2024-06-15_cef0c9d4ccaa1445ed3ba6602d4083a8_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-06-15_cef0c9d4ccaa1445ed3ba6602d4083a8_ryuk
Size

3.3MB
MD5

cef0c9d4ccaa1445ed3ba6602d4083a8
SHA1

bb65297914bd42f2b2a52aa1b85f803a527f6332
SHA256

67993bc10eb1e0f9ef1ff1d40f7955267f6d75bf1e65cc06b11c1421f4521adb
SHA512

b930acb14595f245d37fda077d81f4d1e4f0a1bfc61d99eec76dfa1627bbd758f743001e069cfcc2fcc988d56444422921d142bed0348d79d1332b2241ebefbb
SSDEEP

49152:ojjsuwxOCBZk9xqOvm+vRdRCkQCad5y+qtxRTDl0FXPkrMTB5E6bg4JxPS08a:GVCnkjqnoQDd2tfpqbb

Score

10^/10

Malware Config

Signatures

Detects executables containing bas64 encoded gzip files 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Files

2024-06-15_cef0c9d4ccaa1445ed3ba6602d4083a8_ryuk
.exe windows:6 windows x64 arch:x64

381b3b34dc89120559f1278451956735

Code Sign

56:00:00:05:f7:94:54:54:01:93:b4:c7:75:00:00:00:00:05:f7
Certificate

Issuer

CN=Intel External Issuing CA 7B,O=Intel Corporation,L=Santa Clara,ST=CA,C=US

Not Before

08/03/2018, 16:55

Not After

07/03/2020, 16:55

Subject

CN=Intel(R) Open Source - Ylian Saint-Hilaire,OU=Open Source Manageability,O=Intel Corporation,L=Santa Clara,ST=CA,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

06:9b:5e:99:27:72:84:c8:76:7f:13:68:a7:de:b0:f3
Certificate

Issuer

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

28/10/2015, 00:00

Not After

17/06/2021, 23:59

Subject

CN=Intel External Issuing CA 7B,O=Intel Corporation,L=Santa Clara,ST=CA,C=US

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageEmailProtection
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22
Certificate

Issuer

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE

Not Before

30/05/2000, 10:48

Not After

30/05/2020, 10:48

Subject

CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

69:b2:d1:cc:f0:2e:20:dc:c9:5c:62:89:4f:7f:9e:5f:5f:c0:57:bf
Certificate

Issuer

CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM

Not Before

30/05/2014, 16:35

Not After

17/03/2021, 18:33

Subject

CN=QuoVadis Issuing CA G4,O=QuoVadis Limited,C=BM

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

19:c3:fc:f0:e6:04:82:44:f7:2c:4e:cc:39:e2:f2:61:d6:c8:ae:d7
Certificate

Issuer

CN=QuoVadis Issuing CA G4,O=QuoVadis Limited,C=BM

Not Before

23/04/2018, 20:25

Not After

17/03/2021, 18:33

Subject

CN=timestamp.intel.com,OU=Thales TSS ESN:0E37-9649-08C5,O=Intel Corporation,L=Santa Clara,ST=CA,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

cc:04:d3:0c:ac:75:28:c6:99:ce:be:1e:39:76:80:45:00:51:2a:92:d0:8d:7b:9a:4e:79:1e:84:b0:12:a1:cc
Signer

Actual PE Digest

cc:04:d3:0c:ac:75:28:c6:99:ce:be:1e:39:76:80:45:00:51:2a:92:d0:8d:7b:9a:4e:79:1e:84:b0:12:a1:cc

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Temp\bcpd_meshagent-meshagent2\Release\MeshService64.pdb

Imports

setupapi

SetupDiGetDeviceInterfaceDetailA
SetupDiGetClassDevsA
SetupDiEnumDeviceInterfaces
SetupDiDestroyDeviceInfoList

dbghelp

StackWalk64
SymInitialize
SymFunctionTableAccess64
SymGetLineFromAddr64
SymGetModuleBase64
SymFromAddr

iphlpapi

ConvertLengthToIpv4Mask
SendARP
GetAdaptersAddresses
GetAdaptersInfo

ws2_32

ntohl
WSAGetLastError
ioctlsocket
recv
ntohs
getsockname
WSASocketW
listen
closesocket
bind
accept
__WSAFDIsSet
gethostname
htonl
htons
send
WSASetLastError
WSACleanup
FreeAddrInfoW
select
WSAStartup
GetAddrInfoW
WSAIoctl
shutdown
connect
recvfrom
getsockopt
sendto
socket
setsockopt

