sample[.]zip | Triage

Sharing

Copy URL Twitter E-mail

General

Target

sample.zip
Size

357KB
MD5

6c561008725f734cef42cb943aec2038
SHA1

ecd632bfa40eb3cebe9460a9ffa09129ed6945b7
SHA256

c32d4ab36ee219afc401023c470d8d1679683bfbf6b4ed82ef3d747ca4506d49
SHA512

bbf7940237680eec09aac524e83de56b894c938c870881208ab5904106b7aa45dc434c776b89000ddd69f984bbfccb04442c549ad88cf28f6fedf2f40bdfe75b
SSDEEP

6144:67jAQSOTpGNLBcbpyZ/NK1BcLSJ3rPNkJMFgEso03Kg3dZzD46W8jceqzVxDcPkW:67cQSOTO2M/zSJ5G+DYL3dZY6WG/4VmX

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/expedita.y

Files

sample.zip
.zip

Password: infected
dolor.r.bat
expedita.y
.dll windows:6 windows x64

Password: infected

37d0a713c58a38fd923640c2edd1673e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

advapi32

EventUnregister
EventWrite
EventRegister

kernel32

WideCharToMultiByte
CreateFileW
GetFileSizeEx
ReadFile
CloseHandle
ResetEvent
WaitForSingleObjectEx
CreateEventExW
VerSetConditionMask
VerifyVersionInfoW
SetEvent
InitializeSListHead
InterlockedPopEntrySList
InterlockedPushEntrySList
GetModuleHandleExW
EnterCriticalSection
GetProcAddress
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetModuleHandleW
CreateEventW
InitializeCriticalSectionAndSpinCount
LoadLibraryW
FreeLibrary
GetLastError
DisableThreadLibraryCalls
GetEnvironmentVariableW
InitOnceExecuteOnce
InitOnceInitialize
DeleteCriticalSection
InitializeCriticalSectionEx
LeaveCriticalSection
InterlockedFlushSList

