2024-03-05_e568bbf46b123b996a52f5484170b0e9_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-03-05_e568bbf46b123b996a52f5484170b0e9_ryuk
Size

2.7MB
MD5

e568bbf46b123b996a52f5484170b0e9
SHA1

60b05d3de54eb46be9ba30e98e0f5f85155ed38a
SHA256

bc581b54603c9596373ec86969473d1f117a6a244a23168f5cd88e20f4e609d9
SHA512

4cc93a783ae6cbaca1ae2a520a46d552497f8b292f51b446a3b440a0d2e9a23b345018e04506edc34a4aad0fc218874d9a34f099f8cf834abc1dc4d02ee87b95
SSDEEP

49152:CFxyhqH3YcPypTcRXOqx3Obd2CXlUuGr:aSjbd2H

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-03-05_e568bbf46b123b996a52f5484170b0e9_ryuk

Files

2024-03-05_e568bbf46b123b996a52f5484170b0e9_ryuk
.exe windows:5 windows x64 arch:x64

de4e86ad0a51b491626f9d885eae3554

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\b\build\slave\Win\build\src\out\Release\nacl_win64\nacl64.exe.pdb

Imports

advapi32

OpenProcessToken
GetTokenInformation
RevertToSelf
ConvertStringSecurityDescriptorToSecurityDescriptorW
CreateProcessAsUserW
ConvertSidToStringSidW
InitializeAcl
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
SystemFunction036
GetAce
GetKernelObjectSecurity
GetLengthSid
GetSecurityDescriptorSacl
SetKernelObjectSecurity
SetTokenInformation
SetSecurityInfo
ConvertStringSidToSidW
RegDisablePredefinedCache
CopySid
CreateWellKnownSid
CreateRestrictedToken
DuplicateToken
DuplicateTokenEx
EqualSid
LookupPrivilegeValueW
SetThreadToken
SetEntriesInAclW
GetSecurityInfo

dbghelp

SymSetOptions
SymGetLineFromAddr64
SymInitialize
SymGetSearchPathW
SymFromAddr
SymSetSearchPathW

kernel32

FreeEnvironmentStringsW
GetCommandLineA
GetEnvironmentStringsW
DuplicateHandle
GetCurrentProcess
GetStdHandle
GetLongPathNameW
CloseHandle
GetLastError
SetLastError
ResumeThread
IsProcessInJob
QueryInformationJobObject
GetModuleFileNameW
GetModuleHandleW
GetModuleHandleExW
CreateEventW
GetProcessTimes
OpenProcess
GetSystemTimeAsFileTime
ReadProcessMemory
UnregisterWaitEx
CreateFileW
WriteFile
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
SetEvent
ResetEvent
WaitForMultipleObjects
GetCurrentProcessId
GetCurrentThreadId
ReadFile
ConnectNamedPipe
DisconnectNamedPipe
CreateNamedPipeW
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
CreateMutexW
Sleep
RegisterWaitForSingleObject
FreeLibrary
GetProcAddress
LoadLibraryW
RtlCaptureContext
SetUnhandledExceptionFilter
ReleaseSemaphore
WaitForSingleObject
CreateSemaphoreW
CreateThread
SuspendThread
GetProcessId
GetThreadContext
VirtualQueryEx
RtlAddFunctionTable
RtlDeleteFunctionTable
GetCommandLineW
GetTempPathW
TerminateProcess
CreateRemoteThread
CreateProcessW
VirtualProtect
HeapAlloc
HeapReAlloc
HeapFree
DebugActiveProcess
RtlVirtualUnwind
CreateDirectoryW
DeleteFileW
GetFileAttributesW
LockFileEx
SetEndOfFile
UnlockFileEx
GetFileType
SetHandleInformation
RaiseException
FlushInstructionCache
VirtualAllocEx
VirtualProtectEx
WriteProcessMemory
SetFilePointerEx
GetNamedPipeInfo
QueryPerformanceCounter
QueryPerformanceFrequency
FormatMessageA
CreateIoCompletionPort
PostQueuedCompletionStatus
GetSystemInfo
LocalFree
GetModuleHandleA
FormatMessageW
VirtualFree
UnmapViewOfFile
VirtualAlloc
ContinueDebugEvent
WaitForDebugEvent
SetThreadContext
GetCurrentThread
SetThreadPriority
VirtualQuery
ExitProcess
GetCurrentDirectoryW
OutputDebugStringA
GetTickCount
GetThreadPriority
QueryThreadCycleTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
FileTimeToSystemTime
SystemTimeToFileTime
GetExitCodeProcess
IsDebuggerPresent
AssignProcessToJobObject
SetInformationJobObject
AttachConsole
AllocConsole
lstrcmpiA
GetVersionExW
GetNativeSystemInfo
GetEnvironmentVariableW
SetEnvironmentVariableW
HeapSetInformation
CreateFileMappingW
MapViewOfFile
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
ExpandEnvironmentStringsW
FlushFileBuffers
GetFileInformationByHandle
SetFileTime
FindClose
FindFirstFileW
FindFirstFileExW
FindNextFileW
GetFileAttributesExW
QueryDosDeviceW
RemoveDirectoryW
SetFileAttributesW
MoveFileExW
InitializeConditionVariable
WakeConditionVariable
SleepConditionVariableSRW
RtlCaptureStackBackTrace
GetUserDefaultLangID
GetSystemPowerStatus
ReleaseSRWLockShared
AcquireSRWLockShared
GetModuleHandleExA
RtlLookupFunctionEntry
GetSystemDirectoryW
GetWindowsDirectoryW
CancelIo
InitializeCriticalSectionAndSpinCount
InitOnceExecuteOnce
TerminateJobObject
GetUserDefaultLCID
ProcessIdToSessionId
GetProcessHandleCount
SignalObjectAndWait
VirtualFreeEx
CreateJobObjectW
DebugBreak
lstrlenW
SearchPathW
WideCharToMultiByte
GetThreadId
OutputDebugStringW
MultiByteToWideChar
CreateFileA
MapViewOfFileEx
SwitchToThread
GetThreadTimes
GetSystemTime
PeekNamedPipe
GetNamedPipeHandleStateW
GetOEMCP
IsValidCodePage
WriteConsoleW
HeapSize
GetTimeZoneInformation
EnumSystemLocalesW
IsValidLocale
ReadConsoleW
GetACP
FreeLibraryAndExitThread
ExitThread
GetCurrentDirectoryA
SetCurrentDirectoryA
SetEnvironmentVariableA
GetFullPathNameA
GetFullPathNameW
GetConsoleMode
GetConsoleCP
SetStdHandle
GetDriveTypeW
GetProcessHeap
LoadLibraryExW
RtlPcToFileHeader
RtlUnwindEx
InitializeSListHead
GetStartupInfoW
IsProcessorFeaturePresent
UnhandledExceptionFilter
GetCPInfo
GetLocaleInfoW
LCMapStringW
CompareStringW
DecodePointer
EncodePointer
GetStringTypeW
GetQueuedCompletionStatus

