2024-06-15_5c2cf1c0ce9700572c60fa3f3ff1c6c4_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-06-15_5c2cf1c0ce9700572c60fa3f3ff1c6c4_ryuk
Size

5.2MB
MD5

5c2cf1c0ce9700572c60fa3f3ff1c6c4
SHA1

dac491972cd22a3513065ddf3f20551433d7fe9f
SHA256

804e658252ce87f947e617401ffa55e4b5aa415502dd31140561260f6faca1f9
SHA512

05ff58418731cea1e9e8eee2394a1b88c0e6799a2ee692b2fdb3d201f6cb5be2240a93ef9ca2ec44b2d36c22965c8a15ecaadd3f8bae9b56af9a2959bfe774dc
SSDEEP

49152:V2Orcz6cyxitwOYQcsqtdVyxPUegRyxRSCsxE/qDgvzuhpbd0FbMwA+vbWlQ1GUA:V29iP0xoVd

Score

10^/10

Malware Config

Signatures

Detects executables built or packed with MPress PE compressor 1 IoCs

resource	yara_rule
sample	INDICATOR_EXE_Packed_MPress

Detects executables packed with VMProtect. 1 IoCs

resource	yara_rule
sample	INDICATOR_EXE_Packed_VMProtect

Files

2024-06-15_5c2cf1c0ce9700572c60fa3f3ff1c6c4_ryuk
.exe windows:5 windows x64 arch:x64

366a1579bdd3d72ad1f4812c39e354b3

Code Sign

f4:86:eb:67:5b:aa:4e:34
Certificate

Issuer

O=RSA,L=Bedford,ST=Massachusetts,C=US

Not Before

28/01/2014, 21:16

Not After

26/01/2024, 21:16

Subject

O=RSA,L=Bedford,ST=Massachusetts,C=US

1f:06:52:8b:cb:ab:75:4a:64:c3:09:ce:09:90:94:0f:3b:5d:08:18
Signer

Actual PE Digest

1f:06:52:8b:cb:ab:75:4a:64:c3:09:ce:09:90:94:0f:3b:5d:08:18

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Build\workspace\NWE-Windows-Debug-5.0-build\windows\ECAT\Client\x64\Debug\ECAT-Agent64.pdb

Imports

kernel32

LCMapStringW
VerSetConditionMask
VerifyVersionInfoW
OpenProcess
GetModuleFileNameW
GetLocalTime
GetCurrentProcess
GetCurrentThread
WTSGetActiveConsoleSessionId
FindClose
FindFirstFileW
FindNextFileW
RemoveDirectoryW
DeviceIoControl
GetProcessTimes
GetWindowsDirectoryW
MoveFileExW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
GetComputerNameW
FileTimeToLocalFileTime
FileTimeToSystemTime
GetComputerNameExW
GetNativeSystemInfo
GetTimeZoneInformation
GetGeoInfoW
GetUserGeoID
GetSystemDefaultLangID
GetUserDefaultLangID
ProcessIdToSessionId
VirtualQueryEx
IsWow64Process
Module32FirstW
Module32NextW
WaitForMultipleObjects
CreateDirectoryW
SetFileTime
GetFileSizeEx
DuplicateHandle
QueryPerformanceFrequency
ExitProcess
SetCurrentDirectoryW
OpenEventW
SetConsoleCtrlHandler
IsDebuggerPresent
SetThreadPriority
SuspendThread
ResumeThread
GetStdHandle
GetConsoleScreenBufferInfo
SetConsoleScreenBufferSize
FreeConsole
AllocConsole
WriteConsoleW
CancelIo
ExpandEnvironmentStringsA
CreateRemoteThread
VirtualProtect
VirtualAllocEx
WriteProcessMemory
GetModuleFileNameA
lstrcmpiW
CopyFileA
GetOverlappedResult
LCMapStringA
CheckRemoteDebuggerPresent
lstrlenW
CreateEventW
ResetEvent
SetEvent
GetModuleHandleA
ReadProcessMemory
GetVolumePathNamesForVolumeNameW
FindVolumeClose
FindNextVolumeW
FindFirstVolumeW
GetSystemWow64DirectoryW
GetSystemDirectoryW
QueryDosDeviceW
GetLongPathNameW
LoadLibraryW
GetLogicalDrives
CreateProcessW
GetExitCodeProcess
ExpandEnvironmentStringsW
CompareStringA
CompareStringW
GlobalFree
GlobalAlloc
TerminateThread
CreateThread
GetModuleHandleW
GetSystemWindowsDirectoryW
SetFileAttributesW
VirtualFree
VirtualAlloc
ReleaseMutex
SetLastError
GetCurrentThreadId
DeleteCriticalSection
TryEnterCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
HeapAlloc
HeapCompact
HeapDestroy
UnlockFile
GetProcAddress
CreateFileMappingA
LocalFree
LockFileEx
GetFileSize
GetCurrentProcessId
GetProcessHeap
SystemTimeToFileTime
FreeLibrary
WideCharToMultiByte
GetSystemTimeAsFileTime
GetSystemTime
FormatMessageA
CreateFileMappingW
MapViewOfFile
QueryPerformanceCounter
GetTickCount
FlushFileBuffers
AreFileApisANSI
ReadFile
HeapCreate
HeapFree
GetFullPathNameW
WriteFile
GetDiskFreeSpaceW
OutputDebugStringA
LockFile
SetFilePointer
GetFullPathNameA
SetEndOfFile
UnlockFileEx
GetTempPathW
GetConsoleMode
GetConsoleCP
SetStdHandle
FindNextFileA
FindFirstFileExA
GetCommandLineW
GetCommandLineA
SetEnvironmentVariableW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCPInfo
CreateMutexW
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetVersionExW
UnmapViewOfFile
HeapValidate
HeapSize
MultiByteToWideChar
Sleep
GetTempPathA
FormatMessageW
GetDiskFreeSpaceA
GetLastError
GetFileAttributesA
GetFileAttributesExW
OutputDebugStringW
FlushViewOfFile
CreateFileA
LoadLibraryA
WaitForSingleObjectEx
GetVersionExA
DeleteFileA
DeleteFileW
GetOEMCP
IsValidCodePage
HeapQueryInformation
CreateProcessA
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
GetTimeFormatW
GetDateFormatW
GetACP
GetFileType
GetStringTypeW
GetModuleHandleExW
FreeLibraryAndExitThread
ExitThread
EncodePointer
LoadLibraryExW
InterlockedFlushSList
InterlockedPushEntrySList
RtlPcToFileHeader
RtlUnwindEx
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
InitializeSListHead
GetStartupInfoW
RaiseException
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
Thread32Next
Thread32First
FlushInstructionCache
SetThreadContext
GetThreadContext
OpenThread
GetFileInformationByHandle
BackupSeek
BackupRead
FindVolumeMountPointClose
FindNextVolumeMountPointW
FindFirstVolumeMountPointW
GetVolumeNameForVolumeMountPointW
GetVolumeInformationW
GetDriveTypeW
FindFirstFileExW
VirtualQuery
SetFilePointerEx
HeapReAlloc
CloseHandle
GetSystemInfo

