notification_helper.exe.pdb
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-11_92dd37a87e9813386c966c8d74af9707_ryuk.exe
Resource: win10v2004-20240426-en
General
- Target: 2024-06-11_92dd37a87e9813386c966c8d74af9707_ryuk
- Size: 5.7MB
- MD5: 92dd37a87e9813386c966c8d74af9707
- SHA1: 2c44f2bab72d4a3939115afcf126771750095d3c
- SHA256: d60285ae6b8d2de9de9c49f1d229e80fb7550c8616f56a25d7fa763b37d264ad
- SHA512: 017f40e3221c091c7771d45a893c6f1f2331a78b4211e642f1d1c697f3abdf7f663b8d6be764650106157a6fd4f8f4daa8725bd1e9e34c5e90e500d63869a640
- SSDEEP: 49152:p5BJUSoLoIn3yKqcuRi/fP09qJSWDKYH7MQCmSUbjs/260y8OZGh63P+L3PkwGQP:pei3W2Qlk0yPh
Malware Config
Signatures
- Unsigned PE (1 IoCs): Checks for missing Authenticode signature.
  resource 2024-06-11_92dd37a87e9813386c966c8d74af9707_ryuk
Files
-
2024-06-11_92dd37a87e9813386c966c8d74af9707_ryuk.exe windows:10 windows x64 arch:x64
bef1e49e12efc152cf7d74ed5a2b7893
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
api-ms-win-core-winrt-error-l1-1-0
RoOriginateError
advapi32
BuildExplicitAccessWithNameW
BuildSecurityDescriptorW
BuildTrusteeWithSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertStringSidToSidW
GetLengthSid
GetNamedSecurityInfoW
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
GetSecurityDescriptorSacl
IsValidAcl
IsValidSecurityDescriptor
IsValidSid
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
SetEntriesInAclW
SetNamedSecurityInfoW
SetSecurityInfo
dbghelp
SymCleanup
SymFromAddr
SymGetLineFromAddr64
SymGetSearchPathW
SymInitialize
SymSetOptions
SymSetSearchPathW
shell32
CommandLineToArgvW
ord680
SHGetFolderPathW
SHGetKnownFolderPath
ShellExecuteExW
user32
AllowSetForegroundWindow
SendInput
kernel32
AcquireSRWLockExclusive
AddVectoredExceptionHandler
CloseHandle
CompareStringW
CreateDirectoryA
CreateDirectoryW
CreateEventW
CreateFileA
CreateFileW
CreateMutexA
CreateNamedPipeW
CreatePipe
CreateProcessA
CreateProcessW
CreateThread
DecodePointer
DeleteCriticalSection
DeleteFileW
EncodePointer
EnterCriticalSection
EnumSystemLocalesW
ExitProcess
ExpandEnvironmentStringsW
FileTimeToSystemTime
FindClose
FindFirstFileExW
FindNextFileW
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FormatMessageA
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
GetACP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetComputerNameExW
GetConsoleMode
GetConsoleOutputCP
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDateFormatW
GetDriveTypeW
GetEnvironmentStringsW
GetEnvironmentVariableA
GetEnvironmentVariableW
GetFileAttributesA
GetFileAttributesW
GetFileInformationByHandle
GetFileSizeEx
GetFileTime
GetFileType
GetFullPathNameW
GetLastError
GetLocalTime
GetLocaleInfoW
GetLogicalProcessorInformation
GetLongPathNameW
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleExW
GetModuleHandleW
GetNativeSystemInfo
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessId
GetProcessTimes
GetProductInfo
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemDirectoryW
GetSystemInfo
GetSystemTimeAsFileTime
GetTempPathW
GetThreadPriority
GetTickCount
GetTimeFormatW
GetTimeZoneInformation
GetUserDefaultLCID
GetUserDefaultLangID
GetVersionExW
GetWindowsDirectoryW
HeapAlloc
HeapFree
HeapReAlloc
HeapSetInformation
HeapSize
HeapValidate
InitOnceExecuteOnce
