ncwin[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

ncwin.exe
Size

1.8MB
MD5

b6e0db27c2b3e62db616b0918a5d8ed8
SHA1

66c5afcaad55cedfd8fb6d056c1a34802f52969e
SHA256

1d177ff8ed3a7f17c5e5e4ecebcee3f26f360658bca2e8ad808bd270d1f492de
SHA512

e99600633a28f9812f0a1e631326310429ec6f11ea773c7255544164a135a76910f8325f5eac86551cc97d5f6701640b5f889e3056cc5aa60d00eaf4bdf258db
SSDEEP

49152:XB10saFtVM9UHfj96y/Y0ZRPzQOBzY7Sj:Xb0s59UHfJ6uvZQ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ncwin.exe

Files

ncwin.exe
.exe windows x86

ac615fb1d93576fa3c26077a619c9144

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

WSASocketA
ioctlsocket
getsockname
sendto
getsockopt
WSAStartup
gethostname
ntohl
bind
socket
setsockopt
recvfrom
listen
connect
WSAEventSelect
WSACreateEvent
WSACloseEvent
shutdown
WSAGetLastError
WSASetLastError
getservbyname
getservbyport
gethostbyname
gethostbyaddr
select
recv
ntohs
inet_ntoa
inet_addr
htons
htonl
send
getpeername
closesocket
accept
__WSAFDIsSet

advapi32

CryptAcquireContextA
CryptGenRandom
ReportEventA
RegisterEventSourceA
DeregisterEventSource
CryptReleaseContext

user32

GetDesktopWindow
MessageBoxA
GetUserObjectInformationW
GetProcessWindowStation

gdi32

DeleteObject
GetBitmapBits
CreateDCA
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt
GetDeviceCaps
SelectObject
DeleteDC
GetObjectA

kernel32

EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
GetStringTypeW
ReadConsoleW
RaiseException
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetDriveTypeW
GetDateFormatW
FindClose
GetFileAttributesExW
FlushFileBuffers
FreeEnvironmentStringsW
GetEnvironmentStringsW
CreateFileW
SetFilePointerEx
RtlUnwind
GetTimeFormatW
CompareStringW
LCMapStringW
SetEnvironmentVariableA
HeapSize
CreateSemaphoreW
GetModuleHandleW
GetStartupInfoW
TlsFree
SetEndOfFile
FileTimeToLocalFileTime
GetFileInformationByHandle
GetFullPathNameW
SetCurrentDirectoryW
GetCurrentDirectoryW
GetFullPathNameA
FindFirstFileA
FindFirstFileExW
GetVersion
GetSystemDirectoryA
FreeLibrary
GetProcAddress
LoadLibraryA
GetStdHandle
CreateFileA
ReadFile
WriteFile
CloseHandle
SetHandleInformation
GetLastError
CreatePipe
GetOverlappedResult
ResetEvent
ReleaseMutex
WaitForSingleObject
CreateMutexA
ExitProcess
TerminateProcess
GetExitCodeProcess
CreateThread
CreateProcessA
WaitForMultipleObjects
CreateNamedPipeA
GetModuleFileNameA
GetModuleHandleA
DuplicateHandle
GetCurrentProcess
FormatMessageA
Sleep
SetStdHandle
PeekNamedPipe
GetFileType
GetCurrentThreadId
FindNextFileA
MultiByteToWideChar
QueryPerformanceCounter
GetCurrentProcessId
GetTickCount
GetVersionExA
GlobalMemoryStatus
FlushConsoleInputBuffer
SetLastError
GetModuleFileNameW
GetModuleHandleExW
WriteConsoleW
HeapFree
EnterCriticalSection
LeaveCriticalSection
EncodePointer
DecodePointer
AreFileApisANSI
WideCharToMultiByte
SetConsoleCtrlHandler
HeapAlloc
GetConsoleCP
GetConsoleMode
IsProcessorFeaturePresent
GetCommandLineA
IsDebuggerPresent
HeapReAlloc
GetSystemTimeAsFileTime
GetTimeZoneInformation
GetNumberOfConsoleInputEvents
PeekConsoleInputA
ReadConsoleInputA
SetConsoleMode
OutputDebugStringW
LoadLibraryExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCurrentThread
GetProcessHeap
DeleteCriticalSection
FatalAppExitA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
CreateEventW
TlsAlloc
TlsGetValue
TlsSetValue

Sections

.text
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 320KB - Virtual size: 319KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 48KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 57KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ac615fb1d93576fa3c26077a619c9144

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

advapi32

user32

gdi32

kernel32

Sections

.text Size: 1.3MB - Virtual size: 1.3MB

.rdata Size: 320KB - Virtual size: 319KB

.data Size: 48KB - Virtual size: 70KB

.idata Size: 5KB - Virtual size: 5KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 57KB - Virtual size: 56KB

.text
Size: 1.3MB - Virtual size: 1.3MB

.rdata
Size: 320KB - Virtual size: 319KB

.data
Size: 48KB - Virtual size: 70KB

.idata
Size: 5KB - Virtual size: 5KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 57KB - Virtual size: 56KB