2024-01-25_eceaca6beea679c889d0d01d06f0a7c4_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-01-25_eceaca6beea679c889d0d01d06f0a7c4_ryuk
Size

2.8MB
MD5

eceaca6beea679c889d0d01d06f0a7c4
SHA1

96e50510ae1d885fd56d39bf6a938a6ef56a6527
SHA256

b4ef695b554a0b55198517d227ca1075964a6c96d31b696511e1e466e50e35d0
SHA512

7c5b1f4518f10250820e10ec8303a514c17ab6aa42b5f744da40a9b572cf0e02ef9e4e55850ffde70836b59537c69b2044ebe730145f5176f0d1b9a6a6c6e291
SSDEEP

49152:LGtlq/XVwASONiIU6iTZ86RMnksoKU4/FC2h7wP8IIc7ILMChtaKvLcAdPWnihFx:nF++Lnkbel7sghl4Akni

Score

1^/10

Malware Config

Signatures

Files

2024-01-25_eceaca6beea679c889d0d01d06f0a7c4_ryuk
.exe windows:6 windows x64 arch:x64

3174bdb60085c984c065c359fc2b38b9

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

Issuer

CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

25/05/2021, 00:00

Not After

31/12/2028, 23:59

Subject

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:e8:5b:bc:6e:d8:14:e7:61:b8:54:88:9e:3c:7a:53
Certificate

Issuer

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Not Before

03/10/2022, 00:00

Not After

02/10/2025, 23:59

Subject

CN=SonicWall Inc.,O=SonicWall Inc.,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

Issuer

CN=Sectigo Public Code Signing Root R46,O=Sectigo Limited,C=GB

Not Before

22/03/2021, 00:00

Not After

21/03/2036, 23:59

Subject

CN=Sectigo Public Code Signing CA R36,O=Sectigo Limited,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

Issuer

CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

12/01/2016, 00:00

Not After

11/01/2031, 23:59

Subject

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12
Certificate

Issuer

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

23/12/2017, 00:00

Not After

22/03/2029, 23:59

Subject

CN=Symantec SHA256 TimeStamping Signer - G3,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

5e:f7:2b:51:2d:3f:2a:61:14:bd:b8:11:09:fa:78:bf:42:c8:b8:16:8b:02:82:b4:16:4f:b5:4f:94:22:2e:77
Signer

Actual PE Digest

5e:f7:2b:51:2d:3f:2a:61:14:bd:b8:11:09:fa:78:bf:42:c8:b8:16:8b:02:82:b4:16:4f:b5:4f:94:22:2e:77

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

fltlib

FilterUnload
FilterSendMessage
FilterConnectCommunicationPort
FilterAttach
FilterDetach
FilterGetMessage

version

VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA

ws2_32

WSASetLastError
closesocket
WSAGetLastError
recv
send
WSACleanup

shlwapi

StrStrIW

kernel32

FormatMessageW
GetFileAttributesA
MoveFileExA
QueryFullProcessImageNameA
GetSystemDirectoryA
DeleteFileA
Process32Next
RemoveDirectoryA
VerSetConditionMask
FindVolumeClose
GetModuleHandleW
GetVolumePathNamesForVolumeNameW
CreateDirectoryA
GetSystemWindowsDirectoryW
FindNextVolumeW
LoadLibraryExW
CopyFileExA
MoveFileA
CopyFileA
FindFirstVolumeW
FindFirstFileA
Process32First
QueryDosDeviceW
LocalFree
GetProcAddress
GetVersionExA
LoadLibraryA
LocalAlloc
GetCurrentProcess
GetModuleFileNameA
GetFileTime
GetFileSize
GetShortPathNameA
SleepEx
CreateThread
GetExitCodeThread
WideCharToMultiByte
CreateToolhelp32Snapshot
GetSystemTimeAsFileTime
OpenMutexA
ReleaseMutex
WaitForSingleObject
CreateMutexA
GetLocalTime
FlushFileBuffers
ConnectNamedPipe
FormatMessageA
DeleteCriticalSection
GetOverlappedResult
CancelIoEx
CreateFileA
CancelSynchronousIo
Sleep
DisconnectNamedPipe
InitializeCriticalSection
LeaveCriticalSection
WaitForMultipleObjects
WriteFile
EnterCriticalSection
CreateNamedPipeA
WaitNamedPipeA
ReadFile
CreateEventA
ResetEvent
CloseHandle
WaitForSingleObjectEx
SetEvent
GetLastError
OpenEventA
LoadLibraryW
GetProcessHeap
OpenProcess
GetSystemWindowsDirectoryA
GetSystemDirectoryW
ReadConsoleA
SetConsoleMode
FindFirstFileW
ConvertFiberToThread
DeleteFiber
GetEnvironmentVariableW
FindClose
QueryDosDeviceA
FindNextFileA
MultiByteToWideChar
TerminateProcess
HeapAlloc
HeapFree
SetConsoleCtrlHandler
GetExitCodeProcess
CreateProcessA
FreeLibrary
TerminateThread
SetEndOfFile
HeapSize
WriteConsoleW
SetEnvironmentVariableA
QueryPerformanceCounter
EncodePointer
DecodePointer
SetLastError
InitializeCriticalSectionAndSpinCount
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
CompareStringW
LCMapStringW
GetLocaleInfoW
GetStringTypeW
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetCurrentProcessId
GetCurrentThreadId
InitializeSListHead
RtlPcToFileHeader
RaiseException
RtlUnwindEx
CreateFileW
GetDriveTypeW
GetFileType
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
HeapReAlloc
ExitProcess
GetModuleHandleExW
GetStdHandle
GetCommandLineA
GetCommandLineW
GetACP
GetConsoleCP
GetConsoleMode
GetCurrentDirectoryW
GetFullPathNameW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
SetStdHandle
SetFilePointerEx
ReadConsoleW
GetTimeZoneInformation
FindFirstFileExA
FindNextFileW
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW

