link[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

link.exe
Size

1.6MB
MD5

dc9b64ee07b46ebfb5b78cedf0aafdc7
SHA1

900953f76c757bf3701e5cd6b857cdf36595ec18
SHA256

0c7cb405822f178ca45359f073de7d0e673720d0865a06224398264a5bfb5426
SHA512

b85ee83a6e20dd7c9045550e227ef0ed185acd7b74c679579d2ca3aed6afe5497866b044dbf5b764721cd803d1f7960177e337287ebf01bf266c21f6d6e6fb93
SSDEEP

49152:+lO9cHhBCgLKtDAVt5tOihlNR5xePj5z+Xvq:IThRLIWRi6y

Score

1^/10

Malware Config

Signatures

Files

link.exe
.exe windows x64

237da3d3e5e7111f0d22ac7b231b9e59

Code Sign

33:00:00:01:52:9b:40:9f:50:56:99:75:88:00:00:00:00:01:52
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:37

Not After

02/05/2020, 21:37

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

08:67:e3:9d:75:ee:0b:09:aa:85:b1:bb:7f:e8:3b:4f:b6:48:63:84:e7:97:c5:1c:4c:7e:fa:37:fc:52:a0:02
Signer

Actual PE Digest

08:67:e3:9d:75:ee:0b:09:aa:85:b1:bb:7f:e8:3b:4f:b6:48:63:84:e7:97:c5:1c:4c:7e:fa:37:fc:52:a0:02

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptGetHashParam
EventWrite
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
EventRegister
EventUnregister
RegGetValueW
RegSetValueExW
RegCreateKeyExW

kernel32

FindResourceExW
LoadResource
ExitProcess
GetFileSizeEx
SetFilePointerEx
WriteFile
MoveFileExW
GetLastError
GetDriveTypeW
ReadFile
CreateFileW
Sleep
CloseHandle
GetFileSize
FlushViewOfFile
UnmapViewOfFile
SetEndOfFile
FlushFileBuffers
LoadLibraryW
GetProcAddress
GetCurrentProcess
CreateFileMappingW
MapViewOfFileEx
SetFilePointer
DeleteFileW
GetTempPathW
GetFileInformationByHandle
LoadLibraryExW
WideCharToMultiByte
GetFullPathNameW
GetACP
lstrcmpiW
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
EnterCriticalSection
GetCurrentThreadId
LeaveCriticalSection
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
SleepConditionVariableSRW
VirtualFree
FreeLibrary
SwitchToThread
FormatMessageW
GetTickCount
QueryPerformanceCounter
QueryPerformanceFrequency
InitializeSListHead
InterlockedFlushSList
CreateThread
ResumeThread
WaitForSingleObject
WakeAllConditionVariable
InterlockedPopEntrySList
InterlockedPushEntrySList
CopyFileW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
DuplicateHandle
GetCurrentThread
WakeConditionVariable
GetEnvironmentVariableW
GetModuleHandleW
EncodePointer
DecodePointer
HeapAlloc
GetProcessHeap
HeapFree
GetUserDefaultUILanguage
FindFirstFileW
FindNextFileW
FindClose
CreateDirectoryW
VirtualQuery
GetSystemInfo
GetEnvironmentStringsW
SetProcessWorkingSetSize
GetCommandLineW
GetExitCodeProcess
CreateProcessW
MapViewOfFile
GetModuleFileNameW
GetFileTime
GetVersion
RaiseFailFastException
SetUnhandledExceptionFilter
SetErrorMode
SetConsoleCtrlHandler
GetCurrentDirectoryW
FreeEnvironmentStringsW
VirtualAlloc
SuspendThread
GetThreadContext
GetCPInfo
MultiByteToWideChar
GetFileType
GetConsoleMode
GetConsoleOutputCP
GetConsoleScreenBufferInfo
SearchPathW
WaitForMultipleObjects
CreateMutexW
ReleaseMutex
CreateEventW
GetTickCount64
SetEvent
ResetEvent
WaitForSingleObjectEx
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
GetCurrentProcessId
GetSystemTimeAsFileTime
IsDebuggerPresent
SetFileTime
GetSystemTime
CreateFileMappingA
SystemTimeToFileTime
FindFirstFileExW
GetFileAttributesExW
AreFileApisANSI
SetLastError
LoadLibraryExA
VirtualProtect
RaiseException

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_exception_destroy
strchr
strrchr
wcschr
__unDName
__unDNameEx
__C_specific_handler
__std_exception_copy
wcsstr
strstr
__current_exception
__current_exception_context
memset
memcpy
_CxxThrowException
__std_terminate
memmove
wcsrchr
memcmp

api-ms-win-crt-convert-l1-1-0

_wcstoui64
_wtoi64
_itoa_s
_ultow_s
atoi
wcstoul
_ultoa_s
atol
_ui64tow_s
strtoul
_itow_s

api-ms-win-crt-runtime-l1-1-0

_get_errno
__doserrno
_errno
_crt_atexit
_invalid_parameter_noinfo_noreturn
exit
_register_onexit_function
_initialize_onexit_table
_set_new_handler
_register_thread_local_exe_atexit_callback
_c_exit
_cexit
__p___wargv
__p___argc
_set_invalid_parameter_handler
_exit
_initterm_e
_initterm
_get_initial_wide_environment
_initialize_wide_environment
_configure_wide_argv
_set_app_type
_seh_filter_exe
terminate
_get_wpgmptr
__p__wpgmptr

