General

Malware Config

Signatures

Files

• 2024-04-27_28373aab37411f556e55106c7045965d_ryuk

  .exe windows:10 windows x64 arch:x64

  5ee2ab762fa8d4fc5f9a047c2ed853ea

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  PDB Paths

  C:\b\s\w\ir\cache\builder\src\out\Release_x64\setup.exe.pdb

  Imports

  advapi32

  AdjustTokenPrivileges

  BuildExplicitAccessWithNameW

  BuildSecurityDescriptorW

  BuildTrusteeWithSidW

  ChangeServiceConfigW

  CheckTokenMembership

  CloseServiceHandle

  ConvertSidToStringSidW

  ConvertStringSecurityDescriptorToSecurityDescriptorW

  ConvertStringSidToSidW

  CreateProcessAsUserW

  CreateServiceW

  CreateWellKnownSid

  DeleteService

  DeregisterEventSource

  DuplicateTokenEx

  GetLengthSid

  GetNamedSecurityInfoW

  GetSecurityDescriptorControl

  GetSecurityDescriptorDacl

  GetSecurityDescriptorGroup

  GetSecurityDescriptorOwner

  GetSecurityDescriptorSacl

  GetSidSubAuthority

  GetSidSubAuthorityCount

  GetTokenInformation

  GetTraceEnableFlags

  GetTraceEnableLevel

  GetTraceLoggerHandle

  GetUserNameW

  ImpersonateNamedPipeClient

  IsValidAcl

  IsValidSecurityDescriptor

  IsValidSid

  LookupPrivilegeValueW

  OpenProcessToken

  OpenSCManagerW

  OpenServiceW

  QueryServiceConfigW

  RegCloseKey

  RegCreateKeyExW

  RegDeleteKeyExW

  RegDeleteValueW

  RegEnumKeyExW

  RegEnumValueA

  RegEnumValueW

  RegLoadKeyW

  RegOpenKeyExW

  RegQueryInfoKeyW

  RegQueryValueExA

  RegQueryValueExW

  RegSetValueExW

  RegUnLoadKeyW

  RegisterEventSourceA

  RegisterTraceGuidsW

  ReportEventA

  RevertToSelf

  SetEntriesInAclW

  SetNamedSecurityInfoW

  SetSecurityInfo

  TraceEvent

  UnregisterTraceGuids

  dbghelp

  SymCleanup

  SymFromAddr

  SymGetLineFromAddr64

  SymGetSearchPathW

  SymInitialize

  SymSetOptions

  SymSetSearchPathW

  shell32

  CommandLineToArgvW

  ord190

  ord155

  ord680

  SHChangeNotify

  SHGetFolderPathW

  SHGetKnownFolderPath

  ShellExecuteExW

  ShellExecuteW

  user32

  AllowSetForegroundWindow

  CallNextHookEx

  CharUpperW

  CreateWindowExW

  DefWindowProcW

  DestroyWindow

  DispatchMessageW

  GetActiveWindow

  GetMessageW

  GetMonitorInfoW

  GetQueueStatus

  GetWindowLongPtrW

  KillTimer

  LoadIconW

  MessageBoxW

  MonitorFromWindow

  MoveWindow

  MsgWaitForMultipleObjectsEx

  PeekMessageW

  PostMessageW

  PostQuitMessage

  RegisterClassExW

  RegisterClassW

  SendMessageW

  SetForegroundWindow

  SetTimer

  SetWindowLongPtrW

  SetWindowsHookExW

  TranslateMessage

  UnhookWindowsHookEx

  UnregisterClassW

  ws2_32

  ntohl

  kernel32

  AcquireSRWLockExclusive

  AcquireSRWLockShared

  AddVectoredExceptionHandler

  AssignProcessToJobObject

  CloseHandle

  CompareStringW

  ConnectNamedPipe

  CopyFileW

  CreateDirectoryW

  CreateEventW

  CreateFileA

  CreateFileMappingW

  CreateFileW

  CreateIoCompletionPort

  CreateMutexW

  CreateNamedPipeW

  CreateProcessW

  CreateSemaphoreW

  CreateThread

  CreateToolhelp32Snapshot

  DeleteCriticalSection

  DeleteFileW

  DeleteProcThreadAttributeList

  DisconnectNamedPipe

  DuplicateHandle

  EncodePointer

  EnterCriticalSection

  EnumSystemLocalesW

  ExitProcess

  ExitThread

  ExpandEnvironmentStringsW

  FileTimeToSystemTime

  FindClose

