SoS[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

SoS.exe
Size

6.5MB
MD5

bbb94fc663f9e16ba4ad38ce29b52d70
SHA1

4077610438a206d1a9168a9de8fd79e0dbb99bb2
SHA256

17c965d6f56deca90e20ba5145726aff65288b04c26a19e5c04b4febddf8e731
SHA512

a3b1668140eaef021a481fd35d5cfa1f636a3704ce8416cb77759f78b8d49904ebc9c7b074d4e837b0284196a9aca37ca242286102baa597617b891ab1a7be9e
SSDEEP

49152:EEezaZU3by9kkAVZF+SpOBtQR9nTrQAM6hdsk3mBrnGJdOKGVWmJh6uYuLMDvoT6:5LQfid4BPojFoBAFpxZL6Pn9J0L++J

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
SoS.exe

Files

SoS.exe
.exe windows:6 windows x64 arch:x64

08cfd530fb1fa89de5dfe30f24615b8d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

secur32

LsaGetLogonSessionData
LsaFreeReturnBuffer
LsaEnumerateLogonSessions

kernel32

SetUnhandledExceptionFilter
TerminateProcess
IsDebuggerPresent
CloseHandle
GetTickCount
Sleep
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
CreateMutexA
GetLastError
GetCurrentProcess
IsWow64Process
GetModuleHandleA
GetSystemInfo
VirtualProtect
GetModuleHandleW
lstrcmpiW
WaitForSingleObject
GetExitCodeProcess
GetComputerNameW
GetCurrentProcessId
CreateToolhelp32Snapshot
Thread32First
OpenThread
Thread32Next
WakeAllConditionVariable
GetCurrentThread
GetUserPreferredUILanguages
GetTickCount64
GetLogicalDrives
GetComputerNameExW
LoadLibraryExW
GetProcAddress
FreeLibrary
GetFileInformationByHandleEx
DeleteFileW
AddVectoredExceptionHandler
SetThreadStackGuarantee
HeapAlloc
GetProcessHeap
HeapFree
HeapReAlloc
SwitchToThread
SleepConditionVariableSRW
TryAcquireSRWLockExclusive
GetQueuedCompletionStatusEx
CreateIoCompletionPort
SetFileCompletionNotificationModes
WakeConditionVariable
GetFileInformationByHandle
DuplicateHandle
GetStdHandle
GetConsoleMode
MultiByteToWideChar
WriteConsoleW
SetLastError
QueryPerformanceFrequency
FormatMessageW
GetCurrentDirectoryW
ReleaseMutex
WaitForSingleObjectEx
LoadLibraryA
RtlCaptureContext
RtlLookupFunctionEntry
GetEnvironmentVariableW
GetTempPathW
GetModuleFileNameW
CreateFileW
GetFullPathNameW
GetFinalPathNameByHandleW
SetFilePointerEx
FindNextFileW
CreateDirectoryW
FindFirstFileW
FindClose
SetHandleInformation
GetEnvironmentStringsW
FreeEnvironmentStringsW
CompareStringOrdinal
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
CreateNamedPipeW
CreateThread
ReadFileEx
SleepEx
WriteFileEx
ExitProcess
QueryPerformanceCounter
GetSystemTimeAsFileTime
AcquireSRWLockShared
ReleaseSRWLockShared
SetFileInformationByHandle
CopyFileExW
GetProcessTimes
GetSystemTimes
GetProcessIoCounters
LocalFree
ReadProcessMemory
VirtualQueryEx
OpenProcess
GetDriveTypeW
GetVolumeInformationW
GetDiskFreeSpaceExW
DeviceIoControl
GlobalMemoryStatusEx
PostQueuedCompletionStatus
LoadLibraryExA
RtlVirtualUnwind
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
GetSystemDirectoryA
WideCharToMultiByte
GetEnvironmentVariableA
MoveFileExA
VerSetConditionMask
VerifyVersionInfoW
CreateFileA
GetFileSizeEx
ReadFile
FlushFileBuffers
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
SystemTimeToFileTime
GetFileSize
LockFileEx
UnlockFile
HeapDestroy
HeapCompact
LoadLibraryW
DeleteFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapSize
HeapValidate
UnmapViewOfFile
CreateMutexW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
WriteFile
HeapCreate
AreFileApisANSI
InitializeCriticalSection
TryEnterCriticalSection
GetCurrentThreadId
IsProcessorFeaturePresent
InitializeSListHead
UnhandledExceptionFilter

pdh

PdhGetFormattedCounterValue
PdhOpenQueryA
PdhCollectQueryData
PdhAddEnglishCounterW
PdhRemoveCounter
PdhCloseQuery

advapi32

LookupAccountSidW
RegQueryValueExW
GetUserNameW
GetTokenInformation
OpenProcessToken
CopySid
GetLengthSid
IsValidSid
CryptGetHashParam
CryptReleaseContext
CryptCreateHash
RegSetValueExW
RegOpenKeyExW
CryptAcquireContextA
RegCreateKeyExW
CryptDestroyHash
SystemFunction036
RegCloseKey
RegEnumKeyExW
CryptHashData

