2024-10-01_f7c4db878bdba44c87f5b1b29544d477_ryuk

Sharing

Copy URL Twitter E-mail

General

Target

2024-10-01_f7c4db878bdba44c87f5b1b29544d477_ryuk
Size

1.7MB
MD5

f7c4db878bdba44c87f5b1b29544d477
SHA1

e6f1b8ae51934410a9f3309736db67d8a369820d
SHA256

cbdc58cd4210a669d32bcebe90161279737354a336341f3289956f18f49ffee7
SHA512

61a5f879195eb564057b85ff677ae761c481046243a607d525541179b964edac077388a98d4bd57b87517ddd7ef4dc62c2f9861c4c146bd545806e9944734c60
SSDEEP

24576:piBEkWqwXeAVmYd/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:lz5Xe6XdLNiXicJFFRGNzj3

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2024-10-01_f7c4db878bdba44c87f5b1b29544d477_ryuk

Files

2024-10-01_f7c4db878bdba44c87f5b1b29544d477_ryuk
.exe windows:6 windows x64 arch:x64

997697ab724741456c3bab642ada075e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

d:\Workspace\nisraely\gitlab\cphs\IntelCpHeciSvc\x64\one_core_release_registry\IntelCpHeciSvc.pdb

Imports

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentStringsW
FreeEnvironmentStringsW
GetCommandLineW
SetStdHandle
ExpandEnvironmentStringsW
GetCommandLineA
GetStdHandle

api-ms-win-core-file-l1-1-0

CreateDirectoryW
SetEndOfFile
FlushFileBuffers
SetFilePointerEx
FindNextFileW
FindFirstFileExW
CreateFileW
ReadFile
WriteFile
GetFileType
FindClose

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
SetLastError
UnhandledExceptionFilter
RaiseException
GetLastError

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-synch-l1-1-0

WaitForSingleObjectEx
ResetEvent
EnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
CreateEventW
WaitForMultipleObjectsEx
WaitForSingleObject
SetEvent
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
DeleteCriticalSection

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
TerminateProcess
ResumeThread
CreateThread
GetStartupInfoW
GetCurrentProcessId
TlsFree
TlsSetValue
TlsAlloc
GetCurrentThreadId
ExitProcess
OpenProcessToken
TlsGetValue

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-processthreads-l1-1-1

OpenProcess
IsProcessorFeaturePresent

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
LoadStringW
GetProcAddress
GetModuleFileNameW
FreeLibrary
LoadLibraryExW
LoadResource
SizeofResource
GetModuleHandleW

api-ms-win-core-libraryloader-l1-2-1

FindResourceW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

api-ms-win-core-string-l2-1-0

CharNextW
CharUpperW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegQueryValueExW
RegSetValueExA
RegDeleteValueW
RegQueryValueExA
RegSetValueExW
RegEnumKeyExW

api-ms-win-core-registry-l2-1-0

RegDeleteKeyW

api-ms-win-core-com-l1-1-0

CoResumeClassObjects
CoAddRefServerProcess
CoReleaseServerProcess
CoTaskMemAlloc
CoCreateInstance
StringFromGUID2
CoTaskMemFree
CoInitializeSecurity
CoUninitialize
CoInitializeEx
CoTaskMemRealloc
CoRevokeClassObject
CoRegisterClassObject

oleaut32

SysStringLen
SysFreeString
LoadRegTypeLi
VarUI4FromStr
SafeArrayCreate
SafeArrayDestroy
SafeArrayRedim
SafeArrayGetUBound
SafeArrayGetLBound
RegisterTypeLi
SysAllocString
SafeArrayLock
SafeArrayUnlock
SafeArrayCopy
SafeArrayGetVartype
VariantInit
VariantClear
LoadTypeLi

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-sysinfo-l1-1-0

GetVersionExW
GetSystemTimeAsFileTime

api-ms-win-devices-config-l1-1-1

CM_Unregister_Notification
CM_Get_Device_Interface_ListW
CM_Register_Notification
CM_Get_Device_Interface_List_SizeW

api-ms-win-core-io-l1-1-0

DeviceIoControl
GetOverlappedResult

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap
HeapReAlloc
HeapSize

api-ms-win-security-base-l1-1-0

GetSecurityDescriptorLength
MakeAbsoluteSD
AdjustTokenPrivileges

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW

api-ms-win-service-management-l2-1-0

ChangeServiceConfigW
QueryServiceConfigW

api-ms-win-service-management-l1-1-0

OpenServiceW
CloseServiceHandle
CreateServiceW
DeleteService
OpenSCManagerW

api-ms-win-service-winsvc-l1-1-0

ControlService

api-ms-win-service-core-l1-1-0

SetServiceStatus
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerExW

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

user32

DispatchMessageW
TranslateMessage
GetMessageW
PostThreadMessageW

api-ms-win-core-localization-l1-2-0

IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetCPInfo
GetLocaleInfoW
LCMapStringW
GetOEMCP
GetACP
IsValidCodePage

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlUnwindEx
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-console-l1-1-0

WriteConsoleW
GetConsoleCP
GetConsoleMode
ReadConsoleW

Exports

Exports

MessageBoxW

Sections

.text
Size: 300KB - Virtual size: 300KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 148KB - Virtual size: 147KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1.2MB - Virtual size: 1.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

997697ab724741456c3bab642ada075e

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-com-l1-1-0

oleaut32

api-ms-win-core-synch-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-devices-config-l1-1-1

api-ms-win-core-io-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-service-core-l1-1-0

api-ms-win-security-sddl-l1-1-0

user32

api-ms-win-core-localization-l1-2-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-console-l1-1-0

Exports

Exports

Sections

.text Size: 300KB - Virtual size: 300KB

.rdata Size: 148KB - Virtual size: 147KB

.data Size: 8KB - Virtual size: 15KB

.pdata Size: 16KB - Virtual size: 15KB

.tls Size: 512B - Virtual size: 9B

.rsrc Size: 4KB - Virtual size: 3KB

.reloc Size: 1.2MB - Virtual size: 1.9MB

.text
Size: 300KB - Virtual size: 300KB

.rdata
Size: 148KB - Virtual size: 147KB

.data
Size: 8KB - Virtual size: 15KB

.pdata
Size: 16KB - Virtual size: 15KB

.tls
Size: 512B - Virtual size: 9B

.rsrc
Size: 4KB - Virtual size: 3KB

.reloc
Size: 1.2MB - Virtual size: 1.9MB