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InitializeSListHead
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
IsValidLocale
IsWow64Process
K32EnumProcessModules
K32GetModuleFileNameExA
K32GetModuleInformation
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadLibraryExA
LoadLibraryExW
LoadLibraryW
LocalAlloc
LocalFree
LockFileEx
MoveFileW
MultiByteToWideChar
OpenProcess
OutputDebugStringA
OutputDebugStringW
PeekNamedPipe
QueryPerformanceCounter
QueryPerformanceFrequency
QueryThreadCycleTime
RaiseException
ReadConsoleW
ReadFile
ReleaseMutex
ReleaseSRWLockExclusive
RemoveDirectoryW
RemoveVectoredExceptionHandler
ReplaceFileW
RtlCaptureContext
RtlCaptureStackBackTrace
RtlLookupFunctionEntry
RtlPcToFileHeader
RtlUnwind
RtlUnwindEx
RtlVirtualUnwind
SetConsoleCtrlHandler
SetEndOfFile
SetEnvironmentVariableW
SetEvent
SetFileAttributesW
SetFileInformationByHandle
SetFilePointer
SetFilePointerEx
SetHandleInformation
SetLastError
SetNamedPipeHandleState
SetStdHandle
SetThreadInformation
SetThreadPriority
SetUnhandledExceptionFilter
Sleep
SleepConditionVariableSRW
SleepEx
SystemTimeToTzSpecificLocalTime
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TransactNamedPipe
TryAcquireSRWLockExclusive
UnhandledExceptionFilter
UnlockFileEx
VerSetConditionMask
VerifyVersionInfoW
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForSingleObject
WaitForSingleObjectEx
WaitNamedPipeW
WakeAllConditionVariable
WerRegisterRuntimeExceptionModule
WideCharToMultiByte
WriteConsoleW
WriteFile
lstrcmpW
lstrlenA
lstrlenW
ole32
CoAddRefServerProcess
CoRegisterClassObject
CoReleaseServerProcess
CoResumeClassObjects
CoRevokeClassObject
CoTaskMemFree
api-ms-win-core-synch-l1-2-0
WaitOnAddress
WakeByAddressAll
WakeByAddressSingle
api-ms-win-core-winrt-l1-1-0
RoInitialize
RoUninitialize
version
GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW
winmm
timeGetTime
shlwapi
PathMatchSpecW
ntdll
NtClose
NtOpenKeyEx
NtQueryValueKey
NtWriteFile
RtlFormatCurrentUserKeyPath
RtlFreeUnicodeString
RtlInitUnicodeString
RtlNtStatusToDosError
Exports
?RegisterUndefinedBehaviorReport@__ubsan@@YAXPEAUUndefinedBehaviorReport@1@@Z
GetHandleVerifier
__asan_addr_is_in_fake_stack
__asan_address_is_poisoned
__asan_after_dynamic_init
__asan_alloca_poison
__asan_allocas_unpoison
__asan_before_dynamic_init
__asan_default_options__dll
__asan_default_suppressions__dll
__asan_describe_address
__asan_exp_load1
__asan_exp_load16
__asan_exp_load2
__asan_exp_load4
__asan_exp_load8
__asan_exp_loadN
__asan_exp_store1
__asan_exp_store16
__asan_exp_store2
__asan_exp_store4
__asan_exp_store8
__asan_exp_storeN
__asan_get_alloc_stack
__asan_get_current_fake_stack
__asan_get_free_stack
__asan_get_report_access_size
__asan_get_report_access_type
__asan_get_report_address
__asan_get_report_bp
__asan_get_report_description
__asan_get_report_pc
__asan_get_report_sp
__asan_get_shadow_mapping
__asan_get_shadow_memory_dynamic_address
__asan_handle_no_return
__asan_handle_vfork
__asan_init
__asan_load1
__asan_load16
__asan_load16_noabort
__asan_load1_noabort
__asan_load2
__asan_load2_noabort
__asan_load4
__asan_load4_noabort
__asan_load8
__asan_load8_noabort
__asan_loadN
__asan_loadN_noabort
__asan_load_cxx_array_cookie
__asan_locate_address
__asan_memcpy
__asan_memmove
