Static task
static1
General
-
Target
poqexec.exe
-
Size
556KB
-
MD5
a61ba49d808ad47dfe4f6e5fb98a157a
-
SHA1
32969cde9cdc9efd1512a45cc4b44cdcff26aa94
-
SHA256
d87614d7c1554d2c38c12022f0f601eaa6ab94399320d25732303de4f3ab3495
-
SHA512
e41ffe1e081d38fd93388167f2917ce76dbeac0e97668aeb83ccdfdaf1668ca341026507511f543673a864457f2987a75825927bab62570bc48caf759d36ba7c
-
SSDEEP
12288:z5odEog+Ls2lBhBJmlD8myKFbrEE5KRGcpF5e:9od0+57URdrSA85e
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks whether the PE file lacks an Authenticode signature.
resource poqexec.exe
Files
-
poqexec.exe.sys windows:10 windows x64
e2f919b2d48793840c2eb63490b6f095
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
ntdll
RtlQueryFeatureConfiguration
RtlNotifyFeatureUsage
RtlRaiseStatus
sprintf_s
NtWriteFile
vsprintf_s
NtQuerySystemTime
NtOpenFile
NtSetInformationFile
NtClose
NtCreateFile
NtSetCachedSigningLevel
RtlCopyUnicodeString
RtlFindMessage
RtlFormatMessage
NtDrawText
NtDisplayString
NtQueryInformationFile
NtOpenProcess
NtQueryInformationProcess
_wcstoui64
RtlInitUnicodeString
NtOpenProcessToken
NtAdjustPrivilegesToken
NtOpenKey
NtLoadKey
NtUnloadKey
NtQueryInformationTransaction
NtCreateTransaction
NtCommitTransaction
RtlSetSystemBootStatus
NtShutdownSystem
NtCreateKey
NtFlushKey
RtlExpandEnvironmentStrings_U
NtFlushBuffersFile
NtReadFile
RtlSetHeapInformation
DbgPrintEx
RtlNtStatusToDosError
RtlAllocateHeap
RtlFreeHeap
NtDelayExecution
NtRollbackTransaction
NtQueryVolumeInformationFile
NtQueryAttributesFile
NtQuerySecurityObject
NtSetSecurityObject
NtCreateKeyTransacted
NtOpenKeyTransactedEx
NtOpenKeyEx
NtDeleteKey
NtQueryValueKey
NtSetValueKey
NtDeleteValueKey
NtFsControlFile
NtTerminateProcess
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlUnhandledExceptionFilter
memmove
RtlNormalizeProcessParams
RtlFreeUnicodeString
NtOpenThreadToken
NtQueryInformationToken
RtlCreateAcl
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlDuplicateUnicodeString
RtlGetOwnerSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetDaclSecurityDescriptor
RtlGetSaclSecurityDescriptor
RtlNewSecurityObjectEx
RtlDeleteSecurityObject
RtlEqualUnicodeString
LdrLoadDll
LdrGetProcedureAddress
NtQueryPerformanceCounter
NtSetIoCompletion
NtWaitForMultipleObjects
RtlGetControlSecurityDescriptor
RtlFindAceByType
NtQuerySystemInformation
NtCreateIoCompletion
NtCreateEvent
TpSimpleTryPost
NtRemoveIoCompletion
NtSetEvent
RtlTimeToTimeFields
NtQueryKey
RtlSetOwnerSecurityDescriptor
RtlSetCurrentTransaction
NtEnumerateKey
RtlGetLengthWithoutLastFullDosOrNtPathElement
NtEnumerateValueKey
RtlGetAce
RtlpApplyLengthFunction
LdrUnloadDll
RtlQueryInformationAcl
RtlAddAccessAllowedAceEx
NtDeleteFile
RtlCaptureStackBackTrace
RtlQueryEnvironmentVariable_U
RtlGetCurrentTransaction
RtlAddAce
RtlLengthSid
NtDuplicateObject
NtYieldExecution
NtSetInformationKey
NtQueryObject
RtlDestroyEnvironment
NtQueryDirectoryFile
RtlDeleteCriticalSection
RtlEnterCriticalSection
RtlInitializeCriticalSection
RtlLeaveCriticalSection
RtlConvertSidToUnicodeString
RtlValidAcl
RtlSetSaclSecurityDescriptor
RtlLengthSecurityDescriptor
RtlValidSid
RtlMakeSelfRelativeSD
NtDuplicateToken
NtSetInformationThread
RtlCopySid
RtlSetGroupSecurityDescriptor
RtlCreateEnvironmentEx
RtlUpcaseUnicodeChar
RtlDowncaseUnicodeChar
RtlReAllocateHeap
RtlDosPathNameToNtPathName_U
LdrGetDllHandleEx
DbgPrint
RtlCreateUnicodeStringFromAsciiz
iswspace
wcscpy_s
memcpy_s
strncmp
_snprintf_s
wcstoul
memcmp
memcpy
memset
Sections
.text Size: 400KB - Virtual size: 396KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 128KB - Virtual size: 127KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 4KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 12KB - Virtual size: 9KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 4KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.reloc Size: 4KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