  FindFirstFileExW

  FindNextFileW

  FindResourceW

  FlsAlloc

  FlsFree

  FlsGetValue

  FlsSetValue

  FlushFileBuffers

  FlushViewOfFile

  FormatMessageA

  FormatMessageW

  FreeEnvironmentStringsW

  FreeLibrary

  FreeLibraryAndExitThread

  GetACP

  GetCPInfo

  GetCommandLineA

  GetCommandLineW

  GetConsoleMode

  GetConsoleOutputCP

  GetCurrentDirectoryW

  GetCurrentProcess

  GetCurrentProcessId

  GetCurrentThread

  GetCurrentThreadId

  GetDateFormatW

  GetDriveTypeW

  GetEnvironmentStringsW

  GetEnvironmentVariableW

  GetExitCodeProcess

  GetFileAttributesExW

  GetFileAttributesW

  GetFileInformationByHandle

  GetFileInformationByHandleEx

  GetFileSizeEx

  GetFileTime

  GetFileType

  GetFullPathNameW

  GetLastError

  GetLocalTime

  GetLocaleInfoW

  GetLongPathNameW

  GetModuleFileNameW

  GetModuleHandleA

  GetModuleHandleExW

  GetModuleHandleW

  GetNativeSystemInfo

  GetOEMCP

  GetPriorityClass

  GetProcAddress

  GetProcessHandleCount

  GetProcessHeap

  GetProcessId

  GetProcessMitigationPolicy

  GetProcessTimes

  GetProductInfo

  GetQueuedCompletionStatus

  GetShortPathNameW

  GetStartupInfoW

  GetStdHandle

  GetStringTypeW

  GetSystemDefaultLCID

  GetSystemDirectoryW

  GetSystemInfo

  GetSystemTimeAsFileTime

  GetTempPathW

  GetThreadContext

  GetThreadId

  GetThreadLocale

  GetThreadPreferredUILanguages

  GetThreadPriority

  GetTickCount

  GetTimeFormatW

  GetTimeZoneInformation

  GetUserDefaultLCID

  GetUserDefaultLangID

  GetVersionExW

  GetWindowsDirectoryW

  GlobalAlloc

  GlobalFree

  HeapSetInformation

  InitOnceExecuteOnce

  InitializeConditionVariable

  InitializeCriticalSection

  InitializeCriticalSectionAndSpinCount

  InitializeProcThreadAttributeList

  InitializeSListHead

  InitializeSRWLock

  IsDebuggerPresent

  IsProcessorFeaturePresent

  IsValidCodePage

  IsValidLocale

  IsWow64Process

  K32GetModuleInformation

  K32GetPerformanceInfo

  K32GetProcessMemoryInfo

  K32QueryWorkingSetEx

  LCMapStringW

  LeaveCriticalSection

  LoadLibraryExA

  LoadLibraryExW

  LoadLibraryW

  LoadResource

  LocalFree

  LockFileEx

  LockResource

  MapViewOfFile

  MoveFileExW

  MoveFileW

  MultiByteToWideChar

  OpenMutexW

  OpenProcess

  OutputDebugStringA

  PeekNamedPipe

  PostQueuedCompletionStatus

  Process32FirstW

  Process32NextW

  QueryFullProcessImageNameW

  QueryPerformanceCounter

  QueryPerformanceFrequency

  QueryThreadCycleTime

  QueueUserAPC

  RaiseException

  ReadConsoleW

  ReadFile

  ReadProcessMemory

  RegisterWaitForSingleObject

  ReleaseMutex

  ReleaseSRWLockExclusive

  ReleaseSRWLockShared

  ReleaseSemaphore

  RemoveDirectoryW

  RemoveVectoredExceptionHandler

  ReplaceFileW

  ResetEvent

  ResumeThread

  RtlCaptureContext

  RtlCaptureStackBackTrace

  RtlLookupFunctionEntry

  RtlPcToFileHeader

  RtlUnwind

  RtlUnwindEx

  RtlVirtualUnwind

  SetConsoleCtrlHandler

  SetCurrentDirectoryW

  SetEndOfFile

  SetEnvironmentVariableW

  SetEvent

  SetFileAttributesW

  SetFileInformationByHandle

  SetFilePointerEx

  SetFileTime

  SetHandleInformation

  SetLastError

  SetNamedPipeHandleState

  SetPriorityClass

  SetProcessShutdownParameters

  SetStdHandle

  SetThreadInformation

  SetThreadPriority

  SetUnhandledExceptionFilter

