Behavioral task
behavioral1
Sample
f427b4d8a76ba24099478a24e0232203ae8ba49b7540110e8cb8a21401a0ad92.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
f427b4d8a76ba24099478a24e0232203ae8ba49b7540110e8cb8a21401a0ad92.exe
Resource
win10v2004-20220901-en
General
Target
f427b4d8a76ba24099478a24e0232203ae8ba49b7540110e8cb8a21401a0ad92
Size
996KB
MD5
528f828012f27f82d05ed7f3d0f06e17
SHA1
eea8ac37dd6ecdbd7e675dfeeda9757c38b6a091
SHA256
f427b4d8a76ba24099478a24e0232203ae8ba49b7540110e8cb8a21401a0ad92
SHA512
52ee8d6cb014c8a34e22ab5e49c40891ebc0ba78d34a7b718ab3b8d786dc0d4126ee5b1f34139743c3a6b97687b0757c5027defef37b595f3430e583d807de49
SSDEEP
12288:03OUoLE11S7RIEcot35FHTF/l7fEBg6bF1CzWWS3xV:yOUop7lxb52B/B1Czyz
Malware Config
Signatures
Processes:
Resource: sample — YARA rule: upx (a packer signature: a UPX match indicates the file is compressed, not that it is malicious; the only signature reported here is this packer match)
Files
f427b4d8a76ba24099478a24e0232203ae8ba49b7540110e8cb8a21401a0ad92.exe windows x86
365a0c6663eb6d83395d4fd917effcd3
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED (note: this flag is set even though IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is also set and a .reloc section is listed under Sections — an inconsistent combination worth checking before assuming ASLR is effective for this image)
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
ntdll
RtlInitUnicodeString
RtlInitString
kernel32
GetCurrentProcess
OutputDebugStringW
IsDebuggerPresent
DebugBreak
FatalExit
LoadLibraryW
GetProcAddress
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSection
InterlockedCompareExchange
SetLastError
AssignProcessToJobObject
GetSystemDirectoryW
ResumeThread
TerminateProcess
WaitForMultipleObjects
GetProcessHeap
OpenProcess
LocalFree
LocalAlloc
FreeLibrary
CreateFileW
IsProcessorFeaturePresent
GetFileType
CloseHandle
GetLastError
GetCurrentProcessId
CreateJobObjectW
InterlockedExchange
HeapSize
HeapReAlloc
Sleep
UnhandledExceptionFilter
SetUnhandledExceptionFilter
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetSystemTimeAsFileTime
HeapDestroy
HeapAlloc
HeapSetInformation
GetVersionExW
ProcessIdToSessionId
GetVolumeInformationW
HeapFree
rpcrt4
NdrServerCall2
RpcStringFreeW
RpcBindingFree
I_RpcBindingInqLocalClientPID
RpcStringBindingParseW
RpcBindingToStringBindingW
RpcBindingServerFromClient
RpcServerListen
RpcServerRegisterAuthInfoW
RpcServerRegisterIf2
RpcRevertToSelf
RpcImpersonateClient
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcBindingSetAuthInfoW
NdrClientCall2
RpcMgmtStopServerListening
RpcServerUseProtseqEpW
advapi32
InitializeSid
LookupPrivilegeValueW
GetTokenInformation
AdjustTokenPrivileges
SystemFunction036
GetSidLengthRequired
GetSidSubAuthority
OpenProcessToken
DuplicateTokenEx
CreateProcessAsUserW
ImpersonateLoggedOnUser
RevertToSelf
LsaNtStatusToWinError
SetTokenInformation
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
CopySid
IsValidSid
GetLengthSid
AllocateLocallyUniqueId
AllocateAndInitializeSid
FreeSid
GetSecurityDescriptorLength
MakeSelfRelativeSD
InitializeSecurityDescriptor
GetSecurityDescriptorOwner
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
GetSecurityDescriptorSacl
MakeAbsoluteSD
GetSecurityDescriptorControl
GetAclInformation
InitializeAcl
AddAce
ConvertSidToStringSidW
GetSecurityInfo
SetEntriesInAclW
SetSecurityInfo
CreateWellKnownSid
EqualSid
CheckTokenMembership
ConvertStringSidToSidW
user32
MessageBoxW
msvcr80
_except_handler4_common
_amsg_exit
__wgetmainargs
_cexit
_exit
_XcptFilter
exit
__winitenv
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
strncmp
__set_app_type
_crt_debugger_hook
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_unlock
__dllonexit
_lock
_onexit
_decode_pointer
_invoke_watson
_controlfp_s
??1exception@std@@UAE@XZ
?what@exception@std@@UBEPBDXZ
??0exception@std@@QAE@ABQBD@Z
_purecall
memcpy
??0exception@std@@QAE@XZ
??0exception@std@@QAE@ABV01@@Z
_encode_pointer
??2@YAPAXI@Z
memmove_s
memcpy_s
_CxxThrowException
_vsnwprintf
??3@YAXPAX@Z
__CxxFrameHandler3
malloc
free
memset
__FrameUnwindFilter
calloc
_wcsnicmp
crypt32
CertVerifyCertificateChainPolicy
CertGetCertificateContextProperty
CryptDecodeObject
CryptFindOIDInfo
msvcp80
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
userenv
UnloadUserProfile
DestroyEnvironmentBlock
CreateEnvironmentBlock
LoadUserProfileW
secur32
LsaGetLogonSessionData
LsaConnectUntrusted
LsaLookupAuthenticationPackage
LsaFreeReturnBuffer
LsaDeregisterLogonProcess
LsaLogonUser
shlwapi
PathCombineW
msvcm80
?ThrowModuleLoadException@<CrtImplementationDetails>@@YAXP$AAVString@System@@P$AAVException@3@@Z
?DoDllLanguageSupportValidation@<CrtImplementationDetails>@@YAXXZ
?RegisterModuleUninitializer@<CrtImplementationDetails>@@YAXP$AAVEventHandler@System@@@Z
?ThrowModuleLoadException@<CrtImplementationDetails>@@YAXP$AAVString@System@@@Z
?ThrowNestedModuleLoadException@<CrtImplementationDetails>@@YAXP$AAVException@System@@0@Z
?DoCallBackInDefaultDomain@<CrtImplementationDetails>@@YAXP6GJPAX@Z0@Z
shell32
SHGetFolderPathW
dnsapi
DnsNameCompare_W
mscoree
_CorExeMain
Sections
.text Size: 248KB - Virtual size: 244KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rdata Size: 516KB - Virtual size: 513KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 72KB - Virtual size: 68KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 8KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
UPX0 Size: 144KB - Virtual size: 380KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE