2024-06-15_9a2a50751f7740a8edfd1a1dd661a10a_cobalt-strike_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-06-15_9a2a50751f7740a8edfd1a1dd661a10a_cobalt-strike_ryuk
Size

501KB
MD5

9a2a50751f7740a8edfd1a1dd661a10a
SHA1

8f1303f1e8bc31b9ccd1f5fb739c691030767827
SHA256

48ec77720b6a5ddc537fecae21046807fc236b558ddf6e1affdd7245794adc91
SHA512

f61ab334fe440106963050e2ded6461b31b043d9f98e9f27c39d6fa2dbde0979c7223aa65b644c4ff42f91c137ceea1d5a9cc2771ae89e430e27882f08d814c4
SSDEEP

6144:TiBlwsmAQIPvTmaEVmP02yCUE+cw0wIceA4D55qv4t/uBmohChYgXP6RIeGBPLa:TiBlwBAQIXqaE0yCgqwXeAVmoEAlGFO

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-06-15_9a2a50751f7740a8edfd1a1dd661a10a_cobalt-strike_ryuk

Files

2024-06-15_9a2a50751f7740a8edfd1a1dd661a10a_cobalt-strike_ryuk
.exe windows:6 windows x64 arch:x64

997697ab724741456c3bab642ada075e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

d:\Workspace\nisraely\gitlab\cphs\IntelCpHeciSvc\x64\one_core_release_registry\IntelCpHeciSvc.pdb

Imports

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentStringsW
FreeEnvironmentStringsW
GetCommandLineW
SetStdHandle
ExpandEnvironmentStringsW
GetCommandLineA
GetStdHandle

api-ms-win-core-file-l1-1-0

CreateDirectoryW
SetEndOfFile
FlushFileBuffers
SetFilePointerEx
FindNextFileW
FindFirstFileExW
CreateFileW
ReadFile
WriteFile
GetFileType
FindClose

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
SetLastError
UnhandledExceptionFilter
RaiseException
GetLastError

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-synch-l1-1-0

WaitForSingleObjectEx
ResetEvent
EnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
CreateEventW
WaitForMultipleObjectsEx
WaitForSingleObject
SetEvent
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
DeleteCriticalSection

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
TerminateProcess
ResumeThread
CreateThread
GetStartupInfoW
GetCurrentProcessId
TlsFree
TlsSetValue
TlsAlloc
GetCurrentThreadId
ExitProcess
OpenProcessToken
TlsGetValue

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-processthreads-l1-1-1

OpenProcess
IsProcessorFeaturePresent

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
LoadStringW
GetProcAddress
GetModuleFileNameW
FreeLibrary
LoadLibraryExW
LoadResource
SizeofResource
GetModuleHandleW

api-ms-win-core-libraryloader-l1-2-1

FindResourceW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

api-ms-win-core-string-l2-1-0

CharNextW
CharUpperW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegQueryValueExW
RegSetValueExA
RegDeleteValueW
RegQueryValueExA
RegSetValueExW
RegEnumKeyExW

api-ms-win-core-registry-l2-1-0

RegDeleteKeyW

api-ms-win-core-com-l1-1-0

CoResumeClassObjects
CoAddRefServerProcess
CoReleaseServerProcess
CoTaskMemAlloc
CoCreateInstance
StringFromGUID2
CoTaskMemFree
CoInitializeSecurity
CoUninitialize
CoInitializeEx
CoTaskMemRealloc
CoRevokeClassObject
CoRegisterClassObject

oleaut32

SysStringLen
SysFreeString
LoadRegTypeLi
VarUI4FromStr
SafeArrayCreate
SafeArrayDestroy
SafeArrayRedim
SafeArrayGetUBound
SafeArrayGetLBound
RegisterTypeLi
SysAllocString
SafeArrayLock
SafeArrayUnlock
SafeArrayCopy
SafeArrayGetVartype
VariantInit
VariantClear
LoadTypeLi

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-sysinfo-l1-1-0

GetVersionExW
GetSystemTimeAsFileTime

api-ms-win-devices-config-l1-1-1

CM_Unregister_Notification
CM_Get_Device_Interface_ListW
CM_Register_Notification
CM_Get_Device_Interface_List_SizeW

api-ms-win-core-io-l1-1-0

DeviceIoControl
GetOverlappedResult

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap
HeapReAlloc
HeapSize

api-ms-win-security-base-l1-1-0

GetSecurityDescriptorLength
MakeAbsoluteSD
AdjustTokenPrivileges

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW

api-ms-win-service-management-l2-1-0

ChangeServiceConfigW
QueryServiceConfigW

api-ms-win-service-management-l1-1-0

OpenServiceW
CloseServiceHandle
CreateServiceW
DeleteService
OpenSCManagerW

api-ms-win-service-winsvc-l1-1-0

ControlService

api-ms-win-service-core-l1-1-0

SetServiceStatus
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerExW

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

user32

DispatchMessageW
TranslateMessage
GetMessageW
PostThreadMessageW

api-ms-win-core-localization-l1-2-0

IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetCPInfo
GetLocaleInfoW
LCMapStringW
GetOEMCP
GetACP
IsValidCodePage

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlUnwindEx
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-console-l1-1-0

WriteConsoleW
GetConsoleCP
GetConsoleMode
ReadConsoleW

Exports

Exports

MessageBoxW

Sections

.text
Size: 300KB - Virtual size: 300KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 148KB - Virtual size: 147KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

997697ab724741456c3bab642ada075e

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-com-l1-1-0

oleaut32

api-ms-win-core-synch-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-devices-config-l1-1-1

api-ms-win-core-io-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-service-core-l1-1-0

api-ms-win-security-sddl-l1-1-0

user32

api-ms-win-core-localization-l1-2-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-console-l1-1-0

Exports

Exports

Sections

.text Size: 300KB - Virtual size: 300KB

.rdata Size: 148KB - Virtual size: 147KB

.data Size: 8KB - Virtual size: 15KB

.pdata Size: 16KB - Virtual size: 15KB

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 4KB - Virtual size: 3KB

.text
Size: 300KB - Virtual size: 300KB

.rdata
Size: 148KB - Virtual size: 147KB

.data
Size: 8KB - Virtual size: 15KB

.pdata
Size: 16KB - Virtual size: 15KB

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 4KB - Virtual size: 3KB