2024-05-24_8fd65c344d3ad8c20b35aecc9ba7e1ea_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-05-24_8fd65c344d3ad8c20b35aecc9ba7e1ea_ryuk
Size

3.3MB
MD5

8fd65c344d3ad8c20b35aecc9ba7e1ea
SHA1

9cc7a76bd5d4a075a92eb5b096fecbc003d00721
SHA256

109267914b2f31b9266424a15452496241c393a46ff61d0e618d2d22245cd382
SHA512

333bdcccfbe382067717d25bd54f71f843b53823e7ce8c1a1b977680cc8dd242b06dccc23b9c91a0c9521d03e41af7bf75d632bc1a9381f9a49d06b9b29120f0
SSDEEP

49152:R57We4nbr+AD5wKAkQKvVXiIcbSbOrM5GDNCVa:tdqwMIfbSqa5

Score

1^/10

Malware Config

Signatures

Files

2024-05-24_8fd65c344d3ad8c20b35aecc9ba7e1ea_ryuk
.exe windows:6 windows x64 arch:x64

6f7b68a769f40e9f9dc51a2dd099fc87

Code Sign

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

28/07/2020, 00:00

Not After

18/03/2029, 00:00

Subject

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

77:bd:0e:03:a1:b7:08:f8:54:ab:06:72:10:d9:04:47
Certificate

Issuer

CN=GlobalSign Code Signing Root R45,O=GlobalSign nv-sa,C=BE

Not Before

28/07/2020, 00:00

Not After

28/07/2030, 00:00

Subject

CN=GlobalSign GCC R45 CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/05/2019, 00:00

Not After

18/01/2038, 23:59

Subject

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

Issuer

CN=Sectigo RSA Time Stamping CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

03/05/2023, 00:00

Not After

02/08/2034, 23:59

Subject

CN=Sectigo RSA Time Stamping Signer #4,O=Sectigo Limited,ST=Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

7d:8e:89:9a:3e:71:b3:11:4b:c0:8a:0a
Certificate

Issuer

CN=GlobalSign GCC R45 CodeSigning CA 2020,O=GlobalSign nv-sa,C=BE

Not Before

23/06/2022, 19:03

Not After

19/09/2025, 19:03

Subject

CN=F-Response,O=F-Response,L=Tampa,ST=Florida,C=US,1.2.840.113549.1.9.1=#0c16737570706f727440662d726573706f6e73652e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

d1:47:13:57:d6:ee:3c:51:61:dd:2d:4a:b1:02:27:8e:5a:b7:2a:94
Signer

Actual PE Digest

d1:47:13:57:d6:ee:3c:51:61:dd:2d:4a:b1:02:27:8e:5a:b7:2a:94

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\fresponse\x64_MT\fr-log-imager-worker.pdb

Imports

hid

HidD_GetProductString
HidD_SetFeature
HidD_GetFeature
HidD_FlushQueue
HidD_FreePreparsedData
HidD_GetPreparsedData
HidD_GetHidGuid
HidD_GetAttributes
HidP_GetCaps

shlwapi

PathFileExistsW
PathAppendW
PathAddBackslashW

version

GetFileVersionInfoA
GetFileVersionInfoSizeA
VerQueryValueA

ws2_32

WSASend
getaddrinfo
freeaddrinfo
getnameinfo
WSAGetLastError
WSAStartup
gethostbyname
socket
shutdown
setsockopt
send
select
recv
ntohs
listen
inet_ntoa
inet_addr
htons
getsockopt
getsockname
ioctlsocket
connect
closesocket
bind
accept
__WSAFDIsSet
ntohl
htonl
WSAIoctl
WSACleanup

setupapi

SetupDiDestroyDeviceInfoList
SetupDiGetDeviceInterfaceDetailA
SetupDiEnumDeviceInterfaces
SetupDiGetClassDevsA

