2024-04-17_772fcbeab423e3cb9688d9590a74e5f0_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-04-17_772fcbeab423e3cb9688d9590a74e5f0_ryuk
Size

2.1MB
MD5

772fcbeab423e3cb9688d9590a74e5f0
SHA1

1968174650bd076533e5f0a5bd76969e2b097123
SHA256

4d0249244f92ace953b7e87b27f06cb42164fe45ebf3136a8c6e3150ae19b0bc
SHA512

0f6d72c625507e64845eb61b14eb59420b4179e828c5ebf96bddeafb8eb2912a6cdfd019c699a1becb487d27fd134c3f8a6fe67fbff53e185f0bf7089248fffe
SSDEEP

49152:ILGneLZMzaBpowiqCXoTqFbfdHT+Tl7gBD:ILGneLZMOuwi1nL+

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-04-17_772fcbeab423e3cb9688d9590a74e5f0_ryuk

Files

2024-04-17_772fcbeab423e3cb9688d9590a74e5f0_ryuk
.exe windows:5 windows x64 arch:x64

bc485f3692e631d1a0a54ac2c837c5f7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

F:\gitwork\windows\lua\Zrlua64.pdb

Imports

kernel32

HeapCompact
CreateDirectoryW
QueryDosDeviceW
FindFirstFileW
GetFileSizeEx
FindFirstFileA
SetLastError
FindNextFileW
GetCurrentProcess
lstrlenW
WriteFile
ExpandEnvironmentStringsW
DeviceIoControl
TerminateProcess
RemoveDirectoryW
GetDriveTypeA
SetFilePointer
FindClose
GetVolumeInformationA
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetCurrentThreadId
GetModuleHandleA
OpenProcess
GetLogicalDriveStringsW
CreateToolhelp32Snapshot
MultiByteToWideChar
Sleep
Process32NextW
CreateFileA
lstrcatW
DeleteFileW
Process32FirstW
CloseHandle
GetSystemInfo
LoadLibraryW
GetLocalTime
GetLogicalDriveStringsA
GetProcAddress
LocalFree
VerSetConditionMask
GetCurrentProcessId
CreateProcessW
GetModuleHandleW
FreeLibrary
CopyFileW
WideCharToMultiByte
lstrcpyW
VerifyVersionInfoW
lstrcmpiW
GetTickCount
lstrcmpW
GetProcessTimes
GetFileTime
FlushFileBuffers
ReadFile
GetSystemTimeAsFileTime
GlobalMemoryStatus
QueryPerformanceCounter
GetComputerNameA
GetModuleFileNameA
GetLogicalDrives
LoadLibraryExA
ExitThread
GetDiskFreeSpaceExW
LoadLibraryA
GetConsoleWindow
FormatMessageA
GetDriveTypeW
GetCurrentDirectoryA
GetPrivateProfileStringW
GetSystemDirectoryA
HeapFree
CreateEventW
HeapAlloc
GetProcessHeap
IsBadWritePtr
ReadProcessMemory
IsBadReadPtr
HeapDestroy
EnterCriticalSection
LeaveCriticalSection
OpenFileMappingW
UnmapViewOfFile
CreateFileMappingW
MapViewOfFile
CreateDirectoryA
FileTimeToSystemTime
FileTimeToLocalFileTime
GetEnvironmentStringsW
CreateMutexW
ReleaseMutex
OpenMutexW
CreateThread
GetModuleFileNameW
GetVersionExW
GetCurrentDirectoryW
GetVersionExA
Thread32Next
Thread32First
FlushViewOfFile
ResumeThread
Module32FirstW
GetThreadContext
SetFilePointerEx
Module32NextW
VirtualFreeEx
OpenThread
VirtualQueryEx
GetWindowsDirectoryW
SetConsoleCtrlHandler
GetVolumeInformationW
GetVolumeNameForVolumeMountPointW
DeleteFileA
GetSystemTimes
FormatMessageW
GetNativeSystemInfo
GetComputerNameW
GlobalMemoryStatusEx
OutputDebugStringW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
RtlPcToFileHeader
EncodePointer
RaiseException
RtlUnwindEx
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
ExitProcess
GetModuleHandleExW
QueryPerformanceFrequency
DuplicateHandle
CreateProcessA
GetTempPathW
FreeLibraryAndExitThread
GetStdHandle
GetCommandLineA
GetCommandLineW
GetACP
HeapSize
HeapValidate
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileType
GetConsoleCP
GetConsoleMode
GetExitCodeProcess
GetFileAttributesExW
GetStringTypeW
GetTimeZoneInformation
ReadConsoleW
SetStdHandle
GetCPInfo
CreatePipe
MoveFileExW
OutputDebugStringA
WaitForSingleObjectEx
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
FreeEnvironmentStringsW
SetEnvironmentVariableA
HeapReAlloc
HeapQueryInformation
WriteConsoleW
SetEndOfFile
UnlockFile
CreateFileMappingA
LockFileEx
GetFileSize
SystemTimeToFileTime
GetSystemTime
VirtualFree
CreateMutexA
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
UnlockFileEx
SuspendThread
AreFileApisANSI
TryEnterCriticalSection
HeapCreate
GetFullPathNameW
GetDiskFreeSpaceW
LockFile
GetProcessId
GetFullPathNameA
GetLastError
IsWow64Process
InitializeCriticalSection

