2024-01-11_ff04ddd27176a127946fd92c99d98ff1_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-01-11_ff04ddd27176a127946fd92c99d98ff1_ryuk
Size

4.0MB
MD5

ff04ddd27176a127946fd92c99d98ff1
SHA1

60c82f5ad52da407b2907972edc4273d5485d9b0
SHA256

dce0f5e85c473c2eac281b1ad40577fdbb572467846cbdd3f170d15333d7d04d
SHA512

6fe5e0993ab75c0dadedab79349a7e92a67ba48522758ee1cc5eb98e25bcb82d986af7008e3d8d50896ce554c29ca518b92708a3dc045a93f2eb93cc6c0bf6f3
SSDEEP

49152:pu/XB7x93QvF4wuPHGWhJNMszX/pF3VYSvZ1rrjoJinwkchBX09fvp:794wcVzBnjUE9H

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-01-11_ff04ddd27176a127946fd92c99d98ff1_ryuk

Files

2024-01-11_ff04ddd27176a127946fd92c99d98ff1_ryuk
.exe windows:6 windows x64 arch:x64

a084c24b9afedbfd2310bbf0374b3b19

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetModuleHandleW
EncodePointer
CompareStringW
LCMapStringW
GetLocaleInfoW
GetCPInfo
IsDebuggerPresent
OutputDebugStringW
ResetEvent
WaitForSingleObjectEx
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetStartupInfoW
InitializeSListHead
SignalObjectAndWait
SwitchToThread
CreateThread
SetThreadPriority
GetThreadPriority
GetLogicalProcessorInformation
CreateTimerQueueTimer
ChangeTimerQueueTimer
DeleteTimerQueueTimer
GetNumaHighestNodeNumber
GetProcessAffinityMask
SetThreadAffinityMask
RegisterWaitForSingleObject
UnregisterWait
GetCurrentThread
GetThreadTimes
FreeLibraryAndExitThread
GetModuleHandleA
LoadLibraryExW
GetVersionExW
VirtualAlloc
VirtualFree
VirtualProtect
DuplicateHandle
ReleaseSemaphore
InterlockedPopEntrySList
InterlockedPushEntrySList
InterlockedFlushSList
QueryDepthSList
TlsGetValue
CreateTimerQueue
WaitForSingleObject
RtlPcToFileHeader
RtlUnwindEx
GetCommandLineA
GetCommandLineW
ExitProcess
GetModuleHandleExW
GetDriveTypeW
GetFullPathNameW
GetFullPathNameA
SetEnvironmentVariableA
GetCurrentDirectoryW
MoveFileExW
GetStdHandle
GetACP
GetDateFormatW
GetTimeFormatW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileType
GetTimeZoneInformation
FlushFileBuffers
GetConsoleCP
GetConsoleMode
ReadFile
GetTickCount
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
OutputDebugStringA
SetStdHandle
ReadConsoleW
WriteConsoleW
TlsAlloc
InitializeCriticalSectionAndSpinCount
QueryPerformanceFrequency
QueryPerformanceCounter
TryEnterCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetStringTypeW
FormatMessageW
AreFileApisANSI
CopyFileW
GetFileInformationByHandle
GetFileAttributesExW
FindNextFileW
FindFirstFileExW
FileTimeToSystemTime
FileTimeToLocalFileTime
WTSGetActiveConsoleSessionId
CreateProcessW
GetCurrentProcess
GetExitCodeProcess
ProcessIdToSessionId
GetTempPathW
LocalFree
LocalAlloc
GetProcAddress
LoadLibraryW
FreeLibrary
GetSystemDirectoryW
CreateFileW
CreateDirectoryW
SetLastError
DeleteFileW
RemoveDirectoryW
SetFileAttributesW
GetFileAttributesW
FindFirstFileW
FindClose
ExpandEnvironmentStringsW
WideCharToMultiByte
MultiByteToWideChar
Sleep
SetEvent
CreateEventW
GetModuleFileNameW
SetEndOfFile
GetCurrentThreadId
WriteFile
UnlockFileEx
GetFileSizeEx
LockFileEx
GetCurrentProcessId
SetFilePointerEx
CloseHandle
AllocConsole
GetProcessHeap
DeleteCriticalSection
HeapDestroy
DecodePointer
HeapAlloc
FreeConsole
RaiseException
HeapReAlloc
HeapFree
AttachConsole
GetLastError
ExitThread
HeapSize
InitializeCriticalSectionEx
GetSystemTimeAsFileTime
TlsFree
GetExitCodeThread
GetTempFileNameA
SetFileAttributesA
ReplaceFileW
TlsSetValue
MoveFileW
GlobalAddAtomW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
GlobalFindAtomW
AcquireSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockShared
ReleaseSRWLockExclusive
InitializeSRWLock
QueryFullProcessImageNameW
GlobalMemoryStatusEx
DeviceIoControl
HeapCreate
GetDiskFreeSpaceW
LockFile
HeapValidate
GetTempPathA
GetDiskFreeSpaceA
GetFileAttributesA
FlushViewOfFile
CreateFileA
LoadLibraryA
SetDefaultDllDirectories
UnregisterWaitEx
DeleteFileA
GetSystemInfo
HeapCompact
UnlockFile
CreateFileMappingA
SystemTimeToFileTime
GetSystemTime
FormatMessageA
DosDateTimeToFileTime
SetFileTime
LocalFileTimeToFileTime
MapViewOfFile
UnmapViewOfFile
MapViewOfFileEx
CreateFileMappingW
GetEnvironmentVariableW
GetSystemDefaultLocaleName
GetComputerNameW
GetWindowsDirectoryW
WritePrivateProfileStringW
WritePrivateProfileStructW
GetLongPathNameW
GetLocalTime
CreateMutexW
SetFilePointer
ReleaseMutex
VirtualQuery
GetFileSize
lstrlenW
GlobalAlloc
InitializeCriticalSection
OpenProcess
GetGeoInfoW
GetUserGeoID
GlobalFree
FindResourceW
SizeofResource
LockResource
LoadResource
FindResourceExW
VerSetConditionMask
VerifyVersionInfoW

