321694f4c8eeb0585499fb4506b9d8fe3670e018d58425323449575ce6d1bb10670f70f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms.RYK

Filesize
28KB

MD5
c76687979d35c5287f1cee4e13835968

SHA1
728b4f4e719f03ba07bf9a56288ac56b56229118

SHA256
889eec845ccc5f3a7cf88e3124641bf04d1fb5efdb5b8f5f1a072fcb38c8fa3b

SHA512
1aa07a77bda823fad5dcf515b18668afa468566559cdb81e00143adb1ee58feba52ebde177327c3d932dc6278a55fdf14d4c60852efb58140bfec0f356fbceae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms.RYK

Filesize
28KB

MD5
485ed06a1e6cfff07a80e16cd47b9318

SHA1
dae8e30618d90934cf772a93a4ff783490825932

SHA256
30226e65b25f35eb2714fa1ec8f0fc25d1552f136cdcbedab1c193c1d7bae34a

SHA512
f75e82230547f2efaaf8259138bb9cc77c19dcd6669a1f55d38b8c8f07d125d042fee20b266d1f1c3a18dcf8d32df12ba4031f596b0b1ac57739f74c6b1274f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms.RYK

Filesize
32KB

MD5
0235ef3a03a863c9fb8c1fe3d708b8e0

SHA1
e0da1309a777200efe7f856c6144e66c87b05ff3

SHA256
6afa26d18e7cd548a7c6959ff27301a8bd35ab22c4a71396d4d88c1e18f96844

SHA512
1ec05cc618dfb7f23ffc2dc0dd99a3bc02a23707ef1a52df6d16e1322e0707a15ad7db7031131092e04af57ce20f506be7ce59b28c9afeccad1bd6b2de26057d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms.RYK

Filesize
28KB

MD5
0faa06c6680f174d273b418e48014f5f

SHA1
11622c1f4849cd162f2815c0ecb5c77e50719efb

SHA256
8391294401c966e1325e442cd8bc7db16e97afb1c4dfa41d3104c77aea3bcc83

SHA512
720371b5a2619e98f3447d470bfa0e01bf493bc08963bd8481233b4d15038cc21d6fecc33745e80b21e8cb35177f68431a7edfdb0f24fc84ef5f63239b06deae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml.RYK

Filesize
149KB

MD5
ab5a0041b2894b597bb1077bed1fc6ff

SHA1
0fc9acc3b5293b5bcedcb1c4f4b6c1a845b02a9a

SHA256
10615a7ce869217bd20da1cd76a3d5addcb29cd418e297b7a65c956ea31be756

SHA512
a096cef33328f5a047dfadaa33e3319a8580309a682359f95eb61df898b9e0abf97fefc36831a8525af0a7ae5154b8054bf06176a25fd34dc985928f47bc8af8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9EFDDFD9-69B9-11EF-A0C3-D60C98DC526F}.dat.RYK

Filesize
5KB

MD5
7aa5ae7a825ebceee9494fef0f4ee385

SHA1
91b5fff4d5a7f4496b33f00720267e8ff8322ecd

SHA256
5e6c021cb1c23c53725738566cca1d1633d8324a466651bbf8bf45037851ff5b

SHA512
f8e1044b5b734aa91436c166864e0ade248b2de609afb81e028a71e13e4b5aebb6ac7a17d9486ef7e57307c4de6309709d97e075d152b30d28ea48c5491abf4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9EFDDFDB-69B9-11EF-A0C3-D60C98DC526F}.dat.RYK

Filesize
3KB

MD5
dbd1e1252b8412a6c1ddc6f8953f3a97

SHA1
595cb2c282331d1a52b0f4d16ad8b211bf7b693d

SHA256
572b565ea277a5bf231954dd9923aaa5d6d95174711f007e21f66c485a568eac

SHA512
5be6a3e4381dfb8515f18e29f23f4d12ba29e4416034ed4e3dd2cc428d5f27d91cec4b0240dcbfd06c0a787f99beec13f7a0641a9a1988117c0fc2c6f018f3e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9EFDDFDC-69B9-11EF-A0C3-D60C98DC526F}.dat.RYK

Filesize
3KB

MD5
186eff5ccc1601a299fece8fedb54636

SHA1
b5b6a19c5f241798fc3d172f4c74d9533e975083

SHA256
ae3deac8920e98e58f0f210c3310d0e2c2e96d784a96c259c42077b7e3f55465

SHA512
0e184cdfb51a20433fc6f640036b0b016a20e638791be4555de18762f49b1bad14b430e2c2737d92ed2ad66383276b6ba9b1c9a2e59a21865c4f014f589fe015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{7911E3A0-69B4-11EF-B301-62CB582C238C}.dat.RYK

