2024-06-05_4bbdcc6606bd7ebf45ab6b842004fd9a_ryuk

Sharing

Copy URL

Twitter E-mail

General

Target

2024-06-05_4bbdcc6606bd7ebf45ab6b842004fd9a_ryuk
Size

1.4MB
MD5

4bbdcc6606bd7ebf45ab6b842004fd9a
SHA1

d030bfdc08ff59b468585479cf198d3990a716b2
SHA256

2ee5f7d92cd741986e889dbf62c4432a228bcd0a8c3d189ba24d57a98df91c0d
SHA512

8f8583c4d65adb4803990f71671955a4334b21c6077dbc2cf8e69f82150402032d1249b2ceecdde0ebe93ef775f1e3d0f01823b862a400ad5e768ae3f3f4f115
SSDEEP

12288:1u/zShiseG3PT8ompYt8e+3asYIXZK/1agin5ELQpmzujFvADOu3V:EShpl37xmCt8RnXZ41Vi5ELpujFY

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-06-05_4bbdcc6606bd7ebf45ab6b842004fd9a_ryuk

Files

2024-06-05_4bbdcc6606bd7ebf45ab6b842004fd9a_ryuk
.exe windows:6 windows x64 arch:x64

5c43e34a07b640c2356320669ccbc1da

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

d:\BuildAutomation\USHUpgradeService_int_cs_4.9\sw\int_cs_4.9\host\windows\UshUpgradeService\x64\Release\UshUpgradeService.pdb

Imports

wtsapi32

WTSQueryUserToken

userenv

CreateEnvironmentBlock

setupapi

SetupDiGetClassDevsW
CM_Locate_DevNodeW
CM_Reenumerate_DevNode
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetailW

kernel32

CloseHandle
CreateThread
LocalFree
ResetEvent
WTSGetActiveConsoleSessionId
VerSetConditionMask
VerifyVersionInfoW
FreeLibrary
SetEndOfFile
HeapReAlloc
HeapSize
TerminateThread
CreateFileW
LocalAlloc
WaitForSingleObject
GetModuleFileNameW
CreateEventA
GetProcessHeap
HeapAlloc
HeapFree
GetProcAddress
LoadLibraryW
DeleteFileW
GetLastError
GetPrivateProfileStringW
GetFileAttributesW
FindClose
RemoveDirectoryW
ExpandEnvironmentStringsW
FindNextFileW
FindFirstFileW
CreateDirectoryW
SetEvent
Sleep
GetCurrentProcessId
GetLocalTime
GetCurrentThreadId
SetStdHandle
SetEnvironmentVariableW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCPInfo
GetOEMCP
IsValidCodePage
FindFirstFileExW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlPcToFileHeader
EncodePointer
RaiseException
RtlUnwindEx
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
ReadFile
GetConsoleMode
ReadConsoleInputA
SetConsoleMode
MultiByteToWideChar
WideCharToMultiByte
GetStdHandle
WriteFile
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
GetACP
GetFileType
GetConsoleCP
SetFilePointerEx
ReadConsoleW
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetTimeZoneInformation
FlushFileBuffers
WriteConsoleW
GetStringTypeW

user32

RegisterDeviceNotificationW

advapi32

SystemFunction036
DeregisterEventSource
CreateProcessAsUserA
SetTokenInformation
RegCreateKeyExA
ReportEventA
RegSetValueExA
RegDeleteValueW
DuplicateTokenEx
RegisterEventSourceA
RegisterServiceCtrlHandlerExW
CreateServiceW
SetServiceStatus
ChangeServiceConfig2W
StartServiceCtrlDispatcherW
QueryServiceStatusEx
SetSecurityDescriptorDacl
AllocateAndInitializeSid
FreeSid
InitializeSecurityDescriptor
InitializeAcl
GetLengthSid
AddAccessAllowedAce
QueryServiceStatus
CloseServiceHandle
OpenSCManagerW
RegCreateKeyExW
DeleteService
ControlService
RegSetValueExW
StartServiceW
OpenServiceW
RegCloseKey
RegOpenKeyExW
RegQueryValueExW

shell32

SHGetFolderPathA

Sections

.text
Size: 173KB - Virtual size: 172KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 70KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 816B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1.2MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

5c43e34a07b640c2356320669ccbc1da

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

wtsapi32

userenv

setupapi

kernel32

user32

advapi32

shell32

Sections

.text Size: 173KB - Virtual size: 172KB

.rdata Size: 70KB - Virtual size: 69KB

.data Size: 3KB - Virtual size: 14KB

.pdata Size: 8KB - Virtual size: 8KB

.gfids Size: 512B - Virtual size: 244B

.rsrc Size: 1024B - Virtual size: 816B

.reloc Size: 1.2MB - Virtual size: 1.8MB

.text
Size: 173KB - Virtual size: 172KB

.rdata
Size: 70KB - Virtual size: 69KB

.data
Size: 3KB - Virtual size: 14KB

.pdata
Size: 8KB - Virtual size: 8KB

.gfids
Size: 512B - Virtual size: 244B

.rsrc
Size: 1024B - Virtual size: 816B

.reloc
Size: 1.2MB - Virtual size: 1.8MB