2024-02-19_f18525d4c7edd1993b8a9f504eddd69f_ryuk

Sharing

Copy URL

Twitter E-mail

General

Target

2024-02-19_f18525d4c7edd1993b8a9f504eddd69f_ryuk
Size

2.1MB
MD5

f18525d4c7edd1993b8a9f504eddd69f
SHA1

f79b3d1c8c404dbc364aac316e2ca73685de6476
SHA256

682badf67d705b6dddcf4a217e42cc381b179692b5971a2bc55933f43dccfe94
SHA512

7a2cb195ef3fc3a71222b7019b34ee7f5f49191974443e7ca3e6c75d4b0d976239cda36ee2051c9331f94307700a55cf64564c16ee252ad08897987aea17c882
SSDEEP

49152:LrqC1pi100Zm5JsDfz5CsvHKu/Zwy1q6QK23p0FXP/9GV0:6CSZgsDtnxwgqw23eGV0

Score

1^/10

Malware Config

Signatures

Files

2024-02-19_f18525d4c7edd1993b8a9f504eddd69f_ryuk
.exe windows:6 windows x64 arch:x64

eedbc926e88475468ce716c11cf812b2

Code Sign

56:00:00:05:f7:94:54:54:01:93:b4:c7:75:00:00:00:00:05:f7
Certificate

Issuer

CN=Intel External Issuing CA 7B,O=Intel Corporation,L=Santa Clara,ST=CA,C=US

Not Before

08/03/2018, 16:55

Not After

07/03/2020, 16:55

Subject

CN=Intel(R) Open Source - Ylian Saint-Hilaire,OU=Open Source Manageability,O=Intel Corporation,L=Santa Clara,ST=CA,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

06:9b:5e:99:27:72:84:c8:76:7f:13:68:a7:de:b0:f3
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

28/10/2015, 00:00

Not After

17/06/2021, 23:59

Subject

CN=Intel External Issuing CA 7B,O=Intel Corporation,L=Santa Clara,ST=CA,C=US

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageEmailProtection
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22
Certificate

Issuer

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

Not Before

30/05/2000, 10:48

Not After

30/05/2020, 10:48

Subject

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

69:b2:d1:cc:f0:2e:20:dc:c9:5c:62:89:4f:7f:9e:5f:5f:c0:57:bf
Certificate

Issuer

CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM

Not Before

30/05/2014, 16:35

Not After

17/03/2021, 18:33

Subject

CN=QuoVadis Issuing CA G4,O=QuoVadis Limited,C=BM

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

28:a1:1e:74:fc:0b:87:54:58:0f:50:95:4c:47:c9:4e:67:75:4f:28
Certificate

Issuer

CN=QuoVadis Issuing CA G4,O=QuoVadis Limited,C=BM

Not Before

24/04/2015, 21:46

Not After

24/04/2018, 21:46

Subject

CN=timestamp.intel.com,OU=Thales TSS ESN:E892-D055-162F+OU=Thales TSS ESN:E892-D055-162F,O=Intel Corporation,L=Santa Clara,ST=CA,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

52:33:85:4f:78:be:1d:48:02:07:7d:c1:37:d5:f0:7f:fd:db:6f:27:fa:a4:a0:51:14:40:f2:7d:dd:0a:2d:10
Signer

Actual PE Digest

52:33:85:4f:78:be:1d:48:02:07:7d:c1:37:d5:f0:7f:fd:db:6f:27:fa:a4:a0:51:14:40:f2:7d:dd:0a:2d:10

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Temp\bcpd_meshagent-meshagent2\Release\MeshService64.pdb

Imports

setupapi

SetupDiGetDeviceInterfaceDetailA
SetupDiGetClassDevsA
SetupDiEnumDeviceInterfaces
SetupDiDestroyDeviceInfoList

dbghelp

StackWalk64
SymGetModuleBase64
SymInitialize
SymFunctionTableAccess64
SymGetLineFromAddr64
SymFromAddr

iphlpapi

ConvertLengthToIpv4Mask
SendARP
GetAdaptersAddresses
GetAdaptersInfo

ws2_32

setsockopt
ioctlsocket
socket
WSAGetLastError
listen
closesocket
bind
accept
__WSAFDIsSet
sendto
ntohl
ntohs
gethostname
htonl
htons
getsockname
WSACleanup
gethostbyname
select
WSASetLastError
WSASocketW
WSAStartup
inet_addr
gethostbyaddr
getservbyport
inet_ntoa
getservbyname
WSAIoctl
shutdown
send
connect
recvfrom
recv
getsockopt

wintrust

WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
WinVerifyTrust
WTHelperGetProvCertFromChain

