file[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

file.zip
Size

225KB
MD5

87bcfc0526bcb2e89aa19070b47a7b65
SHA1

8dee6244f300ec5fdb8e1834e7d68d75d0e3630d
SHA256

2e2a55279f776cae6420a3ee767abf2573dbefee7ac4d09a858f974461c89640
SHA512

a9d0da7b28f0becc3d0df1fe51aa32293232b096d0807455f7175923b3e3e7dd0c27f99a66af5732fe11c7789e4ce3134128d2215486cd3b78db31f8914aa722
SSDEEP

6144:c2yo7f6LSpYaTK0lHfLHHY2qO11V8Ij18KIBmDm:cXo7d9/THbqODkkDm

Score

1^/10

Malware Config

Signatures

Files

file.zip
.zip
CPSWS.exe
.exe windows x86

f0f8d2102353f9b7656b34df9fee9793

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

08/11/2006, 00:00

Not After

07/11/2021, 23:59

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageServerAuth
ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning
ExtKeyUsageNetscapeServerGatedCrypto

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

02:f2:1f:17:a0:fa:8c:c5:42:c8:9f:77:c6:50:7b:33
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

05/12/2018, 00:00

Not After

06/01/2022, 23:59

Subject

CN=Check Point Software Technologies Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Check Point Software Technologies Ltd.,L=TEL AVIV-JAFFA,ST=Ramat-Gan,C=IL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10/12/2013, 00:00

Not After

09/12/2023, 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7f:4e:3d:b8:9e:02:f2:95:4f:a8:43:d7:79:79:18:28:79:77:6c:9e:d4:3f:b9:bc:3d:c0:99:4a:8a:79:f4:aa
Signer

Actual PE Digest

7f:4e:3d:b8:9e:02:f2:95:4f:a8:43:d7:79:79:18:28:79:77:6c:9e:d4:3f:b9:bc:3d:c0:99:4a:8a:79:f4:aa

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

Imports

ntdll

RtlNtStatusToDosError
ZwDeleteKey
ZwCreateMutant
ZwCreateSemaphore
ZwReleaseSemaphore
ZwSignalAndWaitForSingleObject
ZwWaitForMultipleObjects
ZwQueryObject
ZwQueryInformationThread
ZwDelayExecution
RtlGetVersion
ZwSetInformationThread
RtlDestroyHeap
ZwSetInformationFile
LdrShutdownThread
ZwTerminateThread
ZwTerminateProcess
ZwQueueApcThread
ZwOpenKey
ZwEnumerateKey
ZwUnmapViewOfSection
ZwMapViewOfSection
ZwCreateSection
ZwSetEvent
ZwFlushBuffersFile
ZwQueryFullAttributesFile
RtlFormatCurrentUserKeyPath
RtlFreeUnicodeString
ZwCreateKey
ZwQueryValueKey
ZwSetValueKey
ZwQueryInformationFile
RtlCreateUserThread
ZwDeviceIoControlFile
RtlUnwind
ZwDuplicateObject
ZwReleaseMutant
ZwWaitForSingleObject
ZwQueryInformationProcess
ZwQueryAttributesFile
RtlSetLastWin32ErrorAndNtStatusFromNtStatus
ZwWriteFile
ZwReadFile
ZwCreateFile
ZwYieldExecution
LdrGetProcedureAddress
ZwClose
ZwOpenFile
RtlInitUnicodeString
LdrGetDllHandle
RtlFreeHeap
ZwCreateEvent
RtlAllocateHeap

