Static task: static1
Behavioral task: behavioral1
  Sample: mstsc.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: mstsc.exe
  Resource: win10v2004-20221111-en
General
Target: mstsc.exe
Size: 1.5MB
MD5: 7ffae462b1c5a51c720d428237febd97
SHA1: bc0ac58f858cfd14f2db0a3c4a44da4ea9ad21d7
SHA256: 355ca834be29c148d27f973299fac1c434bcec5b7b319a47c7d98eb1c96da1eb
SHA512: 7cd6c6f9357b0c1c0abd3ef046ad7ed48d627071a99603f9ffe5f68894afbebca46bb634f0f75a665c171fcefc984b5232300399a8f1637ff55bdc113e8961e2
SSDEEP: 24576:kqw21bi8YMMjO9SA2yNA5OfBD3TUTsukzwY89mZACErai2/FE/DgzbfFK8WZRw+i:9bi8pMjO9SA2yNA58BD3TrukzwY89mZv
Malware Config
Signatures
Files
mstsc.exe.exe windows x64  0eef7f25f0c666e7bd4bc90208074347
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
advapi32
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
TraceMessage
EventActivityIdControl
RegDeleteKeyValueW
RegGetValueW
EventSetInformation
EventRegister
EventUnregister
EventWriteTransfer
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
SystemFunction036
RegDeleteTreeW
RegCreateKeyTransactedW
CreateWellKnownSid
CredGetSessionTypes
CredWriteW
CredReadW
IsTextUnicode
RegEnumValueW
OpenProcessToken
CredUnmarshalCredentialW
CredIsMarshaledCredentialW
CredWriteDomainCredentialsW
CredReadDomainCredentialsW
CredFree
CredDeleteW
CryptReleaseContext
CryptGenRandom
CryptAcquireContextW
RegQueryValueExW
RegOpenKeyExA
RegQueryValueExA
kernel32
Sleep
HeapSetInformation
GetSystemDirectoryW
CreateSemaphoreExW
HeapFree
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
GetLocaleInfoW
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
SetLastError
FindNextFileW
FindFirstFileW
GetFileAttributesExW
GetTempPathW
SetFilePointer
GetACP
GetFullPathNameW
CompareStringW
GetFileAttributesW
LocalAlloc
CreateDirectoryW
SearchPathW
GetCurrentDirectoryW
LocalFree
LoadLibraryW
GetCurrentProcess
TerminateProcess
GetModuleFileNameA
CreateProcessW
WriteFile
EnterCriticalSection
ReleaseSemaphore
CompareStringOrdinal
lstrcmpW
DelayLoadFailureHook
ResolveDelayLoadedAPI
GetTickCount64
TlsFree
TlsGetValue
SwitchToThread
GetSystemInfo
TlsAlloc
TrySubmitThreadpoolCallback
CloseThreadpool
CloseThreadpoolCleanupGroup
CloseThreadpoolCleanupGroupMembers
CreateThreadpoolCleanupGroup
SetThreadpoolThreadMinimum
SetThreadpoolThreadMaximum
CreateThreadpool
InitializeCriticalSectionAndSpinCount
LockResource
FindResourceW
SystemTimeToFileTime
GetSystemTime
CreateTimerQueueTimer
LoadLibraryA
GlobalFree
LCMapStringEx
RemoveDirectoryW
CompareStringEx
GetProcessId
TerminateThread
ProcessIdToSessionId
GetComputerNameW
InitOnceExecuteOnce
ExpandEnvironmentStringsW
GetOverlappedResult
CloseThreadpoolWork
SubmitThreadpoolWork
CreateThreadpoolWork
DisconnectNamedPipe
CreateThreadpoolIo
CancelThreadpoolIo
StartThreadpoolIo
CloseThreadpoolIo
WaitForThreadpoolIoCallbacks
QueueUserWorkItem
CreateSemaphoreW
GetTickCount
FreeLibraryAndExitThread