advapi32

RegOpenKeyExW
CryptReleaseContext
CryptDeriveKey
CryptDestroyKey
CryptGetHashParam
CryptExportKey
CryptImportKey
CryptEncrypt
CryptDecrypt
CryptCreateHash
CryptHashData
CryptDestroyHash
RegDeleteValueW
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegSetValueExA
CryptGetUserKey
RegOpenKeyW
RegEnumValueW
RegEnumKeyExW
RegQueryInfoKeyW
RegEnumKeyW
RegLoadKeyW
RegUnLoadKeyW
RevertToSelf
GetUserNameW
RegOpenCurrentUser
SystemFunction036
StartServiceCtrlDispatcherW
CryptGenRandom
OpenProcessToken
OpenThreadToken
SetServiceStatus
RegisterServiceCtrlHandlerExW
InitiateSystemShutdownExW
LookupPrivilegeValueW
AdjustTokenPrivileges
GetSecurityInfo
SetNamedSecurityInfoW
GetSecurityDescriptorSacl
GetSecurityDescriptorOwner
GetSecurityDescriptorDacl
LookupAccountSidW
ConvertSidToStringSidW
LookupAccountNameW
GetSidSubAuthorityCount
GetSidSubAuthority
ConvertStringSecurityDescriptorToSecurityDescriptorW
StartServiceW
QueryServiceStatus
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
DeleteService
ControlService
CloseServiceHandle
RegCreateKeyExW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
CryptSetKeyParam
ImpersonateLoggedOnUser
GetTokenInformation
FreeSid
EqualSid
DuplicateTokenEx
AllocateAndInitializeSid
CryptAcquireContextW

shell32

CommandLineToArgvW
SHGetSpecialFolderPathW
SHGetFolderPathW

user32

SetWindowLongPtrW
GetClientRect
GetWindowThreadProcessId
EnumWindows
CallWindowProcW
GetCaretBlinkTime
InvalidateRect

wtsapi32

WTSEnumerateSessionsW
WTSQueryUserToken
WTSEnumerateProcessesW
WTSFreeMemory

crypt32

CertFreeCertificateChain
CertGetCertificateChain
CryptProtectData
CryptUnprotectData
CertGetCertificateContextProperty
CertCloseStore
CertEnumCertificatesInStore
PFXImportCertStore
CryptDecodeObjectEx
CryptDecodeObject
CryptMsgOpenToDecode
CryptMsgClose
CryptMsgUpdate
CryptMsgGetParam
CryptMsgControl
CertFindCertificateInStore
CertFreeCertificateContext
CertGetNameStringW
CryptQueryObject
CryptVerifyCertificateSignature
CertNameToStrW

