2024-04-06_eb2756f51331a619cfa92310e4979803_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-04-06_eb2756f51331a619cfa92310e4979803_ryuk
Size

2.6MB
MD5

eb2756f51331a619cfa92310e4979803
SHA1

0d176d2873a2c6f308e437593049214c2c51d5aa
SHA256

3977486acef2ce1323b7f8fda8541e5701b4815605b807b59976fa4b07796c39
SHA512

bb5b1826aeaea99849e23e7c5aabe494a8d361c8737adf5d88020ea19067bf69fffe9652d02d76c8ddd2a1eb0c495738e8393d301eb5ca2bf260de5ab8ea046d
SSDEEP

24576:qS35rikB3vXFdsXylr7Vy06KGBQHavfbZGPcJa/QYWVJhppppppppppppppppppP:qS3XvXFu0r7Vt6KGBQsfbx0WVJff

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-04-06_eb2756f51331a619cfa92310e4979803_ryuk

Files

2024-04-06_eb2756f51331a619cfa92310e4979803_ryuk
.exe windows:5 windows x64 arch:x64

e3f8741c2ee7b2e43b57a7e99faf92e9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\b\c\b\win_archive\src\out\Release\nacl_win64\nacl64.exe.pdb

Imports

advapi32

OpenProcessToken
GetTokenInformation
ConvertStringSecurityDescriptorToSecurityDescriptorW
CreateProcessAsUserW
InitializeAcl
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SystemFunction036
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
GetAce
GetKernelObjectSecurity
GetLengthSid
GetSecurityDescriptorSacl
SetKernelObjectSecurity
SetTokenInformation
SetSecurityInfo
ConvertStringSidToSidW
RevertToSelf
RegDisablePredefinedCache
CopySid
CreateWellKnownSid
CreateRestrictedToken
DuplicateToken
DuplicateTokenEx
EqualSid
LookupPrivilegeValueW
SetThreadToken
ConvertSidToStringSidW
SetEntriesInAclW
GetSecurityInfo

dbghelp

SymGetSearchPathW
SymInitialize
SymGetLineFromAddr64
SymSetOptions
SymFromAddr
SymSetSearchPathW

kernel32

GetCommandLineA
TransactNamedPipe
DuplicateHandle
GetCurrentProcess
GetStdHandle
GetLongPathNameW
CloseHandle
GetLastError
SetLastError
ResumeThread
IsProcessInJob
QueryInformationJobObject
GetModuleFileNameW
GetModuleHandleW
GetModuleHandleExW
HeapAlloc
HeapReAlloc
HeapFree
DebugActiveProcess
GetModuleHandleA
LocalFree
FormatMessageW
CreateFileW
CreateNamedPipeW
WaitNamedPipeW
GetCurrentProcessId
GetCurrentThreadId
ConnectNamedPipe
VirtualFree
UnmapViewOfFile
GetSystemInfo
VirtualAlloc
VirtualProtect
CreateEventW
ContinueDebugEvent
WaitForDebugEvent
SetEvent
TerminateProcess
SuspendThread
GetThreadContext
SetThreadContext
VirtualQueryEx
ReadProcessMemory
WriteProcessMemory
ReadFile
WriteFile
SetHandleInformation
OpenProcess
GetCurrentThread
GetProcAddress
SetThreadPriority
VirtualQuery
ExitProcess
GetCommandLineW
GetCurrentDirectoryW
DeleteFileW
OutputDebugStringA
GetTickCount
FormatMessageA
QueryPerformanceCounter
QueryPerformanceFrequency
Sleep
GetThreadPriority
GetSystemTimeAsFileTime
QueryThreadCycleTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
FileTimeToSystemTime
SystemTimeToFileTime
WaitForSingleObject
GetExitCodeProcess
IsDebuggerPresent
RaiseException
CreateThread
CreateProcessW
AssignProcessToJobObject
SetInformationJobObject
AttachConsole
AllocConsole
FreeLibrary
LoadLibraryW
lstrcmpiA
GetVersionExW
GetNativeSystemInfo
HeapSetInformation
GetProcessId
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
InitializeConditionVariable
WakeConditionVariable
SleepConditionVariableSRW
CreateFileMappingW
MapViewOfFile
ResetEvent
WaitForMultipleObjects
RtlCaptureStackBackTrace
SetUnhandledExceptionFilter
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
CreateDirectoryW
GetFileAttributesW
GetFileAttributesExW
QueryDosDeviceW
RemoveDirectoryW
SetFileAttributesW
GetTempPathW
MoveFileExW
GetUserDefaultLangID
ExpandEnvironmentStringsW
GetSystemPowerStatus
FlushFileBuffers
GetFileInformationByHandle
SetEndOfFile
SetFilePointerEx
SetFileTime
GetProcessTimes
ReleaseSRWLockShared
AcquireSRWLockShared
GetModuleHandleExA
FindClose
FindFirstFileW
FindFirstFileExW
FindNextFileW
UnregisterWaitEx
RegisterWaitForSingleObject
RtlAddFunctionTable
RtlDeleteFunctionTable
CreateRemoteThread
GetSystemDirectoryW
GetWindowsDirectoryW
GetNamedPipeInfo
CancelIo
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
InitOnceExecuteOnce
RtlVirtualUnwind
VirtualProtectEx
InitializeCriticalSection
DeleteCriticalSection
TerminateJobObject
GetUserDefaultLCID
GetFileType
ProcessIdToSessionId
GetProcessHandleCount
SignalObjectAndWait
CreateMutexW
VirtualAllocEx
VirtualFreeEx
CreateJobObjectW
DebugBreak
lstrlenW
SearchPathW
WideCharToMultiByte
GetThreadId
GetEnvironmentVariableW
SetEnvironmentVariableW
OutputDebugStringW
MultiByteToWideChar
FlushInstructionCache
CreateFileA
LockFileEx
UnlockFileEx
MapViewOfFileEx
SwitchToThread
GetThreadTimes
GetSystemTime
DisconnectNamedPipe
SetNamedPipeHandleState
PeekNamedPipe
GetNamedPipeHandleStateW
ReleaseSemaphore
CreateSemaphoreW
HeapSize
GetTimeZoneInformation
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetOEMCP
IsValidCodePage
WriteConsoleW
EnumSystemLocalesW
IsValidLocale
ReadConsoleW
GetACP
FreeLibraryAndExitThread
ExitThread
GetCurrentDirectoryA
SetCurrentDirectoryA
SetEnvironmentVariableA
GetFullPathNameA
GetFullPathNameW
GetConsoleMode
GetConsoleCP
SetStdHandle
GetDriveTypeW
GetProcessHeap
LoadLibraryExW
RtlPcToFileHeader
RtlUnwindEx
InitializeSListHead
GetStartupInfoW
IsProcessorFeaturePresent
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlCaptureContext
GetCPInfo
GetLocaleInfoW
LCMapStringW
CompareStringW
DecodePointer
EncodePointer
GetStringTypeW

