2024-03-19_045528a0fc59ebf6d8e60f005dfdb028_ryuk

Sharing

Copy URL

Twitter E-mail

General

Target

2024-03-19_045528a0fc59ebf6d8e60f005dfdb028_ryuk
Size

5.5MB
MD5

045528a0fc59ebf6d8e60f005dfdb028
SHA1

46a3cfb77095a4121e7c1e87e4a908a09b76de2e
SHA256

e6604dae46c9857637f3067c8042879cbf5c6872c3b3c9b0150497aed7c63722
SHA512

6f198b93cbff727d7038d8ec15d2dcd21b6af628583880d0b44b2cf22902809d90cc56b0534583bee75cb09db669dc1ecf69734e7aa1422fe572ad94b76684c9
SSDEEP

49152:La8ZpIz6aFts94089MByEZ+pFjoGAS/jKP2nJdIKLmP82b/J27C0+KMUdPy2ycj1:RcMyEZqFNOe9mE2QCo9+OED8

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-03-19_045528a0fc59ebf6d8e60f005dfdb028_ryuk

Files

2024-03-19_045528a0fc59ebf6d8e60f005dfdb028_ryuk
.exe windows:5 windows x64 arch:x64

40f3e69ce8302ee6f2900b03fdd8be55

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\b\c\b\win_archive\src\out\Release\nacl_win64\nacl64.exe.pdb

Imports

advapi32

OpenProcessToken
GetTokenInformation
ConvertStringSecurityDescriptorToSecurityDescriptorW
CreateProcessAsUserW
SystemFunction036
InitializeAcl
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
GetAce
GetKernelObjectSecurity
GetLengthSid
GetSecurityDescriptorSacl
SetKernelObjectSecurity
SetTokenInformation
SetSecurityInfo
ConvertStringSidToSidW
RevertToSelf
RegDisablePredefinedCache
CopySid
CreateWellKnownSid
CreateRestrictedToken
DuplicateToken
DuplicateTokenEx
EqualSid
LookupPrivilegeValueW
SetThreadToken
ConvertSidToStringSidW
SetEntriesInAclW
GetSecurityInfo

dbghelp

SymGetSearchPathW
SymInitialize
SymGetLineFromAddr64
SymSetOptions
SymFromAddr
SymSetSearchPathW

gdi32

GetOutlineTextMetricsW
GdiFlush
GetTextFaceW
ExtTextOutW
CreateDIBSection
SetWorldTransform
GetTextMetricsW
SetTextAlign
SetTextColor
SetGraphicsMode
CreateCompatibleDC
CreateFontIndirectW
DeleteDC
DeleteObject
EnumFontFamiliesExW
GetCharABCWidthsW
GetFontData
GetGlyphOutlineW
GetFontUnicodeRanges
GetGlyphIndicesW
GetTextExtentPointI
AddFontMemResourceEx
RemoveFontMemResourceEx
SelectObject
SetBkMode

kernel32

IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetCommandLineA
TransactNamedPipe
DuplicateHandle
GetCurrentProcess
GetStdHandle
GetLongPathNameW
CloseHandle
GetLastError
SetLastError
ResumeThread
IsProcessInJob
QueryInformationJobObject
GetModuleFileNameW
GetModuleHandleW
GetModuleHandleExW
DebugActiveProcess
GetCurrentProcessId
GetCurrentThreadId
CreateFileW
CreateNamedPipeW
WaitNamedPipeW
LocalFree
ConnectNamedPipe
GetModuleHandleA
FormatMessageW
VirtualFree
UnmapViewOfFile
GetSystemInfo
VirtualAlloc
VirtualProtect
CreateEventW
ContinueDebugEvent
WaitForDebugEvent
SetEvent
TerminateProcess
SuspendThread
GetThreadContext
SetThreadContext
VirtualQueryEx
ReadProcessMemory
WriteProcessMemory
ReadFile
WriteFile
SetHandleInformation
OpenProcess
GetCurrentThread
GetProcAddress
SetThreadPriority
VirtualQuery
ExitProcess
HeapCreate
HeapDestroy
GetCommandLineW
GetCurrentDirectoryW
DeleteFileW
OutputDebugStringA
GetLocalTime
GetTickCount
FormatMessageA
GetProcessId
QueryPerformanceCounter
QueryPerformanceFrequency
Sleep
GetThreadPriority
GetSystemTimeAsFileTime
QueryThreadCycleTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
FileTimeToSystemTime
SystemTimeToFileTime
WaitForSingleObject
IsDebuggerPresent
RaiseException
CreateThread
CreateProcessW
AssignProcessToJobObject
SetInformationJobObject
AttachConsole
AllocConsole
FreeLibrary
LoadLibraryW
lstrcmpiA
GetVersionExW
GetNativeSystemInfo
HeapSetInformation
ResetEvent
WaitForMultipleObjects
CreateFileMappingW
MapViewOfFile
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
FlushFileBuffers
GetFileInformationByHandle
GetFileSizeEx
SetEndOfFile
SetFilePointerEx
SetFileTime
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableSRW
GetProcessTimes
HeapAlloc
HeapReAlloc
HeapFree
HeapSize
GetThreadId
RtlCaptureStackBackTrace
SetUnhandledExceptionFilter
CreateDirectoryW
GetFileAttributesW
GetFileAttributesExW
QueryDosDeviceW
RemoveDirectoryW
SetFileAttributesW
GetTempPathW
MoveFileExW
GetUserDefaultLangID
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
GetSystemPowerStatus
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FindClose
FindFirstFileW
FindFirstFileExW
FindNextFileW
UnregisterWaitEx
RegisterWaitForSingleObject
ReleaseSRWLockShared
AcquireSRWLockShared
GetModuleHandleExA
GetEnvironmentVariableW
SetEnvironmentVariableW
OutputDebugStringW
MultiByteToWideChar
WideCharToMultiByte
GetComputerNameExW
RtlAddFunctionTable
RtlDeleteFunctionTable
CreateRemoteThread
GetSystemDirectoryW
GetWindowsDirectoryW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
InitOnceExecuteOnce
RtlVirtualUnwind
CancelIo
GetLocaleInfoW
InitializeCriticalSection
GetTimeZoneInformation
CreateFileA
VirtualProtectEx
QueryFullProcessImageNameW
DeleteCriticalSection
TerminateJobObject
GetUserDefaultLCID
GetFileType
ProcessIdToSessionId
GetProcessHandleCount
SignalObjectAndWait
CreateMutexW
VirtualAllocEx
VirtualFreeEx
CreateJobObjectW
DebugBreak
lstrlenW
SearchPathW
FlushInstructionCache
LockFileEx
UnlockFileEx
MapViewOfFileEx
SwitchToThread
GetThreadTimes
GetSystemTime
DisconnectNamedPipe
SetNamedPipeHandleState
PeekNamedPipe
GetNamedPipeHandleStateW
ReleaseSemaphore
CreateSemaphoreW
WriteConsoleW
EnumSystemLocalesW
IsValidLocale
ReadConsoleW
FreeLibraryAndExitThread
ExitThread
GetCurrentDirectoryA
SetCurrentDirectoryA
SetEnvironmentVariableA
GetACP
GetFullPathNameA
GetFullPathNameW
GetConsoleMode
GetConsoleCP
SetStdHandle
GetDriveTypeW
LoadLibraryExW
RtlPcToFileHeader
RtlUnwindEx
GetStartupInfoW
InitializeSListHead
IsProcessorFeaturePresent
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlCaptureContext
WaitForSingleObjectEx
GetCPInfo
LCMapStringW
CompareStringW
DecodePointer
EncodePointer
GetStringTypeW

