diskshadow[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

diskshadow.exe
Size

300KB
MD5

013aece2fcfe8b3e3570194111930466
SHA1

1d723d27eb1f6e9ddc00e0dc3c191256815e1190
SHA256

3c294111310c83e5dd8df705b94d9d63b5521f9d5330facbf6a9d9af3a440f6a
SHA512

e2b25aa846f285d54939af8354192a1f5642e99073199bdcd5477a2dee14ab0f33f72016b0ea519bdcc2f694dd6b314a8c66f07199b0d23442e77ef51519763c
SSDEEP

6144:N4ZpwRQRaHHMh04FCEoiNMNeNhU3hrWhMi+4E:N4ZSKsHHkuGMNeX2TeE

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
diskshadow.exe

Files

diskshadow.exe
.exe windows x86

836811311ea3d11b5483093d01e3d7ee

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

ExpandEnvironmentStringsW
GetFullPathNameW
WideCharToMultiByte
MultiByteToWideChar
SetEnvironmentVariableW
GetFileSize
ReadFile
GetComputerNameW
CreateFileA
SetFilePointer
DeleteFileA
GetTempPathA
GetTempFileNameA
GetFileInformationByHandle
FileTimeToDosDateTime
GetFileAttributesA
GetDateFormatW
LocalAlloc
WaitForSingleObject
CreateProcessW
GetExitCodeProcess
SetThreadUILanguage
SetConsoleCtrlHandler
GetStdHandle
GetConsoleMode
WriteConsoleW
GetConsoleOutputCP
GetTempFileNameW
FileTimeToSystemTime
FileTimeToLocalFileTime
GetVolumePathNamesForVolumeNameW
LoadLibraryExW
FreeLibrary
GetCurrentThread
GetCommandLineW
FindNextFileW
FindFirstFileW
GetFileAttributesW
GetVolumePathNameW
FindClose
GetVolumeNameForVolumeMountPointW
GetFileAttributesExW
GlobalFree
WriteFile
CreateFileW
CloseHandle
GetLastError
DeviceIoControl
GetTimeFormatW
GetFileType
GetThreadLocale
FormatMessageW
GetTempPathW
LocalFree

msvcrt

setvbuf
setlocale
exit
mbstowcs_s
_callnewh
wcscspn
??0exception@@QAE@XZ
memcmp
_except_handler4_common
_controlfp
wcstok
??1type_info@@UAE@XZ
?terminate@@YAXXZ
_onexit
__dllonexit
??0exception@@QAE@ABV0@@Z
__setusermatherr
__p__fmode
_cexit
_exit
__set_app_type
__wgetmainargs
_amsg_exit
__p__commode
_XcptFilter
wcsspn
wcschr
malloc
_wtoi
wcsftime
localtime
time
_wcsnicmp
realloc
free
wcsncmp
iswalpha
wcspbrk
_wcsicmp
_vsnwprintf
__iob_func
_vsnprintf
_unlock
_purecall
_lock
memmove
__CxxFrameHandler3
memcpy
??0exception@@QAE@ABQBD@Z
_CxxThrowException
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
_initterm
memset

atl

ord30

oleaut32

SysFreeString
GetErrorInfo
SysAllocString
VariantClear

api-ms-win-core-com-l1-1-0

CoInitializeSecurity
CoCreateInstance
CoTaskMemRealloc
CoTaskMemAlloc
CoInitializeEx
CoUninitialize
CLSIDFromString
CoTaskMemFree

rpcrt4

UuidToStringW
RpcStringFreeW

cabinet

ord10
ord14
ord13
ord11

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
InitializeCriticalSectionEx
EnterCriticalSection
DeleteCriticalSection

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
GetCurrentProcess
TerminateProcess
GetCurrentThreadId

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
LoadStringW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

setupapi

SetupIterateCabinetW

vssapi

ShouldBlockRevertInternal
CreateVssBackupComponentsInternal
VssFreeSnapshotPropertiesInternal

winbrand

BrandingFormatString

vsstrace

ord7
ord1
ord4
ord11
ord5
ord9
ord8
ord6
ord10
ord3
ord2

advapi32

OpenProcessToken
GetTokenInformation
ReportEventW
RegisterEventSourceW
OpenThreadToken
ConvertSidToStringSidW
DeregisterEventSource

api-ms-win-security-lsalookup-l1-1-0

LookupAccountSidLocalW

Sections

.text
Size: 277KB - Virtual size: 276KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

836811311ea3d11b5483093d01e3d7ee

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

msvcrt

atl

oleaut32

api-ms-win-core-com-l1-1-0

rpcrt4

cabinet

api-ms-win-core-synch-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

setupapi

vssapi

winbrand

vsstrace

advapi32

api-ms-win-security-lsalookup-l1-1-0

Sections

.text Size: 277KB - Virtual size: 276KB

.data Size: 512B - Virtual size: 1KB

.idata Size: 5KB - Virtual size: 4KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 14KB - Virtual size: 13KB

.text
Size: 277KB - Virtual size: 276KB

.data
Size: 512B - Virtual size: 1KB

.idata
Size: 5KB - Virtual size: 4KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 14KB - Virtual size: 13KB