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

gdiplus

GdipCloneImage
GdipGetImageEncoders
GdipAlloc
GdiplusStartup
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GdipGetImageEncodersSize
GdiplusShutdown
GdipLoadImageFromStream

winhttp

WinHttpGetIEProxyConfigForCurrentUser

kernel32

RtlUnwindEx
GetStartupInfoW
InitializeSListHead
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetModuleFileNameA
GetStdHandle
WriteFile
GetFullPathNameA
GetSystemPowerStatus
SetCurrentDirectoryA
Sleep
GetLastError
CloseHandle
CreateProcessA
LoadLibraryA
GetProcAddress
FreeLibrary
ReadFile
GetCurrentThreadId
GetVersionExA
CreateThread
SleepEx
SetSystemPowerState
GetCurrentProcess
SetThreadExecutionState
FileTimeToSystemTime
QueryPerformanceFrequency
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
GetSystemTime
QueryPerformanceCounter
CancelIo
GetFileAttributesExA
FindFirstFileA
GetDriveTypeA
FindNextFileA
FindFirstVolumeA
FindClose
GetVolumePathNamesForVolumeNameA
CreateFileA
ReadDirectoryChangesW
RemoveDirectoryA
FindNextVolumeA
FindVolumeClose
GetDiskFreeSpaceExA
CreateEventA
DeviceIoControl
QueueUserAPC
GetOverlappedResult
IsDebuggerPresent
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
WaitForSingleObject
CancelSynchronousIo
SetEvent
WaitForSingleObjectEx
GetEnvironmentStrings
FreeEnvironmentStringsA
CopyFileA
RtlCaptureContext
GetModuleHandleA
GetCurrentThread
GetSystemDirectoryA
DeleteFileA
GetTickCount
OpenThread
CreateNamedPipeA
TerminateProcess
WaitForMultipleObjectsEx
WTSGetActiveConsoleSessionId
GetExitCodeProcess
SetConsoleCtrlHandler
GetModuleFileNameW
GlobalFree
FreeConsole
CreateDirectoryA
GetFileType
GetModuleHandleW
MultiByteToWideChar
SwitchToFiber
DeleteFiber
CreateFiber
WideCharToMultiByte
GetSystemTimeAsFileTime
ConvertFiberToThread
ConvertThreadToFiber
GetCurrentProcessId
GlobalMemoryStatus
GetEnvironmentVariableW
GetConsoleMode
ReadConsoleA
ReadConsoleW
SetConsoleMode
SetLastError
RtlVirtualUnwind
SetFilePointerEx
RtlLookupFunctionEntry
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
ExitProcess
GetConsoleCP
GetStringTypeW
HeapReAlloc
DeleteFileW
MoveFileExW
CreateDirectoryW
GetCPInfo
FlushFileBuffers
SetStdHandle
FindFirstFileExA
FindNextFileW
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
GetModuleHandleExW
GetTimeZoneInformation
GetCommandLineA
GetCommandLineW
GetACP
HeapFree
HeapAlloc
GetDateFormatW
GetTimeFormatW
CompareStringW
GetProcessHeap
WriteConsoleW
CreateFileW
RaiseException
HeapSize
SetEndOfFile
LCMapStringW
DuplicateHandle
FindFirstFileW
GetDriveTypeW
PeekNamedPipe
GetCurrentDirectoryW
GetFullPathNameW
RtlPcToFileHeader
ResetEvent
EncodePointer

user32

GetUserObjectInformationW
GetProcessWindowStation
EndDialog
DialogBoxParamA
SetWindowTextA
MessageBoxA
GetDlgItem
MessageBoxW
MessageBeep
ExitWindowsEx
GetDC
ReleaseDC
GetUserObjectInformationA
CloseWindowStation
EnumDisplayMonitors
EnableWindow
SetForegroundWindow
SendInput
GetForegroundWindow
MapVirtualKeyA
FindWindowA
GetSystemMetrics
SetThreadDesktop
GetThreadDesktop
CloseDesktop
SendMessageA
OpenInputDesktop
SetProcessWindowStation
OpenWindowStationA
OpenDesktopA
GetMonitorInfoA

