Static task
static1
General
Target
ossec-agent.exe
Size
1.0MB
MD5
494a91bff52fae2f1eaa05fe18398305
SHA1
a74d901a470c913600601bea9028fc6eed96682a
SHA256
77234bea4fc90a94d22d9102f349d5822b7c0a4e7d7750af9c44dd16309cc5d2
SHA512
1f1fae2d6663c36179e411c1aea9291acd9cb6423bbe2568639f9ac867a620812c6dc72b9a6bed160e9e48b9e9256807b48871e3754a445d259b02010313e69d
SSDEEP
24576:yFw44S+yr4q7SNB6AAzyQMg89+KTa1EgJAhYZ:TimVAWQUTa1EgJAhYZ
Malware Config
Signatures
Unsigned PE (1 IoC)
Checks for a missing Authenticode signature; the target PE has none. On its own this is a weak indicator, so confirm the hashes above against the publisher's released checksums before treating the file as untrusted.
resource ossec-agent.exe
Files
ossec-agent.exe.exe windows x86
f8a3ed316ee1f452b186d809103770bc
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
advapi32
AdjustTokenPrivileges
AllocateAndInitializeSid
ChangeServiceConfig2A
CloseEventLog
CloseServiceHandle
ControlService
ConvertSidToStringSidA
CreateServiceA
DeleteService
FreeSid
GetNumberOfEventLogRecords
GetOldestEventLogRecord
GetSecurityInfo
ImpersonateSelf
InitializeSecurityDescriptor
LookupAccountSidA
LookupPrivilegeValueA
OpenEventLogA
OpenSCManagerA
OpenServiceA
OpenThreadToken
QueryServiceStatus
ReadEventLogA
RegCloseKey
RegEnumKeyExA
RegEnumValueA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegisterServiceCtrlHandlerA
SetEntriesInAclA
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
SetServiceStatus
StartServiceA
StartServiceCtrlDispatcherA
kernel32
BackupRead
BackupSeek
CloseHandle
CreateEventA
CreateFileA
CreateMutexA
CreateProcessA
CreateThread
CreateToolhelp32Snapshot
DeleteCriticalSection
EnterCriticalSection
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FormatMessageA
FormatMessageW
FreeLibrary
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetFileAttributesA
GetFileInformationByHandle
GetLastError
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetSystemInfo
GetSystemTimeAsFileTime
GetTickCount
GetVersionExA
InitializeCriticalSection
LeaveCriticalSection
LoadLibraryA
LoadLibraryExA
LocalAlloc
LocalFree
Module32First
MoveFileExA
MultiByteToWideChar
Process32First
Process32Next
QueryPerformanceCounter
ReadDirectoryChangesW
ReleaseMutex
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForSingleObject
WaitForSingleObjectEx
WideCharToMultiByte
lstrcmpiA
msvcrt
__getmainargs
__initenv
__lconv_init
__p__acmdln
__p__fmode
__set_app_type
__setusermatherr
_amsg_exit
_cexit
_errno
_fdopen
_findclose
_fstati64
_fullpath
_initterm
_iob
_mktemp
_onexit
_open_osfhandle
_pclose
_popen
_stati64
_stricmp
_strnicmp
_vsnprintf
abort
atoi
atol
calloc
clearerr
div
exit
fclose
ferror
fflush
fgetc
fgetpos
fgets
fopen
fprintf
fputc
fputs
fread
free
fscanf
fseek
fsetpos
ftell
fwrite
isalnum
ispunct
isspace
localtime
malloc
mbstowcs
memchr
memcmp
memcpy
memmove
memset
printf
putchar
puts
qsort
rand
realloc
setlocale
signal
sprintf
srand
strchr
strcmp
strcpy
strerror
strftime
strlen
strncat
strncmp
strncpy
strrchr
strstr
time
ungetc
vfprintf
wcstombs
_findnext
_findfirst
_unlink
_strdup
_read
_open
_getpid
_getcwd
_fileno
_close
_chmod
_chdir
shlwapi
PathFindFileNameA
user32
GetSystemMetrics
wevtapi
EvtClose
EvtCreateBookmark
EvtCreateRenderContext
EvtFormatMessage
EvtOpenPublisherMetadata
EvtRender
EvtSubscribe
EvtUpdateBookmark
ws2_32
WSAAddressToStringA
freeaddrinfo
getaddrinfo
getnameinfo
wsock32
WSAStartup
accept
bind
closesocket
connect
ioctlsocket
listen
recv
select
send
setsockopt
socket
Sections
.text Size: 622KB - Virtual size: 622KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 1024B - Virtual size: 604B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rdata Size: 192KB - Virtual size: 191KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
/4 Size: 40KB - Virtual size: 40KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.bss Size: none (no raw data on disk; uninitialized section) - Virtual size: 168KB
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 6KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.CRT Size: 512B - Virtual size: 52B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.tls Size: 512B - Virtual size: 8B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
/14 Size: 512B - Virtual size: 88B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
/29 Size: 37KB - Virtual size: 36KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
/41 Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
/55 Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
/67 Size: 512B - Virtual size: 56B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
/80 Size: 1024B - Virtual size: 872B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
/91 Size: 1024B - Virtual size: 786B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
/102 Size: 512B - Virtual size: 136B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