user32

UnregisterClassW
SetWindowLongPtrW
GetWindowLongPtrW
PostMessageW
RegisterClassExW
DefWindowProcW
CreateWindowExW
DestroyWindow
MsgWaitForMultipleObjectsEx
PeekMessageW
TranslateMessage
DispatchMessageW
SetTimer
KillTimer
MsgWaitForMultipleObjects

crypt32

CertFreeCertificateContext
CertAddStoreToCollection
CertOpenStore
CertGetCertificateChain
CertFindCertificateInStore
CertGetEnhancedKeyUsage
CryptDecodeObject
CertGetCertificateContextProperty
CryptFindOIDInfo
CertNameToStrW
CertGetNameStringW
CertFreeCertificateChain
CertCloseStore
CryptMsgClose
CertVerifyCertificateChainPolicy
CryptQueryObject
CryptMsgGetParam
CryptBinaryToStringW
CryptMsgOpenToDecode
CertGetSubjectCertificateFromStore
CryptMsgUpdate

wintrust

WTHelperGetProvCertFromChain
WTHelperGetProvSignerFromChain
CryptCATAdminAcquireContext
CryptCATAdminCalcHashFromFileHandle
CryptCATAdminEnumCatalogFromHash
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseCatalogContext
CryptCATAdminReleaseContext
WinVerifyTrust
WTHelperProvDataFromStateData

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

advapi32

RegQueryValueExW
RegQueryValueExA
RegSetValueExA
RevertToSelf
SetServiceStatus
RegOpenKeyExA
RegCreateKeyExA
AllocateAndInitializeSid
FreeSid
RegCreateKeyExW
CryptDestroyHash
CryptHashData
CryptCreateHash
OpenSCManagerW
CreateServiceW
OpenServiceW
ChangeServiceConfigW
ChangeServiceConfig2W
QueryServiceStatus
ControlService
DeleteService
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerExW
CloseServiceHandle
RegGetValueW
RegSetKeyValueW
RegOpenKeyW
CryptEncrypt
CryptImportKey
CryptGetHashParam
CryptSetKeyParam
CryptDestroyKey
CryptReleaseContext
CryptAcquireContextW
QueryServiceConfigW
RegDeleteKeyW
RegFlushKey
RegGetKeySecurity
RegNotifyChangeKeyValue
RegSetKeySecurity
RegSetValueExW
UnregisterTraceGuids
TraceEvent
RegisterTraceGuidsW
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegEnumValueW
RegQueryInfoKeyW
ImpersonateLoggedOnUser
DuplicateTokenEx
CreateProcessAsUserW
EqualSid
CreateWellKnownSid
GetTokenInformation
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueW
RegEnumKeyExW
RegOpenKeyExW
RegCloseKey
RegDeleteValueW

