Microsoft[.]AAD[.]BrokerPlugin[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

Microsoft.AAD.BrokerPlugin.exe
Size

229KB
MD5

aebafc0b531ca931277e69048971ecb2
SHA1

09b8f5d2e4a7cefd1862744860f69f401d2f7f32
SHA256

7ade172856bdfdd09056fce43f8b62fce46437473ed54d85fdeb1a10530405a0
SHA512

84c7ba33abc8aad4459c2a71872b7b4402bba078545839912b69429c77895eb00a4e562839a287cfcebb07426dd062c47ea7f0e2a9593234f49d472dce82dc7f
SSDEEP

3072:VQH1zjkPvl5cr+QE6EgBJ9XZXL2WsEKbDBujZrr4262HtVNqW:VazEvrjQE6RBn5L3u3BaWjA2W

Score

1^/10

Malware Config

Signatures

Files

Microsoft.AAD.BrokerPlugin.exe
.exe windows:6 windows x86

207d0f5d649c5786fdeebbcad582828a

Code Sign

33:00:00:00:bc:e1:20:fd:d2:7c:c8:ee:93:00:00:00:00:00:bc
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/08/2015, 17:15

Not After

18/11/2016, 17:15

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

aa:fb:a4:b4:41:81:ea:15:2f:de:eb:aa:f6:45:a3:3c:bf:3b:42:a1:69:b3:95:6b:78:36:43:27:7e:48:8a:64
Signer

Actual PE Digest

aa:fb:a4:b4:41:81:ea:15:2f:de:eb:aa:f6:45:a3:3c:bf:3b:42:a1:69:b3:95:6b:78:36:43:27:7e:48:8a:64

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

api-ms-win-core-synch-l1-2-0

InitializeCriticalSectionEx
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
DeleteCriticalSection
Sleep

api-ms-win-core-winrt-error-l1-1-1

RoReportUnhandledError

api-ms-win-core-errorhandling-l1-1-1

SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-util-l1-1-0

DecodePointer

wincorlib

?GetIidsFn@@YGJHPAKPBU__s_GUID@@PAPAVGuid@Platform@@@Z
?GetActivationFactoryByPCWSTR@@YGJPAXAAVGuid@Platform@@PAPAX@Z
?UninitializeData@Details@Platform@@YGXH@Z
?InitializeData@Details@Platform@@YGJH@Z
?EventSourceGetTargetArrayEvent@Details@Platform@@YGPAXPAXIPBXPA_J@Z
?GetCmdArguments@Details@Platform@@YGPAPA_WPAH@Z
?EventSourceGetTargetArraySize@Details@Platform@@YGIPAX@Z
?EventSourceGetTargetArray@Details@Platform@@YGPAXPAXPAUEventLock@12@@Z
??0ChangedStateException@Platform@@Q$AAA@XZ
?EventSourceInitialize@Details@Platform@@YGXPAPAX@Z
??0OutOfBoundsException@Platform@@Q$AAA@XZ
??0FailureException@Platform@@Q$AAA@XZ
??0OutOfMemoryException@Platform@@Q$AAA@XZ
?EventSourceAdd@Details@Platform@@YG?AVEventRegistrationToken@Foundation@Windows@@PAPAXPAUEventLock@12@P$AAVDelegate@2@@Z
?EventSourceRemove@Details@Platform@@YGXPAPAXPAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z
?EventSourceUninitialize@Details@Platform@@YGXPAPAX@Z
?ResolveWeakReference@Details@Platform@@YGP$AAVObject@2@ABU_GUID@@PAPAU__abi_IUnknown@@@Z
??0NotImplementedException@Platform@@Q$AAA@XZ
?GetWeakReference@Details@Platform@@YGPAU__abi_IUnknown@@Q$ADVObject@2@@Z
?GetIBoxArrayVtable@Details@Platform@@YGPAXPAX@Z
??0Delegate@Platform@@Q$AAA@XZ
??0DisconnectedException@Platform@@Q$AAA@XZ
?__abi_translateCurrentException@@YGJ_N@Z
??0FailureException@Platform@@Q$AAA@P$AAVString@1@@Z
?AllocateException@Heap@Details@Platform@@SAPAXII@Z
?__abi_make_type_id@@YGP$AAVType@Platform@@ABU__abi_type_descriptor@@@Z
??BType@Platform@@SA?AVTypeName@Interop@Xaml@UI@Windows@@P$AAV01@@Z
?__abi_cast_String_to_Object@__abi_details@@YGP$AAVObject@Platform@@P$AAVString@3@@Z
?Allocate@Heap@Details@Platform@@SAPAXII@Z
?__abi_WinRTraiseNotImplementedException@@YGXXZ
?__abi_WinRTraiseInvalidCastException@@YGXXZ
?__abi_WinRTraiseNullReferenceException@@YGXXZ
?__abi_WinRTraiseOperationCanceledException@@YGXXZ
?__abi_WinRTraiseFailureException@@YGXXZ
?__abi_WinRTraiseAccessDeniedException@@YGXXZ
?__abi_WinRTraiseOutOfMemoryException@@YGXXZ
?__abi_WinRTraiseInvalidArgumentException@@YGXXZ
?__abi_WinRTraiseOutOfBoundsException@@YGXXZ
?__abi_WinRTraiseChangedStateException@@YGXXZ
?__abi_WinRTraiseClassNotRegisteredException@@YGXXZ
?__abi_WinRTraiseWrongThreadException@@YGXXZ
?__abi_WinRTraiseDisconnectedException@@YGXXZ
?__abi_WinRTraiseObjectDisposedException@@YGXXZ
?__abi_WinRTraiseCOMException@@YGXJ@Z
?ReleaseTarget@ControlBlock@Details@Platform@@AAEXXZ
?AlignedFree@Heap@Details@Platform@@SAXPAX@Z
?Free@Heap@Details@Platform@@SAXPAX@Z
??0Object@Platform@@Q$AAA@XZ
?GetActivationFactory@Details@Platform@@YGJPAVModuleBase@1WRL@Microsoft@@PAUHSTRING__@@PAPAUIActivationFactory@@@Z
?TerminateModule@Details@Platform@@YG_NPAVModuleBase@1WRL@Microsoft@@@Z

