credwiz[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

credwiz.exe
Size

63KB
MD5

46101caeb970d9f8903da2151f7c95ad
SHA1

d455d08d39f3940e204b600c6d63273c59c43035
SHA256

ad3302ca4d86c5142927bfbb0723da2425b9bf1c2891447253c6e6aa8276f0b3
SHA512

066330947522b092391bca3508aa8ec83e747b5e0a40468026c4889679810c084bfaa902a7013ed8c04532a7eb985d24b1780481da17f16045524f17392305cd
SSDEEP

1536:j9Xxxd1tYDf9fGFnlHmFmgdS5krzLL8vThokpfp0Foyzc1ujshqlE1FEqTWdff80:j9VYDf9fGcdQppIcqshqC1Fj6djtjy

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
credwiz.exe

Files

credwiz.exe
.exe windows x86

c522c040599e6f476c170a0a19155c14

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

GetTokenInformation
DuplicateToken
ImpersonateLoggedOnUser
RevertToSelf
EventUnregister
EventSetInformation
EventRegister
EventWriteTransfer
CredBackupCredentials
CredRestoreCredentials
CredpEncodeSecret
ConvertStringSecurityDescriptorToSecurityDescriptorW

kernel32

GetOverlappedResult
LocalFree
SleepEx
GetTempFileNameW
GetTempPath2W
GetModuleFileNameA
InitOnceBeginInitialize
CreateSemaphoreExW
HeapFree
EnterCriticalSection
ReleaseSemaphore
GetModuleHandleExW
LeaveCriticalSection
InitializeCriticalSectionEx
WaitForThreadpoolTimerCallbacks
GlobalFree
GetCurrentThreadId
ReleaseMutex
ReleaseSRWLockExclusive
HeapSetInformation
CloseThreadpoolTimer
InitOnceComplete
AcquireSRWLockExclusive
WaitForSingleObjectEx
OpenSemaphoreW
SetThreadpoolTimer
ReleaseSRWLockShared
CreateThreadpoolTimer
HeapAlloc
GetProcAddress
CreateMutexExW
AcquireSRWLockShared
DeleteCriticalSection
GetCurrentProcessId
GetProcessHeap
GetModuleHandleW
DebugBreak
IsDebuggerPresent
DeleteFileW
CreateThread
OutputDebugStringW
CloseHandle
GetModuleHandleA
SetEvent
GetLastError
FormatMessageW
CreateEventW
OpenProcess
DuplicateHandle
CreateFileW
LocalAlloc
WaitForMultipleObjects
WriteFile
GetCommandLineW
SetLastError
GetFileSizeEx
CancelIo
ReadFile
WaitForSingleObject

gdi32

CreateFontIndirectW
GetObjectW

user32

EnableWindow
GetParent
GetDlgItem
SetWindowLongW
SetFocus
SendDlgItemMessageW
GetDlgItemTextW
ShowWindow
LoadStringW
SetWindowTextW
SendMessageW
CheckRadioButton
PostMessageW
GetMessageW
GetWindowLongW
PostThreadMessageW
TranslateMessage
DispatchMessageW

msvcrt

__set_app_type
__getmainargs
_amsg_exit
__p__commode
_exit
memmove_s
_purecall
??3@YAXPAX@Z
memcpy_s
wcsncmp
swscanf
exit
_XcptFilter
_cexit
__CxxFrameHandler3
__p__fmode
_ismbblead
memcmp
_controlfp
?terminate@@YAXXZ
_onexit
__dllonexit
_unlock
_lock
_except_handler4_common
_acmdln
_initterm
__setusermatherr
_vsnwprintf
memset

rpcrt4

RpcBindingSetAuthInfoExW
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcAsyncCancelCall
RpcAsyncCompleteCall
I_RpcExceptionFilter
NdrAsyncClientCall2
RpcStringFreeW
RpcBindingFree
RpcAsyncInitializeHandle

crypt32

CryptProtectData
CryptUnprotectData

samcli

NetValidatePasswordPolicy

netutils

NetApiBufferFree

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentProcess
GetStartupInfoW

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

ntdll

NtAdjustPrivilegesToken
TpWaitForWait
RtlNtStatusToDosError
TpAllocWait
NtPrivilegeCheck
NtClose
TpReleaseWait
TpSetWait
NtOpenProcessToken

comctl32

CreatePropertySheetPageW
PropertySheetW

comdlg32

GetSaveFileNameW
GetOpenFileNameW

ole32

CoInitializeEx
CoCreateInstance
CoUninitialize

shell32

CommandLineToArgvW

Sections

.text
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c522c040599e6f476c170a0a19155c14

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

gdi32

user32

msvcrt

rpcrt4

crypt32

samcli

netutils

api-ms-win-core-synch-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

ntdll

comctl32

comdlg32

ole32

shell32

Sections

.text Size: 47KB - Virtual size: 47KB

.data Size: 512B - Virtual size: 4KB

.idata Size: 5KB - Virtual size: 5KB

.rsrc Size: 6KB - Virtual size: 5KB

.reloc Size: 3KB - Virtual size: 2KB

.text
Size: 47KB - Virtual size: 47KB

.data
Size: 512B - Virtual size: 4KB

.idata
Size: 5KB - Virtual size: 5KB

.rsrc
Size: 6KB - Virtual size: 5KB

.reloc
Size: 3KB - Virtual size: 2KB