GetExitCodeThread
WaitForMultipleObjects
CreateWaitableTimerExW
ExpandEnvironmentStringsA
LoadLibraryExA
GetStartupInfoW
InitializeSListHead
GetSystemTimeAsFileTime
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
WideCharToMultiByte
GetStartupInfoA
MulDiv
GetVersionExA
GetVersionExW
ReadFile
GetFileSize
CreateFileW
GetDateFormatW
GetTimeFormatW
GetLocalTime
DeleteFileW
CreateThread
OpenThread
VerifyVersionInfoW
VerSetConditionMask
GetModuleHandleExW
CreateEventW
SetEvent
InitializeCriticalSection
GetCommandLineW
GetModuleHandleExA
GetModuleFileNameW
FindResourceExW
LoadResource
SizeofResource
MultiByteToWideChar
RaiseException
lstrcmpiW
LoadLibraryExW
FreeLibrary
IsDebuggerPresent
DebugBreak
GetModuleHandleW
GetProcessHeap
GetCurrentProcessId
DeleteCriticalSection
AcquireSRWLockShared
SetWaitableTimer
ResetEvent
TlsSetValue
LeaveCriticalSection
InitializeCriticalSectionEx
CreateMutexExW
GetProcAddress
HeapAlloc
CreateThreadpoolTimer
ReleaseSRWLockShared
CancelWaitableTimer
QueryPerformanceFrequency
FindClose
SetThreadpoolTimer
CloseHandle
OpenSemaphoreW
WaitForSingleObjectEx
AcquireSRWLockExclusive
CloseThreadpoolTimer
OutputDebugStringW
ReleaseSRWLockExclusive
GetLastError
FormatMessageW
ReleaseMutex
GetCurrentThreadId
WaitForSingleObject
WaitForThreadpoolTimerCallbacks
gdi32
GetDIBColorTable
CreatePalette
FillRgn
CreateDCW
UpdateColors
CreateRectRgn
CreateRectRgnIndirect
DeleteObject
SetRectRgn
GetRgnBox
OffsetRgn
CombineRgn
EqualRgn
SelectPalette
RealizePalette
SelectObject
CreateSolidBrush
PatBlt
GetObjectW
SetBkMode
GetStockObject
SetTextColor
CreateFontIndirectW
GetDeviceCaps
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt
StretchBlt
DeleteDC
SetMapMode
TranslateCharsetInfo
user32
SystemParametersInfoA
GetWindowRect
GetWindowPlacement
SetFocus
IntersectRect
SetWindowPos
PeekMessageW
MsgWaitForMultipleObjectsEx
LoadAcceleratorsW
DialogBoxParamW
AllowSetForegroundWindow
MessageBoxW
RegisterClassW
DefDlgProcW
GetClassInfoW
IsRectEmpty
UnregisterClassA
GetDesktopWindow
CopyRect
SetRect
RegisterWindowMessageW
LoadImageW
IsWindow
PostQuitMessage
AppendMenuW
InsertMenuW
CreateMenu
DeleteMenu
GetMenuItemInfoW
GetSystemMenu
ModifyMenuW
SetCursor
LoadCursorW
IsZoomed
GetWindowLongW
SetWindowPlacement
GetClientRect
MoveWindow
ShowWindow
GetClassInfoExW
UnregisterClassW
SetMenuItemInfoW
CheckMenuItem
EnableMenuItem
SetWindowTextW
InvalidateRect
UpdateWindow
SetForegroundWindow
SetWindowLongW
SetWindowRgn
IsWindowVisible
LoadIconW
EqualRect
SendInput
GetTitleBarInfo
GetCursorPos
EnumDisplaySettingsExW
AdjustWindowRectEx
ShowWindowAsync
DestroyIcon
KillTimer
GetMenu
SetTimer
RedrawWindow
IsWindowEnabled
GetDC
ReleaseDC
MapWindowPoints
SendDlgItemMessageW
BeginPaint
DrawIcon
EndPaint
CreateDialogIndirectParamW
GetDlgItemTextW
IsDlgButtonChecked
EnumDisplayMonitors
DrawTextW
GetFocus
GetWindowDC
GetMonitorInfoW
SubtractRect
ScreenToClient
