668a32e46d4d54536d906237151d71741d7cab6b220aed1631b42097374ab553

Sharing

Copy URL Twitter E-mail

General

Target

668a32e46d4d54536d906237151d71741d7cab6b220aed1631b42097374ab553
Size

509KB
MD5

c51f8ae60ebbef6771e1b8edcb76bdbe
SHA1

87db0d2c92b0cf225c89c27678b38e253c850c11
SHA256

668a32e46d4d54536d906237151d71741d7cab6b220aed1631b42097374ab553
SHA512

644c57da190ff8d54b8ae9144a66da8f3cf9c1ae75dc7105492030688ca0885a29fffbf82472d9e587af9562f07bb78beb3ae99bd642320769aded93050cc7b8
SSDEEP

12288:WfsCojFZ40idLc56daYSJabAgxR7fozuJbemxbPvp9:J9FZ4okOcAghUkbH7vp

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
668a32e46d4d54536d906237151d71741d7cab6b220aed1631b42097374ab553

Files

668a32e46d4d54536d906237151d71741d7cab6b220aed1631b42097374ab553
.exe windows x64

060ed2d5b7cac67279964cefcc780aee

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ObOpenObjectByPointer
PsProcessType
PsThreadType
_strlwr
strstr
RtlInitUnicodeString
RtlGetVersion
KeQueryTimeIncrement
ExAllocatePool
MmGetSystemRoutineAddress
MmMapIoSpace
MmUnmapIoSpace
ObfDereferenceObject
MmGetPhysicalAddress
RtlImageDirectoryEntryToData
ObReferenceObjectByName
_vsnwprintf
srand
rand
ZwQuerySystemInformation
IoDriverObjectType
ObReferenceObjectByHandle
ZwWaitForSingleObject
ZwQueryInformationThread
ZwQueryVirtualMemory
ObSetHandleAttributes
IoFileObjectType
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
KeInitializeEvent
KeSetEvent
KeWaitForSingleObject
IoAllocateIrp
IofCallDriver
IoCreateFile
IoFreeIrp
IoGetRelatedDeviceObject
ZwOpenFile
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
IoVolumeDeviceToDosName
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
RtlCompareMemory
KeDelayExecutionThread
KeEnterCriticalRegion
KeLeaveCriticalRegion
IoDeleteDevice
IoGetCurrentProcess
ZwOpenKey
ZwDeleteKey
ZwDeleteValueKey
ZwFlushKey
ZwQueryValueKey
ZwSetValueKey
KeBugCheck
MmSecureVirtualMemory
PsSetLoadImageNotifyRoutine
PsGetCurrentProcessId
PsGetCurrentThreadId
PsGetProcessExitStatus
PsGetProcessId
PsGetThreadId
ZwSetInformationThread
KeAttachProcess
KeDetachProcess
IoThreadToProcess
RtlImageNtHeader
RtlPcToFileHeader
PsGetProcessDebugPort
RtlComputeCrc32
PsGetProcessImageFileName
PsReferenceProcessFilePointer
IoDeviceObjectType
MmProtectMdlSystemAddress
MmAllocateMappingAddress
MmFreeMappingAddress
MmMapLockedPagesWithReservedMapping
MmUnmapReservedMapping
MmAllocatePagesForMdlEx
MmFreePagesFromMdl
ZwCreateSection
KeStackAttachProcess
ObReferenceObjectByHandleWithTag
ObfDereferenceObjectWithTag
PsGetThreadProcessId
PsGetThreadProcess
PsLookupThreadByThreadId
ZwQueryObject
ZwQueryInformationProcess
NtQueryInformationThread
RtlCompareUnicodeString
IoAllocateMdl
ZwOpenProcess
MmCopyVirtualMemory
KeInsertQueueApc
KeInitializeApc
ZwOpenThread
ObOpenObjectByPointerWithTag
ObGetObjectType
KeResetEvent
IoAllocateWorkItem
IoQueueWorkItem
SeLocateProcessImageName
PsGetProcessPeb
ObReferenceObjectByPointerWithTag
ObCreateObjectType
strncmp
RtlEqualUnicodeString
ZwMapViewOfSection
ZwUnmapViewOfSection
ZwAllocateVirtualMemory
ZwFreeVirtualMemory
PsGetProcessWow64Process
ZwOpenSection
MmMapViewOfSection
PsGetProcessSectionBaseAddress
IoBuildDeviceIoControlRequest
MmProbeAndLockPages
MmUnlockPages
IoFreeMdl
__C_specific_handler
MmIsAddressValid
ZwClose
ExFreePoolWithTag
ExAllocatePoolWithTag
PsLookupProcessByProcessId
KeSetKernelStackSwapEnable
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
PsCreateSystemThread
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
ExAllocatePool
ExFreePool
NtQuerySystemInformation

hal

HalTranslateBusAddress
HalMakeBeep

Sections

.text
Size: - Virtual size: 61KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INITKDBG
Size: - Virtual size: 469B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vc0
Size: - Virtual size: 572KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vc1
Size: 506KB - Virtual size: 506KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

060ed2d5b7cac67279964cefcc780aee

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

hal

Sections

.text Size: - Virtual size: 61KB

INITKDBG Size: - Virtual size: 469B

.rdata Size: - Virtual size: 3KB

.data Size: - Virtual size: 8KB

.pdata Size: - Virtual size: 2KB

INIT Size: - Virtual size: 4KB

.vc0 Size: - Virtual size: 572KB

.vc1 Size: 506KB - Virtual size: 506KB

.reloc Size: 512B - Virtual size: 12B

.rsrc Size: 1KB - Virtual size: 1KB

.text
Size: - Virtual size: 61KB

INITKDBG
Size: - Virtual size: 469B

.rdata
Size: - Virtual size: 3KB

.data
Size: - Virtual size: 8KB

.pdata
Size: - Virtual size: 2KB

INIT
Size: - Virtual size: 4KB

.vc0
Size: - Virtual size: 572KB

.vc1
Size: 506KB - Virtual size: 506KB

.reloc
Size: 512B - Virtual size: 12B

.rsrc
Size: 1KB - Virtual size: 1KB