msvcrt

??3@YAXPAX@Z
memmove
_purecall
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
wcsrchr
free
??0exception@@QAE@ABV0@@Z
memset
wcslen
_lock
_unlock
__dllonexit
_onexit
_XcptFilter
_amsg_exit
malloc
_initterm
__p__commode
__getmainargs
__set_app_type
exit
_exit
_cexit
__p__fmode
_ismbblead
__setusermatherr
_acmdln
_except_handler4_common
__CxxFrameHandler3
?terminate@@YAXXZ
_controlfp
_callnewh
??0exception@@QAE@ABQBDH@Z
_CxxThrowException
memcpy
??1type_info@@UAE@XZ

ntdll

RtlGetDeviceFamilyInfoEnum

api-ms-win-core-winrt-error-l1-1-0

SetRestrictedErrorInfo
RoOriginateError
RoFailFastWithErrorContext

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference
WindowsCreateString
WindowsDuplicateString
WindowsDeleteString
WindowsCompareStringOrdinal
WindowsIsStringEmpty
WindowsGetStringRawBuffer
WindowsConcatString

api-ms-win-core-com-l1-1-1

CoCreateFreeThreadedMarshaler
CoTaskMemAlloc
CoTaskMemFree

api-ms-win-core-processthreads-l1-1-2

TerminateProcess
GetCurrentProcess
GetCurrentThreadId
GetCurrentProcessId

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-2-1

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleA

api-ms-win-core-kernel32-legacy-l1-1-0

GetStartupInfoA

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory
VSDesignerDllMain

Sections

.text
Size: 130KB - Virtual size: 130KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 56KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 15KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

207d0f5d649c5786fdeebbcad582828a

Code Sign

33:00:00:00:bc:e1:20:fd:d2:7c:c8:ee:93:00:00:00:00:00:bcCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

aa:fb:a4:b4:41:81:ea:15:2f:de:eb:aa:f6:45:a3:3c:bf:3b:42:a1:69:b3:95:6b:78:36:43:27:7e:48:8a:64Signer

Headers

DLL Characteristics

File Characteristics

Imports

api-ms-win-core-synch-l1-2-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-util-l1-1-0

wincorlib

msvcrt

ntdll

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-kernel32-legacy-l1-1-0

Exports

Exports

Sections

.text Size: 130KB - Virtual size: 130KB

.rdata Size: 56KB - Virtual size: 55KB

.data Size: 15KB - Virtual size: 16KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 16KB - Virtual size: 16KB

33:00:00:00:bc:e1:20:fd:d2:7c:c8:ee:93:00:00:00:00:00:bc
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

aa:fb:a4:b4:41:81:ea:15:2f:de:eb:aa:f6:45:a3:3c:bf:3b:42:a1:69:b3:95:6b:78:36:43:27:7e:48:8a:64
Signer

.text
Size: 130KB - Virtual size: 130KB

.rdata
Size: 56KB - Virtual size: 55KB

.data
Size: 15KB - Virtual size: 16KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 16KB - Virtual size: 16KB