Static task
static1
General
-
Target
powershell.exe
-
Size
480KB
-
MD5
0499440c4b0783266183246e384c6657
-
SHA1
4018d2a1c31763c6a047aae5ad63a3306a732252
-
SHA256
d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd
-
SHA512
06980acb8a7b6a5b6a63da325eb97c3b47d38c19ed9906a4d444c3f7577ca480f98918de4f604aafdd50fc3dd2b3901d5f7e1e5704cdf1c1461ebf77daace6a9
-
SSDEEP
12288:nSLwa34DkVFf1W2KXzJ4pdd3klnnWosPhnzq:nS/35dW2KjJ4Td3kJnbsPhnzq
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource powershell.exe
Files
-
powershell.exe.exe windows x64
342a7fd0a3177ae5549a5eee99f82271
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
msvcrt
_fmode
_commode
_lock
_unlock
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
__dllonexit
_XcptFilter
memmove
memcpy
_onexit
?terminate@@YAXXZ
__CxxFrameHandler3
??1type_info@@UEAA@XZ
memcmp
_wcsicmp
_wcsnicmp
fclose
_wfopen
_itow_s
wcstoul
wcschr
__uncaught_exception
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBQEBD@Z
_callnewh
malloc
wcsncmp
memmove_s
wcsrchr
free
_vsnprintf_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
_purecall
??3@YAXPEAX@Z
memcpy_s
_vsnwprintf
??_V@YAXPEAX@Z
_amsg_exit
__CxxFrameHandler4
memset
atl
ord30
kernel32
LCIDToLocaleName
UnmapViewOfFile
GetVersionExW
GetLocaleInfoW
GetUserDefaultUILanguage
GetLocaleInfoEx
GetSystemDefaultUILanguage
SearchPathW
FindResourceExW
GetTickCount
GetSystemTimeAsFileTime
QueryPerformanceCounter
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
Sleep
IsDebuggerPresent
IsWow64Process
SetConsoleTitleW
DebugBreak
GetFileType
VerifyVersionInfoW
LoadResource
GetModuleHandleW
FreeLibrary
GetStartupInfoW
GetModuleFileNameA
GetProcessHeap
FindFirstFileW
CreateFileMappingW
GetCurrentProcessId
CompareStringW
VerSetConditionMask
CreateSemaphoreExW
HeapFree
SetLastError
EnterCriticalSection
DeleteCriticalSection
GetCurrentProcess
GetStdHandle
ReleaseSemaphore
WriteFile
AcquireSRWLockShared
GetModuleHandleExW
ExpandEnvironmentStringsW
LocalFree
CreateMutexExW
GetProcAddress
MapViewOfFile
SetThreadUILanguage
LoadLibraryExW
GetModuleFileNameW
LeaveCriticalSection
InitializeCriticalSectionEx
WaitForThreadpoolTimerCallbacks
FindClose
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetCurrentThreadId
ReleaseMutex
SetErrorMode
FormatMessageW
WriteConsoleW
OutputDebugStringW
GetLastError
ReleaseSRWLockExclusive
HeapAlloc
CloseThreadpoolTimer
AcquireSRWLockExclusive
WaitForSingleObjectEx
OpenSemaphoreW
CloseHandle
SetThreadpoolTimer
ReleaseSRWLockShared
CreateThreadpoolTimer
oleaut32
SafeArrayPutElement
SysAllocString
SafeArrayCreate
SysStringLen
SysFreeString
VariantClear
advapi32
EventRegister
RegEnumKeyExW
EventSetInformation
RegOpenKeyExW
RegGetValueW
EventUnregister
RegQueryValueExW
RegCloseKey
EventWriteTransfer
ole32
CoInitializeEx
CoInitialize
PropVariantClear
CoTaskMemAlloc
CoUninitialize
CoCreateInstance
user32
LoadStringW
mscoree
CorBindToRuntimeEx
Sections
.text Size: 72KB - Virtual size: 68KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 36KB - Virtual size: 34KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 8KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 352KB - Virtual size: 351KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 4KB - Virtual size: 1000B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