wintrust

WTHelperGetProvSignerFromChain
WTHelperGetProvCertFromChain
WTHelperProvDataFromStateData
WinVerifyTrust

version

VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA

gdiplus

GdipCloneImage
GdipGetImageEncoders
GdipAlloc
GdiplusStartup
GdipDisposeImage
GdipFree
GdipGetImageEncodersSize
GdipSaveImageToStream
GdiplusShutdown
GdipLoadImageFromStream

winhttp

WinHttpGetIEProxyConfigForCurrentUser

kernel32

GetModuleFileNameA
GetStdHandle
WriteFile
GetFullPathNameA
GetSystemPowerStatus
SetCurrentDirectoryA
Sleep
GetLastError
CloseHandle
CreateProcessA
LoadLibraryA
GetProcAddress
FreeLibrary
ReadFile
GetCurrentThreadId
GetVersionExA
CreateThread
SleepEx
SetSystemPowerState
GetCurrentProcess
SetThreadExecutionState
FileTimeToSystemTime
QueryPerformanceFrequency
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
GetSystemTime
QueryPerformanceCounter
ReleaseSemaphore
WaitForSingleObject
CreateSemaphoreA
CancelIo
FindFirstFileW
FindNextFileW
RemoveDirectoryW
GetDriveTypeA
FindFirstVolumeA
FindClose
GetVolumePathNamesForVolumeNameA
GetFileAttributesExW
CreateFileA
ReadDirectoryChangesW
FindNextVolumeA
FindVolumeClose
GetDiskFreeSpaceExA
CreateEventA
GetModuleHandleExA
DeviceIoControl
ResetEvent
QueueUserAPC
GetOverlappedResult
CompareStringW
WideCharToMultiByte
SetConsoleOutputCP
IsDebuggerPresent
CancelSynchronousIo
SetEvent
WaitForSingleObjectEx
GetThreadId
GetEnvironmentStrings
FreeEnvironmentStringsA
CopyFileA
RtlCaptureContext
DuplicateHandle
GetModuleHandleA
DeleteFileA
GetTickCount
OpenThread
CreateNamedPipeA
TerminateProcess
WaitForMultipleObjectsEx
WTSGetActiveConsoleSessionId
GetExitCodeProcess
SetConsoleCtrlHandler
GetModuleFileNameW
GetTempPathA
GlobalFree
FreeConsole
RemoveDirectoryA
CreateDirectoryA
GetFileType
GetModuleHandleW
SwitchToFiber
DeleteFiber
CreateFiber
GetSystemTimeAsFileTime
ConvertFiberToThread
ConvertThreadToFiber
GetCurrentProcessId
GlobalMemoryStatus
GetEnvironmentVariableW
GetConsoleMode
ReadConsoleA
ReadConsoleW
SetConsoleMode
SetLastError
RtlUnwindEx
GetStartupInfoW
InitializeSListHead
IsProcessorFeaturePresent
LCMapStringW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetFilePointerEx
GetConsoleCP
GetStringTypeW
HeapReAlloc
FlushFileBuffers
GetCPInfo
SetStdHandle
FindFirstFileExA
LoadLibraryExW
ExitProcess
GetModuleHandleExW
CreateDirectoryW
DeleteFileW
MoveFileExW
GetTimeZoneInformation
GetCommandLineA
GetCommandLineW
GetACP
FindNextFileA
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
GetProcessHeap
WriteConsoleW
CreateFileW
RaiseException
HeapSize
HeapFree
HeapAlloc
GetDateFormatW
GetCurrentThread
GetTimeFormatW
SetEndOfFile
GetDriveTypeW
PeekNamedPipe
GetCurrentDirectoryW
GetFullPathNameW
RtlPcToFileHeader
MultiByteToWideChar
EncodePointer

user32

GetProcessWindowStation
EndDialog
DialogBoxParamA
GetUserObjectInformationW
GetDlgItem
EnableWindow
MessageBeep
ExitWindowsEx
MessageBoxW
SetWindowTextA
MapVirtualKeyA
SetProcessDPIAware
SendInput
SetForegroundWindow
GetForegroundWindow
GetDC
ReleaseDC
GetUserObjectInformationA
CloseWindowStation
FindWindowA
SendMessageA
OpenInputDesktop
SetProcessWindowStation
GetMonitorInfoA
EnumDisplayMonitors
GetSystemMetrics
SetThreadDesktop
GetThreadDesktop
CloseDesktop
OpenWindowStationA
OpenDesktopA