__asan_memset
__asan_on_error__dll
__asan_option_detect_stack_use_after_return
__asan_poison_cxx_array_cookie
__asan_poison_intra_object_redzone
__asan_poison_memory_region
__asan_poison_stack_memory
__asan_print_accumulated_stats
__asan_region_is_poisoned
__asan_register_elf_globals
__asan_register_globals
__asan_register_image_globals
__asan_report_error
__asan_report_exp_load1
__asan_report_exp_load16
__asan_report_exp_load2
__asan_report_exp_load4
__asan_report_exp_load8
__asan_report_exp_load_n
__asan_report_exp_store1
__asan_report_exp_store16
__asan_report_exp_store2
__asan_report_exp_store4
__asan_report_exp_store8
__asan_report_exp_store_n
__asan_report_load1
__asan_report_load16
__asan_report_load16_noabort
__asan_report_load1_noabort
__asan_report_load2
__asan_report_load2_noabort
__asan_report_load4
__asan_report_load4_noabort
__asan_report_load8
__asan_report_load8_noabort
__asan_report_load_n
__asan_report_load_n_noabort
__asan_report_present
__asan_report_store1
__asan_report_store16
__asan_report_store16_noabort
__asan_report_store1_noabort
__asan_report_store2
__asan_report_store2_noabort
__asan_report_store4
__asan_report_store4_noabort
__asan_report_store8
__asan_report_store8_noabort
__asan_report_store_n
__asan_report_store_n_noabort
__asan_set_death_callback
__asan_set_error_report_callback
__asan_set_seh_filter
__asan_set_shadow_00
__asan_set_shadow_01
__asan_set_shadow_02
__asan_set_shadow_03
__asan_set_shadow_04
__asan_set_shadow_05
__asan_set_shadow_06
__asan_set_shadow_07
__asan_set_shadow_f1
__asan_set_shadow_f2
__asan_set_shadow_f3
__asan_set_shadow_f5
__asan_set_shadow_f8
__asan_shadow_memory_dynamic_address
__asan_should_detect_stack_use_after_return
__asan_stack_free_0
__asan_stack_free_1
__asan_stack_free_10
__asan_stack_free_2
__asan_stack_free_3
__asan_stack_free_4
__asan_stack_free_5
__asan_stack_free_6
__asan_stack_free_7
__asan_stack_free_8
__asan_stack_free_9
__asan_stack_malloc_0
__asan_stack_malloc_1
__asan_stack_malloc_10
__asan_stack_malloc_2
__asan_stack_malloc_3
__asan_stack_malloc_4
__asan_stack_malloc_5
__asan_stack_malloc_6
__asan_stack_malloc_7
__asan_stack_malloc_8
__asan_stack_malloc_9
__asan_stack_malloc_always_0
__asan_stack_malloc_always_1
__asan_stack_malloc_always_10
__asan_stack_malloc_always_2
__asan_stack_malloc_always_3
__asan_stack_malloc_always_4
__asan_stack_malloc_always_5
__asan_stack_malloc_always_6
__asan_stack_malloc_always_7
__asan_stack_malloc_always_8
__asan_stack_malloc_always_9
__asan_store1
__asan_store16
__asan_store16_noabort
__asan_store1_noabort
__asan_store2
__asan_store2_noabort
__asan_store4
__asan_store4_noabort
__asan_store8
__asan_store8_noabort
__asan_storeN
__asan_storeN_noabort
__asan_test_only_reported_buggy_pointer
__asan_unhandled_exception_filter
__asan_unpoison_intra_object_redzone
__asan_unpoison_memory_region
__asan_unpoison_stack_memory
__asan_unregister_elf_globals
__asan_unregister_globals
__asan_unregister_image_globals
__asan_update_allocation_context
__asan_version_mismatch_check_v8
__asan_wrap_CreateThread
__asan_wrap_HeapAlloc
__asan_wrap_HeapFree
__asan_wrap_HeapReAlloc
__asan_wrap_HeapSize
__asan_wrap_RaiseException
__asan_wrap_RtlAllocateHeap
__asan_wrap_RtlFreeHeap
__asan_wrap_RtlRaiseException
