2024-02-23_edc1df1229b6286d1f2f38e006ffda0d_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-02-23_edc1df1229b6286d1f2f38e006ffda0d_ryuk
Size

3.2MB
MD5

edc1df1229b6286d1f2f38e006ffda0d
SHA1

de753c9bc7681dc6fd7a0e6cf4beb9664dfbf2ac
SHA256

009104b0ede6517dc8cdb2511e3b023f81391856d51b213bed39b627e81009a1
SHA512

bff07408c1b2ede5e79d3171af3d6fdfa44ce5b94368f981061f2e7101dc2bcfa1b78b3080d718f9d6c8f05f63df52d2a5545860f5fec19bcc13e865ae69596c
SSDEEP

49152:kiRFAlEU3fKB58D+3l68ZvrqMq1/DByEW5JZqW3ORW2iS:kiRuL3fa8f1/NMqWeRyS

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-02-23_edc1df1229b6286d1f2f38e006ffda0d_ryuk

Files

2024-02-23_edc1df1229b6286d1f2f38e006ffda0d_ryuk
.exe windows:6 windows x64 arch:x64

ffacd569473052b8b18f860f81eebce2

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

wa_3rd_party_host_64.pdb

Imports

kernel32

GetTempPathA
FormatMessageW
GetDiskFreeSpaceA
GetLastError
GetFileAttributesA
GetFileAttributesExW
OutputDebugStringW
FlushViewOfFile
CreateFileA
LoadLibraryA
WaitForSingleObjectEx
DeleteFileA
DeleteFileW
HeapReAlloc
CloseHandle
GetSystemInfo
LoadLibraryW
HeapAlloc
HeapCompact
HeapDestroy
UnlockFile
GetProcAddress
LocalFree
LockFileEx
GetFileSize
DeleteCriticalSection
GetCurrentProcessId
GetProcessHeap
SystemTimeToFileTime
FreeLibrary
WideCharToMultiByte
GetSystemTimeAsFileTime
GetSystemTime
FormatMessageA
CreateFileMappingW
MapViewOfFile
QueryPerformanceCounter
GetTickCount
FlushFileBuffers
GetTickCount64
SizeofResource
GetModuleHandleExW
GetModuleFileNameW
LocalAlloc
FreeResource
LockResource
LoadResource
FindResourceW
SetErrorMode
LoadLibraryExW
InitializeCriticalSectionEx
RaiseException
Sleep
GetWindowsDirectoryW
GetEnvironmentStringsW
GetCurrentDirectoryW
SetCurrentDirectoryW
FindFirstFileW
FindNextFileW
FindClose
FileTimeToSystemTime
GetFileTime
GetVolumeNameForVolumeMountPointW
GetLogicalDriveStringsW
GetDriveTypeW
DeviceIoControl
GetSystemWindowsDirectoryW
lstrcpyW
GetModuleHandleW
WaitForMultipleObjects
CreateEventW
SetEvent
CreateNamedPipeW
OpenProcess
CreateThread
GetOverlappedResult
ConnectNamedPipe
GetExitCodeProcess
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
DisconnectNamedPipe
CreateDirectoryW
GetCurrentProcess
CreateProcessW
CopyFileW
SetLastError
lstrcpynW
GetLocaleInfoW
TerminateProcess
GetTempFileNameW
ExpandEnvironmentStringsW
GetVersionExW
GetTimeZoneInformation
GetSystemDirectoryW
ReleaseMutex
CreateMutexA
VirtualAlloc
VirtualFree
VirtualQuery
WriteConsoleW
ReadConsoleW
SetStdHandle
MultiByteToWideChar
HeapSize
HeapValidate
UnmapViewOfFile
GetCurrentThreadId
GetFileAttributesW
CreateFileW
WaitForSingleObject
CreateMutexW
GetTempPathW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
AreFileApisANSI
InitializeCriticalSection
LeaveCriticalSection
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
WriteFile
GetFullPathNameW
EnterCriticalSection
HeapFree
HeapCreate
TryEnterCriticalSection
ReadFile
DecodePointer
FreeEnvironmentStringsW
FindFirstFileExW
SetEnvironmentVariableW
SetFilePointerEx
GetFileSizeEx
GetConsoleMode
GetConsoleOutputCP
GetOEMCP
GetACP
IsValidCodePage
GetFileType
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
GetCommandLineW
GetCommandLineA
GetStdHandle
ExitProcess
ExitThread
RtlUnwindEx
UnregisterWaitEx
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
ReleaseSemaphore
VirtualProtect
UnregisterWait
RegisterWaitForSingleObject
SetThreadAffinityMask
GetProcessAffinityMask
GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
GetLogicalProcessorInformation
GetThreadPriority
SetThreadPriority
SwitchToThread
SignalObjectAndWait
GetModuleHandleA
FreeLibraryAndExitThread
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
ResetEvent
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
GetStringTypeW
DuplicateHandle
GetCurrentThread
GetExitCodeThread
GetNativeSystemInfo
QueryPerformanceFrequency
RtlPcToFileHeader
EncodePointer
QueueUserWorkItem
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
CompareStringW
LCMapStringW
GetCPInfo
CreateTimerQueue
GetThreadTimes
LoadLibraryExA