MapDialogRect
GetWindow
DrawIconEx
CheckRadioButton
FillRect
EnumDisplayDevicesW
CharLowerW
LoadStringW
CreateDialogParamW
GetMenuItemCount
MonitorFromWindow
SystemParametersInfoW
InsertMenuItemW
PtInRect
GetKeyboardLayout
SetProcessDPIAware
OffsetRect
GetSystemMetrics
EnableWindow
IsIconic
DefWindowProcW
GetWindowLongPtrW
SetWindowLongPtrW
RegisterClassExW
IsChild
CreateWindowExW
DestroyWindow
SetDlgItemTextW
GetDlgItem
EndDialog
CheckDlgButton
SendMessageW
PostMessageW
PostThreadMessageW
IsDialogMessageW
TranslateAcceleratorW
DispatchMessageW
TranslateMessage
GetMessageW
LockWindowUpdate
CharNextW
CharUpperW
api-ms-win-crt-string-l1-1-0
wcsncmp
wcscspn
wcsnlen
wcscmp
memset
api-ms-win-crt-runtime-l1-1-0
_register_thread_local_exe_atexit_callback
_c_exit
_initterm_e
_initterm
api-ms-win-crt-private-l1-1-0
_o__ltow_s
_o__purecall
_o__recalloc
_o__register_onexit_function
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
_o__wcsicmp
_o__wcslwr
_o__wcsnicmp
_o__wtoi
_o__wtol
_o_bsearch
_o_exit
_o_free
_o_iswdigit
_o_iswspace
_o_malloc
_o_pow
_o_terminate
_o_toupper
_o_towlower
_o_towupper
_o_wcscat_s
_o_wcscpy_s
_o_wcsncat_s
_o_wcsncpy_s
_o_wcstok
_o_wcstok_s
_o_wcstol
_o_wcstombs_s
_o_wcstoul
_o__callnewh
_CxxThrowException
_o___stdio_common_vswscanf
_o___stdio_common_vswprintf
_o___stdio_common_vsprintf
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o__invalid_parameter_noinfo
_o__initialize_onexit_table
_o__initialize_narrow_environment
_o___p__commode
wcschr
wcsstr
wcsrchr
__C_specific_handler
memcmp
memcpy
_o__get_narrow_winmain_command_line
_o__exit
_o__errno
__CxxFrameHandler4
__std_terminate
__CxxFrameHandler3
_o__itow_s
_o__crt_atexit
_o__configure_narrow_argv
_o__configthreadlocale
_o__cexit
memmove
ole32
GetRunningObjectTable
CoUninitialize
CoCreateInstance
StringFromGUID2
CoRegisterClassObject
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CreateItemMoniker
CoCreateGuid
CoRevokeClassObject
OleUninitialize
CLSIDFromString
IIDFromString
CoInitializeEx
OleInitialize
CoInitialize
oleaut32
SysAllocStringByteLen
SysAllocStringLen
VariantClear
VariantInit
SafeArrayDestroy
SafeArrayLock
SafeArrayUnlock
SafeArrayGetUBound
SafeArrayGetLBound
SysStringByteLen
SafeArrayGetVartype
SysStringLen
SafeArrayCreate
LoadTypeLi
SysAllocString
UnRegisterTypeLi
VarUI4FromStr
SysFreeString
VariantChangeType
VarBstrCat
VariantCopy
RegisterTypeLi
shell32
SHGetSpecialFolderLocation
SHGetMalloc
SHGetDesktopFolder
SHGetFileInfoW
ShellExecuteExW
SHAddToRecentDocs
SHGetPathFromIDListW
SHFileOperationW
comctl32
InitCommonControlsEx
ord412
ord410
ImageList_Create
ImageList_ReplaceIcon
ord17
ord413
ImageList_GetImageCount
ImageList_Destroy
ImageList_LoadImageW
comdlg32
GetSaveFileNameW
GetFileTitleW
GetOpenFileNameW
shlwapi
PathFindFileNameW
PathAppendW
PathRemoveFileSpecW
PathStripPathW
StrStrIW
PathFindExtensionW
SHStrDupW
ord388
UrlCombineW