user32

GetProcessWindowStation
wsprintfA
GetUserObjectInformationW
DestroyIcon
MessageBoxW

advapi32

DeregisterEventSource
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptReleaseContext
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
ConvertSidToStringSidA
SetNamedSecurityInfoA
SetNamedSecurityInfoW
GetNamedSecurityInfoW
GetNamedSecurityInfoA
RegEnumKeyA
RegGetKeySecurity
RegCloseKey
SetSecurityDescriptorOwner
RegDeleteKeyA
RegQueryValueExA
RegCreateKeyExA
RegSetKeySecurity
RegSetValueExA
RegOpenKeyExA
RegEnumValueA
RegDeleteValueA
AddAccessAllowedAce
QueryServiceConfig2A
CryptEnumProvidersW
CreateServiceA
ConvertSecurityDescriptorToStringSecurityDescriptorA
GetSecurityDescriptorDacl
StartServiceCtrlDispatcherA
GetAclInformation
QueryServiceStatus
GetAce
EqualSid
CloseServiceHandle
QueryServiceConfigA
SetServiceStatus
RegisterServiceCtrlHandlerA
OpenSCManagerA
ConvertStringSecurityDescriptorToSecurityDescriptorA
DeleteService
SetServiceObjectSecurity
ControlService
StartServiceA
IsValidSid
AddAce
ReportEventA
InitializeAcl
QueryServiceConfigW
AddAccessAllowedAceEx
GetLengthSid
SetSecurityDescriptorControl
ChangeServiceConfig2A
QueryServiceStatusEx
OpenServiceA
LookupAccountNameW
RegisterEventSourceA
SetSecurityDescriptorDacl
AdjustTokenPrivileges
AllocateAndInitializeSid
LookupPrivilegeValueA
OpenProcessToken
FreeSid
CheckTokenMembership
InitializeSecurityDescriptor
GetTokenInformation

shell32

SHGetSpecialFolderLocation
ExtractIconExA
SHGetMalloc
ShellExecuteExA
SHGetPathFromIDListA
SHGetFileInfoA

ole32

CoSetProxyBlanket
CoInitializeEx
CoUninitialize
CoCreateInstance
CoInitializeSecurity

oleaut32

SysFreeString
SysAllocString
VariantClear

crypt32

CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertDuplicateCertificateContext
CertFreeCertificateContext
CertGetCertificateContextProperty
CertOpenStore