wininet

InternetOpenA
InternetReadFile
InternetCloseHandle
InternetOpenUrlA

ntdll

NtCancelIoFileEx
RtlNtStatusToDosError
NtQueryInformationProcess
NtDeviceIoControlFile
RtlGetVersion
NtCreateFile
NtSetInformationThread
NtResumeThread
NtQuerySystemInformation
NtWriteFile
RtlGetCurrentPeb
NtQueryInformationThread
NtReadFile

crypt32

CertGetEnhancedKeyUsage
CertFreeCertificateContext
CertFreeCertificateChain
CertDuplicateCertificateContext
CryptQueryObject
CryptUnprotectData
CertEnumCertificatesInStore
CryptStringToBinaryA
CertFindExtension
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CertGetNameStringA
PFXImportCertStore
CertAddCertificateContextToStore
CryptDecodeObjectEx
CertCloseStore
CertFindCertificateInStore
CertOpenStore

iphlpapi

GetIfTable2
FreeMibTable
GetAdaptersAddresses
GetIfEntry2

netapi32

NetUserGetLocalGroups
NetUserGetInfo
NetUserEnum
NetApiBufferFree

user32

GetMonitorInfoW
EnumDisplaySettingsExW
EnumDisplayMonitors

gdi32

GetDeviceCaps
StretchBlt
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
DeleteObject
GetObjectW
SetStretchBltMode
CreateDCW
GetDIBits
DeleteDC

ole32

CoUninitialize
CoSetProxyBlanket
CoInitializeEx
CoCreateInstance
CoInitializeSecurity
CoTaskMemFree

shell32

SHGetKnownFolderPath
CommandLineToArgvW

bcrypt

BCryptGenRandom

ws2_32

send
listen
htonl
accept
__WSAFDIsSet
WSASetLastError
ntohs
socket
htons
WSAWaitForMultipleEvents
WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
WSADuplicateSocketW
select
shutdown
WSASend
getsockname
WSARecv
recv
getpeername
freeaddrinfo
WSACleanup
WSAStartup
getaddrinfo
WSASocketW
bind
getsockopt
setsockopt
ioctlsocket
WSAIoctl
connect
closesocket
WSAGetLastError
recvfrom

psapi

GetModuleFileNameExW
GetPerformanceInfo

powrprof

CallNtPowerInformation

oleaut32

SysStringLen
SafeArrayGetLBound
SysFreeString
SysAllocString
SafeArrayUnaccessData
SafeArrayGetUBound
SafeArrayAccessData
SysAllocStringLen
GetErrorInfo
VariantClear

vcruntime140

memset
__CxxFrameHandler3
memmove
memcmp
strchr
strrchr
strstr
memchr
__C_specific_handler
__current_exception
__current_exception_context
memcpy

api-ms-win-crt-string-l1-1-0

strspn
strpbrk
strcspn
strncmp
strcpy
strcmp
strncpy
wcslen
_strdup
strlen

api-ms-win-crt-heap-l1-1-0

_set_new_mode
_msize
realloc
free
calloc
malloc

api-ms-win-crt-math-l1-1-0

__setusermatherr
_dclass
pow
_fdopen
log

api-ms-win-crt-runtime-l1-1-0

__p___argv
__sys_errlist
_errno
_initialize_onexit_table
__sys_nerr
_beginthreadex
_register_onexit_function
__p___argc
_cexit
_c_exit
_seh_filter_exe
_set_app_type
_configure_narrow_argv
abort
_wassert
_initialize_narrow_environment
_get_initial_narrow_environment
_initterm
_initterm_e
_crt_atexit
_endthreadex
exit
_exit
terminate
_register_thread_local_exe_atexit_callback

api-ms-win-crt-convert-l1-1-0

wcstombs
strtol
strtoll
atoi
strtoul

api-ms-win-crt-stdio-l1-1-0

_fileno
fread
_write
_read
fseek
__acrt_iob_func
_fseeki64
fwrite
fclose
_set_fmode
ftell
fputc
__stdio_common_vsprintf
feof
fflush
fputs
__stdio_common_vsscanf
fopen
_open
_lseeki64
__p__commode
fgets
_close

api-ms-win-crt-time-l1-1-0

_gmtime64
strftime
_time64
_localtime64_s

api-ms-win-crt-utility-l1-1-0

_rotl64
qsort

api-ms-win-crt-filesystem-l1-1-0

_unlink
_fstat64
_access
_stat64

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 4.5MB - Virtual size: 4.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.8MB - Virtual size: 1.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 29KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 125KB - Virtual size: 125KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 50KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

08cfd530fb1fa89de5dfe30f24615b8d

Headers

DLL Characteristics

File Characteristics

Imports

secur32

kernel32

pdh

advapi32

wininet

ntdll

crypt32

iphlpapi

netapi32

user32

gdi32

ole32

shell32

bcrypt

ws2_32

psapi

powrprof

oleaut32

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 4.5MB - Virtual size: 4.5MB

.rdata Size: 1.8MB - Virtual size: 1.8MB

.data Size: 29KB - Virtual size: 32KB

.pdata Size: 125KB - Virtual size: 125KB

.reloc Size: 50KB - Virtual size: 49KB

.text
Size: 4.5MB - Virtual size: 4.5MB

.rdata
Size: 1.8MB - Virtual size: 1.8MB

.data
Size: 29KB - Virtual size: 32KB

.pdata
Size: 125KB - Virtual size: 125KB

.reloc
Size: 50KB - Virtual size: 49KB