cipher[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

cipher.exe
Size

46KB
MD5

1de5a4875fedbcbd57bfc0549476c52e
SHA1

0e8e28f81a4bb5f972dcd02b0080d04d78a1574b
SHA256

1c7bafe5742197741fc3724753c952c9af890f8a6b2c61561c33caaba8cf07cc
SHA512

aad20eb9f8c1db140875dfb81661c3f156659a94b4eebabd308f5bdbfce9e0ad21c7e203a742c29b31eee70d4144027640111f5083f880d199825db73d9f524e
SSDEEP

768:v0m+PdVMFMu28U3M4GqRhSE9XpweDLYnB7jgCQ5VNhoGueph/qyppnFwT:e/MauB5E9XpjDMnwQ+h/qyKT

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
cipher.exe

Files

cipher.exe
.exe windows x64

e83b4c457afd5eea31874b00e8a3a956

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

EncryptFileW
CryptReleaseContext
RegQueryValueExW
LookupAccountSidW
RemoveUsersFromEncryptedFile
RegOpenKeyExW
QueryUsersOnEncryptedFile
AddUsersToEncryptedFile
AddUsersToEncryptedFileEx
ConvertStringSidToSidW
QueryRecoveryAgentsOnEncryptedFile
EncryptedFileKeyInfo
FlushEfsCache
FreeEncryptionCertificateHashList
EqualSid
CryptAcquireContextW
RegCloseKey
SetUserFileEncryptionKey
FreeEncryptedFileKeyInfo
DecryptFileW
CryptGetUserKey
CryptDestroyKey

kernel32

GetDiskFreeSpaceW
SetConsoleMode
DeviceIoControl
VirtualAlloc
RemoveDirectoryW
SetErrorMode
SetFilePointer
SetEndOfFile
GetProcessHeap
GetVolumePathNameW
CreateFileW
GetFileAttributesW
GetVolumeNameForVolumeMountPointW
GetDiskFreeSpaceExW
ReadConsoleW
CloseHandle
HeapSetInformation
GetCurrentDirectoryW
SetCurrentDirectoryW
FindFirstFileW
GetFullPathNameW
FindVolumeClose
VerifyVersionInfoW
GetTempFileNameW
FindNextVolumeW
lstrcmpW
GetDriveTypeW
FlushFileBuffers
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
ResolveDelayLoadedAPI
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
Sleep
GetVolumeInformationW
QueryDosDeviceW
CreateDirectoryW
FindNextFileW
VirtualFree
SetLastError
GetComputerNameW
FindFirstVolumeW
GetFileType
WideCharToMultiByte
VerSetConditionMask
GetModuleHandleW
LocalFree
GetProcAddress
WriteConsoleW
HeapAlloc
GetLastError
FormatMessageW
GetConsoleMode
WriteFile
GetStdHandle
DelayLoadFailureHook
lstrlenW
HeapFree
FindClose

msvcrt

_commode
strcmp
memset
memcpy
?terminate@@YAXXZ
_fmode
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
towupper
_wcsnicmp
_putws
getchar
printf
wcschr
_wcsicmp
_get_osfhandle
_vsnwprintf
__iob_func
fgetws
wcscmp

ntdll

RtlCaptureContext
RtlNtStatusToDosError
RtlLookupFunctionEntry
RtlVirtualUnwind

rpcrt4

UuidToStringW
UuidCreate
RpcStringFreeW

user32

MessageBoxW

ntdsapi

DsFreeNameResultW
DsUnBindW
DsCrackNamesW
DsBindW

crypt32

CertGetEnhancedKeyUsage
CertFreeCertificateContext
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CryptQueryObject
CertCloseStore
PFXExportCertStoreEx
CertFindCertificateInStore
CertOpenStore
CryptStringToBinaryW
CertGetCertificateContextProperty
CryptBinaryToStringW

bcrypt

BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptGenRandom
BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptDestroyKey
BCryptEncrypt

efsutil

EfsUtilGetSmartcardProviderName
EfsUtilCreateSelfSignedCertificate
EfsUtilGetCurrentUserInformation

feclient

EfsClientQueryProtectors
EfsClientFreeProtectorList
EfsClientGetEncryptedFileVersion

dsrole

DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory

Sections

.text
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e83b4c457afd5eea31874b00e8a3a956

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcrt

ntdll

rpcrt4

user32

ntdsapi

crypt32

bcrypt

efsutil

feclient

dsrole

Sections

.text Size: 29KB - Virtual size: 29KB

.rdata Size: 10KB - Virtual size: 10KB

.data Size: 512B - Virtual size: 10KB

.pdata Size: 1KB - Virtual size: 1KB

.didat Size: 512B - Virtual size: 48B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 48B

.text
Size: 29KB - Virtual size: 29KB

.rdata
Size: 10KB - Virtual size: 10KB

.data
Size: 512B - Virtual size: 10KB

.pdata
Size: 1KB - Virtual size: 1KB

.didat
Size: 512B - Virtual size: 48B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 48B