2024-06-30_2c9b52b12c2b30ea5c512b0cb19125dc_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-06-30_2c9b52b12c2b30ea5c512b0cb19125dc_ryuk
Size

2.4MB
MD5

2c9b52b12c2b30ea5c512b0cb19125dc
SHA1

69bcf4293fa0b1e5a4e6617d43f36db2f41fc39a
SHA256

75c8cc7352d458e8ea60a0cb6382a6b1a3a5e8f394f5bfb85e42265f84886e84
SHA512

2138b2a815a3e2d565228e164c0ae757b03fee3d0d88f1fd1b19d5d42f63fce33f6de8a29d31b25c26a040050a812708962328094bd28ce2aa83539f164de9b9
SSDEEP

49152:k9b0ZZy+yucAxIZqSiM71MIcGTaxlMPdlR8v4UC0Eg6ET7M/I:ub0ZZyBaZl2/V0cETQ/I

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-06-30_2c9b52b12c2b30ea5c512b0cb19125dc_ryuk

Files

2024-06-30_2c9b52b12c2b30ea5c512b0cb19125dc_ryuk
.exe windows:5 windows x64 arch:x64

fb890080847d09e89dffa290990ca00c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\b\c\b\win64_pgo\src\out\Release_x64\setup.exe.pdb

Imports

netapi32

NetGetJoinInformation
NetApiBufferFree

advapi32

RevertToSelf
ConvertSidToStringSidW
GetTokenInformation
OpenProcessToken
EqualSid
GetAce
GetAclInformation
RegEnumValueA
RegEnumValueW
RegEnumKeyExW
RegLoadKeyW
RegUnLoadKeyW
GetLengthSid
InitializeAcl
AddAce
IsValidSid
InitializeSid
GetNamedSecurityInfoW
CopySid
SetNamedSecurityInfoW
GetSidLengthRequired
GetSidSubAuthority
CreateProcessAsUserW
RegQueryValueExW
RegDeleteValueW
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegCloseKey
GetSidSubAuthorityCount
SystemFunction036
GetUserNameW
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetFileSecurityW
ConvertSecurityDescriptorToStringSecurityDescriptorW
SetFileSecurityW
AdjustTokenPrivileges
LookupPrivilegeValueW
ImpersonateNamedPipeClient
TraceEvent
GetTraceLoggerHandle
GetTraceEnableFlags
GetTraceEnableLevel
RegisterTraceGuidsW
UnregisterTraceGuids

kernel32

QueueUserAPC
GetPriorityClass
GetProcAddress
VirtualAllocEx
WTSGetActiveConsoleSessionId
CreateProcessW
GetModuleHandleW
CreateEventW
HeapFree
InitializeCriticalSectionAndSpinCount
HeapSize
HeapReAlloc
RaiseException
HeapAlloc
DecodePointer
HeapDestroy
DeleteCriticalSection
GetProcessHeap
CreateDirectoryW
GetCommandLineW
GetUserDefaultLangID
SetEnvironmentVariableW
GetEnvironmentVariableW
GetFileAttributesW
MultiByteToWideChar
OutputDebugStringW
WideCharToMultiByte
GetTempPathW
LoadLibraryW
FreeLibrary
VirtualProtect
GetModuleFileNameW
DuplicateHandle
OpenProcess
GetExitCodeProcess
HeapSetInformation
ReadFile
GetLongPathNameW
WriteFile
RemoveDirectoryW
CreateFileW
UnmapViewOfFile
SetFileAttributesW
GetFileAttributesExW
DeleteFileW
GetCurrentDirectoryW
SetCurrentDirectoryW
MoveFileExW
ReplaceFileW
CopyFileW
CreateFileMappingW
MapViewOfFile
MoveFileW
SetHandleInformation
GetStdHandle
AssignProcessToJobObject
GetProcessId
GetCurrentThreadId
Sleep
CreateThread
IsDebuggerPresent
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
GetSystemInfo
GetProcessTimes
VirtualQueryEx
FileTimeToSystemTime
QueryPerformanceFrequency
WriteProcessMemory
QueryPerformanceCounter
HeapCreate
OutputDebugStringA
GetLocalTime
FormatMessageA
GetTickCount
FindFirstFileExW
FindNextFileW
FindClose
AcquireSRWLockExclusive
SetEvent
ResetEvent
GetVersionExW
GetNativeSystemInfo
VirtualFree
VirtualAlloc
FlushViewOfFile
GetFileSizeEx
SetFileTime
SetEndOfFile
GetFileInformationByHandle
SetFilePointerEx
FlushFileBuffers
GetModuleHandleExW
RegisterWaitForSingleObject
ResumeThread
GetWindowsDirectoryW
SizeofResource
LockResource
LoadResource
FindResourceW
TlsGetValue
VirtualQuery
TlsSetValue
TlsAlloc
TlsFree
RtlCaptureStackBackTrace
SetUnhandledExceptionFilter
LoadLibraryExW
GetQueuedCompletionStatus
PostQueuedCompletionStatus
CreateIoCompletionPort
CompareStringW
GetShortPathNameW
SetFilePointer
GetDateFormatW
InitOnceExecuteOnce
EnterCriticalSection
LeaveCriticalSection
RtlVirtualUnwind
GetVersion
SleepEx
GetFileType
UnlockFileEx
LockFileEx
Wow64GetThreadContext
SuspendThread
GetThreadContext
ReadProcessMemory
GetSystemDefaultLCID
GetThreadLocale
GetUserDefaultLCID
SetConsoleCtrlHandler
SetProcessShutdownParameters
WaitNamedPipeW
TransactNamedPipe
CreateNamedPipeW
SetNamedPipeHandleState
InitializeCriticalSection
GetUserDefaultUILanguage
WriteConsoleW
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetOEMCP
IsValidCodePage
GetTimeZoneInformation
EnumSystemLocalesW
IsValidLocale
ReadConsoleW
GetACP
GetConsoleMode
GetConsoleCP
SetStdHandle
ExitProcess
GetFullPathNameW
PeekNamedPipe
GetDriveTypeW
RtlUnwindEx
RtlPcToFileHeader
InitializeSListHead
GetStartupInfoW
IsProcessorFeaturePresent
UnhandledExceptionFilter
RtlLookupFunctionEntry
RtlCaptureContext
WaitForSingleObjectEx
GetCPInfo
GetLocaleInfoW
LCMapStringW
EncodePointer
GetStringTypeW
FreeConsole
GetConsoleDisplayMode
AttachConsole
GetCurrentProcess
GetLastError
GetSystemDirectoryW
CloseHandle
ReleaseMutex
TerminateProcess
ExpandEnvironmentStringsW
UnregisterWaitEx
SetPriorityClass
WaitForSingleObject
CreateMutexW
GetSystemTimeAsFileTime
GetCurrentProcessId
ReleaseSRWLockExclusive
LocalFree
GetModuleHandleA
SetLastError
GetFileInformationByHandleEx
DisconnectNamedPipe
ConnectNamedPipe
IsWow64Process
ReleaseSemaphore
CreateSemaphoreW
LoadLibraryExA
SystemTimeToTzSpecificLocalTime

