2024-05-09_31114572ede4e70a83b77287f957ea36_ryuk

Sharing

Copy URL

Twitter E-mail

General

Target

2024-05-09_31114572ede4e70a83b77287f957ea36_ryuk
Size

1.0MB
MD5

31114572ede4e70a83b77287f957ea36
SHA1

170eb6a230b8c8c7aecf8444e2eeb9af6e416424
SHA256

57d0621e90d426c98018a32d2b86569e42584c90cb606e53e5c2de260b0c891d
SHA512

232ae19d6e7cb0c65916a8922f718501a0f5f757bb3a28233b7143e999bbdd411979870fce692e3f69cf10d1828a32c0e460784e404c6b21e4a6b185d5044861
SSDEEP

24576:YiBE0GqwXeAVmYg3r2p2gV8ng2P2OaXbQYxj:gf5Xe6Xg3aCg2PraXbQ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-05-09_31114572ede4e70a83b77287f957ea36_ryuk

Files

2024-05-09_31114572ede4e70a83b77287f957ea36_ryuk
.exe windows:6 windows x64 arch:x64

997697ab724741456c3bab642ada075e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

d:\Workspace\nisraely\gitlab\cphs\IntelCpHeciSvc\x64\one_core_release_registry\IntelCpHeciSvc.pdb

Imports

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentStringsW
FreeEnvironmentStringsW
GetCommandLineW
SetStdHandle
ExpandEnvironmentStringsW
GetCommandLineA
GetStdHandle

api-ms-win-core-file-l1-1-0

CreateDirectoryW
SetEndOfFile
FlushFileBuffers
SetFilePointerEx
FindNextFileW
FindFirstFileExW
CreateFileW
ReadFile
WriteFile
GetFileType
FindClose

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
SetLastError
UnhandledExceptionFilter
RaiseException
GetLastError

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-synch-l1-1-0

WaitForSingleObjectEx
ResetEvent
EnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
CreateEventW
WaitForMultipleObjectsEx
WaitForSingleObject
SetEvent
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
DeleteCriticalSection

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
TerminateProcess
ResumeThread
CreateThread
GetStartupInfoW
GetCurrentProcessId
TlsFree
TlsSetValue
TlsAlloc
GetCurrentThreadId
ExitProcess
OpenProcessToken
TlsGetValue

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-processthreads-l1-1-1

OpenProcess
IsProcessorFeaturePresent

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
LoadStringW
GetProcAddress
GetModuleFileNameW
FreeLibrary
LoadLibraryExW
LoadResource
SizeofResource
GetModuleHandleW

api-ms-win-core-libraryloader-l1-2-1

FindResourceW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

api-ms-win-core-string-l2-1-0

CharNextW
CharUpperW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegQueryValueExW
RegSetValueExA
RegDeleteValueW
RegQueryValueExA
RegSetValueExW
RegEnumKeyExW

api-ms-win-core-registry-l2-1-0

RegDeleteKeyW

api-ms-win-core-com-l1-1-0

CoResumeClassObjects
CoAddRefServerProcess
CoReleaseServerProcess
CoTaskMemAlloc
CoCreateInstance
StringFromGUID2
CoTaskMemFree
CoInitializeSecurity
CoUninitialize
CoInitializeEx
CoTaskMemRealloc
CoRevokeClassObject
CoRegisterClassObject

oleaut32

SysStringLen
SysFreeString
LoadRegTypeLi
VarUI4FromStr
SafeArrayCreate
SafeArrayDestroy
SafeArrayRedim
SafeArrayGetUBound
SafeArrayGetLBound
RegisterTypeLi
SysAllocString
SafeArrayLock
SafeArrayUnlock
SafeArrayCopy
SafeArrayGetVartype
VariantInit
VariantClear
LoadTypeLi

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-sysinfo-l1-1-0

GetVersionExW
GetSystemTimeAsFileTime

api-ms-win-devices-config-l1-1-1

CM_Unregister_Notification
CM_Get_Device_Interface_ListW
CM_Register_Notification
CM_Get_Device_Interface_List_SizeW

api-ms-win-core-io-l1-1-0

DeviceIoControl
GetOverlappedResult

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap
HeapReAlloc
HeapSize

api-ms-win-security-base-l1-1-0

GetSecurityDescriptorLength
MakeAbsoluteSD
AdjustTokenPrivileges

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW

api-ms-win-service-management-l2-1-0

ChangeServiceConfigW
QueryServiceConfigW

api-ms-win-service-management-l1-1-0

OpenServiceW
CloseServiceHandle
CreateServiceW
DeleteService
OpenSCManagerW

api-ms-win-service-winsvc-l1-1-0

ControlService

api-ms-win-service-core-l1-1-0

SetServiceStatus
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerExW

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

user32

DispatchMessageW
TranslateMessage
GetMessageW
PostThreadMessageW

api-ms-win-core-localization-l1-2-0

IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetCPInfo
GetLocaleInfoW
LCMapStringW
GetOEMCP
GetACP
IsValidCodePage

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlUnwindEx
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-console-l1-1-0

WriteConsoleW
GetConsoleCP
GetConsoleMode
ReadConsoleW

Exports

Exports

MessageBoxW

Sections

.text
Size: 300KB - Virtual size: 300KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 148KB - Virtual size: 147KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 572KB - Virtual size: 576KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

997697ab724741456c3bab642ada075e

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-com-l1-1-0

oleaut32

api-ms-win-core-synch-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-devices-config-l1-1-1

api-ms-win-core-io-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-service-core-l1-1-0

api-ms-win-security-sddl-l1-1-0

user32

api-ms-win-core-localization-l1-2-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-console-l1-1-0

Exports

Exports

Sections

.text Size: 300KB - Virtual size: 300KB

.rdata Size: 148KB - Virtual size: 147KB

.data Size: 8KB - Virtual size: 15KB

.pdata Size: 16KB - Virtual size: 15KB

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 572KB - Virtual size: 576KB

.text
Size: 300KB - Virtual size: 300KB

.rdata
Size: 148KB - Virtual size: 147KB

.data
Size: 8KB - Virtual size: 15KB

.pdata
Size: 16KB - Virtual size: 15KB

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 572KB - Virtual size: 576KB