cipher[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

cipher.exe
Size

48KB
MD5

f3471ddb5ae8e057f1b908a50e4aad7c
SHA1

12b08c7a6a36d5624c2d7f40784c26a3607fa89b
SHA256

a6b2cfde3e3de872d9edd6a16710ed6c8ee32a0dfcf57322b27b3da8d18ae71a
SHA512

9bea40d52e4c36fdad0e4ff02d6534737a0729e3bee34da0aa2bd5b74c966be0868b638ae28cc8168127e59cc35368d508bf5ca379be1e5c49824f05dbc85df5
SSDEEP

768:/fwPMuMlMhvgfgiWLm7x62QfDrm+egQuLFL7BLmCfU0GWKwhj1QJGAfopGxnzZ5I:nwdKMhgfwS6ffDrm+egf+iDgJfQKI

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
cipher.exe

Files

cipher.exe
.exe windows x64

e83b4c457afd5eea31874b00e8a3a956

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

EncryptFileW
CryptReleaseContext
RegQueryValueExW
LookupAccountSidW
RemoveUsersFromEncryptedFile
RegOpenKeyExW
QueryUsersOnEncryptedFile
AddUsersToEncryptedFile
AddUsersToEncryptedFileEx
ConvertStringSidToSidW
QueryRecoveryAgentsOnEncryptedFile
EncryptedFileKeyInfo
FlushEfsCache
FreeEncryptionCertificateHashList
EqualSid
CryptAcquireContextW
RegCloseKey
SetUserFileEncryptionKey
FreeEncryptedFileKeyInfo
DecryptFileW
CryptGetUserKey
CryptDestroyKey

kernel32

GetDiskFreeSpaceW
SetConsoleMode
DeviceIoControl
VirtualAlloc
RemoveDirectoryW
SetErrorMode
SetFilePointer
SetEndOfFile
GetProcessHeap
GetVolumePathNameW
CreateFileW
GetFileAttributesW
GetVolumeNameForVolumeMountPointW
GetDiskFreeSpaceExW
ReadConsoleW
CloseHandle
HeapSetInformation
GetCurrentDirectoryW
SetCurrentDirectoryW
FindFirstFileW
GetFullPathNameW
FindVolumeClose
VerifyVersionInfoW
GetTempFileNameW
FindNextVolumeW
lstrcmpW
GetDriveTypeW
FlushFileBuffers
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
ResolveDelayLoadedAPI
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
Sleep
GetVolumeInformationW
QueryDosDeviceW
CreateDirectoryW
FindNextFileW
VirtualFree
SetLastError
GetComputerNameW
FindFirstVolumeW
GetFileType
WideCharToMultiByte
VerSetConditionMask
GetModuleHandleW
LocalFree
GetProcAddress
WriteConsoleW
HeapAlloc
GetLastError
FormatMessageW
GetConsoleMode
WriteFile
GetStdHandle
DelayLoadFailureHook
lstrlenW
HeapFree
FindClose

msvcrt

_commode
strcmp
memset
memcpy
?terminate@@YAXXZ
_fmode
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
towupper
_wcsnicmp
_putws
getchar
printf
wcschr
_wcsicmp
_get_osfhandle
_vsnwprintf
__iob_func
fgetws
wcscmp

ntdll

RtlCaptureContext
RtlNtStatusToDosError
RtlLookupFunctionEntry
RtlVirtualUnwind

rpcrt4

UuidToStringW
UuidCreate
RpcStringFreeW

user32

MessageBoxW

ntdsapi

DsFreeNameResultW
DsUnBindW
DsCrackNamesW
DsBindW

crypt32

CertGetEnhancedKeyUsage
CertFreeCertificateContext
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CryptQueryObject
CertCloseStore
PFXExportCertStoreEx
CertFindCertificateInStore
CertOpenStore
CryptStringToBinaryW
CertGetCertificateContextProperty
CryptBinaryToStringW

bcrypt

BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptGenRandom
BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptDestroyKey
BCryptEncrypt

efsutil

EfsUtilGetSmartcardProviderName
EfsUtilCreateSelfSignedCertificate
EfsUtilGetCurrentUserInformation

feclient

EfsClientQueryProtectors
EfsClientFreeProtectorList
EfsClientGetEncryptedFileVersion

dsrole

DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory

Sections

.text
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e83b4c457afd5eea31874b00e8a3a956

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcrt

ntdll

rpcrt4

user32

ntdsapi

crypt32

bcrypt

efsutil

feclient

dsrole

Sections

.text Size: 32KB - Virtual size: 31KB

.rdata Size: 10KB - Virtual size: 10KB

.data Size: 512B - Virtual size: 10KB

.pdata Size: 1KB - Virtual size: 1KB

.didat Size: 512B - Virtual size: 48B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 48B

.text
Size: 32KB - Virtual size: 31KB

.rdata
Size: 10KB - Virtual size: 10KB

.data
Size: 512B - Virtual size: 10KB

.pdata
Size: 1KB - Virtual size: 1KB

.didat
Size: 512B - Virtual size: 48B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 48B