ryuk | 59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

Resubmissions

25/12/2024, 03:42 UTC

241225-d9c21axjdn 10

25/12/2024, 03:39 UTC

241225-d74ryawqfw 10

25/12/2024, 03:37 UTC

241225-d6fzgswqbw 10

25/12/2024, 03:21 UTC

241225-dwt4cswpdj 10

Analysis

max time kernel
151s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/12/2024, 03:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
Size

140KB
MD5

75a3cf8ced873ee7bc415e27e108496b
SHA1

ac94165d63c75f4adf1728aa2ecb776ac7c1c18e
SHA256

5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed
SHA512

7c3e166ff75ad32f70bfb355167333be4f9bc5b5740a231b4a1fb5c391bd8e137ebea6a3ba5370797f016cbdb83631bb5e459e0bc64beb3246ed9605b3bdb903
SSDEEP

1536:HhwpMRUR8gpO3fM/CvmHWvW7l4y0RPG4UnmPqAibDe7bvjk/J0LcJQ6f8EPhQmGD:ZZi++b0Hb6bDIbvjkmwRPhuHmrOB

Score

10^/10

ryuk discovery ransomware

Malware Config

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Renames multiple (86) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 3 IoCs

pid	Process
1804	qEiARbqfArep.exe
2504	asoXNECVHlan.exe
2044	BnMnUjFEflan.exe

Loads dropped DLL 6 IoCs

pid	Process
2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1012	icacls.exe
1264	icacls.exe
1000	icacls.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\T:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\M:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\L:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\H:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\X:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\V:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\S:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\Q:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\J:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\G:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\E:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\Z:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\U:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\R:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\O:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\K:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\I:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\W:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\P:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened (read-only)	\??\N:	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\RyukReadMe.html	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1804	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	31
PID 2152 wrote to memory of 1804	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	31
PID 2152 wrote to memory of 1804	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	31
PID 2152 wrote to memory of 1804	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	31
PID 2152 wrote to memory of 2504	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	32
PID 2152 wrote to memory of 2504	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	32
PID 2152 wrote to memory of 2504	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	32
PID 2152 wrote to memory of 2504	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	32
PID 2152 wrote to memory of 2044	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	33
PID 2152 wrote to memory of 2044	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	33
PID 2152 wrote to memory of 2044	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	33
PID 2152 wrote to memory of 2044	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	33
PID 2152 wrote to memory of 1264	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	34
PID 2152 wrote to memory of 1264	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	34
PID 2152 wrote to memory of 1264	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	34
PID 2152 wrote to memory of 1264	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	34
PID 2152 wrote to memory of 1012	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	35
PID 2152 wrote to memory of 1012	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	35
PID 2152 wrote to memory of 1012	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	35
PID 2152 wrote to memory of 1012	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	35
PID 2152 wrote to memory of 1000	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	36
PID 2152 wrote to memory of 1000	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	36
PID 2152 wrote to memory of 1000	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	36
PID 2152 wrote to memory of 1000	2152	5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe	36

C:\Users\Admin\AppData\Local\Temp\5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe
"C:\Users\Admin\AppData\Local\Temp\5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\qEiARbqfArep.exe
  "C:\Users\Admin\AppData\Local\Temp\qEiARbqfArep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Users\Admin\AppData\Local\Temp\asoXNECVHlan.exe
  "C:\Users\Admin\AppData\Local\Temp\asoXNECVHlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\BnMnUjFEflan.exe
  "C:\Users\Admin\AppData\Local\Temp\BnMnUjFEflan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1264
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1012
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

Filesize
1024KB

MD5
0c43908b6d3fcc8232829073f86675e4

SHA1
aa720aa4ea724c2eae1ce5325c6828126c9051b5

SHA256
4076cebaa87b37943d78bb1d969bf7059494a303d53362f89ef61d54b5f07257

SHA512
49db8d800000a89fe5ff331b90493451f82a7764fd2db82aa97df469e3a637324682d4558d32fa46132bc0f49fd1df8e56b97da3dccbedf6dee46a91dbf7e10d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
960KB

MD5
5596e892c082cad84099249483a8805f

SHA1
199dee679aacba526cdd448aa0931800e4548bcd

SHA256
43637b26d1390768cb491b325a6cf5de5c8a6a32b4d276f161784df485e4bdbd

SHA512
280be7471c2b7753778d3bee40d93e1b280d0dc14b8c6beb38fa667c04f3d75fc433ca7aff551181fac50b97bbd3d6d4b1d6b3da63e092556d952cb39b93057f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
9c931b242ee9ffcc8f11e0cf3f352a17