dxgi

CreateDXGIFactory1

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

Exports

Exports

q?0_Event@details@Concurrency@@QEAA@AEBV012@@Z
q?0_Event@details@Concurrency@@QEAA@XZ
q?0accelerator@Concurrency@@AEAA@V?$_Reference_counted_obj_ptr@V_Accelerator_impl@details@Concurrency@@@details@1@@Z
q?0accelerator@Concurrency@@QEAA@AEBV01@@Z
q?0accelerator@Concurrency@@QEAA@XZ
q?0accelerator_view@Concurrency@@AEAA@V?$_Reference_counted_obj_ptr@V_Accelerator_view_impl@details@Concurrency@@@details@1@_N@Z
q?0accelerator_view@Concurrency@@QEAA@AEBV01@@Z
q?0accelerator_view_removed@Concurrency@@QEAA@J@Z
q?0accelerator_view_removed@Concurrency@@QEAA@PEBDJ@Z
q?0invalid_compute_domain@Concurrency@@QEAA@PEBD@Z
q?0invalid_compute_domain@Concurrency@@QEAA@XZ
q?0out_of_memory@Concurrency@@QEAA@PEBD@Z
q?0out_of_memory@Concurrency@@QEAA@XZ
q?0runtime_exception@Concurrency@@QEAA@AEBV01@@Z
q?0runtime_exception@Concurrency@@QEAA@J@Z
q?0runtime_exception@Concurrency@@QEAA@PEBDJ@Z
q?0scoped_d3d_access_lock@direct3d@Concurrency@@QEAA@$$QEAV012@@Z
q?0scoped_d3d_access_lock@direct3d@Concurrency@@QEAA@AEAVaccelerator_view@2@@Z
q?0scoped_d3d_access_lock@direct3d@Concurrency@@QEAA@AEAVaccelerator_view@2@Uadopt_d3d_access_lock_t@12@@Z
q?0unsupported_feature@Concurrency@@QEAA@PEBD@Z
q?0unsupported_feature@Concurrency@@QEAA@XZ
q?1_Amp_runtime_trace@details@Concurrency@@QEAA@XZ
q?1_Event@details@Concurrency@@QEAA@XZ
q?1accelerator@Concurrency@@QEAA@XZ
q?1accelerator_view@Concurrency@@QEAA@XZ
q?1runtime_exception@Concurrency@@UEAA@XZ
q?1scoped_d3d_access_lock@direct3d@Concurrency@@QEAA@XZ
q?4_Event@details@Concurrency@@QEAAAEAV012@AEBV012@@Z
q?4accelerator@Concurrency@@QEAAAEAV01@AEBV01@@Z
q?4accelerator_view@Concurrency@@QEAAAEAV01@AEBV01@@Z
q?4runtime_exception@Concurrency@@QEAAAEAV01@AEBV01@@Z
q?4scoped_d3d_access_lock@direct3d@Concurrency@@QEAAAEAV012@$$QEAV012@@Z
q?8_Event@details@Concurrency@@QEBA_NAEBV012@@Z
q?8accelerator@Concurrency@@QEBA_NAEBV01@@Z
q?8accelerator_view@Concurrency@@QEBA_NAEBV01@@Z
q?9_Event@details@Concurrency@@QEBA_NAEBV012@@Z
q?9accelerator@Concurrency@@QEBA_NAEBV01@@Z
q?9accelerator_view@Concurrency@@QEBA_NAEBV01@@Z
q_Add_continuation@_Event@details@Concurrency@@QEAA?AV123@AEBV?$function@$$A6A?AV_Event@details@Concurrency@@XZ@std@@@Z
q_Add_event@_Event@details@Concurrency@@QEAA?AV123@V123@@Z
q_Adopt_texture@_Texture@details@Concurrency@@SAPEAV123@IW4_Short_vector_base_type_id@23@PEAUIUnknown@@Vaccelerator_view@3@I@Z
q_Clone_texture@_Texture@details@Concurrency@@SAPEAV123@PEBV123@AEBVaccelerator_view@3@1@Z
q_Copy_async_impl@details@Concurrency@@YA?AV_Event@12@PEAV_Texture@12@PEB_KI01I11@Z
q_Copy_impl@details@Concurrency@@YA?AV_Event@12@PEAV_Buffer@12@V?$_Reference_counted_obj_ptr@V_View_shape@details@Concurrency@@@12@01@Z
q_Copy_impl@details@Concurrency@@YA?AV_Event@12@PEAV_Buffer@12@_K0111@Z
q_Copy_to_async@_Buffer@details@Concurrency@@QEAA?AV_Event@23@PEAV123@V?$_Reference_counted_obj_ptr@V_View_shape@details@Concurrency@@@23@1@Z
q_Copy_to_async@_Buffer@details@Concurrency@@QEAA?AV_Event@23@PEAV123@_K11@Z
q_Copy_to_async@_Texture@details@Concurrency@@QEAA?AV_Event@23@PEAV123@PEB_K11II@Z
q_Create@_Sampler@details@Concurrency@@SAPEAV123@IIMMMM@Z
q_Create@_Sampler@details@Concurrency@@SAPEAV123@PEAX@Z
q_Create_buffer@_Buffer@details@Concurrency@@SAPEAV123@PEAXVaccelerator_view@3@_K2@Z
q_Create_buffer@_Buffer@details@Concurrency@@SAPEAV123@Vaccelerator_view@3@0_K1_NW4access_type@3@@Z
