ntdll[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

ntdll.dll
Size

2.1MB
MD5

43f5e64b134cbf99f9ebd7358aeffe10
SHA1

9a5822978003fc507c98b967e91fd247abf0ca1b
SHA256

b334efff70eee9f55d8663ce7a8db4b0b7396b6ad70591694c798544bb4e709c
SHA512

50e57cdc78a8d313246bcc1f8792520242a014f11bd0db8e2baf106d4d2a1de00f14d81d0e92ce9147d0e314d327015d4fb53c5dda73991fe5d645be6a060c96
SSDEEP

24576:I6Fk5NEWMkLnvWvtFn0WhPb5s3j83rOGBxJI4IpAUh4h3aXuIP619Rf:I55xfuVecPbWI3G9pAUh4hKXgt

Score

1^/10

Malware Config

Signatures

Files

ntdll.dll
.dll windows x64

Code Sign

33:00:00:03:81:a4:c7:63:e7:ad:c5:b4:ee:00:00:00:00:03:81
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

10-03-2022 19:24

Not After

08-03-2023 19:24

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

de:f7:99:12:70:62:12:1a:ec:7a:aa:de:93:e9:75:60:fc:ca:e3:67:91:4a:08:ad:ae:e9:52:64:6f:41:c1:e4
Signer

Actual PE Digest

de:f7:99:12:70:62:12:1a:ec:7a:aa:de:93:e9:75:60:fc:ca:e3:67:91:4a:08:ad:ae:e9:52:64:6f:41:c1:e4