ole32

CoInitializeEx
CoTaskMemFree
CoUninitialize

shell32

CommandLineToArgvW
SHGetKnownFolderPath
SHGetFolderPathW

user32

wsprintfW
MessageBoxW
DefWindowProcW
UnregisterClassW
RegisterClassExW
CreateWindowExW
DestroyWindow
CloseDesktop
CloseWindowStation
CreateDesktopW
GetThreadDesktop
CreateWindowStationW
SetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

winmm

timeGetDevCaps
timeEndPeriod
timeGetTime
timeBeginPeriod

ws2_32

WSACleanup
WSAStartup
WSAEventSelect
WSACreateEvent
WSACloseEvent
WSAGetLastError
gethostbyname
socket
shutdown
setsockopt
send
select
ntohs
listen
htons
accept
bind
recv
closesocket
getsockname
htonl

userenv

GetProfileType
DestroyEnvironmentBlock
CreateEnvironmentBlock

Exports

Exports

ClearBreakpadPipeEnvironmentVariable
ClearCrashKeyValueImpl
CrashForException
DumpProcess
DumpProcessWithoutCrash
GetHandleVerifier
InjectDumpForHangDebugging
InjectDumpProcessWithoutCrash
IsSandboxedProcess
RegisterNonABICompliantCodeRange
SetCrashKeyValueImpl
TerminateProcessWithoutDump
UnregisterNonABICompliantCodeRange
_ovly_debug_event
nacl_global_xlate_base
nacl_thread_ids
nacl_user

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 186KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 69KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 25B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 1024B - Virtual size: 832B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e3f8741c2ee7b2e43b57a7e99faf92e9

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

dbghelp

kernel32

ole32

shell32

user32

version

winmm

ws2_32

userenv

Exports

Exports

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

.rdata Size: 1.2MB - Virtual size: 1.2MB

.data Size: 11KB - Virtual size: 186KB

.pdata Size: 69KB - Virtual size: 68KB

.tls Size: 512B - Virtual size: 25B

.gfids Size: 1024B - Virtual size: 832B

_RDATA Size: 32KB - Virtual size: 32KB

.rsrc Size: 52KB - Virtual size: 51KB

.reloc Size: 9KB - Virtual size: 8KB

.text
Size: 1.2MB - Virtual size: 1.2MB

.rdata
Size: 1.2MB - Virtual size: 1.2MB

.data
Size: 11KB - Virtual size: 186KB

.pdata
Size: 69KB - Virtual size: 68KB

.tls
Size: 512B - Virtual size: 25B

.gfids
Size: 1024B - Virtual size: 832B

_RDATA
Size: 32KB - Virtual size: 32KB

.rsrc
Size: 52KB - Virtual size: 51KB

.reloc
Size: 9KB - Virtual size: 8KB