General

Malware Config

Signatures

Files

• 9023247984.zip

  .zip

  Password: infected

• a914ba4dd70904400072bb2d103119dcf49de9528cbc5031a495fe967a9cff43

  .zip
• RuntimeBroker.exe

  .exe windows x64

  d4d98acf3243e0c97c83c6548571a44e

  
  

  Code Sign

  33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66

  Certificate

  Issuer

  CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Not Before

  04-03-2020 18:30

  Not After

  03-03-2021 18:30

  Subject

  CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Extended Key Usages

  ExtKeyUsageCodeSigning

  61:07:76:56:00:00:00:00:00:08

  Certificate

  Issuer

  CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Not Before

  19-10-2011 18:41

  Not After

  19-10-2026 18:51

  Subject

  CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  Key Usages

  KeyUsageDigitalSignature

  KeyUsageCertSign

  KeyUsageCRLSign

  59:e6:61:76:a1:3d:05:37:e6:df:32:1b:ee:2b:bd:20:5d:95:84:94:f6:2b:3b:5d:56:14:04:d7:51:3c:f4:d1

  Signer

  Actual PE Digest

  59:e6:61:76:a1:3d:05:37:e6:df:32:1b:ee:2b:bd:20:5d:95:84:94:f6:2b:3b:5d:56:14:04:d7:51:3c:f4:d1

  Digest Algorithm

  sha256

  PE Digest Matches

  true

  Signature Validations

  Trusted

  false

  Verification

  Signing Certificate

  CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

  02-02-2023 17:54

  Valid: false

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  IMAGE_DLLCHARACTERISTICS_GUARD_CF

  IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  Imports

  api-ms-win-crt-runtime-l1-1-0

  _register_thread_local_exe_atexit_callback

  _c_exit

  _initterm_e

  _initterm

  api-ms-win-crt-private-l1-1-0

  _o__get_wide_winmain_command_line

  _o__initialize_onexit_table

  _o__initialize_wide_environment

  _o__invalid_parameter_noinfo

  _o__purecall

  _o__register_onexit_function

  _o__resetstkoflw

  _o__seh_filter_exe

  _o__set_app_type

  _o__set_fmode

  _o__set_new_mode

  memmove

  _o__exit

  _o_exit

  _o_terminate

  __C_specific_handler

  __CxxFrameHandler3

  _o___stdio_common_vswprintf

  _o__crt_atexit

  _o__configure_wide_argv

  _o__configthreadlocale

  _o__errno

  _o__cexit

  memcmp

  _o___p__commode

  memcpy

  api-ms-win-crt-string-l1-1-0

  wcsncmp

  memset

  ntdll

  EtwTraceMessage

  RtlVirtualUnwind

  RtlLookupFunctionEntry

  RtlCaptureContext

  RtlNtStatusToDosError

  RtlEqualSid

  RtlIsMultiSessionSku

  RtlQueryPackageClaims

  RtlQueryPackageIdentity

  EtwEventRegister

  EtwEventUnregister

  EtwEventWriteTransfer

  EtwEventSetInformation

  api-ms-win-security-base-l1-1-0

  GetKernelObjectSecurity

  PrivilegeCheck

  AccessCheckByType

  GetTokenInformation

  GetLengthSid

  CreateWellKnownSid

  CopySid

  MapGenericMask

  AccessCheck

  api-ms-win-core-com-l1-1-0

  CoTaskMemAlloc

  CoReleaseServerProcess

  CoAddRefServerProcess

  CoCreateInstance

  CoCreateFreeThreadedMarshaler

  CoFreeUnusedLibrariesEx

  CoTaskMemFree

  CoImpersonateClient

  CoRegisterClassObject

  CoGetCallContext

  CoRevokeClassObject

  CoResumeClassObjects

  CoInitializeEx

  CoDecrementMTAUsage

  CoRevertToSelf

  CoInitializeSecurity

  CoIncrementMTAUsage

  api-ms-win-core-libraryloader-l1-2-0

  GetModuleFileNameA

  GetProcAddress

  GetModuleHandleExW

  GetModuleHandleW

  api-ms-win-power-setting-l1-1-0

  PowerSettingUnregisterNotification

  PowerSettingRegisterNotification

  api-ms-win-core-synch-l1-2-0

  InitOnceExecuteOnce

  InitOnceBeginInitialize

  InitOnceComplete

  api-ms-win-core-registry-l1-1-0

  RegCloseKey

  RegOpenKeyExW

  RegQueryValueExW

  api-ms-win-core-synch-l1-1-0

  ReleaseMutex

  CreateEventW

  InitializeCriticalSectionEx

  AcquireSRWLockShared

  LeaveCriticalSection

  CreateMutexExW

  SetEvent

  OpenSemaphoreW

  ReleaseSRWLockShared

  AcquireSRWLockExclusive

  DeleteCriticalSection

  WaitForSingleObjectEx

  WaitForSingleObject

  ReleaseSemaphore

  CreateSemaphoreExW

  EnterCriticalSection

  ReleaseSRWLockExclusive

  api-ms-win-core-winrt-error-l1-1-0

  RoGetErrorReportingFlags

  RoOriginateError

  RoOriginateErrorW

  RoSetErrorReportingFlags

  api-ms-win-core-heap-l1-1-0

  GetProcessHeap

  HeapAlloc

  HeapSetInformation

  HeapFree

  api-ms-win-core-errorhandling-l1-1-0

  RaiseException

  UnhandledExceptionFilter

  SetUnhandledExceptionFilter

  SetLastError

  GetLastError

  SetErrorMode

  api-ms-win-core-winrt-string-l1-1-0

  WindowsDeleteString

  WindowsCreateStringReference

  WindowsCreateString

  WindowsGetStringRawBuffer

  api-ms-win-core-processthreads-l1-1-0

  OpenThreadToken

  GetStartupInfoW

  TerminateProcess

  SetThreadStackGuarantee

  GetCurrentProcessId

  SetProcessShutdownParameters

  GetCurrentThreadId

  GetCurrentProcess

  GetCurrentThread

  rpcrt4

  UuidEqual

  api-ms-win-core-synch-l1-2-1

  WaitForMultipleObjects

  api-ms-win-eventing-provider-l1-1-0

  EventWriteTransfer

  EventUnregister

  EventRegister

  EventSetInformation

  api-ms-win-core-processthreads-l1-1-1

  SetProcessMitigationPolicy

  IsProcessorFeaturePresent

  GetProcessMitigationPolicy

  api-ms-win-core-winrt-l1-1-0

  RoGetActivationFactory

  RoActivateInstance

  api-ms-win-core-threadpool-l1-2-0

  WaitForThreadpoolTimerCallbacks

  CloseThreadpoolTimer

  CreateThreadpoolTimer

  SetThreadpoolTimer

  api-ms-win-core-localization-l1-2-0

  FormatMessageW

  api-ms-win-core-debug-l1-1-0

  OutputDebugStringW

  IsDebuggerPresent

  DebugBreak

  api-ms-win-core-handle-l1-1-0

  CloseHandle

  api-ms-win-core-heap-l2-1-0

  LocalFree

  api-ms-win-core-psapi-l1-1-0

  QueryFullProcessImageNameW

  api-ms-win-core-profile-l1-1-0

  QueryPerformanceCounter

  api-ms-win-core-sysinfo-l1-1-0

  GetSystemInfo

  GetSystemTimeAsFileTime

  api-ms-win-core-interlocked-l1-1-0

  InitializeSListHead

  combase

  ord69

  ord99

  ord153

  api-ms-win-security-lsalookup-l1-1-0

  LsaLookupFreeMemory

  LsaLookupClose

  LsaLookupOpenLocalPolicy

  LsaLookupGetDomainInfo

  api-ms-win-appmodel-runtime-l1-1-1

  GetApplicationUserModelIdFromToken

  api-ms-win-core-apiquery-l1-1-0

  ApiSetQueryApiSetPresence

  rmclient

  HamCloseActivity

  api-ms-win-core-memory-l1-1-0

  VirtualAlloc

  VirtualProtect

  VirtualQuery

  Sections

  .text

  Size: 58KB - Virtual size: 58KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .imrsiv