bcrypt

BCryptGenRandom

Exports

Exports

LZ4F_compressBegin
LZ4F_compressBound
LZ4F_compressEnd
LZ4F_compressFrame
LZ4F_compressFrameBound
LZ4F_compressUpdate
LZ4F_compressionLevel_max
LZ4F_createCompressionContext
LZ4F_createDecompressionContext
LZ4F_decompress
LZ4F_flush
LZ4F_freeCompressionContext
LZ4F_freeDecompressionContext
LZ4F_getErrorName
LZ4F_getFrameInfo
LZ4F_getVersion
LZ4F_isError
LZ4F_resetDecompressionContext
LZ4_attach_HC_dictionary
LZ4_attach_dictionary
LZ4_compress
LZ4_compressBound
LZ4_compressHC
LZ4_compressHC2
LZ4_compressHC2_continue
LZ4_compressHC2_limitedOutput
LZ4_compressHC2_limitedOutput_continue
LZ4_compressHC2_limitedOutput_withStateHC
LZ4_compressHC2_withStateHC
LZ4_compressHC_continue
LZ4_compressHC_limitedOutput
LZ4_compressHC_limitedOutput_continue
LZ4_compressHC_limitedOutput_withStateHC
LZ4_compressHC_withStateHC
LZ4_compress_HC
LZ4_compress_HC_continue
LZ4_compress_HC_extStateHC
LZ4_compress_continue
LZ4_compress_default
LZ4_compress_destSize
LZ4_compress_fast
LZ4_compress_fast_continue
LZ4_compress_fast_extState
LZ4_compress_fast_extState_fastReset
LZ4_compress_limitedOutput
LZ4_compress_limitedOutput_continue
LZ4_compress_limitedOutput_withState
LZ4_compress_withState
LZ4_create
LZ4_createHC
LZ4_createStream
LZ4_createStreamDecode
LZ4_createStreamHC
LZ4_decoderRingBufferSize
LZ4_decompress_fast
LZ4_decompress_fast_continue
LZ4_decompress_fast_usingDict
LZ4_decompress_fast_withPrefix64k
LZ4_decompress_safe
LZ4_decompress_safe_continue
LZ4_decompress_safe_partial
LZ4_decompress_safe_usingDict
LZ4_decompress_safe_withPrefix64k
LZ4_freeHC
LZ4_freeStream
LZ4_freeStreamDecode
LZ4_freeStreamHC
LZ4_loadDict
LZ4_loadDictHC
LZ4_resetStream
LZ4_resetStreamHC
LZ4_resetStreamState
LZ4_resetStreamStateHC
LZ4_resetStream_fast
LZ4_saveDict
LZ4_saveDictHC
LZ4_setStreamDecode
LZ4_sizeofState
LZ4_sizeofStateHC
LZ4_sizeofStreamState
LZ4_sizeofStreamStateHC
LZ4_slideInputBuffer
LZ4_slideInputBufferHC
LZ4_uncompress
LZ4_uncompress_unknownOutputSize
LZ4_versionNumber
LZ4_versionString

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 685KB - Virtual size: 685KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 74KB - Virtual size: 74KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 1024B - Virtual size: 804B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 120KB - Virtual size: 120KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3174bdb60085c984c065c359fc2b38b9

Code Sign

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16Certificate

Extended Key Usages

Key Usages

07:e8:5b:bc:6e:d8:14:e7:61:b8:54:88:9e:3c:7a:53Certificate

Extended Key Usages

Key Usages

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0aCertificate

Extended Key Usages

Key Usages

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12Certificate

Extended Key Usages

Key Usages

7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12Certificate

Extended Key Usages

Key Usages

5e:f7:2b:51:2d:3f:2a:61:14:bd:b8:11:09:fa:78:bf:42:c8:b8:16:8b:02:82:b4:16:4f:b5:4f:94:22:2e:77Signer

Headers

DLL Characteristics

File Characteristics

Imports

fltlib

version

ws2_32

shlwapi

kernel32

user32

advapi32

shell32

ole32

oleaut32

crypt32

bcrypt

Exports

Exports

Sections

.text Size: 1.9MB - Virtual size: 1.9MB

.rdata Size: 685KB - Virtual size: 685KB

.data Size: 14KB - Virtual size: 33KB

.pdata Size: 74KB - Virtual size: 74KB

.gfids Size: 1024B - Virtual size: 804B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 120KB - Virtual size: 120KB

.reloc Size: 24KB - Virtual size: 24KB

48:fc:93:b4:60:55:94:8d:36:a7:c9:8a:89:d6:94:16
Certificate

07:e8:5b:bc:6e:d8:14:e7:61:b8:54:88:9e:3c:7a:53
Certificate

62:1d:6d:0c:52:01:9e:3b:90:79:15:20:89:21:1c:0a
Certificate

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12
Certificate

5e:f7:2b:51:2d:3f:2a:61:14:bd:b8:11:09:fa:78:bf:42:c8:b8:16:8b:02:82:b4:16:4f:b5:4f:94:22:2e:77
Signer

.text
Size: 1.9MB - Virtual size: 1.9MB

.rdata
Size: 685KB - Virtual size: 685KB

.data
Size: 14KB - Virtual size: 33KB

.pdata
Size: 74KB - Virtual size: 74KB

.gfids
Size: 1024B - Virtual size: 804B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 120KB - Virtual size: 120KB

.reloc
Size: 24KB - Virtual size: 24KB