__asan_wrap_RtlReAllocateHeap
__asan_wrap_RtlSizeHeap
__asan_wrap_SetUnhandledExceptionFilter
__asan_wrap___C_specific_handler
__asan_wrap__strdup
__asan_wrap_atoi
__asan_wrap_atol
__asan_wrap_atoll
__asan_wrap_frexp
__asan_wrap_longjmp
__asan_wrap_memchr
__asan_wrap_memcmp
__asan_wrap_memcpy
__asan_wrap_memmove
__asan_wrap_memset
__asan_wrap_strcat
__asan_wrap_strchr
__asan_wrap_strcmp
__asan_wrap_strcpy
__asan_wrap_strcspn
__asan_wrap_strlen
__asan_wrap_strncat
__asan_wrap_strncmp
__asan_wrap_strncpy
__asan_wrap_strnlen
__asan_wrap_strpbrk
__asan_wrap_strrchr
__asan_wrap_strspn
__asan_wrap_strstr
__asan_wrap_strtok
__asan_wrap_strtol
__asan_wrap_strtoll
__asan_wrap_wcslen
__asan_wrap_wcsnlen
__lsan_default_options__dll
__lsan_default_suppressions__dll
__lsan_disable
__lsan_do_leak_check
__lsan_do_recoverable_leak_check
__lsan_enable
__lsan_ignore_object
__lsan_is_turned_off__dll
__lsan_register_root_region
__lsan_unregister_root_region
__sancov_default_options__dll
__sanitizer_acquire_crash_state
__sanitizer_annotate_contiguous_container
__sanitizer_annotate_double_ended_contiguous_container
__sanitizer_contiguous_container_find_bad_address
__sanitizer_cov_8bit_counters_init__dll
__sanitizer_cov_bool_flag_init__dll
__sanitizer_cov_dump
__sanitizer_cov_load16__dll
__sanitizer_cov_load1__dll
__sanitizer_cov_load2__dll
__sanitizer_cov_load4__dll
__sanitizer_cov_load8__dll
__sanitizer_cov_pcs_init__dll
__sanitizer_cov_reset
__sanitizer_cov_store16__dll
__sanitizer_cov_store1__dll
__sanitizer_cov_store2__dll
__sanitizer_cov_store4__dll
__sanitizer_cov_store8__dll
__sanitizer_cov_trace_cmp1__dll
__sanitizer_cov_trace_cmp2__dll
__sanitizer_cov_trace_cmp4__dll
__sanitizer_cov_trace_cmp8__dll
__sanitizer_cov_trace_cmp__dll
__sanitizer_cov_trace_const_cmp1__dll
__sanitizer_cov_trace_const_cmp2__dll
__sanitizer_cov_trace_const_cmp4__dll
__sanitizer_cov_trace_const_cmp8__dll
__sanitizer_cov_trace_div4__dll
__sanitizer_cov_trace_div8__dll
__sanitizer_cov_trace_gep__dll
__sanitizer_cov_trace_pc_guard__dll
__sanitizer_cov_trace_pc_guard_init__dll
__sanitizer_cov_trace_pc_indir__dll
__sanitizer_cov_trace_switch__dll
__sanitizer_double_ended_contiguous_container_find_bad_address
__sanitizer_dump_coverage
__sanitizer_dump_trace_pc_guard_coverage
__sanitizer_finish_switch_fiber
__sanitizer_free_hook__dll
__sanitizer_get_allocated_begin
__sanitizer_get_allocated_size
__sanitizer_get_allocated_size_fast
__sanitizer_get_current_allocated_bytes
__sanitizer_get_estimated_allocated_size
__sanitizer_get_free_bytes
__sanitizer_get_heap_size
__sanitizer_get_module_and_offset_for_pc
__sanitizer_get_ownership
__sanitizer_get_report_path
__sanitizer_get_unmapped_bytes
__sanitizer_install_malloc_and_free_hooks
__sanitizer_internal_memcpy
__sanitizer_internal_memmove
__sanitizer_internal_memset
__sanitizer_malloc_hook__dll
__sanitizer_on_print__dll
__sanitizer_print_memory_profile
__sanitizer_print_stack_trace
__sanitizer_ptr_cmp
__sanitizer_ptr_sub
__sanitizer_purge_allocator
__sanitizer_report_error_summary__dll
__sanitizer_sandbox_on_notify__dll
__sanitizer_set_death_callback
__sanitizer_set_report_fd
__sanitizer_set_report_path
__sanitizer_start_switch_fiber
__sanitizer_symbolize_global
__sanitizer_symbolize_pc
__sanitizer_unaligned_load16
