credwiz[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

credwiz.exe
Size

100KB
MD5

cadd55ba4888b7687d0c484bd3bfd4d2
SHA1

2a28e8db91babf2b3768537544b032b6749b5983
SHA256

d46f3609d736109cbadd46648b3092eb6fe6a1d423b716537a643e78430977eb
SHA512

cdba22f3ff2481d6a2335cbaa7c3644e4ba4ab684d533dd29e1de8e7a442032510b741b1501494dab9ea911a6b0a1b206041104621f30a30928eea5947ca6cd7
SSDEEP

1536:dIO5wg89rSsPmmBO1G9d6hicnAqI7BGO1FV5Nd0gU5yHmtp:dmMODBO8K0qyNUAHmv

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
credwiz.exe

Files

credwiz.exe
.exe windows:10 windows x64 arch:x64

e80772fea0650454a7ed9f9f4597b0d8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

GetTokenInformation
DuplicateToken
ImpersonateLoggedOnUser
RevertToSelf
EventUnregister
EventSetInformation
EventRegister
EventWriteTransfer
CredBackupCredentials
CredRestoreCredentials
CredpEncodeSecret
ConvertStringSecurityDescriptorToSecurityDescriptorW

kernel32

GetOverlappedResult
LocalFree
SleepEx
GetTempFileNameW
GetTempPath2W
GetModuleFileNameA
InitOnceBeginInitialize
CreateSemaphoreExW
HeapFree
EnterCriticalSection
ReleaseSemaphore
GetModuleHandleExW
LeaveCriticalSection
InitializeCriticalSectionEx
WaitForThreadpoolTimerCallbacks
GlobalFree
GetCurrentThreadId
ReleaseMutex
ReleaseSRWLockExclusive
HeapSetInformation
CloseThreadpoolTimer
InitOnceComplete
AcquireSRWLockExclusive
WaitForSingleObjectEx
OpenSemaphoreW
SetThreadpoolTimer
ReleaseSRWLockShared
CreateThreadpoolTimer
HeapAlloc
GetProcAddress
CreateMutexExW
AcquireSRWLockShared
DeleteCriticalSection
GetCurrentProcessId
GetProcessHeap
GetModuleHandleW
DebugBreak
IsDebuggerPresent
DeleteFileW
CreateThread
OutputDebugStringW
CloseHandle
GetModuleHandleA
SetEvent
GetLastError
FormatMessageW
CreateEventW
OpenProcess
DuplicateHandle
CreateFileW
LocalAlloc
WaitForMultipleObjects
WriteFile
GetCommandLineW
SetLastError
GetFileSizeEx
CancelIo
ReadFile
WaitForSingleObject

gdi32

CreateFontIndirectW
GetObjectW

user32

EnableWindow
GetParent
GetDlgItem
SetFocus
SendDlgItemMessageW
GetDlgItemTextW
ShowWindow
LoadStringW
GetWindowLongPtrW
SetWindowTextW
SendMessageW
SetWindowLongPtrW
GetMessageW
CheckRadioButton
PostMessageW
PostThreadMessageW
TranslateMessage
DispatchMessageW

msvcrt

_amsg_exit
__getmainargs
__set_app_type
memmove_s
_purecall
??3@YAXPEAX@Z
memcpy_s
wcsncmp
swscanf
__C_specific_handler
_XcptFilter
_exit
_initterm
_cexit
__CxxFrameHandler4
_ismbblead
__setusermatherr
memcmp
?terminate@@YAXXZ
_onexit
__dllonexit
_unlock
_lock
_commode
_fmode
_acmdln
exit
_vsnwprintf
memset

rpcrt4

RpcBindingSetAuthInfoExW
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcAsyncCancelCall
Ndr64AsyncClientCall
RpcAsyncCompleteCall
RpcAsyncInitializeHandle
RpcStringFreeW
I_RpcExceptionFilter
RpcBindingFree

crypt32

CryptProtectData
CryptUnprotectData

samcli

NetValidatePasswordPolicy

netutils

NetApiBufferFree

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetStartupInfoW
GetCurrentProcess

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

ntdll

NtAdjustPrivilegesToken
TpWaitForWait
RtlNtStatusToDosError
TpAllocWait
NtPrivilegeCheck
NtClose
TpReleaseWait
TpSetWait
NtOpenProcessToken

comctl32

CreatePropertySheetPageW
PropertySheetW

comdlg32

GetSaveFileNameW
GetOpenFileNameW

ole32

CoInitializeEx
CoCreateInstance
CoUninitialize

shell32

CommandLineToArgvW

Sections

.text
Size: 56KB - Virtual size: 55KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 308B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e80772fea0650454a7ed9f9f4597b0d8

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

gdi32

user32

msvcrt

rpcrt4

crypt32

samcli

netutils

api-ms-win-core-synch-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

ntdll

comctl32

comdlg32

ole32

shell32

Sections

.text Size: 56KB - Virtual size: 55KB

.rdata Size: 20KB - Virtual size: 17KB

.data Size: 4KB - Virtual size: 5KB

.pdata Size: 4KB - Virtual size: 2KB

.rsrc Size: 8KB - Virtual size: 5KB

.reloc Size: 4KB - Virtual size: 308B

.text
Size: 56KB - Virtual size: 55KB

.rdata
Size: 20KB - Virtual size: 17KB

.data
Size: 4KB - Virtual size: 5KB

.pdata
Size: 4KB - Virtual size: 2KB

.rsrc
Size: 8KB - Virtual size: 5KB

.reloc
Size: 4KB - Virtual size: 308B