Filesize
4KB

MD5
955309790dd52ca20e4ca8667b21ec37

SHA1
07120b37a7f15df0438fc9838bec7341cbd28a70

SHA256
5ed7bb09e6fad9d465d0010d4336495f434b4df9ce57a0bca8330604c8f5f9e3

SHA512
6edf1dbfb01d505d80ceababe41c9f5ef88fc9b003bac898d3971bd4c3be869cda75cd5f9f46472ebc06979de3ad4bb744d9cfe2980bc5a8f41d5f9e1ef0f86f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK

Filesize
12KB

MD5
9a0aa07bd58ad2fdcc57562cdce4c3dd

SHA1
599d49b99e1e2751d9d27274c04f35bd7b5b3d27

SHA256
7a26587ef93f81f3542fd5b54fdd3b77189b0203d4d3a5903aa1a7fc2f90b9bb

SHA512
8d3515249d8f496d253150e07d5525b95bbdcd67fff9c054f4f6e37404c13293062f87e54b6cccb5dfc34101191de8bbe5aec8c39bee07c2f217bf1e764f22d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK

Filesize
6KB

MD5
354598909f708e01b16e20bf3e0ffe55

SHA1
78f9b1424a45850b86e76b9d1872ab343369b4a2

SHA256
2ba11a009fbe4aa9dd39fcd2b9c2ede7927cc77769965bf679b9ad1ac519feb4

SHA512
164b06a6c38bad0d6d774f320761baaeab19d00814242fe05c4d5fadcfca9f2137dde89774b62a3952e0cf56521fcb2ae59d0399c44fab93bcf201f41449de63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\favicon[1].ico.RYK

Filesize
4KB

MD5
8b175b2e03d5a179d35846c0a71ae6eb

SHA1
40d611b73ee7a8e54e1e7fa0ee882f2259e2a304

SHA256
3c9f6a9b99f86936d3ef585a01a021c1d6ede69722e2087b7c4389a6e9f29110

SHA512
2a917de4a457d54d168c418cf97127bb168f1848ffabd71ee20a93073d3a03e486de6a48b4b33a42bace81f3809d818a28212ab6e7a15f5112e0f38e633004d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat.RYK

Filesize
32KB

MD5
36558103158e75e796ff10ac4cbf1fbd

SHA1
ea052e0ebcfe0a43c81f5fbed7637f0733140373

SHA256
88cc5a9d9b66924223b7b0f4a90f13790f9b36fe68dc55d46c0f959cc12abbae

SHA512
2fa4aaa6213055d2a78f49770eaf29240dca5a610522a23cb7666ce0f7e25ef0a162fbbc973eb2be77d5e0b457d633f1b75ba235d624f83482e29cd31f16e50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYMYSvaYOrep.exe

Filesize
545KB

MD5
352b1f3533ded8c575246d4466f68c49

SHA1
e430730620feec3673b9c38d87482c9294421b19

SHA256
b513cfbd101e728ec41c9d6f6515278434820466bfe8e4bc1849f2418d3f86da

SHA512
db9ab4315417679f6d1003e97067e87aae7f1c2b9f5a8358e32004d8322a997fc5f1627c3535517ca515e9493e9edb7292f1d1c6080e19d8ea71419fd4c6e9c9

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.RYK

Filesize
807KB

MD5
8d90af74a7066af6bf17346aeee924a4

SHA1
0c6a9e4aba717ceee6a9fcb77f5efc43e2afc948

SHA256
6d4f2ebf560ed0bb23b4bbf3eb7074b2d1e9f930ccab18e2e4c5c4cb39e4b521

SHA512
a7c04144e01ac351259498c96a6112ca1dbde778ab833a96ac04a88d8ff8640f37f4346771e35dac45b72081f0091606908f39296e767ecae016155cd9054694

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.RYK

Filesize
598KB

MD5
70bec85fabf23b6578cab61c8e0e7266

SHA1
99dccf4b9447523da653e358815ba00fbf95a561

SHA256
3ed34ca715d53355ea95e5b01e9283c62c741d2537b41df40ccfba21214cbf42

SHA512
fae1dbf647453f32356301263041212696a5e40af5dd63248bb424d68f5896ddde128fd630e1273cae3935c061c433928187d4b20e17dda16c8be880a5b9f8a5