kernel32

FreeLibrary
GetCurrentProcess
GetCommandLineA
GetCurrentDirectoryW
HeapCompact
GetProcessHeap
SetProcessWorkingSetSize
ExitProcess
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapAlloc
HeapFree
ExitThread
CreateThread
GetStartupInfoA
RaiseException
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
InterlockedDecrement
GetCurrentThread
WriteFile
LoadLibraryExW
GetModuleFileNameA
Sleep
HeapSize
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
VirtualFree
VirtualAlloc
HeapReAlloc
HeapCreate
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetSystemTimeAsFileTime
LoadLibraryA
GetLocaleInfoA
InterlockedExchange
InitializeCriticalSectionAndSpinCount
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
CompareStringW
GetLogicalDrives
DeviceIoControl
CreateFileW
CreateMutexW
ResumeThread
SuspendThread
CreateProcessW
SetEnvironmentVariableW
CreateEventW
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
SetEvent
OpenEventW
GetCommandLineW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
GetEnvironmentVariableW
DeleteFileW
GetFileAttributesW
CloseHandle
GetExitCodeProcess
WaitForSingleObject
GetDriveTypeW
GetModuleFileNameW
GetLastError
SetErrorMode
GetProcAddress
LoadLibraryW
GetModuleHandleW
GetStdHandle
FlushFileBuffers
CreateFileA
VirtualQuery
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
SetStdHandle
GetConsoleMode
GetConsoleCP
SetFilePointer
GetModuleHandleA
LocalAlloc
GetLocalTime
DuplicateHandle
WaitNamedPipeW
CompareFileTime
SystemTimeToFileTime
GetSystemTime
PostQueuedCompletionStatus
WaitForMultipleObjects
GetQueuedCompletionStatus
GetExitCodeThread
GetWindowsDirectoryW
GetTempPathW
CreateDirectoryW
GetComputerNameW
LocalFree
OutputDebugStringW
FindFirstFileW
FindNextFileW
FindClose
FindResourceW
SizeofResource
LoadResource
LockResource
lstrcpynW
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
MoveFileExW
ReadFile
GetProcessAffinityMask
InterlockedCompareExchange
SetThreadIdealProcessor
ResetEvent
CancelIo
ConnectNamedPipe
GetVersion
SetThreadPriority
CreateNamedPipeW
CreateIoCompletionPort

user32

GetDC
MessageBoxW
ExitWindowsEx
SetDlgItemTextW
GetDlgItemTextW
EndDialog
SetPropW
GetPropW
DialogBoxParamW
MsgWaitForMultipleObjects
DispatchMessageW
TranslateMessage
PeekMessageW
ReleaseDC
GetSystemMetrics
wsprintfW
SetThreadDesktop
WaitForInputIdle
DestroyWindow
SetWindowLongW
CreateWindowExW
RegisterClassW
DefWindowProcW
GetWindowLongW
GetAsyncKeyState

advapi32

SetSecurityDescriptorSacl
AddAccessDeniedAce
CryptReleaseContext
CryptGenRandom
CryptAcquireContextW
RegSetValueExW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExW
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken
ConvertStringSidToSidW
GetTokenInformation
StartServiceW
DeleteService
SetServiceObjectSecurity
CreateServiceW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AddAccessAllowedAce
InitializeAcl
QueryServiceConfigW
QueryServiceStatus
CloseServiceHandle
QueryServiceStatusEx
OpenServiceW
OpenSCManagerW
MakeAbsoluteSD
GetSecurityDescriptorSacl
SetSecurityInfo

gdi32

GetPixel

Exports

Exports

_IswLog_Flush@4
_IswLog_FlushThread@4
_IswLog_FlushThreadPerProcess@4

Sections

.text
Size: 225KB - Virtual size: 224KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 293KB - Virtual size: 292KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f0f8d2102353f9b7656b34df9fee9793

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fdCertificate

Extended Key Usages

Key Usages

02:f2:1f:17:a0:fa:8c:c5:42:c8:9f:77:c6:50:7b:33Certificate

Extended Key Usages

Key Usages

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2aCertificate

Extended Key Usages

Key Usages

7f:4e:3d:b8:9e:02:f2:95:4f:a8:43:d7:79:79:18:28:79:77:6c:9e:d4:3f:b9:bc:3d:c0:99:4a:8a:79:f4:aaSigner

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

kernel32

user32

advapi32

gdi32

Exports

Exports

Sections

.text Size: 225KB - Virtual size: 224KB

.rdata Size: 52KB - Virtual size: 52KB

.data Size: 11KB - Virtual size: 19KB

.rsrc Size: 293KB - Virtual size: 292KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Certificate

02:f2:1f:17:a0:fa:8c:c5:42:c8:9f:77:c6:50:7b:33
Certificate

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

7f:4e:3d:b8:9e:02:f2:95:4f:a8:43:d7:79:79:18:28:79:77:6c:9e:d4:3f:b9:bc:3d:c0:99:4a:8a:79:f4:aa
Signer

.text
Size: 225KB - Virtual size: 224KB

.rdata
Size: 52KB - Virtual size: 52KB

.data
Size: 11KB - Virtual size: 19KB

.rsrc
Size: 293KB - Virtual size: 292KB