q_Create_stage_buffer@_Buffer@details@Concurrency@@SAPEAV123@Vaccelerator_view@3@0_K1_N@Z
q_Create_stage_texture@_Texture@details@Concurrency@@SAPEAV123@Vaccelerator_view@3@0I_K11II_N@Z
q_Create_stage_texture@_Texture@details@Concurrency@@SAPEAV123@Vaccelerator_view@3@0I_K11IW4_Short_vector_base_type_id@23@II@Z
q_Create_texture@_Texture@details@Concurrency@@SAPEAV123@Vaccelerator_view@3@I_K11IW4_Short_vector_base_type_id@23@II_N@Z
q_Create_ubiquitous_buffer@_Ubiquitous_buffer@details@Concurrency@@SAPEAV123@V?$_Reference_counted_obj_ptr@V_Buffer@details@Concurrency@@@23@@Z
q_Create_ubiquitous_buffer@_Ubiquitous_buffer@details@Concurrency@@SAPEAV123@_K0@Z
q_Create_view_shape@_View_shape@details@Concurrency@@SAPEAV123@IIPEBI00PEB_N@Z
q_Discard@_Ubiquitous_buffer@details@Concurrency@@QEAAXPEAU_Buffer_descriptor@23@@Z
q_Exclusively_owns_data@_Buffer@details@Concurrency@@QEAA_NXZ
q_Get@_Event@details@Concurrency@@QEAAXXZ
q_Get_CPU_access@_Buffer_descriptor@details@Concurrency@@QEBAXW4_Access_mode@@@Z
q_Get_D3D_buffer@_D3D_interop@details@Concurrency@@SAPEAUIUnknown@@PEAV_Buffer@23@@Z
q_Get_D3D_sampler@_D3D_interop@details@Concurrency@@SAPEAUIUnknown@@AEBVaccelerator_view@3@PEAV_Sampler@23@@Z
q_Get_D3D_sampler_data_ptr@_D3D_interop@details@Concurrency@@SAPEAXPEAUIUnknown@@@Z
q_Get_D3D_texture@_D3D_interop@details@Concurrency@@SAPEAUIUnknown@@PEAV_Texture@23@@Z
q_Get_accelerator_view@_Buffer@details@Concurrency@@QEBA?AVaccelerator_view@3@XZ
q_Get_access_async@_Ubiquitous_buffer@details@Concurrency@@AEAA?AV_Event@23@PEAU_Buffer_descriptor@23@Vaccelerator_view@3@W4_Access_mode@@AEAV?$_Reference_counted_obj_ptr@V_Buffer@details@Concurrency@@@23@PEA_K@Z
q_Get_access_async@_Ubiquitous_buffer@details@Concurrency@@QEAA?AV_Event@23@PEAU_Buffer_descriptor@23@V?$_Reference_counted_obj_ptr@V_Accelerator_view_impl@details@Concurrency@@@23@W4_Access_mode@@AEAV?$_Reference_counted_obj_ptr@V_Buffer@details@Concurrency@@@23@PEA_K@Z
q_Get_access_on_accelerator_view@_Buffer@details@Concurrency@@QEBA?AVaccelerator_view@3@XZ
q_Get_amp_trace@details@Concurrency@@YAPEAV_Amp_runtime_trace@12@XZ
q_Get_description@accelerator@Concurrency@@AEBAPEB_WXZ
q_Get_device_path@accelerator@Concurrency@@AEBAPEB_WXZ
q_Get_devices@details@Concurrency@@YAPEAV?$_Reference_counted_obj_ptr@V_Accelerator_impl@details@Concurrency@@@12@XZ
q_Get_master_accelerator_view@_Ubiquitous_buffer@details@Concurrency@@QEBA?AVaccelerator_view@3@XZ
q_Get_master_buffer@_Ubiquitous_buffer@details@Concurrency@@QEBA?AV?$_Reference_counted_obj_ptr@V_Buffer@details@Concurrency@@@23@XZ
q_Get_num_devices@details@Concurrency@@YA_KXZ
q_Get_preferred_copy_chunk_size@details@Concurrency@@YA_K_K@Z
q_Get_recommended_buffer_host_access_mode@details@Concurrency@@YA?AW4_Access_mode@@AEBVaccelerator_view@2@@Z
q_Get_reduced_shape_for_copy@_View_shape@details@Concurrency@@QEAAPEAV123@XZ
q_Get_src_dest_accelerator_view@details@Concurrency@@YA?AU?$pair@Vaccelerator_view@Concurrency@@V12@@std@@PEBU_Buffer_descriptor@12@0@Z
q_Get_temp_staging_buffer@_Buffer@details@Concurrency@@SAPEAV123@Vaccelerator_view@3@_K1@Z
q_Get_temp_staging_texture@_Texture@details@Concurrency@@SAPEAV123@Vaccelerator_view@3@I_K11II@Z
q_Get_view_shape@_Ubiquitous_buffer@details@Concurrency@@QEAA?AV?$_Reference_counted_obj_ptr@V_View_shape@details@Concurrency@@@23@PEAU_Buffer_descriptor@23@@Z
q_Init@accelerator@Concurrency@@AEAAXPEB_W@Z