kernel32

GetModuleHandleExW
ExitProcess
GetFileType
SetStdHandle
LoadLibraryExW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
GetProcAddress
GetModuleHandleW
GetSystemTimeAsFileTime
OpenEventW
WaitForSingleObject
SetEvent
LoadLibraryW
GetSystemDirectoryW
CreateDirectoryW
CreateFileW
GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess
CloseHandle
SetUnhandledExceptionFilter
HeapFree
InitializeCriticalSectionEx
HeapSize
GetLastError
HeapReAlloc
RaiseException
HeapAlloc
DeleteCriticalSection
GetProcessHeap
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
CreateThread
CreateEventA
LocalFree
FormatMessageA
ReadFile
GetModuleFileNameA
DeviceIoControl
CreateFileA
SetFilePointerEx
WriteFile
MultiByteToWideChar
FileTimeToSystemTime
GetSystemDirectoryA
GetVersionExA
WideCharToMultiByte
LocalAlloc
GetStdHandle
GetNativeSystemInfo
GetLocalTime
CreateEventW
ResetEvent
InitializeSRWLock
SetFilePointer
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
FormatMessageW
GetFileSizeEx
FindFirstFileExW
FindNextFileW
WaitForMultipleObjects
FindClose
GetFileAttributesExW
SetFileInformationByHandle
FlushFileBuffers
GetOverlappedResult
GetFileAttributesW
GetModuleHandleA
SwitchToThread
SetLastError
ReleaseMutex
CreateMutexA
GetTickCount
OpenMutexA
GetCurrentDirectoryA
GetCurrentDirectoryW
DeleteFileW
GetFullPathNameW
SetFileAttributesW
GetModuleFileNameW
MoveFileW
CompareFileTime
GetSystemTime
SystemTimeToFileTime
GetTimeZoneInformation
Sleep
GetComputerNameW
GetACP
GetOEMCP
QueryPerformanceCounter
QueryPerformanceFrequency
GetFileSize
SetEndOfFile
ReleaseSemaphore
LoadLibraryA
FreeLibrary
IsDebuggerPresent
OutputDebugStringW
InitializeCriticalSectionAndSpinCount
RtlUnwindEx
EncodePointer
GetCommandLineA
GetCommandLineW
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetConsoleCP
GetConsoleMode
GetStringTypeW
GetCPInfo
ReadConsoleW
IsValidCodePage
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
SetEnvironmentVariableW
WriteConsoleW
SetHandleInformation
GetDiskFreeSpaceExW
GetVolumeInformationW
RtlPcToFileHeader
InitializeSListHead
GetStartupInfoW
IsProcessorFeaturePresent
TerminateProcess
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
WaitForSingleObjectEx

advapi32

RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
RegOpenKeyExA
SystemFunction036
CryptSignHashA
CryptSetHashParam
CryptAcquireContextW
CryptDestroyHash
CryptCreateHash
CryptExportKey
CryptDestroyKey
RegQueryValueExA
CryptGetUserKey
CryptGetProvParam
CryptGenRandom
CryptReleaseContext
CryptAcquireContextA
RegCloseKey

ole32

CoInitializeSecurity
CoInitializeEx
StringFromCLSID
CoCreateInstance
CoTaskMemFree
CoUninitialize

Sections

.text
Size: 2.1MB - Virtual size: 2.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 70KB - Virtual size: 95KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 86KB - Virtual size: 86KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.udata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6f7b68a769f40e9f9dc51a2dd099fc87

Code Sign

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54Certificate

Extended Key Usages

Key Usages

77:bd:0e:03:a1:b7:08:f8:54:ab:06:72:10:d9:04:47Certificate

Extended Key Usages

Key Usages

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9Certificate

Extended Key Usages

Key Usages

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4Certificate

Extended Key Usages

Key Usages

7d:8e:89:9a:3e:71:b3:11:4b:c0:8a:0aCertificate

Extended Key Usages

Key Usages

d1:47:13:57:d6:ee:3c:51:61:dd:2d:4a:b1:02:27:8e:5a:b7:2a:94Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

hid

shlwapi

version

ws2_32

setupapi

kernel32

advapi32

ole32

Sections

.text Size: 2.1MB - Virtual size: 2.1MB

.rdata Size: 1.1MB - Virtual size: 1.1MB

.data Size: 70KB - Virtual size: 95KB

.pdata Size: 86KB - Virtual size: 86KB

.udata Size: 10KB - Virtual size: 10KB

.gfids Size: 512B - Virtual size: 244B

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 7KB - Virtual size: 6KB

78:03:18:42:45:70:8a:41:cf:6f:01:b8:ee:b4:a9:54
Certificate

77:bd:0e:03:a1:b7:08:f8:54:ab:06:72:10:d9:04:47
Certificate

30:0f:6f:ac:dd:66:98:74:7c:a9:46:36:a7:78:2d:b9
Certificate

39:4c:25:e1:7c:a0:6d:27:a8:65:e2:3b:d9:1d:22:d4
Certificate

7d:8e:89:9a:3e:71:b3:11:4b:c0:8a:0a
Certificate

d1:47:13:57:d6:ee:3c:51:61:dd:2d:4a:b1:02:27:8e:5a:b7:2a:94
Signer

.text
Size: 2.1MB - Virtual size: 2.1MB

.rdata
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 70KB - Virtual size: 95KB

.pdata
Size: 86KB - Virtual size: 86KB

.udata
Size: 10KB - Virtual size: 10KB

.gfids
Size: 512B - Virtual size: 244B

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 7KB - Virtual size: 6KB