cryptnet

CryptGetObjectUrl

wintrust

CryptCATAdminReleaseCatalogContext
CryptCATCatalogInfoFromContext
CryptCATAdminEnumCatalogFromHash
CryptCATOpen
CryptCATClose
CryptCATEnumerateMember
CryptCATAdminAcquireContext
CryptCATAdminReleaseContext

wininet

InternetCombineUrlW

winhttp

WinHttpGetProxyForUrl
WinHttpReceiveResponse
WinHttpSetCredentials
WinHttpSendRequest
WinHttpAddRequestHeaders
WinHttpOpenRequest
WinHttpSetTimeouts
WinHttpSetOption
WinHttpQueryOption
WinHttpWriteData
WinHttpCrackUrl
WinHttpGetDefaultProxyConfiguration
WinHttpOpen
WinHttpCloseHandle
WinHttpQueryHeaders
WinHttpGetIEProxyConfigForCurrentUser
WinHttpSetStatusCallback
WinHttpConnect
WinHttpReadData

ws2_32

closesocket
shutdown
WSASocketW
GetAddrInfoW
FreeAddrInfoW
WSAAddressToStringW
WSAStringToAddressW
InetNtopW
connect
ioctlsocket
recv
select
send
WSAStartup
WSACleanup
WSAGetLastError
WSAGetOverlappedResult
WSARecv
WSARecvFrom
WSASend
getaddrinfo
freeaddrinfo
WSASendTo

iphlpapi

GetPerAdapterInfo
GetAdaptersAddresses
GetAdaptersInfo
GetTcpTable

dnsapi

DnsQuery_W
DnsFree

dbghelp

ImageNtHeader
MiniDumpWriteDump

imagehlp

UnMapAndLoad
MapAndLoad
CheckSumMappedFile

psapi

GetMappedFileNameW
QueryWorkingSet
EnumProcessModules
GetProcessImageFileNameW
EnumProcesses

ole32

CoUninitialize
CoCreateInstance
CoInitialize
CoInitializeEx
CoInitializeSecurity
CoTaskMemFree
CoSetProxyBlanket
IIDFromString

oleaut32

VariantInit
SysStringLen
SafeArrayGetElement
VariantClear
SystemTimeToVariantTime
VariantTimeToSystemTime
SysAllocString
SysFreeString

userenv

GetProfilesDirectoryW

netapi32

NetUserGetLocalGroups
NetApiBufferFree
NetUserGetGroups
NetStatisticsGet
NetShareEnum
NetGetDCName
NetLocalGroupGetMembers

shlwapi

PathIsNetworkPathW
PathIsDirectoryW
PathFindFileNameA
PathIsRelativeW
PathIsRootW
PathRenameExtensionW
PathFindFileNameW
PathRemoveFileSpecW
PathGetArgsW
PathFindExtensionW
PathRemoveBackslashW
PathAddBackslashW
PathUnquoteSpacesW
PathStripToRootW
PathGetDriveNumberW
PathFileExistsW
PathAppendW

sfc

SfcIsFileProtected

secur32

LsaEnumerateLogonSessions
LsaGetLogonSessionData
GetComputerObjectNameW
LsaFreeReturnBuffer
GetUserNameExW

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

Sections

.text
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 882KB - Virtual size: 881KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 731KB - Virtual size: 14.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 157KB - Virtual size: 156KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.gfids
Size: 512B - Virtual size: 464B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 456B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

366a1579bdd3d72ad1f4812c39e354b3

Code Sign

f4:86:eb:67:5b:aa:4e:34Certificate

1f:06:52:8b:cb:ab:75:4a:64:c3:09:ce:09:90:94:0f:3b:5d:08:18Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

shell32

user32

wtsapi32

crypt32

cryptnet

wintrust

wininet

winhttp

ws2_32

iphlpapi

dnsapi

dbghelp

imagehlp

psapi

ole32

oleaut32

userenv

netapi32

shlwapi

sfc

secur32

version

Sections

.text Size: 3.5MB - Virtual size: 3.5MB

.rdata Size: 882KB - Virtual size: 881KB

.data Size: 731KB - Virtual size: 14.6MB

.pdata Size: 157KB - Virtual size: 156KB

.gfids Size: 512B - Virtual size: 464B

.rsrc Size: 512B - Virtual size: 456B

.reloc Size: 20KB - Virtual size: 20KB

f4:86:eb:67:5b:aa:4e:34
Certificate

1f:06:52:8b:cb:ab:75:4a:64:c3:09:ce:09:90:94:0f:3b:5d:08:18
Signer

.text
Size: 3.5MB - Virtual size: 3.5MB

.rdata
Size: 882KB - Virtual size: 881KB

.data
Size: 731KB - Virtual size: 14.6MB

.pdata
Size: 157KB - Virtual size: 156KB

.gfids
Size: 512B - Virtual size: 464B

.rsrc
Size: 512B - Virtual size: 456B

.reloc
Size: 20KB - Virtual size: 20KB