cipher[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

cipher.exe
Size

43KB
MD5

ff0a04c62155fe80fb556ba38fc7aaa4
SHA1

4b7c1580520eaa82c137e5e85e86dc5ec8c9a510
SHA256

be2bd11e37b186379f9ae0136bb555c8c30c22a14bcc8064e05c0c6735261cdb
SHA512

eec08fc49abba0b24e7f7b965a8f7c0a856e94a24a55f5cc071a10cc8d3f737e7b0e140cab74c95565f976291c33b94a2d34ede6024ced27f692cf313a003142
SSDEEP

768:N356P+6hH6rDnwwUBKP/579sCpuQnze1CwvGX8WX0fYGm8cfo9WFgP7:N3h6hY5xgQpwv43kAJ83EmP7

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
cipher.exe

Files

cipher.exe
.exe windows:6 windows x64

69d9ffba8cc8e6a695d3a73b11cb32be

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

EncryptedFileKeyInfo
AddUsersToEncryptedFile
CryptAcquireContextW
FlushEfsCache
DecryptFileW
EqualSid
CryptReleaseContext
RegQueryValueExW
ConvertStringSidToSidW
LookupAccountSidW
QueryRecoveryAgentsOnEncryptedFile
RegOpenKeyExW
CryptDestroyKey
SetUserFileEncryptionKey
AddUsersToEncryptedFileEx
FreeEncryptedFileKeyInfo
FreeEncryptionCertificateHashList
QueryUsersOnEncryptedFile
CryptGetUserKey
EncryptFileW
RegCloseKey
RemoveUsersFromEncryptedFile

kernel32

SetFilePointer
GetDriveTypeW
SetEndOfFile
SetErrorMode
VerSetConditionMask
CreateDirectoryW
GetComputerNameW
VirtualFree
ReadConsoleW
GetVolumePathNameW
FindNextVolumeW
GetLastError
GetFileAttributesW
CreateFileW
lstrcmpW
FlushFileBuffers
VerifyVersionInfoW
GetCurrentDirectoryW
SetLastError
VirtualAlloc
GetDiskFreeSpaceW
FindClose
FindVolumeClose
RemoveDirectoryW
QueryDosDeviceW
DeviceIoControl
HeapSetInformation
FindNextFileW
GetDiskFreeSpaceExW
CloseHandle
FindFirstVolumeW
GetVolumeNameForVolumeMountPointW
GetVolumeInformationW
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
DelayLoadFailureHook
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
Sleep
FindFirstFileW
GetFullPathNameW
GetTempFileNameW
LocalFree
GetFileType
SetCurrentDirectoryW
GetProcAddress
GetStdHandle
lstrlenW
WriteConsoleW
FormatMessageW
GetConsoleMode
WideCharToMultiByte
WriteFile
GetProcessHeap
GetModuleHandleW
HeapFree
HeapAlloc
SetConsoleMode
ResolveDelayLoadedAPI

msvcrt

__C_specific_handler
_initterm
__setusermatherr
_fmode
_commode
memcpy
?terminate@@YAXXZ
strcmp
memset
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
getchar
towupper
_putws
_iob
printf
_wcsnicmp
_get_osfhandle
_vsnwprintf
_wcsicmp
wcschr
fgetws
wcscmp

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
RtlNtStatusToDosError
RtlVirtualUnwind

rpcrt4

UuidToStringW
UuidCreate
RpcStringFreeW

user32

MessageBoxW

ntdsapi

DsBindW
DsFreeNameResultW
DsUnBindW
DsCrackNamesW

crypt32

CertOpenStore
CertGetEnhancedKeyUsage
CertFreeCertificateContext
CertAddCertificateContextToStore
CertFindCertificateInStore
CertCloseStore
CertGetCertificateContextProperty
CertEnumCertificatesInStore
CryptStringToBinaryW
PFXExportCertStoreEx
CryptQueryObject

bcrypt

BCryptGetProperty
BCryptDestroyKey
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider
BCryptGenerateSymmetricKey
BCryptGenRandom
BCryptEncrypt

netapi32

DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory

efsutil

EfsUtilGetCurrentUserInformation
EfsUtilCreateSelfSignedCertificate
EfsUtilGetSmartcardProviderName

feclient

EfsClientQueryProtectors
EfsClientFreeProtectorList

Sections

.text
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

69d9ffba8cc8e6a695d3a73b11cb32be

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

msvcrt

ntdll

rpcrt4

user32

ntdsapi

crypt32

bcrypt

netapi32

efsutil

feclient

Sections

.text Size: 31KB - Virtual size: 31KB

.data Size: 512B - Virtual size: 10KB

.pdata Size: 1024B - Virtual size: 984B

.idata Size: 6KB - Virtual size: 5KB

.didat Size: 512B - Virtual size: 32B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 512B - Virtual size: 52B

.text
Size: 31KB - Virtual size: 31KB

.data
Size: 512B - Virtual size: 10KB

.pdata
Size: 1024B - Virtual size: 984B

.idata
Size: 6KB - Virtual size: 5KB

.didat
Size: 512B - Virtual size: 32B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 512B - Virtual size: 52B