cipher[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

cipher.exe
Size

39KB
MD5

ec2b2944ab4480e520a8015a0740e684
SHA1

a378ec4828dab685a88b2763db5dce96c3ac20e6
SHA256

0b26b46319ce5332ac61dc2d4767368af0c5fd0475b0b82304ab3ab621952ece
SHA512

a5ea6abce9b77e27de2661773bcdd54fdb5730605273d214299bc0cf2da369fec52aaa6b4b3d160179bc7cd17634ebb514581bfa4fa09259269766decbd18174
SSDEEP

768:3W2atUnmVZln7u0aIORVpIx34pcKmPJoz4joP:3xammR7u3VeOWK5z4j

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
cipher.exe

Files

cipher.exe
.exe windows x86

3709556898beaa4e2b5f857ffa0f54ba

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

EncryptFileW
CryptReleaseContext
RegQueryValueExW
LookupAccountSidW
RemoveUsersFromEncryptedFile
RegOpenKeyExW
QueryUsersOnEncryptedFile
AddUsersToEncryptedFile
AddUsersToEncryptedFileEx
ConvertStringSidToSidW
QueryRecoveryAgentsOnEncryptedFile
EncryptedFileKeyInfo
FlushEfsCache
FreeEncryptionCertificateHashList
EqualSid
CryptAcquireContextW
RegCloseKey
SetUserFileEncryptionKey
FreeEncryptedFileKeyInfo
DecryptFileW
CryptGetUserKey
CryptDestroyKey

kernel32

GetDiskFreeSpaceW
SetConsoleMode
DeviceIoControl
VirtualAlloc
RemoveDirectoryW
SetErrorMode
SetFilePointer
SetEndOfFile
GetProcessHeap
GetVolumePathNameW
CreateFileW
GetFileAttributesW
GetVolumeNameForVolumeMountPointW
GetDiskFreeSpaceExW
ReadConsoleW
CloseHandle
HeapSetInformation
GetCurrentDirectoryW
SetCurrentDirectoryW
FindFirstFileW
GetComputerNameW
GetFullPathNameW
VerifyVersionInfoW
GetTempFileNameW
FindNextVolumeW
lstrcmpW
GetDriveTypeW
FlushFileBuffers
ResolveDelayLoadedAPI
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
DelayLoadFailureHook
QueryPerformanceCounter
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
Sleep
GetVolumeInformationW
QueryDosDeviceW
CreateDirectoryW
FindNextFileW
VirtualFree
SetLastError
FindVolumeClose
FindFirstVolumeW
GetFileType
WideCharToMultiByte
VerSetConditionMask
GetModuleHandleW
LocalFree
GetProcAddress
WriteConsoleW
HeapAlloc
GetLastError
FormatMessageW
GetConsoleMode
WriteFile
GetStdHandle
lstrlenW
HeapFree
FindClose

msvcrt

memcpy
_except_handler4_common
_controlfp
?terminate@@YAXXZ
_initterm
__setusermatherr
__p__fmode
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
__p__commode
_XcptFilter
towupper
_wcsnicmp
_putws
getchar
printf
wcschr
_wcsicmp
_get_osfhandle
_vsnwprintf
__iob_func
fgetws
memset

ntdll

RtlNtStatusToDosError

rpcrt4

RpcStringFreeW
UuidCreate
UuidToStringW

user32

MessageBoxW

ntdsapi

DsBindW
DsUnBindW
DsFreeNameResultW
DsCrackNamesW

crypt32

CertGetEnhancedKeyUsage
CertFreeCertificateContext
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CryptQueryObject
CertCloseStore
PFXExportCertStoreEx
CertFindCertificateInStore
CertOpenStore
CryptStringToBinaryW
CertGetCertificateContextProperty
CryptBinaryToStringW

bcrypt

BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptGenRandom
BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptDestroyKey
BCryptEncrypt

efsutil

EfsUtilGetSmartcardProviderName
EfsUtilCreateSelfSignedCertificate
EfsUtilGetCurrentUserInformation

feclient

EfsClientQueryProtectors
EfsClientFreeProtectorList
EfsClientGetEncryptedFileVersion

dsrole

DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory

Sections

.text
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3709556898beaa4e2b5f857ffa0f54ba

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcrt

ntdll

rpcrt4

user32

ntdsapi

crypt32

bcrypt

efsutil

feclient

dsrole

Sections

.text Size: 28KB - Virtual size: 27KB

.data Size: 512B - Virtual size: 10KB

.idata Size: 5KB - Virtual size: 4KB

.didat Size: 512B - Virtual size: 24B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 28KB - Virtual size: 27KB

.data
Size: 512B - Virtual size: 10KB

.idata
Size: 5KB - Virtual size: 4KB

.didat
Size: 512B - Virtual size: 24B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 1KB