__sanitizer_unaligned_load32
__sanitizer_unaligned_load64
__sanitizer_unaligned_store16
__sanitizer_unaligned_store32
__sanitizer_unaligned_store64
__sanitizer_verify_contiguous_container
__sanitizer_verify_double_ended_contiguous_container
__sanitizer_weak_hook_memcmp__dll
__sanitizer_weak_hook_strcmp__dll
__sanitizer_weak_hook_strncmp__dll
__sanitizer_weak_hook_strstr__dll
__ubsan_default_options__dll
__ubsan_get_current_report_data
__ubsan_handle_add_overflow
__ubsan_handle_add_overflow_abort
__ubsan_handle_alignment_assumption
__ubsan_handle_alignment_assumption_abort
__ubsan_handle_builtin_unreachable
__ubsan_handle_cfi_check_fail
__ubsan_handle_cfi_check_fail_abort
__ubsan_handle_divrem_overflow
__ubsan_handle_divrem_overflow_abort
__ubsan_handle_float_cast_overflow
__ubsan_handle_float_cast_overflow_abort
__ubsan_handle_function_type_mismatch
__ubsan_handle_function_type_mismatch_abort
__ubsan_handle_implicit_conversion
__ubsan_handle_implicit_conversion_abort
__ubsan_handle_invalid_builtin
__ubsan_handle_invalid_builtin_abort
__ubsan_handle_invalid_objc_cast
__ubsan_handle_invalid_objc_cast_abort
__ubsan_handle_load_invalid_value
__ubsan_handle_load_invalid_value_abort
__ubsan_handle_missing_return
__ubsan_handle_mul_overflow
__ubsan_handle_mul_overflow_abort
__ubsan_handle_negate_overflow
__ubsan_handle_negate_overflow_abort
__ubsan_handle_nonnull_arg
__ubsan_handle_nonnull_arg_abort
__ubsan_handle_nonnull_return_v1
__ubsan_handle_nonnull_return_v1_abort
__ubsan_handle_nullability_arg
__ubsan_handle_nullability_arg_abort
__ubsan_handle_nullability_return_v1
__ubsan_handle_nullability_return_v1_abort
__ubsan_handle_out_of_bounds
__ubsan_handle_out_of_bounds_abort
__ubsan_handle_pointer_overflow
__ubsan_handle_pointer_overflow_abort
__ubsan_handle_shift_out_of_bounds
__ubsan_handle_shift_out_of_bounds_abort
__ubsan_handle_sub_overflow
__ubsan_handle_sub_overflow_abort
__ubsan_handle_type_mismatch_v1
__ubsan_handle_type_mismatch_v1_abort
__ubsan_handle_vla_bound_not_positive
__ubsan_handle_vla_bound_not_positive_abort
__ubsan_on_report
_calloc_base
_calloc_dbg
_calloc_impl
_expand
_expand_dbg
_free_base
_free_dbg
_malloc_base
_malloc_dbg
_msize
_msize_base
_realloc_base
_realloc_dbg
_recalloc
_recalloc_base
calloc
free
malloc
realloc
Sections
.text Size: 2.2MB - Virtual size: 2.2MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 3.3MB - Virtual size: 3.3MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 168KB - Virtual size: 5.6MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 49KB - Virtual size: 48KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.gxfg Size: 11KB - Virtual size: 11KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.retplne Size: 512B - Virtual size: 140B
.tls Size: 1024B - Virtual size: 681B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
CPADinfo Size: 512B - Virtual size: 96B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
_RDATA Size: 512B - Virtual size: 500B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
malloc_h Size: 1024B - Virtual size: 562B
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
prot Size: 512B - Virtual size: 116B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 23KB - Virtual size: 22KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