Defrag[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Defrag.exe
Size

240KB
MD5

662ba4db4d348d5152ebc73f12a7ab49
SHA1

b70099ce5945540ebb63603a5c3d328e58047034
SHA256

edf1fbb7770d5d8e4daaf40ac72a4fac4cb5983d076cfe413e29786e59123953
SHA512

0b2a59547e6eee3928b5cffc8c1fbaa234024d17655f187d600c70ed86bcc1f335c6a6f1c7710b17d4a2f89a76d85e036ae4b76e3d12b795ecbbaac284608af8
SSDEEP

6144:HnLPK/hxnzVq8jbYl3lRGOUZGKc4YFnwjCpW:Hn+JxnzVBA3lRkRc4YFwjsW

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Defrag.exe

Files

Defrag.exe
.exe windows:10 windows x64 arch:x64

98b596156d97a7ea63632cfc56d4c734

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

localeconv
_wsetlocale
_XcptFilter
_amsg_exit
__wgetmainargs
__set_app_type
exit
fclose
_vsnwprintf
memcpy_s
_exit
sprintf_s
_cexit
__setusermatherr
_initterm
swscanf_s
iswspace
_vscwprintf
_callnewh
strchr
wcschr
__iob_func
_fmode
_commode
_lock
_unlock
__dllonexit
_onexit
wprintf
__CxxFrameHandler3
_wcsicmp
?terminate@@YAXXZ
memmove
free
fflush
fputws
malloc
memcpy
mbtowc
_wfopen
__C_specific_handler
memset

ntdll

RtlGetPersistedStateLocation
RtlGetLastNtStatus
RtlSetThreadErrorMode
RtlNtStatusToDosError
EtwTraceMessage
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlFreeHeap
RtlAllocateHeap
RtlCaptureStackBackTrace

oleaut32

SysAllocString
VariantInit
VariantClear
SysFreeString
SysStringLen

api-ms-win-core-file-l1-1-0

GetFileAttributesW
GetVolumeInformationW
ReadFile
CreateDirectoryW
CreateFileW
WriteFile
GetVolumePathNameW
FindFirstFileW
DeleteFileW
FindNextFileW
FindClose
GetTempFileNameW
GetFullPathNameW

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-core-errorhandling-l1-1-0

SetLastError
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceLoggerHandle
RegisterTraceGuidsW
TraceMessage
UnregisterTraceGuids
GetTraceEnableLevel
GetTraceEnableFlags

api-ms-win-core-console-l1-1-0

SetConsoleCtrlHandler
GetConsoleOutputCP

api-ms-win-core-processthreads-l1-1-0

OpenProcessToken
GetCurrentProcess
CreateThread
TerminateProcess
GetCurrentThreadId
GetCurrentProcessId

api-ms-win-core-com-l1-1-0

CoInitializeEx
CoUninitialize
CoTaskMemAlloc
CoTaskMemFree
CoCreateInstance
StringFromGUID2
CoDisconnectObject
CoCreateGuid

api-ms-win-core-file-l1-2-4

GetTempPath2W

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-core-processenvironment-l1-1-0

GetStdHandle
ExpandEnvironmentStringsW
GetCommandLineW

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetSystemTimeAsFileTime
GetTickCount
GetTickCount64
GetVersionExW

api-ms-win-core-synch-l1-1-0

InitializeCriticalSection
EnterCriticalSection
CreateEventW
LeaveCriticalSection
DeleteCriticalSection
WaitForSingleObject
ResetEvent
SetEvent

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
LoadLibraryExW
LoadStringW
GetModuleHandleW

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapSetInformation

api-ms-win-core-localization-l1-2-0

FormatMessageW
SetThreadUILanguage

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventUnregister
EventWriteTransfer
EventSetInformation

rpcrt4

UuidCreate

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegQueryValueExW
RegCreateKeyExW
RegCloseKey

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead
InterlockedPushEntrySList
InterlockedPopEntrySList

api-ms-win-security-base-l1-1-0

IsWellKnownSid
GetTokenInformation

api-ms-win-security-lsalookup-l2-1-0

LookupAccountSidW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

sxshared

SxTracerDebuggerBreak
SxTracerGetThreadContextRetail
SxTracerShouldTrackFailure

api-ms-win-eventing-controller-l1-1-0

StartTraceW
EnableTraceEx2
ControlTraceW

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-file-l1-2-0

GetVolumeNameForVolumeMountPointW
GetVolumePathNamesForVolumeNameW

api-ms-win-eventlog-legacy-l1-1-0

RegisterEventSourceW
ReportEventW
DeregisterEventSource

api-ms-win-core-string-l1-1-0

MultiByteToWideChar

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 136B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 124KB - Virtual size: 123KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 140B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

98b596156d97a7ea63632cfc56d4c734

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

ntdll

oleaut32

api-ms-win-core-file-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-file-l1-2-4

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-eventing-provider-l1-1-0

rpcrt4

api-ms-win-core-registry-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-interlocked-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-profile-l1-1-0

sxshared

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-eventlog-legacy-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 68KB - Virtual size: 67KB

.rdata Size: 28KB - Virtual size: 26KB

.data Size: 4KB - Virtual size: 2KB

.pdata Size: 4KB - Virtual size: 2KB

.didat Size: 4KB - Virtual size: 136B

.rsrc Size: 124KB - Virtual size: 123KB

.reloc Size: 4KB - Virtual size: 140B

.text
Size: 68KB - Virtual size: 67KB

.rdata
Size: 28KB - Virtual size: 26KB

.data
Size: 4KB - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 2KB

.didat
Size: 4KB - Virtual size: 136B

.rsrc
Size: 124KB - Virtual size: 123KB

.reloc
Size: 4KB - Virtual size: 140B