2024-06-20_dd69e77ef5084d79a8650e4cee5a2f17_cobalt-strike_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-06-20_dd69e77ef5084d79a8650e4cee5a2f17_cobalt-strike_ryuk
Size

516KB
MD5

dd69e77ef5084d79a8650e4cee5a2f17
SHA1

d9bb5c6779056a046d18d043dabff160c6eb0713
SHA256

b1643f086f577f6e299b83e0624f468b6aed5be1f79d041773c0130b0a935170
SHA512

6e8f7d535a39861305d82ea0645c99ff2246e4a5a9dcb12fd400729c42e436eecf7c24e643d5e64897d0759e1ba09e316749bbff50326d0bdb646ff092ec6727
SSDEEP

6144:giBlwsmAQIPvTmaEVmP02yCUE+cw0wIceA4D55qv4t/uBmohChYgXP6RIey5I:giBlwBAQIXqaE0yCgqwXeAVmoEAlyy

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-06-20_dd69e77ef5084d79a8650e4cee5a2f17_cobalt-strike_ryuk

Files

2024-06-20_dd69e77ef5084d79a8650e4cee5a2f17_cobalt-strike_ryuk
.exe windows:6 windows x64 arch:x64

997697ab724741456c3bab642ada075e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

d:\Workspace\nisraely\gitlab\cphs\IntelCpHeciSvc\x64\one_core_release_registry\IntelCpHeciSvc.pdb

Imports

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentStringsW
FreeEnvironmentStringsW
GetCommandLineW
SetStdHandle
ExpandEnvironmentStringsW
GetCommandLineA
GetStdHandle

api-ms-win-core-file-l1-1-0

CreateDirectoryW
SetEndOfFile
FlushFileBuffers
SetFilePointerEx
FindNextFileW
FindFirstFileExW
CreateFileW
ReadFile
WriteFile
GetFileType
FindClose

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
SetLastError
UnhandledExceptionFilter
RaiseException
GetLastError

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-synch-l1-1-0

WaitForSingleObjectEx
ResetEvent
EnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
CreateEventW
WaitForMultipleObjectsEx
WaitForSingleObject
SetEvent
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
DeleteCriticalSection

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
TerminateProcess
ResumeThread
CreateThread
GetStartupInfoW
GetCurrentProcessId
TlsFree
TlsSetValue
TlsAlloc
GetCurrentThreadId
ExitProcess
OpenProcessToken
TlsGetValue

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-processthreads-l1-1-1

OpenProcess
IsProcessorFeaturePresent

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
LoadStringW
GetProcAddress
GetModuleFileNameW
FreeLibrary
LoadLibraryExW
LoadResource
SizeofResource
GetModuleHandleW

api-ms-win-core-libraryloader-l1-2-1

FindResourceW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

api-ms-win-core-string-l2-1-0

CharNextW
CharUpperW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegQueryValueExW
RegSetValueExA
RegDeleteValueW
RegQueryValueExA
RegSetValueExW
RegEnumKeyExW

api-ms-win-core-registry-l2-1-0

RegDeleteKeyW

api-ms-win-core-com-l1-1-0

CoResumeClassObjects
CoAddRefServerProcess
CoReleaseServerProcess
CoTaskMemAlloc
CoCreateInstance
StringFromGUID2
CoTaskMemFree
CoInitializeSecurity
CoUninitialize
CoInitializeEx
CoTaskMemRealloc
CoRevokeClassObject
CoRegisterClassObject

oleaut32

SysStringLen
SysFreeString
LoadRegTypeLi
VarUI4FromStr
SafeArrayCreate
SafeArrayDestroy
SafeArrayRedim
SafeArrayGetUBound
SafeArrayGetLBound
RegisterTypeLi
SysAllocString
SafeArrayLock
SafeArrayUnlock
SafeArrayCopy
SafeArrayGetVartype
VariantInit
VariantClear
LoadTypeLi

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-sysinfo-l1-1-0

GetVersionExW
GetSystemTimeAsFileTime

api-ms-win-devices-config-l1-1-1

CM_Unregister_Notification
CM_Get_Device_Interface_ListW
CM_Register_Notification
CM_Get_Device_Interface_List_SizeW

api-ms-win-core-io-l1-1-0

DeviceIoControl
GetOverlappedResult

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap
HeapReAlloc
HeapSize

api-ms-win-security-base-l1-1-0

GetSecurityDescriptorLength
MakeAbsoluteSD
AdjustTokenPrivileges

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW

api-ms-win-service-management-l2-1-0

ChangeServiceConfigW
QueryServiceConfigW

api-ms-win-service-management-l1-1-0

OpenServiceW
CloseServiceHandle
CreateServiceW
DeleteService
OpenSCManagerW

api-ms-win-service-winsvc-l1-1-0

ControlService

api-ms-win-service-core-l1-1-0

SetServiceStatus
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerExW

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

user32

DispatchMessageW
TranslateMessage
GetMessageW
PostThreadMessageW

api-ms-win-core-localization-l1-2-0

IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetCPInfo
GetLocaleInfoW
LCMapStringW
GetOEMCP
GetACP
IsValidCodePage

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlUnwindEx
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-console-l1-1-0

WriteConsoleW
GetConsoleCP
GetConsoleMode
ReadConsoleW

Exports

Exports

MessageBoxW

Sections

.text
Size: 300KB - Virtual size: 300KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 148KB - Virtual size: 147KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

997697ab724741456c3bab642ada075e

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-com-l1-1-0

oleaut32

api-ms-win-core-synch-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-devices-config-l1-1-1

api-ms-win-core-io-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-service-core-l1-1-0

api-ms-win-security-sddl-l1-1-0

user32

api-ms-win-core-localization-l1-2-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-console-l1-1-0

Exports

Exports

Sections

.text Size: 300KB - Virtual size: 300KB

.rdata Size: 148KB - Virtual size: 147KB

.data Size: 8KB - Virtual size: 15KB

.pdata Size: 16KB - Virtual size: 15KB

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 4KB - Virtual size: 3KB

.text
Size: 300KB - Virtual size: 300KB

.rdata
Size: 148KB - Virtual size: 147KB

.data
Size: 8KB - Virtual size: 15KB

.pdata
Size: 16KB - Virtual size: 15KB

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 4KB - Virtual size: 3KB