2024-04-20_80f38ca9c86dc6feb7f7b4a9e684b39c_ryuk

Sharing

Copy URL

Twitter E-mail

General

Target

2024-04-20_80f38ca9c86dc6feb7f7b4a9e684b39c_ryuk
Size

1.4MB
MD5

80f38ca9c86dc6feb7f7b4a9e684b39c
SHA1

a292f47800bdb686cb10606c27c5e342cddc56fa
SHA256

a68ce1eda3373c5d05109a689e0243e9dc75ae550e6a08eefd7152f08ab9136d
SHA512

e4d491a243dad28e26a62b28951c5167b011b033622045b499d0dd5d05e887b4d4b8f2f3a581052864eab2c27d2cf1ddcabeada2e546ec9f45497458030b74c2
SSDEEP

24576:0QDgzCNS50RlbnSJPU8wtmvWKiMoWJ4TFf55RycoFB:0sgzuS50Rlbn22vMoW2TNUcov

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-04-20_80f38ca9c86dc6feb7f7b4a9e684b39c_ryuk

Files

2024-04-20_80f38ca9c86dc6feb7f7b4a9e684b39c_ryuk
.exe windows:5 windows x64 arch:x64

fde412b4c4f2ebb2c8aa0abeec785f82

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\build\nw24_sdk_win64\node-webkit\src\outst\nw\initialexe\nw.exe.pdb

Imports

nw_elf

SignalChromeElf
GetInstallDetailsPayload

advapi32

ImpersonateNamedPipeClient
RegCloseKey
RegCreateKeyExW
RegDeleteValueW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
SystemFunction036
OpenProcessToken
GetTokenInformation
GetAce
GetKernelObjectSecurity
GetLengthSid
GetSecurityDescriptorSacl
SetKernelObjectSecurity
SetTokenInformation
SetSecurityInfo
ConvertStringSidToSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
RevertToSelf
RegDisablePredefinedCache
CopySid
CreateWellKnownSid
CreateRestrictedToken
DuplicateToken
DuplicateTokenEx
EqualSid
LookupPrivilegeValueW
CreateProcessAsUserW
SetThreadToken
ConvertSidToStringSidW
SetEntriesInAclW
GetSecurityInfo

kernel32

GetCurrentThreadId
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetLastError
SetLastError
CreateEventW
DuplicateHandle
WaitForSingleObject
GetCurrentProcess
GetProcessId
SetCurrentDirectoryW
GetCurrentDirectoryW
SetProcessShutdownParameters
LoadLibraryExW
VirtualAlloc
VirtualFree
MultiByteToWideChar
WideCharToMultiByte
HeapCreate
HeapDestroy
CreateFileW
DeleteFileW
WriteFile
OutputDebugStringA
CloseHandle
GetCurrentProcessId
GetLocalTime
GetTickCount
FormatMessageA
QueryPerformanceCounter
QueryPerformanceFrequency
Sleep
GetCurrentThread
GetSystemTimeAsFileTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
FileTimeToSystemTime
SystemTimeToFileTime
GetCommandLineW
LocalFree
GetModuleHandleW
ExpandEnvironmentStringsW
GetVersionExW
GetNativeSystemInfo
TerminateProcess
GetExitCodeProcess
OpenProcess
FlushFileBuffers
GetFileInformationByHandle
GetFileSizeEx
ReadFile
SetEndOfFile
SetFilePointerEx
SetFileTime
HeapAlloc
HeapReAlloc
HeapFree
HeapSize
IsDebuggerPresent
RaiseException
CreateThread
GetThreadId
RtlCaptureStackBackTrace
SetUnhandledExceptionFilter
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
GetSystemDirectoryW
GetWindowsDirectoryW
CreateDirectoryW
GetFileAttributesW
GetLongPathNameW
QueryDosDeviceW
RemoveDirectoryW
SetFileAttributesW
GetTempPathW
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
MoveFileW
ReplaceFileW
UnregisterWaitEx
RegisterWaitForSingleObject
GetUserDefaultLangID
GetModuleHandleExW
FlushViewOfFile
FindClose
FindFirstFileW
GetThreadLocale
FindNextFileW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
VirtualQuery
HeapSetInformation
GetProcessTimes
GetSystemInfo
VirtualQueryEx
LoadLibraryW
SetEvent
ResetEvent
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
SetInformationJobObject
DecodePointer
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
CreateProcessW
OutputDebugStringW
FreeLibrary
LockFileEx
UnlockFileEx
SetConsoleCtrlHandler
InitializeCriticalSection
LeaveCriticalSection
TerminateJobObject
GetUserDefaultLCID
WriteProcessMemory
AssignProcessToJobObject
GetFileType
SetHandleInformation
ProcessIdToSessionId
GetProcessHandleCount
GetProcessHeaps
SignalObjectAndWait
CreateMutexW
VirtualProtectEx
QueryFullProcessImageNameW
VirtualAllocEx
VirtualFreeEx
CreateJobObjectW
CreateNamedPipeW
CreateRemoteThread
ReadProcessMemory
DebugBreak
lstrlenW
SearchPathW
SetFilePointer
VirtualProtect
LoadLibraryExA
Wow64GetThreadContext
GetThreadContext
SuspendThread
SleepEx
CreateSemaphoreW
ReleaseSemaphore
GetVersion
WaitNamedPipeW
TransactNamedPipe
SetNamedPipeHandleState
IsWow64Process
GetFileInformationByHandleEx
DisconnectNamedPipe
ConnectNamedPipe
InitOnceExecuteOnce
ResumeThread
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetOEMCP
IsValidCodePage
GetTimeZoneInformation
WriteConsoleW
EnumSystemLocalesW
IsValidLocale
ReadConsoleW
GetACP
GetStdHandle
SetStdHandle
GetFullPathNameW
ExitProcess
GetConsoleMode
GetConsoleCP
PeekNamedPipe
GetDriveTypeW
RtlPcToFileHeader
RtlUnwindEx
GetCPInfo
GetLocaleInfoW
LCMapStringW
CompareStringW
EncodePointer
GetStringTypeW
InitializeSListHead
GetStartupInfoW
IsProcessorFeaturePresent
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
WaitForSingleObjectEx
GetSystemDefaultLCID
FindFirstFileExW
EnterCriticalSection