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

03-05-2023 12:03
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Exports

Exports

A_SHAFinal
A_SHAInit
A_SHAUpdate
AlpcAdjustCompletionListConcurrencyCount
AlpcFreeCompletionListMessage
AlpcGetCompletionListLastMessageInformation
AlpcGetCompletionListMessageAttributes
AlpcGetHeaderSize
AlpcGetMessageAttribute
AlpcGetMessageFromCompletionList
AlpcGetOutstandingCompletionListMessageCount
AlpcInitializeMessageAttribute
AlpcMaxAllowedMessageLength
AlpcRegisterCompletionList
AlpcRegisterCompletionListWorkerThread
AlpcRundownCompletionList
AlpcUnregisterCompletionList
AlpcUnregisterCompletionListWorkerThread
ApiSetQueryApiSetPresence
ApiSetQueryApiSetPresenceEx
CsrAllocateCaptureBuffer
CsrAllocateMessagePointer
CsrCaptureMessageBuffer
CsrCaptureMessageMultiUnicodeStringsInPlace
CsrCaptureMessageString
CsrCaptureTimeout
CsrClientCallServer
CsrClientConnectToServer
CsrFreeCaptureBuffer
CsrGetProcessId
CsrIdentifyAlertableThread
CsrSetPriorityClass
CsrVerifyRegion
DbgBreakPoint
DbgPrint
DbgPrintEx
DbgPrintReturnControlC
DbgPrompt
DbgQueryDebugFilterState
DbgSetDebugFilterState
DbgUiConnectToDbg
DbgUiContinue
DbgUiConvertStateChangeStructure
DbgUiConvertStateChangeStructureEx
DbgUiDebugActiveProcess
DbgUiGetThreadDebugObject
DbgUiIssueRemoteBreakin
DbgUiRemoteBreakin
DbgUiSetThreadDebugObject
DbgUiStopDebugging
DbgUiWaitStateChange
DbgUserBreakPoint
EtwCheckCoverage
EtwCreateTraceInstanceId
EtwDeliverDataBlock
EtwEnumerateProcessRegGuids
EtwEventActivityIdControl
EtwEventEnabled
EtwEventProviderEnabled
EtwEventRegister
EtwEventSetInformation
EtwEventUnregister
EtwEventWrite
EtwEventWriteEndScenario
EtwEventWriteEx
EtwEventWriteFull
EtwEventWriteNoRegistration
EtwEventWriteStartScenario
EtwEventWriteString
EtwEventWriteTransfer
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwLogTraceEvent
EtwNotificationRegister
EtwNotificationUnregister
EtwProcessPrivateLoggerRequest
EtwRegisterSecurityProvider
EtwRegisterTraceGuidsA
EtwRegisterTraceGuidsW
EtwReplyNotification
EtwSendNotification
EtwSetMark
EtwTraceEventInstance
EtwTraceMessage
EtwTraceMessageVa
EtwUnregisterTraceGuids
EtwWriteUMSecurityEvent
EtwpCreateEtwThread
EtwpGetCpuSpeed
EvtIntReportAuthzEventAndSourceAsync
EvtIntReportEventAndSourceAsync
ExpInterlockedPopEntrySListEnd
ExpInterlockedPopEntrySListFault
ExpInterlockedPopEntrySListResume
KiRaiseUserExceptionDispatcher
KiUserApcDispatcher
KiUserCallbackDispatcher
KiUserExceptionDispatcher
KiUserInvertedFunctionTable
LdrAccessResource
LdrAddDllDirectory
LdrAddLoadAsDataTable
LdrAddRefDll
LdrAppxHandleIntegrityFailure
LdrCallEnclave
LdrControlFlowGuardEnforced
LdrCreateEnclave
LdrDeleteEnclave
LdrDisableThreadCalloutsForDll
LdrEnumResources
LdrEnumerateLoadedModules
LdrFastFailInLoaderCallout
LdrFindEntryForAddress
LdrFindResourceDirectory_U
LdrFindResourceEx_U
LdrFindResource_U
LdrFlushAlternateResourceModules
LdrGetDllDirectory
LdrGetDllFullName
LdrGetDllHandle
LdrGetDllHandleByMapping
LdrGetDllHandleByName
LdrGetDllHandleEx
LdrGetDllPath
LdrGetFailureData
LdrGetFileNameFromLoadAsDataTable
LdrGetKnownDllSectionHandle
LdrGetProcedureAddress
LdrGetProcedureAddressEx
LdrGetProcedureAddressForCaller
LdrHotPatchNotify
LdrInitShimEngineDynamic
LdrInitializeEnclave
LdrInitializeThunk
LdrIsModuleSxsRedirected
LdrLoadAlternateResourceModule
LdrLoadAlternateResourceModuleEx
LdrLoadDll
LdrLoadEnclaveModule
LdrLockLoaderLock
LdrOpenImageFileOptionsKey
LdrProcessInitializationComplete
LdrProcessRelocationBlock
LdrProcessRelocationBlockEx
LdrQueryImageFileExecutionOptions
LdrQueryImageFileExecutionOptionsEx
LdrQueryImageFileKeyOption
LdrQueryModuleServiceTags
LdrQueryOptionalDelayLoadedAPI