user32

PostThreadMessageW
wsprintfW

advapi32

RegQueryValueExW
EqualSid
AllocateAndInitializeSid
FreeSid
CheckTokenMembership
QueryServiceStatus
OpenServiceW
RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
CloseServiceHandle
OpenSCManagerW
GetSidSubAuthorityCount
GetSidSubAuthority
GetTokenInformation
AccessCheck
GetFileSecurityW
DuplicateToken
MapGenericMask
LookupPrivilegeValueW
AdjustTokenPrivileges
RegSaveKeyW
OpenProcessToken

ole32

CoSetProxyBlanket
CoUninitialize
CoInitializeEx
CoCreateInstance
IIDFromString
CLSIDFromString
CoAddRefServerProcess
CoReleaseServerProcess
OleRun

oleaut32

GetErrorInfo
VariantTimeToSystemTime
VariantClear
SafeArrayCreateVector
SafeArrayCreate
SafeArrayLock
VariantCopy
SafeArrayPutElement
SysAllocString
SysFreeString
SafeArrayGetDim
SysStringLen
SysAllocStringLen
SafeArrayDestroy
VariantInit
SafeArrayGetElement
SafeArrayUnlock

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

shlwapi

StrStrIW

wininet

HttpSendRequestW
InternetConnectW
InternetCloseHandle
InternetOpenW
InternetSetOptionW
InternetReadFile
HttpOpenRequestW

Exports

Exports

QHChangeOnAccessScanState
QHEnableOnAccessScan
QHFreeThreatHistoryListA
QHFreeThreatHistoryListW
QHGetAppLanguageA
QHGetAppLanguageW
QHGetDigitalCertSignerA
QHGetDigitalCertSignerW
QHGetEngineVersionA
QHGetEngineVersionW
QHGetExpDate
QHGetLastFullScanTime
QHGetProductInstallDirA
QHGetProductInstallDirW
QHGetSASQHStatus
QHGetSigDatabaseDirA
QHGetSigDatabaseDirW
QHGetSigDatabaseTime
QHGetSigDatabaseVersionA
QHGetSigDatabaseVersionW
QHGetThreatHistoryA
QHGetThreatHistoryW
QHInitUpdate
QHInitiateFileScanA
QHInitiateFileScanW
QHInitiateFolderScanA
QHInitiateFolderScanW
QHInitiateFullScan
QHIsAVInstalled
QHIsFullScanRunning
QHIsLicenseExpired
QHIsOnAccessScanEnabled
QHIsUpdateInProgress
QHOpenScanner

Sections

.text
Size: 1.9MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 633KB - Virtual size: 632KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 38KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 88KB - Virtual size: 87KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gehcont
Size: 512B - Virtual size: 36B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 576KB - Virtual size: 580KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

ffacd569473052b8b18f860f81eebce2

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

ole32

oleaut32

version

shlwapi

wininet

Exports

Exports

Sections

.text Size: 1.9MB - Virtual size: 1.9MB

.rdata Size: 633KB - Virtual size: 632KB

.data Size: 38KB - Virtual size: 57KB

.pdata Size: 88KB - Virtual size: 87KB

.didat Size: 512B - Virtual size: 32B

.tls Size: 512B - Virtual size: 9B

.gehcont Size: 512B - Virtual size: 36B

.rsrc Size: 16KB - Virtual size: 15KB

.reloc Size: 576KB - Virtual size: 580KB

.text
Size: 1.9MB - Virtual size: 1.9MB

.rdata
Size: 633KB - Virtual size: 632KB

.data
Size: 38KB - Virtual size: 57KB

.pdata
Size: 88KB - Virtual size: 87KB

.didat
Size: 512B - Virtual size: 32B

.tls
Size: 512B - Virtual size: 9B

.gehcont
Size: 512B - Virtual size: 36B

.rsrc
Size: 16KB - Virtual size: 15KB

.reloc
Size: 576KB - Virtual size: 580KB