Static task
static1
General
Target
poqexec.rar
Size
196KB
MD5
adc4c798d5645992529b88409b000a50
SHA1
f1e57204777ede2272940f0ffc73814d39fd399b
SHA256
4489e8454e46a6886db27777591ca74ee7fa4d9a2f71801f4680962e02a9a2eb
SHA512
38cf9fc87c4fd5cd615f56bb12e5309ca9a564d13c3740f71be9749e06e23ca22881e72d7e46c92caed5b4e7a1b7c9d98bf660cd36e123915b24df6ce2d0d0c0
SSDEEP
6144:myhYkk+YnBhbwBCZ5rFl90FgMIBCv917f0wL6x6UX:m0lcBw0Z1H90FgQtL6xH
Malware Config
Signatures
Unsigned PE 1 IoCs
Flags that the PE carries no Authenticode signature: the unpacked `unpack001/poqexec.exe` is unsigned, so its publisher cannot be established from the file itself and the hashes above should be compared against a trusted reference copy before the binary is treated as legitimate.
resource unpack001/poqexec.exe
Files
poqexec.rar — .rar archive (the submitted sample; its extracted member is unpack001/poqexec.exe)
poqexec.exe — tagged .sys / windows:10 / windows / x64. The `.sys` tag is at odds with the `.exe` name: every import listed below resolves from ntdll and none from ntoskrnl.exe or hal.dll, which suggests a user-mode image rather than a kernel driver; treat the driver classification as unconfirmed.
e2f919b2d48793840c2eb63490b6f095 (unlabelled 128-bit digest — presumably the import hash; confirm the label in the full report before pivoting on it)
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
ntdll (sole import module). Imports worth checking in a dynamic run: NtOpenProcessToken/NtAdjustPrivilegesToken (token privilege adjustment), NtLoadKey/NtUnloadKey and NtCreateKeyTransacted/NtOpenKeyTransactedEx/NtCommitTransaction (hive loading and transacted registry edits), NtSetSecurityObject/RtlNewSecurityObjectEx/RtlAddAccessAllowedAceEx (ACL rewrites), NtSetCachedSigningLevel (cached signing-level changes), NtDeleteFile/NtDeleteKey/NtDeleteValueKey, NtTerminateProcess, and RtlSetSystemBootStatus/NtShutdownSystem (system shutdown).
RtlQueryFeatureConfiguration
RtlNotifyFeatureUsage
RtlRaiseStatus
sprintf_s
NtWriteFile
vsprintf_s
NtQuerySystemTime
NtOpenFile
NtSetInformationFile
NtClose
NtCreateFile
NtSetCachedSigningLevel
RtlCopyUnicodeString
RtlFindMessage
RtlFormatMessage
NtDrawText
NtDisplayString
NtQueryInformationFile
NtOpenProcess
NtQueryInformationProcess
_wcstoui64
RtlInitUnicodeString
NtOpenProcessToken
NtAdjustPrivilegesToken
NtOpenKey
NtLoadKey
NtUnloadKey
NtQueryInformationTransaction
NtCreateTransaction
NtCommitTransaction
RtlSetSystemBootStatus
NtShutdownSystem
NtCreateKey
NtFlushKey
RtlExpandEnvironmentStrings_U
NtFlushBuffersFile
NtReadFile
RtlSetHeapInformation
DbgPrintEx
RtlNtStatusToDosError
RtlAllocateHeap
RtlFreeHeap
NtDelayExecution
NtRollbackTransaction
NtQueryVolumeInformationFile
NtQueryAttributesFile
NtQuerySecurityObject
NtSetSecurityObject
NtCreateKeyTransacted
NtOpenKeyTransactedEx
NtOpenKeyEx
NtDeleteKey
NtQueryValueKey
NtSetValueKey
NtDeleteValueKey
NtFsControlFile
NtTerminateProcess
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlUnhandledExceptionFilter
memmove
RtlNormalizeProcessParams
RtlFreeUnicodeString
NtOpenThreadToken
NtQueryInformationToken
RtlCreateAcl
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlDuplicateUnicodeString
RtlGetOwnerSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetDaclSecurityDescriptor
RtlGetSaclSecurityDescriptor
RtlNewSecurityObjectEx
RtlDeleteSecurityObject
RtlEqualUnicodeString
LdrLoadDll
LdrGetProcedureAddress
NtQueryPerformanceCounter
NtSetIoCompletion
NtWaitForMultipleObjects
RtlGetControlSecurityDescriptor
RtlFindAceByType
NtQuerySystemInformation
NtCreateIoCompletion
NtCreateEvent
TpSimpleTryPost
NtRemoveIoCompletion
NtSetEvent
RtlTimeToTimeFields
NtQueryKey
RtlSetOwnerSecurityDescriptor
RtlSetCurrentTransaction
NtEnumerateKey
RtlGetLengthWithoutLastFullDosOrNtPathElement
NtEnumerateValueKey
RtlGetAce
RtlpApplyLengthFunction
LdrUnloadDll
RtlQueryInformationAcl
RtlAddAccessAllowedAceEx
NtDeleteFile
RtlCaptureStackBackTrace
RtlQueryEnvironmentVariable_U
RtlGetCurrentTransaction
RtlAddAce
RtlLengthSid
NtDuplicateObject
NtYieldExecution
NtSetInformationKey
NtQueryObject
RtlDestroyEnvironment
NtQueryDirectoryFile
RtlDeleteCriticalSection
RtlEnterCriticalSection
RtlInitializeCriticalSection
RtlLeaveCriticalSection
RtlConvertSidToUnicodeString
RtlValidAcl
RtlSetSaclSecurityDescriptor
RtlLengthSecurityDescriptor
RtlValidSid
RtlMakeSelfRelativeSD
NtDuplicateToken
NtSetInformationThread
RtlCopySid
RtlSetGroupSecurityDescriptor
RtlCreateEnvironmentEx
RtlUpcaseUnicodeChar
RtlDowncaseUnicodeChar
RtlReAllocateHeap
RtlDosPathNameToNtPathName_U
LdrGetDllHandleEx
DbgPrint
RtlCreateUnicodeStringFromAsciiz
iswspace
wcscpy_s
memcpy_s
strncmp
_snprintf_s
wcstoul
memcmp
memcpy
memset
Sections
.text Size: 400KB - Virtual size: 396KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 128KB - Virtual size: 127KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 12KB - Virtual size: 9KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 4KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.reloc Size: 4KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