LdrQueryProcessModuleInformation
LdrRegisterDllNotification
LdrRemoveDllDirectory
LdrRemoveLoadAsDataTable
LdrResFindResource
LdrResFindResourceDirectory
LdrResGetRCConfig
LdrResRelease
LdrResSearchResource
LdrResolveDelayLoadedAPI
LdrResolveDelayLoadsFromDll
LdrRscIsTypeExist
LdrSetAppCompatDllRedirectionCallback
LdrSetDefaultDllDirectories
LdrSetDllDirectory
LdrSetDllManifestProber
LdrSetImplicitPathOptions
LdrSetMUICacheType
LdrShutdownProcess
LdrShutdownThread
LdrStandardizeSystemPath
LdrSystemDllInitBlock
LdrUnloadAlternateResourceModule
LdrUnloadAlternateResourceModuleEx
LdrUnloadDll
LdrUnlockLoaderLock
LdrUnregisterDllNotification
LdrUpdatePackageSearchPath
LdrVerifyImageMatchesChecksum
LdrVerifyImageMatchesChecksumEx
LdrpResGetMappingSize
LdrpResGetResourceDirectory
MD4Final
MD4Init
MD4Update
MD5Final
MD5Init
MD5Update
MicrosoftTelemetryAssertTriggeredUM
NlsAnsiCodePage
NlsMbCodePageTag
NlsMbOemCodePageTag
NtAcceptConnectPort
NtAccessCheck
NtAccessCheckAndAuditAlarm
NtAccessCheckByType
NtAccessCheckByTypeAndAuditAlarm
NtAccessCheckByTypeResultList
NtAccessCheckByTypeResultListAndAuditAlarm
NtAccessCheckByTypeResultListAndAuditAlarmByHandle
NtAcquireCrossVmMutant
NtAcquireProcessActivityReference
NtAddAtom
NtAddAtomEx
NtAddBootEntry
NtAddDriverEntry
NtAdjustGroupsToken
NtAdjustPrivilegesToken
NtAdjustTokenClaimsAndDeviceGroups
NtAlertResumeThread
NtAlertThread
NtAlertThreadByThreadId
NtAllocateLocallyUniqueId
NtAllocateReserveObject
NtAllocateUserPhysicalPages
NtAllocateUserPhysicalPagesEx
NtAllocateUuids
NtAllocateVirtualMemory
NtAllocateVirtualMemoryEx
NtAlpcAcceptConnectPort
NtAlpcCancelMessage
NtAlpcConnectPort
NtAlpcConnectPortEx
NtAlpcCreatePort
NtAlpcCreatePortSection
NtAlpcCreateResourceReserve
NtAlpcCreateSectionView
NtAlpcCreateSecurityContext
NtAlpcDeletePortSection
NtAlpcDeleteResourceReserve
NtAlpcDeleteSectionView
NtAlpcDeleteSecurityContext
NtAlpcDisconnectPort
NtAlpcImpersonateClientContainerOfPort
NtAlpcImpersonateClientOfPort
NtAlpcOpenSenderProcess
NtAlpcOpenSenderThread
NtAlpcQueryInformation
NtAlpcQueryInformationMessage
NtAlpcRevokeSecurityContext
NtAlpcSendWaitReceivePort
NtAlpcSetInformation
NtApphelpCacheControl
NtAreMappedFilesTheSame
NtAssignProcessToJobObject
NtAssociateWaitCompletionPacket
NtCallEnclave
NtCallbackReturn
NtCancelIoFile
NtCancelIoFileEx
NtCancelSynchronousIoFile
NtCancelTimer
NtCancelTimer2
NtCancelWaitCompletionPacket
NtChangeProcessState
NtChangeThreadState
NtClearEvent
NtClose
NtCloseObjectAuditAlarm
NtCommitComplete
NtCommitEnlistment
NtCommitRegistryTransaction
NtCommitTransaction
NtCompactKeys
NtCompareObjects
NtCompareSigningLevels
NtCompareTokens
NtCompleteConnectPort
NtCompressKey
NtConnectPort
NtContinue
NtContinueEx
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter
NtCopyFileChunk
NtCreateCpuPartition
NtCreateCrossVmEvent
NtCreateCrossVmMutant
NtCreateDebugObject
NtCreateDirectoryObject
NtCreateDirectoryObjectEx
NtCreateEnclave
NtCreateEnlistment
NtCreateEvent
NtCreateEventPair
NtCreateFile
NtCreateIRTimer
NtCreateIoCompletion
NtCreateIoRing
NtCreateJobObject
NtCreateJobSet
NtCreateKey
NtCreateKeyTransacted
NtCreateKeyedEvent
NtCreateLowBoxToken
NtCreateMailslotFile
NtCreateMutant
NtCreateNamedPipeFile
NtCreatePagingFile
NtCreatePartition
NtCreatePort
NtCreatePrivateNamespace
NtCreateProcess
NtCreateProcessEx
NtCreateProcessStateChange
NtCreateProfile
NtCreateProfileEx
NtCreateRegistryTransaction
NtCreateResourceManager
NtCreateSection
NtCreateSectionEx
NtCreateSemaphore
NtCreateSymbolicLinkObject
NtCreateThread
NtCreateThreadEx
NtCreateThreadStateChange
NtCreateTimer
NtCreateTimer2
NtCreateToken
NtCreateTokenEx
NtCreateTransaction
NtCreateTransactionManager
