2 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

2
Size

487KB
MD5

0f5bb25b185f00f171942ffa09480f75
SHA1

e79c8159003e88ea46197e22a75afe39369a3de7
SHA256

dff7cc9945e7130ac731920cc61fc96d8bd9590c3faed96b50f1b481833e33ea
SHA512

84a1dcb679d6dd2a6a2657ac972a16a44c82499a1884f1d27c9f2fd60111692bea6f3a01ea81e0446e1b1a8defcacfb756495c194fcfb56ecf2f49627e29e162
SSDEEP

6144:rfZUAOJkpY4lcikvaprxxq+8G8CsnlXzZ:Txk+8zVd

Score

1^/10

Malware Config

Signatures

Files

2
.dll windows x64

da57c1f0fa76f550caf2252b4a863180

Code Sign

33:00:00:00:9d:1e:8d:27:ae:b8:f3:d8:38:00:01:00:00:00:9d
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/09/2012, 21:42

Not After

04/03/2013, 21:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:02:8e:42:00:00:00:00:00:1f
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

09/01/2012, 22:25

Not After

09/04/2013, 22:25

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:F528-3777-8A76,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

65:98:c0:82:50:3b:6d:ac:04:79:27:04:ec:de:f4:11:2f:cc:b5:d4
Signer

Actual PE Digest

65:98:c0:82:50:3b:6d:ac:04:79:27:04:ec:de:f4:11:2f:cc:b5:d4

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
ConvertStringSecurityDescriptorToSecurityDescriptorW
StartServiceW
OpenServiceW
OpenSCManagerW
CloseServiceHandle
CredWriteW
RegSetKeySecurity
EventWrite
RegDeleteValueW
OpenProcessToken
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
IsValidSid
LookupAccountNameW
ConvertSidToStringSidW
RegSetValueExW

kernel32

CreateThread
CreateMutexW
WaitForSingleObjectEx
GetCurrentThreadId
ExpandEnvironmentStringsW
FreeLibrary
GetModuleHandleW
GetProcAddress
WideCharToMultiByte
SetLastError
GetExitCodeProcess
DeleteFileW
FindClose
FindFirstFileExW
SetFileAttributesW
SetFilePointerEx
ReleaseMutex
OpenMutexW
WaitForMultipleObjects
CreateDirectoryW
GetFileAttributesExW
MultiByteToWideChar
GetVersion
GetFileSizeEx
ReadFile
CreateFileW
GetFileType
GetTempPathW
TerminateProcess
GetExitCodeThread
LocalAlloc
LocalFree
WriteFile
GetSystemTime
FormatMessageW
SystemTimeToTzSpecificLocalTime
GetTimeZoneInformation
FlsSetValue
GetCommandLineA
EncodePointer
DecodePointer
RaiseException
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
HeapFree
HeapAlloc
HeapReAlloc
GetSystemTimeAsFileTime
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
FlsGetValue
FlsFree
FlsAlloc
ExitProcess
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetStartupInfoW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapSetInformation
HeapCreate
HeapDestroy
QueryPerformanceCounter
HeapSize
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LCMapStringW
GetStringTypeW
LoadLibraryW
SetFilePointer
GetConsoleCP
GetConsoleMode
SetStdHandle
WriteConsoleW
FlushFileBuffers
OpenEventW
VirtualAlloc
VirtualQuery
LoadLibraryA
GetTickCount
DisableThreadLibraryCalls
GetModuleFileNameW
GlobalFree
CreateSemaphoreW
ReleaseSemaphore
GetNativeSystemInfo
GetVersionExW
GetCurrentProcessId
Sleep
CreateEventExW
SetEvent
LeaveCriticalSection
EnterCriticalSection
CloseHandle
CompareStringEx
IsWow64Process
GetCurrentProcess
DeleteCriticalSection
InitializeCriticalSectionEx
GetLastError

ole32

StringFromIID
CoTaskMemFree
CoCreateGuid

rpcrt4

RpcBindingFromStringBindingW
RpcBindingFree
RpcStringBindingComposeW
RpcMgmtIsServerListening
RpcStringFreeW
RpcBindingSetAuthInfoW
NdrClientCall2

Exports

Exports

AddOfficeProduct
C2rVersion
ClearPropertyBagValue
Configure
ConfigureFromXmlFile
ConnectToServer
EnsureConnection
EnsureDir
EnsureFile
EnsureResource
GetConfiguration
GetFileDiskRanges
GetFileMemRanges
GetInstalledProducts
GetPackageKey
GetPackageRoot
GetPipeLineStats
GetProperty
GetStatusValue
GetTaskState
GetTotalProgress
GetUpdateStatus
HandleError
HandleErrorEx
HandleLoadBitmapA
HandleLoadBitmapW
HandleLoadCursorA
HandleLoadCursorW
HandleLoadIconA
HandleLoadIconW
HandleLoadImageA
HandleLoadImageW
HandleLoadResource
HandleScheduledHeartbeat
HandleStreamFault
HrApplyUpdatesNow
HrBeginUpdatesDiscoveryPeriod
HrDownloadUpdatesNow
HrGetAreUpdatesEnabled
HrGetAreUpdatesFromAdminSource
HrGetAreUpdatesReadyForDownload
HrGetAreUpdatesReadyToApply
HrGetTaskStateText
HrRefreshState
HrSetAreUpdatesEnabled
HrSetAreUpdatesFromAdminSource
InstallProduct
InstallProducts
InstallProofOfPurchase
IsClick2Run
IsOSPPReady
IsRecording
IsRepairRequired
IsRoaming
IsStreaming
Launch
LicenseRepair
LoadFile
LoadMemory
LoadRange
MarkFinalIntegrateComplete
MigrateOSPPToSPP
RecordDataFault
RecordStreamFaultTime
RemoveProduct
RemoveProducts
Repair
RunMode
SaveRecording
ScheduleMode
SetEnsureResourceA
SetEnsureResourceW
SetPropertyBagToken
ShutDownServer
StartFB
StartProgressAgent
StartScenario
StreamFault
UninstallProofOfPurchase
WaitFB

Sections

.text
Size: 277KB - Virtual size: 277KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 159KB - Virtual size: 159KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: - Virtual size: 9B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

da57c1f0fa76f550caf2252b4a863180

Code Sign

33:00:00:00:9d:1e:8d:27:ae:b8:f3:d8:38:00:01:00:00:00:9dCertificate

Extended Key Usages

61:02:8e:42:00:00:00:00:00:1fCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

65:98:c0:82:50:3b:6d:ac:04:79:27:04:ec:de:f4:11:2f:cc:b5:d4Signer

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

ole32

rpcrt4

Exports

Exports

Sections

.text Size: 277KB - Virtual size: 277KB

.rdata Size: 159KB - Virtual size: 159KB

.data Size: 20KB - Virtual size: 30KB

.pdata Size: 20KB - Virtual size: 20KB

.tls Size: - Virtual size: 9B

.reloc Size: 2KB - Virtual size: 1KB

33:00:00:00:9d:1e:8d:27:ae:b8:f3:d8:38:00:01:00:00:00:9d
Certificate

61:02:8e:42:00:00:00:00:00:1f
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

65:98:c0:82:50:3b:6d:ac:04:79:27:04:ec:de:f4:11:2f:cc:b5:d4
Signer

.text
Size: 277KB - Virtual size: 277KB

.rdata
Size: 159KB - Virtual size: 159KB

.data
Size: 20KB - Virtual size: 30KB

.pdata
Size: 20KB - Virtual size: 20KB

.tls
Size: - Virtual size: 9B

.reloc
Size: 2KB - Virtual size: 1KB