wuaueng[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

wuaueng.dll
Size

3.3MB
MD5

7f6e71ac4096f45c968f8990af6768c3
SHA1

0a113636a214971996c25b43472ba1be310f9f57
SHA256

4af354a54e5af1b5f7d10ea06bc2d47d42d1e4b0f9eae1f380479076cd76eea3
SHA512

6dc1b639b3014b18d010bef0bc6c04c9d32a7601af7dc4b7851e54827a79a9c671b05a802cffa818f48202975275392d4552215f0faf4c5c4583e4598c818a9a
SSDEEP

49152:F0ODNuls5T+qWX3Y8oLsjgFRX2V7bEF9YKThC1F+hNFy9KGJioQa:hnT+U/CQlQJT

Score

1^/10

Malware Config

Signatures

Files

wuaueng.dll
.dll windows x64

7aef069f5ccba652ab391df77305c36c

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

43:24:d5:c4:d9:c3:d1:27:c5:95:fd:a5:0d:d8:42:5f:70:1d:e9:a0:e8:a0:6b:61:43:4d:db:8d:0e:0b:97:88
Signer

Actual PE Digest

43:24:d5:c4:d9:c3:d1:27:c5:95:fd:a5:0d:d8:42:5f:70:1d:e9:a0:e8:a0:6b:61:43:4d:db:8d:0e:0b:97:88

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

api-ms-win-crt-private-l1-1-0

_o__ltow_s
_o__purecall
_o__register_onexit_function
_o__seh_filter_dll
_o__set_errno
_o__stricmp
_o__strnicmp
_o__ultow_s
_o__wcsicmp
_o__wcsnicmp
_o__wcstoui64
_o__wfopen_s
_o__wsplitpath_s
_o__wtoi
_o__wtoi64
_o__wtol
_o_abort
_o_bsearch
_o_calloc
_o_fclose
_o_free
_o_iswalnum
_o_iswalpha
_o_iswdigit
_o_iswspace
_o_malloc
_o_mbstowcs_s
_o_qsort
_o_rand
_o_realloc
_o_srand
_o_strcpy_s
_o_strncpy_s
_o_strtol
_o_terminate
_o_tolower
_o_wcstod
_o_wcstok_s
_o_wcstol
_o_wcstombs_s
_o_wcstoul
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_onexit_table
_o__initialize_narrow_environment
_o__get_errno
_o__execute_onexit_table
_o__errno
_o__crt_atexit
_o__configure_narrow_argv
_o__cexit
_o__callnewh
_o___stdio_common_vswprintf_s
_o___stdio_common_vswprintf
_o___stdio_common_vsprintf_s
_o___stdio_common_vsprintf
_o___stdio_common_vsnprintf_s
_o___stdio_common_vfprintf
_o___std_exception_destroy
_o___std_exception_copy

api-ms-win-core-processthreads-l1-1-0

GetExitCodeProcess
CreateThread
OpenProcessToken
CreateProcessAsUserW
TlsAlloc
GetCurrentProcessId
TlsSetValue
TlsFree
SetPriorityClass
GetThreadId
GetCurrentThreadId
GetCurrentProcess
TerminateProcess
SetThreadPriority
TlsGetValue
OpenThreadToken
GetExitCodeThread
ResumeThread
GetCurrentThread
GetThreadPriority

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap
HeapReAlloc

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls
GetProcAddress
GetModuleFileNameA
FreeLibraryAndExitThread
GetModuleHandleW
LoadLibraryExW
EnumResourceNamesExW
FreeLibrary
EnumResourceLanguagesExW
SizeofResource
LockResource
FindResourceExW
GetModuleHandleExW
GetModuleFileNameW
LoadResource

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetUnhandledExceptionFilter
SetLastError
UnhandledExceptionFilter
RaiseException