  SizeofResource

  Sleep

  SleepConditionVariableSRW

  SleepEx

  SuspendThread

  SwitchToThread

  SystemTimeToTzSpecificLocalTime

  TerminateProcess

  TlsAlloc

  TlsFree

  TlsGetValue

  TlsSetValue

  TransactNamedPipe

  TryAcquireSRWLockExclusive

  UnhandledExceptionFilter

  UnlockFileEx

  UnmapViewOfFile

  UnregisterWaitEx

  UpdateProcThreadAttribute

  VerSetConditionMask

  VerifyVersionInfoW

  VirtualAlloc

  VirtualAllocEx

  VirtualFree

  VirtualProtect

  VirtualQuery

  VirtualQueryEx

  WaitForMultipleObjects

  WaitForSingleObject

  WaitNamedPipeW

  WakeAllConditionVariable

  WakeConditionVariable

  WerRegisterRuntimeExceptionModule

  WideCharToMultiByte

  Wow64GetThreadContext

  WriteConsoleW

  WriteFile

  WriteProcessMemory

  lstrcmpiW

  lstrlenA

  winhttp

  WinHttpAddRequestHeaders

  WinHttpCloseHandle

  WinHttpConnect

  WinHttpCrackUrl

  WinHttpGetProxyForUrl

  WinHttpOpen

  WinHttpOpenRequest

  WinHttpQueryHeaders

  WinHttpReadData

  WinHttpReceiveResponse

  WinHttpSendRequest

  WinHttpSetOption

  WinHttpSetStatusCallback

  WinHttpSetTimeouts

  WinHttpWriteData

  ole32

  CoAllowSetForegroundWindow

  CoCreateInstance

  CoInitializeEx

  CoRegisterInitializeSpy

  CoRevokeInitializeSpy

  CoSetProxyBlanket

  CoTaskMemAlloc

  CoTaskMemFree

  CoUninitialize

  PropVariantClear

  propsys

  InitPropVariantFromCLSID

  shlwapi

  ord437

  PathMatchSpecW

  UrlCanonicalizeW

  ntdll

  NtClose

  NtDeleteKey

  NtOpenKeyEx

  NtQueryValueKey

  RtlFormatCurrentUserKeyPath

  RtlFreeUnicodeString

  RtlInitUnicodeString

  winmm

  timeBeginPeriod

  timeEndPeriod

  timeGetTime

  userenv

  CreateEnvironmentBlock

  DestroyEnvironmentBlock

  version

  GetFileVersionInfoSizeW

  GetFileVersionInfoW

  VerQueryValueW

  urlmon

  CreateURLMonikerEx

  oleaut32

  SysAllocString

  SysAllocStringLen

  SysFreeString

  SysStringLen

  VariantClear

  VariantInit

  ncrypt

  NCryptCreatePersistedKey

  NCryptExportKey

  NCryptFinalizeKey

  NCryptFreeObject

  NCryptGetProperty

  NCryptImportKey

  NCryptIsAlgSupported

  NCryptOpenStorageProvider

  NCryptSignHash

  api-ms-win-core-winrt-l1-1-0

  RoUninitialize

  Exports

  Exports

  GetHandleVerifier

  Sections

  .text

  Size: 2.8MB - Virtual size: 2.8MB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 571KB - Virtual size: 570KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 68KB - Virtual size: 123KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .pdata

  Size: 97KB - Virtual size: 97KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .gxfg

  Size: 12KB - Virtual size: 12KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .retplne

  Size: 512B - Virtual size: 172B

  .tls

  Size: 1024B - Virtual size: 585B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  CPADinfo

  Size: 512B - Virtual size: 56B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  LZMADEC

  Size: 4KB - Virtual size: 4KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  _RDATA

  Size: 512B - Virtual size: 500B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 431KB - Virtual size: 430KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 580KB - Virtual size: 584KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE