WindowsBackup[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

WindowsBackup.dll
Size

1.3MB
MD5

5e4fea010f46d7f2388df78655b084ae
SHA1

cbfb6e8dbf4ee4f6bb70c9b5b8ce927eac439a6c
SHA256

276e2bb51a891197e19197a220adc454daae7d8d87937d6367dcaf6773f1a35f
SHA512

8bdb641d78578685ebacc4bc364d0902e7fc20ad525ec74c36b72eb0874349ced5572e8c914a29de17e6e9736eaf890d469269c446dc13c86f5c2434646bbbac
SSDEEP

24576:oWx31gdkKRzFvVDxSTsaWRlROCj8i/h0pshSMXlsZkZ9OPjhF:ZgdkKRd9xUvCMuoVF

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
WindowsBackup.dll

Files

WindowsBackup.dll
.dll windows:6 windows x64 arch:x64

fc6c7d3bb9bffecb743afe8bcca9ab3f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_APPCONTAINER
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

advapi32

EventUnregister
EventRegister
EventSetInformation
EventWriteTransfer
RegDeleteValueW
RegOpenKeyExW
EventActivityIdControl
GetTokenInformation
RegGetValueW
RegQueryValueExW
ConvertSidToStringSidW
RegCloseKey

kernel32

WaitForSingleObject
GetCurrentThreadId
ReleaseMutex
FormatMessageW
GetLastError
OutputDebugStringW
WaitForSingleObjectEx
OpenSemaphoreW
CloseHandle
HeapAlloc
CompareStringOrdinal
GetVersionExW
ExpandEnvironmentStringsW
GetProcAddress
CreateMutexExW
GetCurrentProcessId
GetProcessHeap
GetModuleHandleW
FreeLibrary
DebugBreak
IsDebuggerPresent
CreateEventExW
MultiByteToWideChar
GetModuleHandleExW
Sleep
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
FindClose
FindNextFileA
FindFirstFileA
GetDateFormatEx
SetThreadpoolTimer
LocalFree
ReleaseSemaphore
LoadLibraryExW
FormatMessageA
SetLastError
GetFileAttributesExW
CreateFile2
GetFileInformationByHandleEx
WakeAllConditionVariable
SleepConditionVariableSRW
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
LoadLibraryW
InterlockedFlushSList
GetComputerNameExW
InterlockedPushEntrySList
TrySubmitThreadpoolCallback
EncodePointer
CloseThreadpoolWait
GetCurrentProcess
SetThreadpoolWait
CreateThreadpoolWait
HeapFree
CreateSemaphoreExW
ResetEvent
LeaveCriticalSection
EnterCriticalSection
CreateThreadpoolTimer
GetModuleFileNameA
DeleteCriticalSection
InitializeCriticalSection
InitOnceComplete
InitOnceBeginInitialize
CreateEventW
SetEvent
WideCharToMultiByte

api-ms-win-core-winrt-error-l1-1-0

SetRestrictedErrorInfo
GetRestrictedErrorInfo
RoFailFastWithErrorContext

oleaut32

VariantClear
SysFreeString
SafeArrayPutElement
SafeArrayCreate
GetErrorInfo
SetErrorInfo
SysStringLen
SysAllocString

msvcp140_app

?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ
?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ
?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z
?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ
?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ
?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z
?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z
?width@ios_base@std@@QEAA_J_J@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?pbase@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ
??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXPEA_W0@Z
?tie@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_ostream@_WU?$char_traits@_W@std@@@2@XZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?eback@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ
?egptr@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ
?setg@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXPEA_W00@Z
?epptr@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ
?setp@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXPEA_W00@Z
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ
?fill@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WXZ
??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ
??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z
?_Xbad_function_call@std@@YAXXZ
?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
?sbumpc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA_N_N@Z
?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ
_Xtime_get_ticks
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
_Wcsxfrm
_Wcscoll
?_Incref@facet@locale@std@@UEAAXXZ
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?is@?$ctype@_W@std@@QEBA_NF_W@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??1_Locinfo@std@@QEAA@XZ
??1_Lockit@std@@QEAA@XZ
?c_str@?$_Yarn@D@std@@QEBAPEBDXZ
??0_Locinfo@std@@QEAA@PEBD@Z
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?id@?$ctype@_W@std@@2V0locale@2@A
??Bid@locale@std@@QEAA_KXZ
?tolower@?$ctype@_W@std@@QEBA_W_W@Z
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?id@?$collate@_W@std@@2V0locale@2@A
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?tolower@?$ctype@_W@std@@QEBAPEB_WPEA_WPEB_W@Z
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?flags@ios_base@std@@QEBAHXZ
?good@ios_base@std@@QEBA_NXZ
?uncaught_exception@std@@YA_NXZ
??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ
?gbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXH@Z
?pptr@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ
?gptr@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ
??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ
_Mtx_init_in_situ
_Mtx_destroy_in_situ
_Mtx_unlock
?_Throw_C_error@std@@YAXH@Z
_Mtx_lock
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?peek@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
?_Xbad_alloc@std@@YAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
_Thrd_yield
?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
?width@ios_base@std@@QEBA_JXZ
?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z

vcruntime140_1_app

__CxxFrameHandler4

vcruntime140_app

_purecall
__current_exception_context
__std_exception_copy
__std_type_info_destroy_list
_CxxThrowException
memcmp
wcsrchr
__std_terminate
memcpy
memmove
strchr
__current_exception
memset
__C_specific_handler
__std_exception_destroy

api-ms-win-crt-runtime-l1-1-0

_initialize_narrow_environment
_configure_narrow_argv
_register_onexit_function
terminate
_errno
_execute_onexit_table
_crt_atexit
_initialize_onexit_table
_cexit
_invalid_parameter_noinfo
_initterm
_initterm_e
_seh_filter_dll
_invalid_parameter_noinfo_noreturn
abort

api-ms-win-crt-string-l1-1-0

_wcslwr_s
strncmp
wcscmp
towupper
towlower
iswspace

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vswprintf
__stdio_common_vsnprintf_s
__stdio_common_vswprintf_s

api-ms-win-crt-heap-l1-1-0

free
realloc
malloc
_callnewh

api-ms-win-crt-math-l1-1-0

ceilf
round
floor
log
pow

api-ms-win-crt-convert-l1-1-0

wcstol

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func

ntdll

NtQueryWnfStateData
RtlSubscribeWnfStateChangeNotification
RtlUnsubscribeWnfNotificationWaitForCompletion

user32

AllowSetForegroundWindow

ole32

CoGetObjectContext
CoCreateFreeThreadedMarshaler
CoGetApartmentType
CoCreateGuid
CoTaskMemFree
CoCreateInstance
CoTaskMemAlloc
StringFromGUID2

shell32

SHGetKnownFolderPath

api-ms-win-core-featurestaging-l1-1-0

RecordFeatureUsage
SubscribeFeatureStateChangeNotification
UnsubscribeFeatureStateChangeNotification
GetFeatureEnabledState

api-ms-win-core-featurestaging-l1-1-1

GetFeatureVariant

rpcrt4

UuidCreate

api-ms-win-core-slapi-l1-1-0

SLQueryLicenseValueFromApp

api-ms-win-core-winrt-l1-1-0

RoInitialize

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory
StartApplication
VSDesignerCanUnloadNow
VSDesignerDllMain

Sections

.text
Size: 850KB - Virtual size: 850KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 342KB - Virtual size: 342KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 71KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

fc6c7d3bb9bffecb743afe8bcca9ab3f

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

api-ms-win-core-winrt-error-l1-1-0

oleaut32

msvcp140_app

vcruntime140_1_app

vcruntime140_app

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-locale-l1-1-0

ntdll

user32

ole32

shell32

api-ms-win-core-featurestaging-l1-1-0

api-ms-win-core-featurestaging-l1-1-1

rpcrt4

api-ms-win-core-slapi-l1-1-0

api-ms-win-core-winrt-l1-1-0

Exports

Exports

Sections

.text Size: 850KB - Virtual size: 850KB

.rdata Size: 342KB - Virtual size: 342KB

.data Size: 4KB - Virtual size: 11KB

.pdata Size: 71KB - Virtual size: 70KB

.rsrc Size: 1024B - Virtual size: 944B

.reloc Size: 11KB - Virtual size: 11KB

.text
Size: 850KB - Virtual size: 850KB

.rdata
Size: 342KB - Virtual size: 342KB

.data
Size: 4KB - Virtual size: 11KB

.pdata
Size: 71KB - Virtual size: 70KB

.rsrc
Size: 1024B - Virtual size: 944B

.reloc
Size: 11KB - Virtual size: 11KB