win32k[.]ex_ | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

win32k.ex_
Size

262KB
MD5

07458acb129ef3ef233d284361b4e158
SHA1

e46b46400d8af345bad009fd0b100e1d6a6ae13a
SHA256

8088f08a5636cec3bf8b9f05b6ca2d0b21a76a56199d6ccd1777a6f6a7b9fdde
SHA512

116609f09bc694d3205f989d1c6228b4ab773fd2afd1f22149432d7c2ff20be60dd871aaa6ea51f05f690e31946de8d3b3cde23919ec81f060a1ca812282e08c
SSDEEP

3072:4fdCm94F6x59KscGxM3CqA+EGbiXBm2jVAMhCxbCK6YCX4Vc9ZgPvO8Rc9JiZgA4:K1fx5Ysw3C7+EhRmZMQHbwTgPW0wiP

Score

N/A

Malware Config

Signatures

Files

win32k.ex_
.dll windows x64

8d7e3e41cd993d5a41f4e96d6076c4f7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

iphlpapi

GetAdaptersAddresses

wininet

InternetConnectA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFile
InternetWriteFile
InternetSetOptionW
HttpQueryInfoW
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
InternetOpenA
HttpEndRequestW
InternetCloseHandle
InternetGetConnectedState
InternetOpenUrlA
InternetQueryOptionW

ws2_32

WSAConnect
htons
select
WSACreateEvent
closesocket
WSAWaitForMultipleEvents
WSASend
WSASocketW
inet_addr
WSAStartup
WSACloseEvent
socket
getsockname
WSAEnumNetworkEvents
WSARecv
GetAddrInfoW
FreeAddrInfoW
WSASetLastError
WSAGetOverlappedResult
bind
recvfrom
sendto
connect
shutdown
ntohs
WSAEventSelect
WSAGetLastError

shlwapi

StrToIntA
StrTrimA
StrStrIA
StrToIntW
StrStrIW
StrStrA

advapi32

OpenProcessToken
RegEnumKeyExW
RegOpenKeyW
QueryServiceConfigW
ControlService
FreeSid
ConvertStringSecurityDescriptorToSecurityDescriptorW
EnumServicesStatusW
AllocateAndInitializeSid
DuplicateTokenEx
CreateProcessAsUserW
OpenServiceW
LogonUserW
OpenSCManagerW
DeleteService
CloseServiceHandle
CryptHashData
RegSetValueExW
RegCloseKey
AdjustTokenPrivileges
CryptDestroyHash
RegOpenKeyExW
CryptCreateHash
LookupAccountSidW
LookupPrivilegeValueW
RegQueryValueExW
CryptReleaseContext
RegCreateKeyExW
GetTokenInformation
CryptAcquireContextW
CryptGetHashParam

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock
LoadUserProfileW

bcrypt

BCryptOpenAlgorithmProvider
BCryptDestroyHash
BCryptHashData
BCryptFinishHash
BCryptVerifySignature
BCryptCloseAlgorithmProvider
BCryptImportKeyPair
BCryptDestroyKey
BCryptCreateHash
BCryptGetProperty

netapi32

NetApiBufferFree
NetUserDel
NetUserEnum

kernel32

GetSystemInfo
GlobalMemoryStatusEx
LockResource
GetLocalTime
VirtualAlloc
GetProcAddress
OpenMutexW
lstrlenW
CreateFileW
ReadFile
lstrcmpiW
CreateToolhelp32Snapshot
GetCurrentProcessId
TerminateThread
SetLastError
HeapReAlloc
HeapAlloc
HeapFree
HeapDestroy
HeapCreate
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
FlushFileBuffers
lstrcpyW
CreateDirectoryW
lstrcmpW
Process32FirstW
Process32NextW
GetWindowsDirectoryW
DeleteFileW
GetComputerNameA
GetExitCodeProcess
GetTempFileNameW
CreateMutexW
GetTempPathW
MoveFileW
GetExitCodeThread
MapViewOfFile
UnmapViewOfFile
CreateRemoteThread
FlushInstructionCache
IsWow64Process
CreateFileMappingW
TerminateProcess
GetVersionExW
SizeofResource
WideCharToMultiByte
OpenProcess
WriteFile
VirtualFree
GetModuleHandleW
GetComputerNameW
QueryPerformanceCounter
GetCurrentProcess
SystemTimeToFileTime
FindResourceW
GetFileSize
GetLastError
SetEvent
GetTickCount
Sleep
CreateEventA
CloseHandle
CreateThread
lstrcpyA
lstrlenA
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
SetThreadPriority
ResetEvent
CreateEventW
TryEnterCriticalSection
MultiByteToWideChar
lstrcmpA
WaitForSingleObject
LoadResource

user32

GetWindowLongW
wsprintfW
wsprintfA
EnumChildWindows
FindWindowW
GetWindowInfo
GetParent
PostMessageW
SetActiveWindow
UpdateWindow
SendMessageW

shell32

SHGetFolderPathW
SHFileOperationW
ShellExecuteW

ntdll

memcpy
__chkstk

Sections

.text
Size: 97KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 132KB - Virtual size: 131KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 228B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8d7e3e41cd993d5a41f4e96d6076c4f7

Headers

DLL Characteristics

File Characteristics

Imports

iphlpapi

wininet

ws2_32

shlwapi

advapi32

userenv

bcrypt

netapi32

kernel32

user32

shell32

ntdll

Sections

.text Size: 97KB - Virtual size: 97KB

.rdata Size: 22KB - Virtual size: 21KB

.data Size: 512B - Virtual size: 11KB

.pdata Size: 9KB - Virtual size: 8KB

.rsrc Size: 132KB - Virtual size: 131KB

.reloc Size: 512B - Virtual size: 228B

.text
Size: 97KB - Virtual size: 97KB

.rdata
Size: 22KB - Virtual size: 21KB

.data
Size: 512B - Virtual size: 11KB

.pdata
Size: 9KB - Virtual size: 8KB

.rsrc
Size: 132KB - Virtual size: 131KB

.reloc
Size: 512B - Virtual size: 228B