q_Is_D3D_accelerator_view@details@Concurrency@@YA_NAEBVaccelerator_view@2@@Z
q_Is_empty@_Event@details@Concurrency@@QEBA_NXZ
q_Is_finished@_Event@details@Concurrency@@QEAA_NXZ
q_Is_finished_nothrow@_Event@details@Concurrency@@QEAA_NXZ
q_Is_mappable@_Buffer@details@Concurrency@@QEBA_NXZ
q_Launch_array_view_synchronize_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAKAEBU_Buffer_descriptor@23@@Z
q_Launch_async_copy_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAK$$TAEBU_Buffer_descriptor@23@_K@Z
q_Launch_async_copy_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAK$$TAEBU_Texture_descriptor@23@_K@Z
q_Launch_async_copy_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAKAEBU_Buffer_descriptor@23@$$T_K@Z
q_Launch_async_copy_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAKAEBU_Buffer_descriptor@23@0_K@Z
q_Launch_async_copy_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAKAEBU_Texture_descriptor@23@$$T_K@Z
q_Launch_async_copy_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAKAEBU_Texture_descriptor@23@0_K@Z
q_Map_buffer@_Buffer@details@Concurrency@@QEAAXW4_Access_mode@@_N@Z
q_Map_buffer_async@_Buffer@details@Concurrency@@QEAA?AV_Event@23@W4_Access_mode@@@Z
q_Recursive_array_copy@details@Concurrency@@YAJAEBU_Array_copy_desc@12@IV?$function@$$A6AJAEBU_Array_copy_desc@details@Concurrency@@@Z@std@@@Z
q_Register_async_event@details@Concurrency@@YAXAEBV_Event@12@AEBV?$shared_future@X@std@@@Z
q_Register_view@_Buffer@details@Concurrency@@QEAAXPEAU_Buffer_descriptor@23@@Z
q_Register_view@_Ubiquitous_buffer@details@Concurrency@@QEAAXPEAU_Buffer_descriptor@23@Vaccelerator_view@3@V?$_Reference_counted_obj_ptr@V_View_shape@details@Concurrency@@@23@QEAU423@@Z
q_Register_view_copy@_Ubiquitous_buffer@details@Concurrency@@QEAAXPEAU_Buffer_descriptor@23@0@Z
q_Release@_Reference_counter@details@Concurrency@@QEAAXXZ
q_Release_D3D_sampler_data_ptr@_D3D_interop@details@Concurrency@@SAXPEAX@Z
q_Select_copy_src_accelerator_view@details@Concurrency@@YA?AVaccelerator_view@2@PEAU_Buffer_descriptor@12@AEBV32@@Z
q_Select_default_accelerator@details@Concurrency@@YA?AVaccelerator@2@XZ
q_Set_default_accelerator@details@Concurrency@@YA_NV?$_Reference_counted_obj_ptr@V_Accelerator_impl@details@Concurrency@@@12@@Z
q_Start_array_view_synchronize_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAKAEBU_Buffer_descriptor@23@@Z
q_Start_async_op_wait_event@_Amp_runtime_trace@details@Concurrency@@AEAAKK@Z
q_Start_copy_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAK$$TAEBU_Buffer_descriptor@23@_K@Z
q_Start_copy_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAK$$TAEBU_Texture_descriptor@23@_K@Z
q_Start_copy_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAKAEBU_Buffer_descriptor@23@$$T_K@Z
q_Start_copy_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAKAEBU_Buffer_descriptor@23@0_K@Z
q_Start_copy_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAKAEBU_Texture_descriptor@23@$$T_K@Z
q_Start_copy_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAKAEBU_Texture_descriptor@23@0_K@Z
q_Start_parallel_for_each_event_helper@_Amp_runtime_trace@details@Concurrency@@QEAAKPEAU_DPC_call_handle@23@@Z
q_Unmap_buffer@_Buffer@details@Concurrency@@QEAAXXZ
q_Unregister_view@_Buffer@details@Concurrency@@QEAAXPEAU_Buffer_descriptor@23@@Z
q_Unregister_view@_Ubiquitous_buffer@details@Concurrency@@QEAAXPEAU_Buffer_descriptor@23@@Z