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.RYK

Filesize
581KB

MD5
bae8dbdd4df47c624784c25a28a9e57d

SHA1
827235209c79b78989c93831249a59830184d54e

SHA256
35af7fc6546287f1e12262c9ad2fe91d02adc319612851d36c44da0a500855ee

SHA512
2bb12b00a1ebf8850a6329ac9ca4a0feafbea52e5954bb0fa9be22db3f300a9b8cca78f897417a77446bc63f7b1ba5fbc2a6b1309bad8d842891e6d4e8684eed

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.RYK

Filesize
660KB

MD5
4d4ec9046cd7eaab1f82f0b3a07dbf81

SHA1
a1d1090e6a7e6fcea3bf34783354fe2347845209

SHA256
f2bae7404c17d1592cd79f9611b357fbf9169350bbcc13dae2bd689872706ec7

SHA512
bb962a90424697b30b8b9ddf7699040ffa4c0e0233dea7c3b79178bb0ba283ff32804d54adca0ea941ccac0431f1ae0d1157179f97287c56f0ab7d4bd2560832

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.RYK

Filesize
500KB

MD5
916325adcc45b279c1b07c0d75f5206f

SHA1
42e5ffbb25330d8c976b8ebe25c1c41509cdc05c

SHA256
5f045a5d583b366d819470cdb9528aa661652437da3efb406144369baeea3c9d

SHA512
6cc52a6013771c871bcb78c117f75f98663afe5779f8ee805982bc935b8de99ae729f6a529e9b5786c5d0912cd018ec8cd5b8a4578fc745faa520b5a5f08b8fa

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.RYK

Filesize
548KB

MD5
d66905045319a1225971aa783df5678b

SHA1
cb0c7f38f3c3e647f4ed005a69a8151af54c3469

SHA256
be2167dcc178ae6ef21fd0f77c3508abbd273d8c4ec1903de14b0e1460d015f6

SHA512
1899d006248308a33101cc7ce1785a4b4bb8c0c6ea3eba79d41a7ac739dc44d5019af169111046cba302f9dceda9a3c660083025d0aba74e7c5f03ff1c4b95b5

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.RYK

Filesize
648KB

MD5
bacc8334baf2fea9e9711cda76ae5e4a

SHA1
10efaa5800b4c1c803d391e3cc6c6be15ded8ea8

SHA256
105eac38f346d02908f5688a37731fbaf2264a68085a6c83668956631b324141

SHA512
a244be9727b7b696f306c6954a12c409d1968a847721fd6065c5499ae465b896d6f9bddc2c5f56fa5e1036e7d89f75fe97134d7c979fcd52592569e93203afd9

Download Submit
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.RYK

Filesize
606KB

MD5
dff1f3cffdd3457f5464d017ab9d1c6e

SHA1
6ddf4607d0530cad7b4a11dd60e99a2280dcac42

SHA256
9ebf8e3edaf66f2e3bbec60a3b02ac663230a1cf32a84464703461d33a4e70b7

SHA512
9aaa067c3f96d2b2ae2b1bcc1dcdf6a4d8f3221d3a147d790d4a7d37933d52dba8149406cc9f09f450902066cb99900b738685afdcaaffcdcabcfd965ddf4790

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
ec045fdae3dae1842abdb56beab2c896

SHA1
e29c48f8dbf1b5fe202afda1af9ccc0a676ca614

SHA256
5338e35c0f70a220c4627bc8917c562014db2b537c2b5fe2817a7595a7caa92f

SHA512
40e19f1bc6d62f8c5165ef881250be8167d4110a49d129e09b2670893f335ca5faf122f0da82259738d50ae9060614c91781bce3b3a3a18645671aee789d7165

Download Submit
memory/1668-14769-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/1668-2098-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/1668-18-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/1668-32-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/1668-46-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/1668-19723-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2500-2-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2500-15491-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2500-3-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2500-33-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2500-21753-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2500-17-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2500-4-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2500-21706-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2500-8559-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2500-2179-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2500-21746-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2500-20194-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2500-1-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2500-48-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2500-21680-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2728-34-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2728-21702-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2728-21707-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/2728-49-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/18084-21705-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/18084-51-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/18084-21752-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download
memory/18084-2099-0x0000000035000000-0x00000000376DF000-memory.dmp

Filesize
38.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads