2024-04-08_4e1843a1c6ccb2b7c67866b6b6d6667e_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-04-08_4e1843a1c6ccb2b7c67866b6b6d6667e_ryuk
Size

858KB
MD5

4e1843a1c6ccb2b7c67866b6b6d6667e
SHA1

4ac2ff20faab041bf77a392ece758d248a9eff4b
SHA256

8344078ccf168e4b3c70fef5e8c1cf16f55445996be7bce5c7644dc0b9f0e506
SHA512

bdfa061fef0ed1504ed364cc281cbab3a25181acc82f1469248ea3d5d37b6dacc3ed7e7b3d8549815c7a3bbdb3f03602695760b811d4162447b167494eb717b1
SSDEEP

12288:JrRg4b4a8MlFiKp1KTPLyCYQOdP6G2OfKoXbyXD5GmYD0:Q4b4aLlFVvqPlHOdP6GgXT5I0

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-04-08_4e1843a1c6ccb2b7c67866b6b6d6667e_ryuk

Files

2024-04-08_4e1843a1c6ccb2b7c67866b6b6d6667e_ryuk
.exe windows:5 windows x64 arch:x64

3deb194d81399469830665d5c294d2d1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

Y:\inventory\InventoryC++\x64\Release\DirectoryCredentialsQuery64.pdb

Imports

kernel32

WriteFile
MapViewOfFile
UnmapViewOfFile
OpenFileMappingW
GetCurrentThread
TerminateThread
CreateToolhelp32Snapshot
Thread32First
Thread32Next
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
ReadFile
GetLocalTime
SystemTimeToFileTime
FileTimeToSystemTime
GetTimeFormatW
GetDateFormatW
FreeLibrary
GetProcAddress
GetLongPathNameW
GetFileSize
FindClose
LoadLibraryA
GetModuleFileNameW
GetModuleHandleW
CreateFileW
GetFileAttributesW
GetFileAttributesExW
GetStdHandle
GetTickCount
ReleaseMutex
CreateMutexW
OpenMutexW
GetComputerNameW
OpenEventW
GetSystemInfo
Sleep
TerminateProcess
FlushFileBuffers
GetACP
GetOEMCP
GetStringTypeW
GetCPInfo
EncodePointer
SetLastError
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
CompareStringW
LCMapStringW
GetLocaleInfoW
WaitForSingleObjectEx
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
QueryPerformanceCounter
InitializeSListHead
OutputDebugStringW
RtlPcToFileHeader
RtlUnwindEx
LoadLibraryExW
ExitProcess
GetModuleHandleExW
CreateThread
ExitThread
FreeLibraryAndExitThread
GetCommandLineA
GetCommandLineW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileType
GetConsoleCP
GetConsoleMode
SetStdHandle
FindFirstFileExW
IsValidCodePage
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetFilePointerEx
WriteConsoleW
GetCurrentThreadId
GetCurrentProcessId
CreateEventW
DuplicateHandle
CloseHandle
WaitForSingleObject
ResetEvent
SetEvent
GetCurrentProcess
WideCharToMultiByte
MultiByteToWideChar
FormatMessageW
LocalFree
GlobalFree
GetProcessHeap
DeleteCriticalSection
HeapDestroy
DecodePointer
HeapAlloc
RaiseException
HeapReAlloc
GetLastError
HeapSize
HeapFree
FindNextFileW
InitializeCriticalSectionAndSpinCount

user32

CharLowerBuffW
CharUpperBuffW

rpcrt4

UuidFromStringW

netapi32

NetServerGetInfo
NetApiBufferFree
NetShareGetInfo
NetWkstaGetInfo
NetGetJoinInformation
NetRemoteTOD

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

imagehlp

ImageUnload
ImageLoad

ws2_32

htons
htonl

advapi32

GetTokenInformation
OpenThreadToken
SetThreadToken
RevertToSelf
MakeAbsoluteSD
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
SetSecurityDescriptorDacl
StartServiceW
QueryServiceStatus
QueryServiceConfig2W
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
EnumDependentServicesW
LookupAccountSidW
ControlService
CloseServiceHandle
ChangeServiceConfig2W
ChangeServiceConfigW
RegConnectRegistryW
LookupAccountNameW
LookupPrivilegeValueW
AdjustTokenPrivileges
RegUnLoadKeyW
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
RegLoadKeyW
RegEnumValueW
RegEnumKeyExW
RegDeleteValueW
DuplicateTokenEx
RegDeleteKeyW
RegCreateKeyW
RegCloseKey
SetNamedSecurityInfoW
MakeSelfRelativeSD
GetSecurityDescriptorLength
GetSecurityDescriptorControl
InitializeSecurityDescriptor
AddAce
GetAclInformation
InitializeAcl
CopySid
GetLengthSid
GetSidSubAuthority
InitializeSid
GetSidLengthRequired
IsValidSid
OpenProcessToken
ConvertStringSidToSidW
ConvertSidToStringSidW
EqualSid
GetAce
ImpersonateLoggedOnUser

shell32

CommandLineToArgvW

ole32

CoUninitialize
CoInitializeEx

oleaut32

SystemTimeToVariantTime
SysStringLen
SysFreeString
SysAllocString
SysAllocStringLen

Sections

.text
Size: 543KB - Virtual size: 542KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 254KB - Virtual size: 253KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 37KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 352B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3deb194d81399469830665d5c294d2d1

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

rpcrt4

netapi32

version

imagehlp

ws2_32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 543KB - Virtual size: 542KB

.rdata Size: 254KB - Virtual size: 253KB

.data Size: 13KB - Virtual size: 25KB

.pdata Size: 37KB - Virtual size: 37KB

.gfids Size: 512B - Virtual size: 352B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 6KB - Virtual size: 6KB

.text
Size: 543KB - Virtual size: 542KB

.rdata
Size: 254KB - Virtual size: 253KB

.data
Size: 13KB - Virtual size: 25KB

.pdata
Size: 37KB - Virtual size: 37KB

.gfids
Size: 512B - Virtual size: 352B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 6KB - Virtual size: 6KB