ole32

CoUninitialize
CoInitializeEx
CoTaskMemFree

shell32

SHGetFolderPathW
SHGetKnownFolderPath
CommandLineToArgvW

user32

wsprintfW
DefWindowProcW
MessageBoxW
RegisterClassExW
CreateWindowExW
DestroyWindow
CloseDesktop
CloseWindowStation
CreateDesktopW
GetThreadDesktop
CreateWindowStationW
SetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW
UnregisterClassW

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

winmm

timeGetTime
timeEndPeriod
timeGetDevCaps
timeBeginPeriod

ws2_32

ntohs
listen
htons
htonl
recv
closesocket
socket
accept
select
send
setsockopt
getsockname
shutdown
gethostbyname
WSAGetLastError
WSACloseEvent
WSACreateEvent
WSAEventSelect
WSAStartup
WSACleanup
bind

userenv

DestroyEnvironmentBlock
GetProfileType
CreateEnvironmentBlock

Exports

Exports

ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
CrashForException
DumpProcess
DumpProcessWithoutCrash
GetHandleVerifier
InjectDumpForHangDebugging
InjectDumpProcessWithoutCrash
IsSandboxedProcess
RegisterNonABICompliantCodeRange
SetCrashKeyValueImpl
TerminateProcessWithoutDump
UnregisterNonABICompliantCodeRange
_ovly_debug_event
nacl_global_xlate_base
nacl_thread_ids
nacl_user

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 184KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 65KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

CPADinfo
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 41B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 1024B - Virtual size: 832B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

de4e86ad0a51b491626f9d885eae3554

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

dbghelp

kernel32

ole32

shell32

user32

version

winmm

ws2_32

userenv

Exports

Exports

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

.rdata Size: 1.3MB - Virtual size: 1.3MB

.data Size: 11KB - Virtual size: 184KB

.pdata Size: 65KB - Virtual size: 65KB

CPADinfo Size: 512B - Virtual size: 48B

.tls Size: 512B - Virtual size: 41B

.gfids Size: 1024B - Virtual size: 832B

_RDATA Size: 32KB - Virtual size: 32KB

.rsrc Size: 52KB - Virtual size: 51KB

.reloc Size: 8KB - Virtual size: 8KB

.text
Size: 1.2MB - Virtual size: 1.2MB

.rdata
Size: 1.3MB - Virtual size: 1.3MB

.data
Size: 11KB - Virtual size: 184KB

.pdata
Size: 65KB - Virtual size: 65KB

CPADinfo
Size: 512B - Virtual size: 48B

.tls
Size: 512B - Virtual size: 41B

.gfids
Size: 1024B - Virtual size: 832B

_RDATA
Size: 32KB - Virtual size: 32KB

.rsrc
Size: 52KB - Virtual size: 51KB

.reloc
Size: 8KB - Virtual size: 8KB