q_Write_end_event@_Amp_runtime_trace@details@Concurrency@@QEAAXK@Z
qamp_uninitialize@Concurrency@@YAXXZ
qcpu_accelerator@accelerator@Concurrency@@2QB_WB
qcreate_accelerator_view@direct3d@Concurrency@@YA?AVaccelerator_view@2@AEAVaccelerator@2@_NW4queuing_mode@2@@Z
qcreate_accelerator_view@direct3d@Concurrency@@YA?AVaccelerator_view@2@PEAUIUnknown@@W4queuing_mode@2@@Z
qcreate_marker@accelerator_view@Concurrency@@QEAA?AVcompletion_future@2@XZ
qcreate_view@accelerator@Concurrency@@QEAA?AVaccelerator_view@2@W4queuing_mode@2@@Z
qd3d_access_lock@direct3d@Concurrency@@YAXAEAVaccelerator_view@2@@Z
qd3d_access_try_lock@direct3d@Concurrency@@YA_NAEAVaccelerator_view@2@@Z
qd3d_access_unlock@direct3d@Concurrency@@YAXAEAVaccelerator_view@2@@Z
qdefault_accelerator@accelerator@Concurrency@@2QB_WB
qdirect3d_ref@accelerator@Concurrency@@2QB_WB
qdirect3d_warp@accelerator@Concurrency@@2QB_WB
qflush@accelerator_view@Concurrency@@QEAAXXZ
qget_accelerator@accelerator_view@Concurrency@@QEBA?AVaccelerator@2@XZ
qget_auto_selection_view@accelerator@Concurrency@@SA?AVaccelerator_view@2@XZ
qget_dedicated_memory@accelerator@Concurrency@@QEBA_KXZ
qget_default_cpu_access_type@accelerator@Concurrency@@QEBA?AW4access_type@2@XZ
qget_default_view@accelerator@Concurrency@@QEBA?AVaccelerator_view@2@XZ
qget_device@direct3d@Concurrency@@YAPEAUIUnknown@@AEBVaccelerator_view@2@@Z
qget_error_code@runtime_exception@Concurrency@@QEBAJXZ
qget_has_display@accelerator@Concurrency@@QEBA_NXZ
qget_is_auto_selection@accelerator_view@Concurrency@@QEBA_NXZ
qget_is_debug@accelerator@Concurrency@@QEBA_NXZ
qget_is_debug@accelerator_view@Concurrency@@QEBA_NXZ
qget_is_emulated@accelerator@Concurrency@@QEBA_NXZ
qget_queuing_mode@accelerator_view@Concurrency@@QEBA?AW4queuing_mode@2@XZ
qget_supports_cpu_shared_memory@accelerator@Concurrency@@QEBA_NXZ
qget_supports_double_precision@accelerator@Concurrency@@QEBA_NXZ
qget_supports_limited_double_precision@accelerator@Concurrency@@QEBA_NXZ
qget_version@accelerator@Concurrency@@QEBAIXZ
qget_version@accelerator_view@Concurrency@@QEBAIXZ
qget_view_removed_reason@accelerator_view_removed@Concurrency@@QEBAJXZ
qis_timeout_disabled@direct3d@Concurrency@@YA_NAEBVaccelerator_view@2@@Z
qset_default_cpu_access_type@accelerator@Concurrency@@QEAA_NW4access_type@2@@Z
qwait@accelerator_view@Concurrency@@QEAAXXZ
q_dpc_create_call_handle
q_dpc_dispatch_kernel
q_dpc_dispatch_kernel_test
q_dpc_release_call_handle
q_dpc_set_const_buffer_info
q_dpc_set_device_resource_info
q_dpc_set_kernel_dispatch_info
scab

Sections

.text
Size: 708KB - Virtual size: 708KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 355KB - Virtual size: 355KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 61KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 28KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

37d0a713c58a38fd923640c2edd1673e

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

dxgi

version

Exports

Exports

Sections

.text Size: 708KB - Virtual size: 708KB

.rdata Size: 355KB - Virtual size: 355KB

.data Size: 13KB - Virtual size: 15KB

.pdata Size: 61KB - Virtual size: 61KB

.rsrc Size: 28KB - Virtual size: 25KB

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 708KB - Virtual size: 708KB

.rdata
Size: 355KB - Virtual size: 355KB

.data
Size: 13KB - Virtual size: 15KB

.pdata
Size: 61KB - Virtual size: 61KB

.rsrc
Size: 28KB - Virtual size: 25KB

.reloc
Size: 2KB - Virtual size: 1KB