SHA1
7d90754cb6a1cf576e158e15f057b3ac9fc6cc69

SHA256
b58e21fb865367dbe985f99fd9d5625d22ef1081d8606f774dd6dbb5716c7ddf

SHA512
0c39ff788b651188746faef4d1a0090467f00e2fb739bb9e1cc14fcd9da87976dbfbbeb4fc4a6ba283e40f66d14ed7eb575bcffd16fbee403e3c1b0de5134a72

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

Filesize
960KB

MD5
4c89dff443637b84011d10772ab10a2b

SHA1
e1e7393baaebd3254e35f31b59f7e9234c394e08

SHA256
1d763704f9ce405e4d112a7550de4dddd69320d1b43d37ad00d4369b0f752970

SHA512
830e1bc9c3116fc3a545cb92f921ea094980ac7b6154e22fd16d047545a3afbfd012e29b3b3d1ec527c7ede6603539c4d5b781548f32fa6127d1bc3887ec3f7c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
8bd79c629be7c9a4c17be0668ab9e41a

SHA1
5ef633835e2120afc81cb8b27a348f50afcdee00

SHA256
feb47bda30a3c7e7aec00dad9203fef7e49bb1e94c95d7052ec0c204954b24b6

SHA512
cda4164bcfbdf68b9f1b4a70e3b16ecdad2a9f9d8cb4e9625a45c50931d968320fa4dc5db78ac72018bd0bcb2c116bc58605df706e7cd4a10816f3704f04cea4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
41b0006427b2224cb0987e1ad811073f

SHA1
85244d01ffe53dd2de7c036ea68a0c3a0df97c52

SHA256
8a91157dd04e5af550b716058cabde6a5dbd28d8a1b7c3f8d2a38b548a1317ee

SHA512
0b4c4377cfe800d6dfb8fd448fdc4c466d132a6173b3cc52b9a44914ca30759eff6208330fffaade3d2549855139cb4cd9612e79c6d3351790b21976f3e8a192

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

Filesize
699KB

MD5
ac47e6d0aa7d124b478e8406bbe534f5

SHA1
2cf9f02d7f6084b852d4281f05be9f0aebbfaa96

SHA256
51e329b0a4efa0a8b75c9f9715b0a05e00df6ecb33268988a560112b37926a79

SHA512
3c08b3faf55845aa822baf8f0f28478e39677211301a3d986355e21dd99757576df52a0aa2aa6fa55ede3c3559ca3ee77f24ef696ed68d1bb6be379e0c919287

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
128KB

MD5
7f1276842b192de978f53a32d195abc1

SHA1
3926bff0c5c1f4fd23bcdc56d30e65d0b33a68d3

SHA256
1263c4457e86f0a9a91170af0553162595d54926e40faab89dd91131ce0a60f9

SHA512
4b86b863d3efa8a2c9f3a88ab1b1a97d91ce9d0de288ad54c882309439e2dd6c6daefcb68ab534780c2adc7a4634daa184cdb673fe3049baa731a89e9ca60d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEiARbqfArep.exe

Filesize
140KB

MD5
75a3cf8ced873ee7bc415e27e108496b

SHA1
ac94165d63c75f4adf1728aa2ecb776ac7c1c18e

SHA256
5de3d5a33745739259fc03cb5a7852440c135f960e8516d92181cd16ba76e2ed

SHA512
7c3e166ff75ad32f70bfb355167333be4f9bc5b5740a231b4a1fb5c391bd8e137ebea6a3ba5370797f016cbdb83631bb5e459e0bc64beb3246ed9605b3bdb903

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\RyukReadMe.html

Filesize
1KB

MD5
2a9ba975c5ce7e8d6f553a49d746ee9c

SHA1
16fbba3702510dd6968409993435405b9e6eb2ae

SHA256
04c99bec6e100960aa418f631239bcad1e58ea153fcf672f8a55e4395fb904cf

SHA512
7bfb2dbfa1155be795165fc17b269be566f8210b5c1a562f75a1dc2742f00c909cef027a466780cf8d786c11d0475f7c76fb761bd6e0c5af73d2c58ff0620d25

Download Submit