user32

MessageBoxW
GetDC
GetIconInfo
wsprintfW
ReleaseDC
GetWindowThreadProcessId
DrawIconEx
GetWindowRect
IsWindowVisible
EnumWindows
GetClassNameW
GetParent
GetWindowTextW
MessageBoxA
ShowWindow

ole32

CoInitializeSecurity
CoInitializeEx
CoInitialize
CoUninitialize
CoCreateInstance
CoSetProxyBlanket

dbghelp

MiniDumpWriteDump
SymCleanup
SymGetModuleBase64
SymGetOptions
SymGetModuleInfo64
SymFunctionTableAccess64
SymInitialize
SymFromAddr
SymSetOptions
StackWalk64

ws2_32

sendto
WSACleanup
WSAGetLastError
ioctlsocket
htons
connect
gethostname
inet_ntoa
gethostbyname
ntohl
WSAStartup
__WSAFDIsSet
closesocket
select
inet_addr
socket
WSAStringToAddressW

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

shlwapi

PathFindFileNameW

netapi32

NetUserGetGroups
NetUserEnum
NetApiBufferFree
NetUserGetInfo
NetUserGetLocalGroups
NetShareEnum

psapi

EnumProcesses
GetProcessImageFileNameW

iphlpapi

GetExtendedUdpTable
GetIfTable
GetBestInterface
GetAdaptersAddresses
GetAdaptersInfo
GetExtendedTcpTable

pdh

PdhAddCounterW
PdhCollectQueryData
PdhCloseQuery
PdhOpenQueryW
PdhGetFormattedCounterValue
PdhEnumObjectItemsW

wintrust

WinVerifyTrust

advapi32

AllocateAndInitializeSid
ConvertStringSidToSidW
ControlService
RegQueryValueExA
GetUserNameA
RegOpenKeyExA
RegEnumKeyExW
OpenProcessToken
FreeSid
RegOpenKeyExW
CreateProcessAsUserW
OpenServiceW
GetLengthSid
DuplicateTokenEx
LookupAccountSidW
RegEnumValueW
RegQueryValueExW
GetSecurityInfo
GetTokenInformation
SetTokenInformation
OpenSCManagerW
CloseServiceHandle
RegQueryInfoKeyW
RegCloseKey
AdjustTokenPrivileges
LookupPrivilegeValueW
QueryServiceStatusEx
EnumServicesStatusW
QueryServiceConfig2W
QueryServiceConfigW
DeleteService
ConvertSidToStringSidA
EnumServicesStatusExW
RegSetValueExW
RegCreateKeyExW
RegDeleteKeyW
GetUserNameW

shell32

SHGetMalloc
ord680
SHGetFileInfoW
SHGetPathFromIDListW

oleaut32

SysFreeString
SafeArrayGetLBound
VariantClear
SafeArrayDestroy
VariantInit
SafeArrayGetUBound
SafeArrayGetElement

setupapi

SetupDiGetClassDescriptionExW
SetupDiBuildClassInfoListExW
SetupDiGetDeviceInfoListDetailW
SetupDiGetClassDevsExW
SetupDiLoadClassIcon
CM_Get_Device_ID_ExW
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiGetDeviceRegistryPropertyW
SetupDiGetClassRegistryPropertyW
SetupDiOpenDeviceInfoW
SetupDiClassNameFromGuidExW
SetupDiGetDeviceInstanceIdW
SetupDiClassGuidsFromNameExW
CM_Get_DevNode_Status_Ex

gdi32

CreateDIBSection
CreateCompatibleDC
DeleteDC
GetObjectW
DeleteObject
SelectObject

Exports

Exports

luaopen_cjson
luaopen_cjson_safe
luaopen_llthreads

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 431KB - Virtual size: 430KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 82KB - Virtual size: 81KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 268B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

bc485f3692e631d1a0a54ac2c837c5f7

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

ole32

dbghelp

ws2_32

userenv

shlwapi

netapi32

psapi

iphlpapi

pdh

wintrust

advapi32

shell32

oleaut32

setupapi

gdi32

Exports

Exports

Sections

.text Size: 1.6MB - Virtual size: 1.6MB

.rdata Size: 431KB - Virtual size: 430KB

.data Size: 13KB - Virtual size: 38KB

.pdata Size: 82KB - Virtual size: 81KB

.gfids Size: 512B - Virtual size: 268B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 6KB - Virtual size: 6KB

.text
Size: 1.6MB - Virtual size: 1.6MB

.rdata
Size: 431KB - Virtual size: 430KB

.data
Size: 13KB - Virtual size: 38KB

.pdata
Size: 82KB - Virtual size: 81KB

.gfids
Size: 512B - Virtual size: 268B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 6KB - Virtual size: 6KB