ole32

CoTaskMemFree
CoAllowSetForegroundWindow
CoSetProxyBlanket
CoUninitialize
CoInitializeEx
CoTaskMemAlloc
CoCreateInstance
PropVariantClear

oleaut32

SysFreeString
SysStringLen
SysAllocString
VariantInit
VariantClear

psapi

GetPerformanceInfo
GetProcessMemoryInfo

shell32

ShellExecuteW
SHOpenWithDialog
ord680
SHChangeNotify
SHQueryUserNotificationState
SHGetFolderPathW
ShellExecuteExW
CommandLineToArgvW
SHGetKnownFolderPath

shlwapi

UrlCanonicalizeW
PathMatchSpecW

user32

MonitorFromRect
EqualRect
GetWindowRect
GetWindowThreadProcessId
GetWindowLongW
UnregisterClassW
GetSystemMetrics
TranslateMessage
DispatchMessageW
SendMessageW
CallNextHookEx
UnhookWindowsHookEx
LoadIconW
SetWindowsHookExW
MonitorFromWindow
MoveWindow
SetForegroundWindow
DefWindowProcW
DestroyWindow
SetWindowLongPtrW
CreateWindowExW
GetWindowLongPtrW
GetForegroundWindow
IntersectRect
MessageBoxW
RegisterClassW
GetMessageW
GetMonitorInfoW
PostMessageW

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

winmm

timeGetTime

ws2_32

ntohl

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

urlmon

CreateURLMonikerEx

wtsapi32

WTSFreeMemory
WTSQueryUserToken
WTSQuerySessionInformationW

winhttp

WinHttpCrackUrl
WinHttpConnect
WinHttpWriteData
WinHttpOpenRequest
WinHttpReadData
WinHttpOpen
WinHttpCloseHandle
WinHttpSetTimeouts
WinHttpReceiveResponse
WinHttpAddRequestHeaders
WinHttpQueryHeaders
WinHttpSendRequest

Exports

Exports

GetHandleVerifier

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 241KB - Virtual size: 240KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 51KB - Virtual size: 51KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 29B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

CPADinfo
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 311KB - Virtual size: 310KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 576KB - Virtual size: 580KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

fb890080847d09e89dffa290990ca00c

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

netapi32

advapi32

kernel32

ole32

oleaut32

psapi

shell32

shlwapi

user32

version

winmm

ws2_32

userenv

urlmon

wtsapi32

winhttp

Exports

Exports

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

.rdata Size: 241KB - Virtual size: 240KB

.data Size: 5KB - Virtual size: 37KB

.pdata Size: 51KB - Virtual size: 51KB

.didat Size: 512B - Virtual size: 24B

.tls Size: 512B - Virtual size: 29B

CPADinfo Size: 512B - Virtual size: 48B

.rsrc Size: 311KB - Virtual size: 310KB

.reloc Size: 576KB - Virtual size: 580KB

.text
Size: 1.2MB - Virtual size: 1.2MB

.rdata
Size: 241KB - Virtual size: 240KB

.data
Size: 5KB - Virtual size: 37KB

.pdata
Size: 51KB - Virtual size: 51KB

.didat
Size: 512B - Virtual size: 24B

.tls
Size: 512B - Virtual size: 29B

CPADinfo
Size: 512B - Virtual size: 48B

.rsrc
Size: 311KB - Virtual size: 310KB

.reloc
Size: 576KB - Virtual size: 580KB