UrlCreateFromPathW
PathCanonicalizeW
crypt32
CertFreeCertificateContext
CryptDecodeObject
CertGetCertificateChain
CertFreeCertificateChain
CertFindExtension
CryptBinaryToStringW
CryptUnprotectData
CryptProtectData
CryptStringToBinaryW
CertDuplicateCertificateContext
CertDuplicateCertificateChain
CertGetCertificateContextProperty
CryptSignMessage
CryptVerifyDetachedMessageSignature
CertCloseStore
CertVerifyCertificateChainPolicy
CryptMsgOpenToDecode
CryptMsgUpdate
CertOpenStore
CryptMsgClose
winhttp
WinHttpCrackUrl
WinHttpSetStatusCallback
WinHttpSetOption
WinHttpSetTimeouts
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpAddRequestHeaders
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpCreateUrl
WinHttpCloseHandle
WinHttpQueryOption
WinHttpSendRequest
WinHttpOpenRequest
WinHttpConnect
WinHttpOpen
WinHttpReadData
credui
CredUnPackAuthenticationBufferW
CredUIParseUserNameW
CredUIPromptForWindowsCredentialsW
CredPackAuthenticationBufferW
secur32
FreeContextBuffer
QuerySecurityPackageInfoW
GetUserNameExW
LsaDeregisterLogonProcess
LsaLookupAuthenticationPackage
LsaConnectUntrusted
cryptui
CryptUIDlgViewCertificateW
ntdll
RtlNtStatusToDosError
RtlVirtualUnwind
RtlCaptureContext
RtlInitString
RtlLookupFunctionEntry
cfgmgr32
CM_Get_DevNode_Registry_PropertyW
CM_Get_Child
CM_Get_Parent
CM_Get_Sibling
wininet
HttpOpenRequestW
InternetConnectW
InternetOpenW
InternetCloseHandle
InternetSetStatusCallbackW
InternetCrackUrlW
HttpSendRequestExW
version
GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW
ws2_32
WSASocketW
WSAIoctl
GetAddrInfoW
FreeAddrInfoW
WSAAddressToStringW
getpeername
accept
recv
WSAStringToAddressW
connect
setsockopt
socket
closesocket
WSAGetLastError
getsockopt
WSAEventSelect
send
select
bind
listen
shutdown
WSASend
WSAStartup
WSARecv
WSACleanup
GetNameInfoW
ntohs
getsockname
GetAddrInfoExW
FreeAddrInfoExW
htons
rpcrt4
RpcBindingSetAuthInfoExW
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcStringFreeW
RpcBindingFree
I_RpcExceptionFilter
NdrClientCall3
netapi32
NetApiBufferFree
NetGetJoinInformation
winmm
timeSetEvent
timeGetTime
timeKillEvent
ktmw32
CreateTransaction
CommitTransaction
iphlpapi
CreateSortedAddressPairs
GetAdaptersAddresses
FreeMibTable
ParseNetworkString
Sections
.text   Size: 1.2MB - Virtual size: 1.2MB   Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  Size: 222KB - Virtual size: 221KB   Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   Size: 4KB - Virtual size: 11KB      Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  Size: 37KB - Virtual size: 36KB     Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat  Size: 512B - Virtual size: 40B      Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   Size: 5KB - Virtual size: 4KB       Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  Size: 11KB - Virtual size: 10KB     Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