IKEEXT[.]DLL | Triage

Sharing

Copy URL Twitter E-mail

General

Target

IKEEXT.DLL
Size

1.0MB
MD5

56129985c2c2afcdb4861fd14cc3f728
SHA1

de6baf521d033c064294360f8aedfe281aca6285
SHA256

647b2b95b26e3027eafec51bcab5d4e84d9c888a273c42116ba893df655882c3
SHA512

90fa665a5263b36c42a5b0c7f40f1eea31b7b8d1c7afae17432cd920b8a1c399fa074486a655a696416754da63a2ce446dd6f0cefd3c7944189cc990166bf570
SSDEEP

24576:/td4ynf+sTkQVCtrnvJ7pBr0u4vUA2QRVGtGI9GDZIvHVMO2ti2qJP+:/td4ynfLTkQVCtrnvJ7r0u4vUA2QRVGj

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
IKEEXT.DLL

Files

IKEEXT.DLL
.dll windows:10 windows x64

c538b9a66ae174f815b44fcd7d205656

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msvcrt

memcpy
memcmp
_vsnprintf
_vsnwprintf
wcstok_s
time
bsearch
memcpy_s
sprintf_s
_ultow_s
_XcptFilter
strcmp
__C_specific_handler
_initterm
malloc
free
_amsg_exit
memset
wcscmp

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
GetModuleHandleExW
GetModuleHandleW
LoadLibraryExW
GetProcAddress
GetModuleFileNameW
DisableThreadLibraryCalls

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

TlsAlloc
OpenThreadToken
GetCurrentProcessId
GetCurrentThreadId
OpenProcessToken
TlsGetValue
GetCurrentThread
TerminateProcess
TlsFree
GetCurrentProcess
TlsSetValue
SetThreadPriority
GetThreadPriority

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime
GetSystemInfo
GetComputerNameExW
GetSystemTime

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlCompareMemory
RtlVirtualUnwind
RtlLookupFunctionEntry

api-ms-win-core-errorhandling-l1-1-0

GetLastError
UnhandledExceptionFilter
SetLastError
SetUnhandledExceptionFilter

ntdll

RtlAllocateHeap
RtlValidRelativeSecurityDescriptor
RtlIpv6AddressToStringW
RtlIpv4AddressToStringW
RtlInitString
WinSqmEndSession
WinSqmStartSession
WinSqmSetDWORD
RtlLengthSecurityDescriptor
RtlIpv4AddressToStringA
RtlIpv6StringToAddressW
RtlApplicationVerifierStop
EtwEventEnabled
EtwEventWriteTransfer
EtwEventWrite
EtwEventActivityIdControl
EtwEventUnregister
EtwEventRegister
RtlNtStatusToDosError
EtwTraceMessage
RtlIpv4StringToAddressW
EtwUnregisterTraceGuids
RtlCreateHashTable
RtlDeleteHashTable
RtlInsertEntryHashTable
RtlRemoveEntryHashTable
RtlLookupEntryHashTable
RtlGetNextEntryHashTable
RtlInitEnumerationHashTable
RtlEnumerateEntryHashTable
RtlEndEnumerationHashTable
RtlExpandHashTable
RtlContractHashTable
RtlTimeToTimeFields
RtlIntegerToUnicodeString
RtlConvertSidToUnicodeString
RtlFreeUnicodeString
RtlAdjustPrivilege
RtlInitializeSListHead
RtlInterlockedPushEntrySList
RtlInterlockedPopEntrySList
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
RtlIpv6AddressToStringA

authz

AuthzFreeAuditEvent
AuthzInitializeResourceManager
AuthzAccessCheck
AuthziInitializeAuditParamsFromArray
AuthziFreeAuditEventType
AuthziInitializeAuditEventType
AuthziInitializeAuditEvent
AuthziLogAuditEvent
AuthzFreeResourceManager

fwpuclnt

IkeextGetConfigParameters0
FwpmEngineClose0
IPsecKeyModuleUpdateAcquire0
FwpmEventProviderDestroy0
FwpmProviderContextUnsubscribeChanges0
IPsecSaContextExpire0
IPsecKeyModuleDelete0
FwpmEngineOpen0
IPsecKeyModuleAdd0
FwpsQueryIPsecDosFWUsed0
FwpsLayerReleaseInProcReplica0
FwpmEventProviderIsNetEventTypeEnabled0
FwpsClassifyUser0
FwpmProviderContextSubscribeChanges0
FwpmFilterSubscribeChanges0
FwpmEventProviderCreate0
FwpmEventProviderFireNetEvent0
FwpmFreeMemory0
FwpmFilterGetById0
FwpmFilterCreateEnumHandle0
FwpsLayerCreateInProcReplica0
IPsecSaContextUpdate0
FwpmFilterDestroyEnumHandle0
IPsecKeyDictationCheck0
IPsecGetKeyFromDictator0
IPsecKeyNotification0
FwppIPsecSaContextCreate
FwpmFilterAdd0
FwpsOpenToken0
FwppConnectionGetByIPsecInfo
IPsecSaContextAddOutboundAndTrackConnection
IPsecSaContextAddInboundAndTrackConnection
IPsecSaContextGetSpi1
FwpsQueryIPsecOffloadDone0
FwpmProviderContextGetByKey3
FwpmFilterUnsubscribeChanges0
FwpsAleExplicitCredentialsQuery0
FwpmFilterEnum0

msasn1

ASN1_CreateDecoder
ASN1_CreateModule
ASN1_FreeDecoded
ASN1_CloseDecoder
ASN1BERDecPeekTag
ASN1BERDecExplicitTag
ASN1DecSetError
ASN1_Decode
ASN1Free
ASN1BERDecOpenType2
ASN1DecRealloc
ASN1BERDecEndOfContents
ASN1BERDecNotEndOfContents
ASN1_CloseModule

api-ms-win-core-synch-l1-1-0

TryAcquireSRWLockExclusive
SetEvent
AcquireSRWLockShared
CreateEventW
ReleaseSRWLockShared
CreateEventA
AcquireSRWLockExclusive
InitializeCriticalSectionAndSpinCount
TryEnterCriticalSection
InitializeSRWLock
CreateSemaphoreExW
WaitForSingleObject
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
ReleaseSemaphore
ReleaseSRWLockExclusive

