Static task
static1
Behavioral task
behavioral1
Sample
auditpol.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
auditpol.exe
Resource
win10v2004-20231023-en
General
Target
auditpol.exe
Size
63KB
MD5
1b10370359f8b6cc355e34225c8ba6d4
SHA1
788912e66f51de9876b8ead3d97d32b5e2ccd3f2
SHA256
08009f932d5a3ca2d856ab5a40a804b3fbb0c5083d0f2c8edcd17747a727a679
SHA512
68a439decc12dc862df48d5d8d28859b1d4dd464eca7b6fb9cb61b5a8bdfd56141a59ed7156a2e9ddcbb58d877176f3c555d8b85666d773848f64c8bf54f144e
SSDEEP
1536:aCmwg5fd1z0WouTB/8dAWZ8bZ0X5yunaJbdk56:aCev1wTo0yK888C85kc
Malware Config
Signatures
Unsigned PE (1 IoC)
Checks for a missing Authenticode signature on the PE file.
resource auditpol.exe
Files
auditpol.exe.exe windows:6 windows x64
502f8e9f12388ef04d1ef49f4ccd4437
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
msvcrt
ferror
_purecall
fgetws
fclose
_amsg_exit
_wfopen
__wgetmainargs
feof
_XcptFilter
memcpy_s
??0exception@@QEAA@AEBV0@@Z
wscanf
__set_app_type
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
__CxxFrameHandler3
_CxxThrowException
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
vfwprintf
exit
_exit
_cexit
__setusermatherr
_initterm
_vsnwprintf_s
__C_specific_handler
_wtoi
free
?terminate@@YAXXZ
_onexit
malloc
__dllonexit
_unlock
_lock
??1type_info@@UEAA@XZ
_commode
_callnewh
wprintf
memmove_s
wcschr
memcpy
memcmp
_wcsnicmp
_vsnwprintf
??0exception@@QEAA@AEBQEBDH@Z
_wcsicmp
_wsetlocale
qsort
_iob
_fmode
memset
api-ms-win-core-string-l1-1-0
WideCharToMultiByte
CompareStringW
api-ms-win-core-console-l1-1-0
GetConsoleOutputCP
WriteConsoleW
api-ms-win-core-localization-l1-2-1
FormatMessageW
SetThreadPreferredUILanguages
api-ms-win-core-heap-l1-2-0
HeapSetInformation
api-ms-win-core-processthreads-l1-1-2
TerminateProcess
GetCurrentProcess
OpenProcessToken
SetThreadStackGuarantee
GetCurrentProcessId
GetCurrentThreadId
api-ms-win-security-sddl-l1-1-0
ConvertSecurityDescriptorToStringSecurityDescriptorW
ConvertStringSidToSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
api-ms-win-security-lsalookup-l2-1-1
LookupPrivilegeValueW
LookupAccountSidW
LookupAccountNameW
api-ms-win-core-errorhandling-l1-1-1
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
GetLastError
api-ms-win-security-base-l1-2-0
SetSecurityDescriptorSacl
EqualSid
InitializeSecurityDescriptor
GetSecurityDescriptorSacl
GetAclInformation
GetAce
AdjustTokenPrivileges
DeleteAce
GetLengthSid
api-ms-win-core-handle-l1-1-0
CloseHandle
api-ms-win-core-registry-l1-1-0
RegCloseKey
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
api-ms-win-core-file-l1-2-1
WriteFile
CreateFileW
DeleteFileW
api-ms-win-core-processenvironment-l1-2-0
GetStdHandle
api-ms-win-core-rtlsupport-l1-2-0
RtlVirtualUnwind
RtlCompareMemory
RtlCaptureContext
RtlLookupFunctionEntry
api-ms-win-core-synch-l1-2-0
Sleep
api-ms-win-core-debug-l1-1-1
OutputDebugStringA
api-ms-win-core-libraryloader-l1-2-0
GetModuleHandleW
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-2-1
GetSystemTimeAsFileTime
GetTickCount
GetSystemInfo
api-ms-win-core-kernel32-legacy-l1-1-1
GetComputerNameW
api-ms-win-security-audit-l1-1-1
AuditLookupSubCategoryNameW
AuditSetSystemPolicy
AuditEnumerateCategories
AuditQuerySystemPolicy
AuditEnumeratePerUserPolicy
AuditQueryPerUserPolicy
AuditQueryGlobalSaclW
AuditSetGlobalSaclW
AuditQuerySecurity
AuditEnumerateSubCategories
AuditSetSecurity
AuditFree
AuditSetPerUserPolicy
AuditLookupCategoryNameW
api-ms-win-security-lsapolicy-l1-1-0
LsaOpenPolicy
LsaLookupSids
LsaClose
LsaFreeMemory
api-ms-win-core-heap-obsolete-l1-1-0
LocalAlloc
LocalFree
ntdll
RtlAllocateHeap
RtlImageNtHeader
RtlNtStatusToDosError
RtlGUIDFromString
RtlFreeHeap
api-ms-win-security-sddlparsecond-l1-1-0
LocalGetStringForCondition
api-ms-win-core-memory-l1-1-2
VirtualProtect
VirtualAlloc
VirtualQuery
Sections
.text Size: 49KB - Virtual size: 48KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 2KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.idata Size: 6KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 2KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 380B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