ole32

CoInitializeEx
CoTaskMemFree
CoCreateGuid
CoUninitialize

psapi

GetMappedFileNameW

shell32

SHGetFolderPathW
SHGetKnownFolderPath
CommandLineToArgvW

user32

SystemParametersInfoW
GetUserObjectInformationW
GetProcessWindowStation
SetProcessWindowStation
CreateWindowStationW
GetThreadDesktop
CreateDesktopW
wsprintfW
MessageBoxW
TranslateMessage
DispatchMessageW
PeekMessageW
PostMessageW
PostQuitMessage
GetQueueStatus
MsgWaitForMultipleObjectsEx
SetTimer
KillTimer
DefWindowProcW
UnregisterClassW
RegisterClassExW
CreateWindowExW
DestroyWindow
GetWindowLongPtrW
SetWindowLongPtrW
CloseDesktop
CloseWindowStation

usp10

ScriptFreeCache
ScriptItemize
ScriptShape

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

winmm

timeGetTime
timeGetDevCaps
timeBeginPeriod
timeEndPeriod

ws2_32

ntohs
listen
htons
htonl
getsockname
closesocket
bind
accept
recv
select
send
setsockopt
shutdown
WSAStartup
WSAEventSelect
WSACreateEvent
WSACloseEvent
WSACleanup
WSAGetLastError
gethostbyname
socket

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock
GetProfileType

Exports

Exports

ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
CrashForException
DumpProcess
DumpProcessWithoutCrash
GetHandleVerifier
InjectDumpForHangDebugging
InjectDumpForHungInput
InjectDumpForHungInputNoCrashKeys
InjectDumpProcessWithoutCrash
IsSandboxedProcess
RegisterNonABICompliantCodeRange
SetCrashKeyValueImpl
TerminateProcessWithoutDump
UnregisterNonABICompliantCodeRange
_ovly_debug_event
nacl_global_xlate_base
nacl_thread_ids
nacl_user

Sections

.text
Size: 3.6MB - Virtual size: 3.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 17KB - Virtual size: 200KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 217KB - Virtual size: 216KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 29B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 1024B - Virtual size: 840B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

40f3e69ce8302ee6f2900b03fdd8be55

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

dbghelp

gdi32

kernel32

ole32

psapi

shell32

user32

usp10

version

winmm

ws2_32

userenv

Exports

Exports

Sections

.text Size: 3.6MB - Virtual size: 3.6MB

.rdata Size: 1.6MB - Virtual size: 1.6MB

.data Size: 17KB - Virtual size: 200KB

.pdata Size: 217KB - Virtual size: 216KB

.tls Size: 512B - Virtual size: 29B

.gfids Size: 1024B - Virtual size: 840B

_RDATA Size: 32KB - Virtual size: 32KB

.rsrc Size: 52KB - Virtual size: 51KB

.reloc Size: 22KB - Virtual size: 22KB

.text
Size: 3.6MB - Virtual size: 3.6MB

.rdata
Size: 1.6MB - Virtual size: 1.6MB

.data
Size: 17KB - Virtual size: 200KB

.pdata
Size: 217KB - Virtual size: 216KB

.tls
Size: 512B - Virtual size: 29B

.gfids
Size: 1024B - Virtual size: 840B

_RDATA
Size: 32KB - Virtual size: 32KB

.rsrc
Size: 52KB - Virtual size: 51KB

.reloc
Size: 22KB - Virtual size: 22KB