psapi

GetMappedFileNameW
GetPerformanceInfo
GetProcessMemoryInfo

shell32

SHGetKnownFolderPath
SHGetFolderPathW
CommandLineToArgvW

user32

GetMessageW
RegisterClassW
GetUserObjectInformationW
GetProcessWindowStation
SetProcessWindowStation
CreateWindowStationW
GetThreadDesktop
CreateDesktopW
CloseWindowStation
CloseDesktop
wsprintfW
SetWindowLongPtrW
GetWindowLongPtrW
DestroyWindow
CreateWindowExW
UnregisterClassW
DefWindowProcW
PostMessageW
DispatchMessageW
TranslateMessage
PostThreadMessageW
PeekMessageW

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

winmm

timeGetTime

winhttp

WinHttpSetTimeouts
WinHttpCloseHandle
WinHttpOpen
WinHttpCrackUrl
WinHttpReadData
WinHttpWriteData
WinHttpQueryHeaders
WinHttpConnect
WinHttpReceiveResponse
WinHttpAddRequestHeaders
WinHttpOpenRequest
WinHttpSendRequest

Exports

Exports

GetHandleVerifier
IsSandboxedProcess

Sections

.text
Size: 816KB - Virtual size: 815KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 193KB - Virtual size: 193KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 96B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

CPADinfo
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 333KB - Virtual size: 332KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

fde412b4c4f2ebb2c8aa0abeec785f82

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

nw_elf

advapi32

kernel32

psapi

shell32

user32

version

winmm

winhttp

Exports

Exports

Sections

.text Size: 816KB - Virtual size: 815KB

.rdata Size: 193KB - Virtual size: 193KB

.data Size: 5KB - Virtual size: 22KB

.pdata Size: 44KB - Virtual size: 43KB

.didat Size: 512B - Virtual size: 96B

CPADinfo Size: 512B - Virtual size: 48B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 333KB - Virtual size: 332KB

.reloc Size: 6KB - Virtual size: 5KB

.text
Size: 816KB - Virtual size: 815KB

.rdata
Size: 193KB - Virtual size: 193KB

.data
Size: 5KB - Virtual size: 22KB

.pdata
Size: 44KB - Virtual size: 43KB

.didat
Size: 512B - Virtual size: 96B

CPADinfo
Size: 512B - Virtual size: 48B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 333KB - Virtual size: 332KB

.reloc
Size: 6KB - Virtual size: 5KB