gdi32

CreateCompatibleDC
SelectObject
GetDIBits
DeleteDC
SetStretchBltMode
DeleteObject
CreateCompatibleBitmap
BitBlt
StretchBlt

advapi32

CryptDestroyKey
CryptReleaseContext
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
SetServiceStatus
OpenSCManagerA
RegisterServiceCtrlHandlerExA
DeleteService
ControlService
StartServiceA
FreeSid
CheckTokenMembership
ChangeServiceConfig2A
OpenServiceA
CreateProcessAsUserA
SetTokenInformation
DuplicateTokenEx
AdjustTokenPrivileges
LookupPrivilegeValueA
InitiateSystemShutdownA
OpenProcessToken
RegCreateKeyA
RegCloseKey
RegDeleteKeyA
RegQueryValueExA
RegSetValueExA
RegOpenKeyExA
RegDeleteValueA
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptExportKey
CryptDecrypt
CryptCreateHash
CryptDestroyHash
CryptSignHashW
CryptEnumProvidersW
CryptGenRandom
CloseServiceHandle
QueryServiceStatus
StartServiceCtrlDispatcherA
CreateServiceA
DeregisterEventSource
AllocateAndInitializeSid

shell32

ShellExecuteExA
SHGetFolderPathA

ole32

CoInitializeEx
CoUninitialize
CreateStreamOnHGlobal
CoCreateInstance

oleaut32

SysAllocString
SysFreeString
SysStringLen

crypt32

CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore
CertFindCertificateInStore

Sections

.text
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 480KB - Virtual size: 479KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 19KB - Virtual size: 162KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 85KB - Virtual size: 84KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 196B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

381b3b34dc89120559f1278451956735

Code Sign

56:00:00:05:f7:94:54:54:01:93:b4:c7:75:00:00:00:00:05:f7Certificate

Extended Key Usages

Key Usages

06:9b:5e:99:27:72:84:c8:76:7f:13:68:a7:de:b0:f3Certificate

Extended Key Usages

Key Usages

27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22Certificate

Key Usages

69:b2:d1:cc:f0:2e:20:dc:c9:5c:62:89:4f:7f:9e:5f:5f:c0:57:bfCertificate

Key Usages

19:c3:fc:f0:e6:04:82:44:f7:2c:4e:cc:39:e2:f2:61:d6:c8:ae:d7Certificate

Extended Key Usages

Key Usages

cc:04:d3:0c:ac:75:28:c6:99:ce:be:1e:39:76:80:45:00:51:2a:92:d0:8d:7b:9a:4e:79:1e:84:b0:12:a1:ccSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

setupapi

dbghelp

iphlpapi

ws2_32

wintrust

version

gdiplus

winhttp

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

crypt32

Sections

.text Size: 1.6MB - Virtual size: 1.6MB

.rdata Size: 480KB - Virtual size: 479KB

.data Size: 19KB - Virtual size: 162KB

.pdata Size: 85KB - Virtual size: 84KB

.gfids Size: 512B - Virtual size: 196B

.rsrc Size: 18KB - Virtual size: 18KB

.reloc Size: 16KB - Virtual size: 15KB

56:00:00:05:f7:94:54:54:01:93:b4:c7:75:00:00:00:00:05:f7
Certificate

06:9b:5e:99:27:72:84:c8:76:7f:13:68:a7:de:b0:f3
Certificate

27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22
Certificate

69:b2:d1:cc:f0:2e:20:dc:c9:5c:62:89:4f:7f:9e:5f:5f:c0:57:bf
Certificate

19:c3:fc:f0:e6:04:82:44:f7:2c:4e:cc:39:e2:f2:61:d6:c8:ae:d7
Certificate

cc:04:d3:0c:ac:75:28:c6:99:ce:be:1e:39:76:80:45:00:51:2a:92:d0:8d:7b:9a:4e:79:1e:84:b0:12:a1:cc
Signer

.text
Size: 1.6MB - Virtual size: 1.6MB

.rdata
Size: 480KB - Virtual size: 479KB

.data
Size: 19KB - Virtual size: 162KB

.pdata
Size: 85KB - Virtual size: 84KB

.gfids
Size: 512B - Virtual size: 196B

.rsrc
Size: 18KB - Virtual size: 18KB

.reloc
Size: 16KB - Virtual size: 15KB