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-core-synch-l1-1-0

AcquireSRWLockExclusive
ReleaseSRWLockShared
InitializeCriticalSection
WaitForMultipleObjectsEx
LeaveCriticalSection
SetEvent
ResetEvent
InitializeCriticalSectionAndSpinCount
InitializeSRWLock
CreateEventExW
AcquireSRWLockShared
CreateSemaphoreExW
InitializeCriticalSectionEx
CreateMutexExW
CreateMutexW
EnterCriticalSection
ReleaseSRWLockExclusive
CreateEventW
OpenSemaphoreW
WaitForSingleObject
DeleteCriticalSection
WaitForSingleObjectEx
ReleaseMutex
ReleaseSemaphore
SleepEx

api-ms-win-core-synch-l1-2-0

InitOnceComplete
InitOnceExecuteOnce
InitOnceBeginInitialize
Sleep

api-ms-win-core-rtlsupport-l1-1-0

RtlUnwindEx
RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlPcToFileHeader

api-ms-win-core-util-l1-1-0

EncodePointer

api-ms-win-core-interlocked-l1-1-0

InterlockedFlushSList
InitializeSListHead

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
OpenProcess

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-crt-string-l1-1-0

wcsncmp
memset

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-service-core-l1-1-0

SetServiceStatus
RegisterServiceCtrlHandlerExW

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegOpenKeyExW
RegEnumValueW
RegDeleteTreeW
RegGetValueW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenCurrentUser
RegDeleteKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegSetValueExW
RegDeleteValueW

api-ms-win-core-file-l1-1-0

LocalFileTimeToFileTime
GetDriveTypeW
GetLogicalDriveStringsW
CompareFileTime
FileTimeToLocalFileTime
GetFileAttributesExW
GetVolumePathNameW
ReadFile
RemoveDirectoryW
GetFinalPathNameByHandleW
SetEndOfFile
FindNextFileW
GetDiskFreeSpaceW
FindClose
SetFileInformationByHandle
SetFileAttributesW
GetFileInformationByHandle
GetFileSize
GetFileAttributesW
GetFileTime
DeleteFileW
CreateDirectoryW
GetDiskFreeSpaceExW
GetVolumeInformationW
SetFileTime
FlushFileBuffers
SetFilePointer
FindFirstFileW
GetFileType
DeleteFileA
CreateFileW
WriteFile
GetFileSizeEx
SetFilePointerEx

api-ms-win-core-com-l1-1-0

CoWaitForMultipleHandles
CoQueryProxyBlanket
CLSIDFromString
CoSwitchCallContext
CoTaskMemAlloc
PropVariantClear
CoSetProxyBlanket
CoDisconnectContext
CoRegisterClassObject
CoRevokeClassObject
CoDisconnectObject
CoCreateGuid
CoImpersonateClient
IIDFromString
CoRevertToSelf
CoCreateFreeThreadedMarshaler
CoTaskMemFree
StringFromGUID2
CoDisableCallCancellation
CoInitializeEx
CoCreateInstance
CoUninitialize
CoEnableCallCancellation
CoCancelCall
CoTaskMemRealloc

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
SetThreadpoolTimer
CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks

api-ms-win-security-base-l1-1-0

SetSecurityDescriptorDacl
AllocateAndInitializeSid
FreeSid
DuplicateTokenEx
CreateWellKnownSid
ImpersonateSelf
GetTokenInformation
GetLengthSid
CopySid
ImpersonateLoggedOnUser
EqualSid
IsValidSid
InitializeSecurityDescriptor
RevertToSelf
CheckTokenMembership
CreateRestrictedToken

api-ms-win-security-sddl-l1-1-0

ConvertStringSidToSidW
ConvertSidToStringSidW

api-ms-win-core-heap-l2-1-0

LocalReAlloc
GlobalFree
LocalFree
LocalAlloc

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-kernel32-legacy-l1-1-0

GetSystemPowerStatus
GetComputerNameW
DosDateTimeToFileTime

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringW
WideCharToMultiByte

api-ms-win-core-realtime-l1-1-0

QueryUnbiasedInterruptTime

rpcrt4

RpcStringFreeW
RpcStringFreeA
UuidToStringA
UuidFromStringW
UuidCreate
I_RpcBindingInqTransportType
UuidToStringW
RpcServerInqCallAttributesW

api-ms-win-core-threadpool-legacy-l1-1-0

CreateTimerQueue
DeleteTimerQueueEx
CreateTimerQueueTimer
DeleteTimerQueueTimer

api-ms-win-core-apiquery-l2-1-0

IsApiSetImplemented

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo
GetSystemFirmwareTable
VerSetConditionMask
GetNativeSystemInfo