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
CompareStringEx
CompareStringW

api-ms-win-core-heap-l1-1-0

HeapReAlloc
HeapAlloc
HeapSize
HeapFree
HeapDestroy
HeapCreate
GetProcessHeap

api-ms-win-eventing-controller-l1-1-0

ControlTraceW
StartTraceW

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegSetValueExW
RegQueryValueExW
RegEnumValueW
RegCloseKey
RegQueryInfoKeyW
RegCreateKeyExW
RegNotifyChangeKeyValue

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolThreadMaximum
CloseThreadpool
CloseThreadpoolWait
WaitForThreadpoolWaitCallbacks
SetThreadpoolWait
CreateThreadpool
WaitForThreadpoolTimerCallbacks
CreateThreadpoolWait
CloseThreadpoolTimer
SetThreadpoolTimer
TrySubmitThreadpoolCallback
CreateThreadpoolTimer
SetThreadpoolThreadMinimum

api-ms-win-power-setting-l1-1-0

PowerSettingUnregisterNotification
PowerSettingRegisterNotification

api-ms-win-security-base-l1-1-0

SetPrivateObjectSecurityEx
RevertToSelf
GetPrivateObjectSecurity
EqualSid
GetTokenInformation
DestroyPrivateObjectSecurity
CreatePrivateObjectSecurityEx
DuplicateToken
MapGenericMask
ImpersonateLoggedOnUser
ImpersonateAnonymousToken
CopySid
GetLengthSid

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventWriteTransfer
EventSetInformation
EventUnregister

api-ms-win-core-debug-l1-1-0

DebugBreak
OutputDebugStringA

ws2_32

GetAddrInfoW
ntohl
ntohs
htons
htonl
FreeAddrInfoW
WSAGetLastError
WSACleanup
WSAStartup
WSCEnumProtocols
WSASocketW
bind
setsockopt
closesocket
WSAEventSelect
WSASocketA
WSAIoctl

rpcrt4

RpcServerInqBindings
RpcEpRegisterW
RpcEpUnregister
RpcImpersonateClient
MesEncodeDynBufferHandleCreate
MesHandleFree
I_RpcExceptionFilter
MesDecodeBufferHandleCreate
RpcServerUseProtseqW
RpcAsyncCompleteCall
NdrServerCall2
NdrMesTypeEncode3
NdrMesTypeDecode3
NdrMesTypeFree3
RpcBindingVectorFree
RpcServerUnregisterIfEx
RpcServerInqCallAttributesW
RpcRaiseException
RpcGetAuthorizationContextForClient
NdrAsyncServerCall
RpcFreeAuthorizationContext
NdrServerCallAll
Ndr64AsyncServerCallAll
RpcStringFreeW
UuidCreate
RpcRevertToSelf
RpcServerRegisterIfEx
UuidToStringW

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-file-l1-1-0

CompareFileTime

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx

api-ms-win-core-threadpool-private-l1-1-0

RegisterWaitForSingleObjectEx

nsi

NsiGetParameter
NsiSetParameter

api-ms-win-core-perfcounters-l1-1-0

PerfStopProvider
PerfSetULongCounterValue
PerfSetCounterRefValue
PerfCreateInstance
PerfStartProvider
PerfSetCounterSetInfo

api-ms-win-security-activedirectoryclient-l1-1-0

DsBindWithSpnExW
DsCrackNamesW
DsUnBindW
DsFreeNameResultW

cryptsp

CryptHashData
CryptCreateHash
CryptReleaseContext
CryptGetHashParam
CryptDestroyHash
CryptAcquireContextA

umpdc

Pdcv2ActivationClientDeactivate
Pdcv2ActivationClientActivate
Pdcv2ActivationClientRenewActivation
Pdcv2ActivationClientUnregister
Pdcv2ActivationClientRegister

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

IkeServiceMain
SvchostPushServiceGlobals

Sections

.text
Size: 816KB - Virtual size: 815KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 175KB - Virtual size: 174KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 952B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c538b9a66ae174f815b44fcd7d205656

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

ntdll

authz

fwpuclnt

msasn1

api-ms-win-core-synch-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-power-setting-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-debug-l1-1-0

ws2_32

rpcrt4

api-ms-win-core-heap-l2-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-threadpool-private-l1-1-0

nsi

api-ms-win-core-perfcounters-l1-1-0

api-ms-win-security-activedirectoryclient-l1-1-0

cryptsp

umpdc

api-ms-win-stateseparation-helpers-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 816KB - Virtual size: 815KB

.rdata Size: 175KB - Virtual size: 174KB

.data Size: 7KB - Virtual size: 21KB

.pdata Size: 25KB - Virtual size: 25KB

.didat Size: 1024B - Virtual size: 952B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 2KB - Virtual size: 2KB

.text
Size: 816KB - Virtual size: 815KB

.rdata
Size: 175KB - Virtual size: 174KB

.data
Size: 7KB - Virtual size: 21KB

.pdata
Size: 25KB - Virtual size: 25KB

.didat
Size: 1024B - Virtual size: 952B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 2KB