NtCreateUserProcess
NtCreateWaitCompletionPacket
NtCreateWaitablePort
NtCreateWnfStateName
NtCreateWorkerFactory
NtDebugActiveProcess
NtDebugContinue
NtDelayExecution
NtDeleteAtom
NtDeleteBootEntry
NtDeleteDriverEntry
NtDeleteFile
NtDeleteKey
NtDeleteObjectAuditAlarm
NtDeletePrivateNamespace
NtDeleteValueKey
NtDeleteWnfStateData
NtDeleteWnfStateName
NtDeviceIoControlFile
NtDirectGraphicsCall
NtDisableLastKnownGood
NtDisplayString
NtDrawText
NtDuplicateObject
NtDuplicateToken
NtEnableLastKnownGood
NtEnumerateBootEntries
NtEnumerateDriverEntries
NtEnumerateKey
NtEnumerateSystemEnvironmentValuesEx
NtEnumerateTransactionObject
NtEnumerateValueKey
NtExtendSection
NtFilterBootOption
NtFilterToken
NtFilterTokenEx
NtFindAtom
NtFlushBuffersFile
NtFlushBuffersFileEx
NtFlushInstallUILanguage
NtFlushInstructionCache
NtFlushKey
NtFlushProcessWriteBuffers
NtFlushVirtualMemory
NtFlushWriteBuffer
NtFreeUserPhysicalPages
NtFreeVirtualMemory
NtFreezeRegistry
NtFreezeTransactions
NtFsControlFile
NtGetCachedSigningLevel
NtGetCompleteWnfStateSubscription
NtGetContextThread
NtGetCurrentProcessorNumber
NtGetCurrentProcessorNumberEx
NtGetDevicePowerState
NtGetMUIRegistryInfo
NtGetNextProcess
NtGetNextThread
NtGetNlsSectionPtr
NtGetNotificationResourceManager
NtGetTickCount
NtGetWriteWatch
NtImpersonateAnonymousToken
NtImpersonateClientOfPort
NtImpersonateThread
NtInitializeEnclave
NtInitializeNlsFiles
NtInitializeRegistry
NtInitiatePowerAction
NtIsProcessInJob
NtIsSystemResumeAutomatic
NtIsUILanguageComitted
NtListenPort
NtLoadDriver
NtLoadEnclaveData
NtLoadKey
NtLoadKey2
NtLoadKey3
NtLoadKeyEx
NtLockFile
NtLockProductActivationKeys
NtLockRegistryKey
NtLockVirtualMemory
NtMakePermanentObject
NtMakeTemporaryObject
NtManageHotPatch
NtManagePartition
NtMapCMFModule
NtMapUserPhysicalPages
NtMapUserPhysicalPagesScatter
NtMapViewOfSection
NtMapViewOfSectionEx
NtModifyBootEntry
NtModifyDriverEntry
NtNotifyChangeDirectoryFile
NtNotifyChangeDirectoryFileEx
NtNotifyChangeKey
NtNotifyChangeMultipleKeys
NtNotifyChangeSession
NtOpenCpuPartition
NtOpenDirectoryObject
NtOpenEnlistment
NtOpenEvent
NtOpenEventPair
NtOpenFile
NtOpenIoCompletion
NtOpenJobObject
NtOpenKey
NtOpenKeyEx
NtOpenKeyTransacted
NtOpenKeyTransactedEx
NtOpenKeyedEvent
NtOpenMutant
NtOpenObjectAuditAlarm
NtOpenPartition
NtOpenPrivateNamespace
NtOpenProcess
NtOpenProcessToken
NtOpenProcessTokenEx
NtOpenRegistryTransaction
NtOpenResourceManager
NtOpenSection
NtOpenSemaphore
NtOpenSession
NtOpenSymbolicLinkObject
NtOpenThread
NtOpenThreadToken
NtOpenThreadTokenEx
NtOpenTimer
NtOpenTransaction
NtOpenTransactionManager
NtPlugPlayControl
NtPowerInformation
NtPrePrepareComplete
NtPrePrepareEnlistment
NtPrepareComplete
NtPrepareEnlistment
NtPrivilegeCheck
NtPrivilegeObjectAuditAlarm
NtPrivilegedServiceAuditAlarm
NtPropagationComplete
NtPropagationFailed
NtProtectVirtualMemory
NtPssCaptureVaSpaceBulk
NtPulseEvent
NtQueryAttributesFile
NtQueryAuxiliaryCounterFrequency
NtQueryBootEntryOrder
NtQueryBootOptions
NtQueryDebugFilterState
NtQueryDefaultLocale
NtQueryDefaultUILanguage
NtQueryDirectoryFile
NtQueryDirectoryFileEx
NtQueryDirectoryObject
NtQueryDriverEntryOrder
NtQueryEaFile
NtQueryEvent
NtQueryFullAttributesFile
NtQueryInformationAtom
NtQueryInformationByName
NtQueryInformationCpuPartition
NtQueryInformationEnlistment
NtQueryInformationFile
NtQueryInformationJobObject
NtQueryInformationPort
NtQueryInformationProcess
NtQueryInformationResourceManager
NtQueryInformationThread
NtQueryInformationToken
NtQueryInformationTransaction
NtQueryInformationTransactionManager
NtQueryInformationWorkerFactory
NtQueryInstallUILanguage
NtQueryIntervalProfile
NtQueryIoCompletion
NtQueryIoRingCapabilities
NtQueryKey