gdi32

CreateCompatibleDC
SelectObject
GetDIBits
DeleteDC
SetStretchBltMode
DeleteObject
CreateCompatibleBitmap
BitBlt
StretchBlt

advapi32

CreateServiceA
StartServiceCtrlDispatcherA
QueryServiceStatus
CloseServiceHandle
AllocateAndInitializeSid
FreeSid
CheckTokenMembership
ChangeServiceConfig2A
OpenServiceA
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
AdjustTokenPrivileges
LookupPrivilegeValueA
InitiateSystemShutdownA
OpenProcessToken
RegCreateKeyA
RegCloseKey
RegDeleteKeyA
RegQueryValueExA
RegSetValueExA
RegOpenKeyExA
RegDeleteValueA
DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptAcquireContextW
CryptReleaseContext
CryptDestroyKey
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptExportKey
CryptDecrypt
CryptCreateHash
CryptDestroyHash
CryptSignHashW
CryptEnumProvidersW
CryptGenRandom
ControlService
DeleteService
OpenSCManagerA
RegisterServiceCtrlHandlerA
SetServiceStatus
StartServiceA

shell32

SHGetFolderPathA

ole32

CoInitializeEx
CoUninitialize
CreateStreamOnHGlobal
CoCreateInstance

oleaut32

SysAllocString
SysFreeString
SysStringLen

crypt32

CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
CertFindCertificateInStore

Sections

.text
Size: 1.5MB - Virtual size: 1.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 458KB - Virtual size: 457KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 164KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 83KB - Virtual size: 82KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 196B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

eedbc926e88475468ce716c11cf812b2

Code Sign

56:00:00:05:f7:94:54:54:01:93:b4:c7:75:00:00:00:00:05:f7Certificate

Extended Key Usages

Key Usages

06:9b:5e:99:27:72:84:c8:76:7f:13:68:a7:de:b0:f3Certificate

Extended Key Usages

Key Usages

27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22Certificate

Key Usages

69:b2:d1:cc:f0:2e:20:dc:c9:5c:62:89:4f:7f:9e:5f:5f:c0:57:bfCertificate

Key Usages

28:a1:1e:74:fc:0b:87:54:58:0f:50:95:4c:47:c9:4e:67:75:4f:28Certificate

Extended Key Usages

Key Usages

52:33:85:4f:78:be:1d:48:02:07:7d:c1:37:d5:f0:7f:fd:db:6f:27:fa:a4:a0:51:14:40:f2:7d:dd:0a:2d:10Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

setupapi

dbghelp

iphlpapi

ws2_32

wintrust

version

gdiplus

winhttp

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

crypt32

Sections

.text Size: 1.5MB - Virtual size: 1.5MB

.rdata Size: 458KB - Virtual size: 457KB

.data Size: 13KB - Virtual size: 164KB

.pdata Size: 83KB - Virtual size: 82KB

.gfids Size: 512B - Virtual size: 196B

.rsrc Size: 18KB - Virtual size: 17KB

.reloc Size: 16KB - Virtual size: 15KB

56:00:00:05:f7:94:54:54:01:93:b4:c7:75:00:00:00:00:05:f7
Certificate

06:9b:5e:99:27:72:84:c8:76:7f:13:68:a7:de:b0:f3
Certificate

27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22
Certificate

69:b2:d1:cc:f0:2e:20:dc:c9:5c:62:89:4f:7f:9e:5f:5f:c0:57:bf
Certificate

28:a1:1e:74:fc:0b:87:54:58:0f:50:95:4c:47:c9:4e:67:75:4f:28
Certificate

52:33:85:4f:78:be:1d:48:02:07:7d:c1:37:d5:f0:7f:fd:db:6f:27:fa:a4:a0:51:14:40:f2:7d:dd:0a:2d:10
Signer

.text
Size: 1.5MB - Virtual size: 1.5MB

.rdata
Size: 458KB - Virtual size: 457KB

.data
Size: 13KB - Virtual size: 164KB

.pdata
Size: 83KB - Virtual size: 82KB

.gfids
Size: 512B - Virtual size: 196B

.rsrc
Size: 18KB - Virtual size: 17KB

.reloc
Size: 16KB - Virtual size: 15KB