ole32

CoCreateInstance
CoSetProxyBlanket
CoTaskMemFree
CoUninitialize
CoInitializeEx
CoGetClassObject
CLSIDFromString
CoCreateGuid
StringFromGUID2
CLSIDFromProgID

bcrypt

BCryptCreateHash
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptVerifySignature
BCryptImportKeyPair
BCryptDeriveKeyPBKDF2
BCryptGetProperty
BCryptFinalizeKeyPair
BCryptGenerateKeyPair
BCryptExportKey
BCryptSignHash
BCryptEncrypt
BCryptDestroyKey
BCryptDecrypt
BCryptGenerateSymmetricKey
BCryptSetProperty
BCryptOpenAlgorithmProvider
BCryptFinishHash
BCryptHashData

winhttp

WinHttpOpenRequest
WinHttpConnect
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpSetOption
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpCloseHandle
WinHttpQueryHeaders
WinHttpDetectAutoProxyConfigUrl
WinHttpAddRequestHeaders
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpCrackUrl
WinHttpSetCredentials

cabinet

ord22
ord20
ord23

wtsapi32

WTSEnumerateProcessesW
WTSQueryUserToken
WTSFreeMemory
WTSEnumerateSessionsW

psapi

EnumProcessModules
GetModuleInformation
GetModuleFileNameExW

shlwapi

PathFindExtensionW
StrRChrW
PathFileExistsW
PathAppendW
PathStripToRootW
PathRemoveFileSpecW
PathAddExtensionA
SHDeleteKeyW
PathRemoveFileSpecA
PathRemoveExtensionA
PathFindFileNameA
PathFileExistsA

ws2_32

getpeername
getnameinfo
gethostname
getsockname
getaddrinfo
getservbyport
getservbyname
ioctlsocket
connect
listen
inet_pton
accept
WSAGetLastError
WSACleanup
WSAStartup
inet_ntop
freeaddrinfo
htons
getprotobyname
getsockopt
setsockopt
closesocket
socket
shutdown
getprotobynumber
recv
recvfrom
select
sendto
send
bind

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

rpcrt4

UuidCreate
UuidToStringW
RpcStringFreeW

setupapi

SetupDiGetDeviceRegistryPropertyW
SetupDiGetDeviceInterfaceDetailW
SetupDiOpenDeviceInterfaceW
SetupDiEnumDeviceInterfaces
SetupDiDestroyDeviceInfoList
SetupDiCreateDeviceInfoList
SetupDiGetClassDevsW

shell32

SHGetFolderPathW
SHGetSpecialFolderPathW
SHCreateDirectoryExW
SHGetKnownFolderPath

oleaut32

SysFreeString
SysAllocString
VariantInit
VariantClear
SysAllocStringLen
SysStringLen
LoadTypeLi
LoadRegTypeLi
VariantCopy
SystemTimeToVariantTime
VariantTimeToSystemTime
VarUdateFromDate

Sections

.text
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 871KB - Virtual size: 871KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 72KB - Virtual size: 92KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 131KB - Virtual size: 131KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 252KB - Virtual size: 480KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a084c24b9afedbfd2310bbf0374b3b19

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

crypt32

wintrust

userenv

advapi32

ole32

bcrypt

winhttp

cabinet

wtsapi32

psapi

shlwapi

ws2_32

version

rpcrt4

setupapi

shell32

oleaut32

Sections

.text Size: 2.6MB - Virtual size: 2.6MB

.rdata Size: 871KB - Virtual size: 871KB

.data Size: 72KB - Virtual size: 92KB

.pdata Size: 131KB - Virtual size: 131KB

.gfids Size: 4KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 24KB - Virtual size: 23KB

.reloc Size: 252KB - Virtual size: 480KB

.text
Size: 2.6MB - Virtual size: 2.6MB

.rdata
Size: 871KB - Virtual size: 871KB

.data
Size: 72KB - Virtual size: 92KB

.pdata
Size: 131KB - Virtual size: 131KB

.gfids
Size: 4KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 24KB - Virtual size: 23KB

.reloc
Size: 252KB - Virtual size: 480KB