  Size: - Virtual size: 4B

  IMAGE_SCN_CNT_UNINITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .rdata

  Size: 23KB - Virtual size: 22KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 512B - Virtual size: 3KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .pdata

  Size: 5KB - Virtual size: 5KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 2KB - Virtual size: 2KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 344B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

• info.txt
• umpdc.dll

  .dll windows x64

  
  

  Headers

  DLL Characteristics

  IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA

  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

  IMAGE_DLLCHARACTERISTICS_NX_COMPAT

  File Characteristics

  IMAGE_FILE_EXECUTABLE_IMAGE

  IMAGE_FILE_LARGE_ADDRESS_AWARE

  Exports

  Exports

  PdcAcquireRwLockExclusive

  PdcActivationClientActivityRequest

  PdcActivationClientRegister

  PdcActivationClientUnregister

  PdcAllocate

  PdcFree

  PdcNotificationClientAcknowledge

  PdcNotificationClientRegister

  PdcNotificationClientUnregister

  PdcPortClose

  PdcPortOpen

  PdcPortSendMessage

  PdcPortSendMessageSynchronously

  PdcPpmProfileClientRegister

  PdcPpmProfileClientUnregister

  PdcPpmProfileDisable

  PdcPpmProfileEnable

  PdcReleaseRwLockExclusive

  PdcResiliencyClientAcknowledge

  PdcResiliencyClientRegister

  PdcResiliencyClientUnregister

  PdcRwLockInitialize

  PdcSignalClientPulse

  PdcSignalClientRegister

  PdcSignalClientSetActive

  PdcSignalClientUnregister

  PdcSleep

  PdcTaskClientRegister

  PdcTaskClientRequest

  PdcTaskClientUnregister

  Pdcv2ActivationClientActivate

  Pdcv2ActivationClientDeactivate

  Pdcv2ActivationClientRegister

  Pdcv2ActivationClientRenewActivation

  Pdcv2ActivationClientSetBrokeredProcessId

  Pdcv2ActivationClientUnregister

  SleepstudyHelperBlockerActiveDereference

  SleepstudyHelperBlockerActiveReference

  SleepstudyHelperBuildBlocker

  SleepstudyHelperCreateBlockerFromGuid

  SleepstudyHelperCreateLibrary

  SleepstudyHelperDestroyBlocker

  SleepstudyHelperDestroyBlockerBuilder

  SleepstudyHelperDestroyLibrary

  SleepstudyHelperGetBlockerGuid

  SleepstudyHelperSetBlockerFriendlyName

  SleepstudyHelperSetBlockerParentHandle

  SleepstudyHelperSetBlockerVisible

  Sections

  .text

  Size: 379KB - Virtual size: 379KB

  IMAGE_SCN_CNT_CODE

  IMAGE_SCN_MEM_EXECUTE

  IMAGE_SCN_MEM_READ

  .rdata

  Size: 3KB - Virtual size: 2KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .data

  Size: 512B - Virtual size: 40B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  IMAGE_SCN_MEM_WRITE

  .pdata

  Size: 2KB - Virtual size: 1KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .rsrc

  Size: 512B - Virtual size: 480B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ

  .reloc

  Size: 512B - Virtual size: 12B

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_DISCARDABLE

  IMAGE_SCN_MEM_READ

  .rdata2

  Size: 4KB - Virtual size: 4KB

  IMAGE_SCN_CNT_INITIALIZED_DATA

  IMAGE_SCN_MEM_READ