api-ms-win-power-base-l1-1-0

PowerDeterminePlatformRoleEx
CallNtPowerInformation

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-security-cryptoapi-l1-1-0

CryptGenRandom
CryptReleaseContext
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptCreateHash
CryptAcquireContextW

api-ms-win-service-management-l1-1-0

OpenSCManagerW
CloseServiceHandle
OpenServiceW

api-ms-win-service-management-l2-1-0

QueryServiceStatusEx
ChangeServiceConfig2W
ChangeServiceConfigW
QueryServiceConfig2W
QueryServiceConfigW

api-ms-win-power-setting-l1-1-0

PowerSettingUnregisterNotification
PowerSettingRegisterNotification

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-service-winsvc-l1-1-0

QueryServiceStatus
ControlService

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-processthreads-l1-1-2

SetThreadInformation

api-ms-win-core-processthreads-l1-1-3

SetProcessInformation

api-ms-win-core-memory-l1-1-0

CreateFileMappingW
MapViewOfFileEx
FlushViewOfFile
MapViewOfFile
UnmapViewOfFile

api-ms-win-core-version-l1-1-0

GetFileVersionInfoExW
VerQueryValueW
GetFileVersionInfoSizeExW

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW
FindResourceW

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW

api-ms-win-core-datetime-l1-1-1

GetDateFormatEx

api-ms-win-eventing-controller-l1-1-0

ControlTraceW
StartTraceW
EnableTraceEx2

api-ms-win-eventing-consumer-l1-1-0

CloseTrace

api-ms-win-core-registry-l2-1-0

RegEnumKeyW
RegDeleteKeyW

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW

ntdll

RtlGetDeviceFamilyInfoEnum
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
RtlNtStatusToDosError
RtlPublishWnfStateData
NtQueryWnfStateData
NtClose

api-ms-win-core-winrt-error-l1-1-0

RoTransformError
RoOriginateError

api-ms-win-core-sysinfo-l1-2-1

GetPhysicallyInstalledSystemMemory

Exports

Exports

DllMain
GeneralizeForImaging
WUCreateExpressionEvaluator
WUCreateUpdateHandler
WUServiceMain

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 768KB - Virtual size: 767KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 50KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 68KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 512B - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 64KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7aef069f5ccba652ab391df77305c36c

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

43:24:d5:c4:d9:c3:d1:27:c5:95:fd:a5:0d:d8:42:5f:70:1d:e9:a0:e8:a0:6b:61:43:4d:db:8d:0e:0b:97:88Signer

Headers

DLL Characteristics

File Characteristics

Imports

api-ms-win-crt-private-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-service-core-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-security-base-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-string-l1-1-0

api-ms-win-core-realtime-l1-1-0

rpcrt4

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-apiquery-l2-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-power-base-l1-1-0

api-ms-win-core-registry-l1-1-1

api-ms-win-security-cryptoapi-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-power-setting-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-core-file-l2-1-2

api-ms-win-core-string-l2-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-processthreads-l1-1-3

api-ms-win-core-memory-l1-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-datetime-l1-1-1

api-ms-win-eventing-controller-l1-1-0

api-ms-win-eventing-consumer-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-security-lsalookup-l2-1-0

ntdll

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-sysinfo-l1-2-1

Exports

Exports

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

43:24:d5:c4:d9:c3:d1:27:c5:95:fd:a5:0d:d8:42:5f:70:1d:e9:a0:e8:a0:6b:61:43:4d:db:8d:0e:0b:97:88
Signer

.text
Size: 2.3MB - Virtual size: 2.3MB

.rdata
Size: 768KB - Virtual size: 767KB

.data
Size: 50KB - Virtual size: 61KB

.pdata
Size: 68KB - Virtual size: 68KB

.didat
Size: 2KB - Virtual size: 1KB

_RDATA
Size: 512B - Virtual size: 256B

.rsrc
Size: 64KB - Virtual size: 64KB

.reloc
Size: 21KB - Virtual size: 20KB