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

RT
Size: 4KB - Virtual size: 463B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

fothk
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 308KB - Virtual size: 306KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 60KB - Virtual size: 59KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.mrdata
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.00cfg
Size: 4KB - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 468KB - Virtual size: 465KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Code Sign

33:00:00:03:81:a4:c7:63:e7:ad:c5:b4:ee:00:00:00:00:03:81Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

de:f7:99:12:70:62:12:1a:ec:7a:aa:de:93:e9:75:60:fc:ca:e3:67:91:4a:08:ad:ae:e9:52:64:6f:41:c1:e4Signer

Signature Validations

Verification

03-05-2023 12:03 Valid: false

Headers

DLL Characteristics

File Characteristics

Exports

Exports

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

PAGE Size: 4KB - Virtual size: 1KB

RT Size: 4KB - Virtual size: 463B

fothk Size: 4KB - Virtual size: 4KB

.rdata Size: 308KB - Virtual size: 306KB

.data Size: 16KB - Virtual size: 44KB

.pdata Size: 60KB - Virtual size: 59KB

.mrdata Size: 16KB - Virtual size: 13KB

.00cfg Size: 4KB - Virtual size: 40B

.rsrc Size: 468KB - Virtual size: 465KB

.reloc Size: 4KB - Virtual size: 1KB

33:00:00:03:81:a4:c7:63:e7:ad:c5:b4:ee:00:00:00:00:03:81
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

de:f7:99:12:70:62:12:1a:ec:7a:aa:de:93:e9:75:60:fc:ca:e3:67:91:4a:08:ad:ae:e9:52:64:6f:41:c1:e4
Signer

03-05-2023 12:03
Valid: false

.text
Size: 1.2MB - Virtual size: 1.2MB

PAGE
Size: 4KB - Virtual size: 1KB

RT
Size: 4KB - Virtual size: 463B

fothk
Size: 4KB - Virtual size: 4KB

.rdata
Size: 308KB - Virtual size: 306KB

.data
Size: 16KB - Virtual size: 44KB

.pdata
Size: 60KB - Virtual size: 59KB

.mrdata
Size: 16KB - Virtual size: 13KB

.00cfg
Size: 4KB - Virtual size: 40B

.rsrc
Size: 468KB - Virtual size: 465KB

.reloc
Size: 4KB - Virtual size: 1KB