api-ms-win-crt-filesystem-l1-1-0

_wstat64i32
_wremove
_wmakepath_s
_wstat64
_wfullpath
_wsplitpath_s
_waccess

api-ms-win-crt-string-l1-1-0

towlower
strncpy
wcscat_s
wcscpy_s
isprint
iswprint
wcstok_s
iswspace
_stricmp
_wcsnicmp
iswdigit
wcsncmp
_strnicmp
wcsncat_s
wcscspn
wcspbrk
strncmp
_wcsicmp
wcsncpy_s
strncpy_s
strlen
toupper
wcsncpy
isxdigit
strcmp
isalnum
_wcsupr_s
wcsnlen
isdigit
iswascii
strcat_s
strcpy_s
wcscmp

api-ms-win-crt-stdio-l1-1-0

fputws
fputwc
fputs
__stdio_common_vswprintf
_wfdopen
__stdio_common_vswprintf_s
getwchar
setvbuf
_set_fmode
__stdio_common_vsprintf_s
__p__commode
__stdio_common_vswscanf
_open_osfhandle
__acrt_iob_func
fflush
__stdio_common_vfprintf
fopen
ftell
fseek
fwrite
fclose
_wfsopen
_filelength
_isatty
__stdio_common_vfwprintf
__stdio_common_vsnprintf_s
fread
__stdio_common_vsscanf
fgetws
__stdio_common_vsnwprintf_s
_fileno
_get_osfhandle

api-ms-win-crt-time-l1-1-0

clock
_wctime64
_time64
_tzset

api-ms-win-crt-environment-l1-1-0

getenv
_wsearchenv_s
_wdupenv_s
_wputenv_s
_wgetenv_s
_wgetcwd

api-ms-win-crt-utility-l1-1-0

qsort_s
bsearch
qsort

api-ms-win-crt-heap-l1-1-0

calloc
free
_set_new_mode
malloc

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
setlocale
___lc_codepage_func

api-ms-win-crt-conio-l1-1-0

__conio_common_vcprintf
_cputws
__conio_common_vcwprintf
_cputs
_putwch

api-ms-win-crt-math-l1-1-0

__setusermatherr
ceilf

psapi

GetProcessMemoryInfo

msvcp140

??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Xbad_function_call@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG0@Z
?setg@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?width@ios_base@std@@QEAA_J_J@Z
?eback@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?is@?$ctype@G@std@@QEBA_NFG@Z
??Bios_base@std@@QEBA_NXZ
?rdbuf@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_streambuf@GU?$char_traits@G@std@@@2@XZ
?snextc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGXZ
?egptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?epptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?sgetc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGXZ
?pptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?gptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?width@ios_base@std@@QEBA_JXZ
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QEAA_N_N@Z
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
??Bid@locale@std@@QEAA_KXZ
?id@?$ctype@G@std@@2V0locale@2@A
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?_Xout_of_range@std@@YAXPEBD@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Xbad_alloc@std@@YAXXZ
?_Getcat@?$ctype@G@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?_Winerror_map@std@@YAHH@Z
?_Winerror_message@std@@YAKKPEADK@Z
?_Execute_once@std@@YAHAEAUonce_flag@1@P6AHPEAX1PEAPEAX@Z1@Z
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z

tbbmalloc

scalable_free
scalable_realloc
scalable_malloc

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 300KB - Virtual size: 300KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 81KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 67KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 77KB - Virtual size: 77KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

237da3d3e5e7111f0d22ac7b231b9e59

Code Sign

33:00:00:01:52:9b:40:9f:50:56:99:75:88:00:00:00:00:01:52Certificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

08:67:e3:9d:75:ee:0b:09:aa:85:b1:bb:7f:e8:3b:4f:b6:48:63:84:e7:97:c5:1c:4c:7e:fa:37:fc:52:a0:02Signer

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

vcruntime140_1

vcruntime140

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-conio-l1-1-0

api-ms-win-crt-math-l1-1-0

psapi

msvcp140

tbbmalloc

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 300KB - Virtual size: 300KB

.data Size: 7KB - Virtual size: 81KB

.pdata Size: 67KB - Virtual size: 67KB

.rsrc Size: 77KB - Virtual size: 77KB

.reloc Size: 4KB - Virtual size: 3KB

33:00:00:01:52:9b:40:9f:50:56:99:75:88:00:00:00:00:01:52
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

08:67:e3:9d:75:ee:0b:09:aa:85:b1:bb:7f:e8:3b:4f:b6:48:63:84:e7:97:c5:1c:4c:7e:fa:37:fc:52:a0:02
Signer

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 300KB - Virtual size: 300KB

.data
Size: 7KB - Virtual size: 81KB

.pdata
Size: 67KB - Virtual size: 67KB

.rsrc
Size: 77KB - Virtual size: 77KB

.reloc
Size: 4KB - Virtual size: 3KB