Static task: static1
Behavioral task: behavioral1
Sample: mstsc.exe
Resource: win10v2004-20231215-en
General
Target: mstsc.exe
Size: 3.5MB
MD5: 3358ecc8b38c87073544a1bd325a1114
SHA1: 86393c3b20224025afde42a61741e5ceb322d580
SHA256: b04ef90bcd472504e066c183617f732ee6ca4118b3996823b8547fd7d94b8f36
SHA512: f3c2082f8988c2e05d756e0db0b62f9c014dc7997df32a309133aeb3683ff96b2bfe7503623326919d420fca1366e71615c77ab9f45f331566433dd6f3634113
SSDEEP: 98304:3kXwOubXDG+DS7P39yktUgweywgUB4jv1hoJ8p12e5wx6xUMg:3kXwOubXDG+DST39yktUgweywgUB4jv
Malware Config
Signatures
Unsigned PE (1 IoC): checks for missing Authenticode signature.
resource: mstsc.exe
Files
mstsc.exe.exe windows:10 windows x64 arch:x64
cde115dd9557ad6e6d14cd2e90b69ba1
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
advapi32
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
TraceMessage
EventActivityIdControl
RegDeleteKeyValueW
RegGetValueW
EventUnregister
EventRegister
EventWriteTransfer
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
RegOpenKeyExA
SystemFunction036
RegDeleteTreeW
RegCreateKeyTransactedW
CreateWellKnownSid
CredGetSessionTypes
CredWriteW
CredReadW
IsTextUnicode
RegEnumValueW
OpenProcessToken
CredUnmarshalCredentialW
CredIsMarshaledCredentialW
CredWriteDomainCredentialsW
CredReadDomainCredentialsW
CredFree
CredDeleteW
CryptReleaseContext
CryptGenRandom
CryptAcquireContextW
RegQueryValueExW
RegQueryValueExA
kernel32
GetTickCount64
SetWaitableTimer
LoadLibraryW
LocalFree
GetModuleHandleExW
DelayLoadFailureHook
OpenThread
TlsFree
TlsGetValue
SwitchToThread
GetSystemInfo
TlsAlloc
TlsSetValue
QueryPerformanceFrequency
CloseThreadpoolTimer
SetThreadpoolTimer
CreateThreadpoolTimer
TrySubmitThreadpoolCallback
CloseThreadpool
CloseThreadpoolCleanupGroup
CloseThreadpoolCleanupGroupMembers
CreateThreadpoolCleanupGroup
SetThreadpoolThreadMinimum
SetThreadpoolThreadMaximum
CreateThreadpool
InitializeCriticalSectionAndSpinCount
LockResource
FindResourceW
SystemTimeToFileTime
GetSystemTime
CreateTimerQueueTimer
LoadLibraryA
GlobalFree
LCMapStringEx
CompareStringOrdinal
CompareStringEx
GetProcessId
TerminateThread
ProcessIdToSessionId
GetComputerNameW
CreateProcessW
CreateMutexExW
OpenSemaphoreW
OutputDebugStringW
IsDebuggerPresent
GetModuleFileNameA
HeapAlloc
GetProcessHeap
HeapFree
WaitForSingleObjectEx
ReleaseMutex
CloseThreadpoolWork
SubmitThreadpoolWork
CreateThreadpoolWork
DisconnectNamedPipe
CreateThreadpoolIo
CancelThreadpoolIo
StartThreadpoolIo
CloseThreadpoolIo
WaitForThreadpoolIoCallbacks
QueueUserWorkItem
ReleaseSemaphore
CreateSemaphoreW
FreeLibraryAndExitThread
GetExitCodeThread
WaitForMultipleObjects
CreateWaitableTimerExW
ExpandEnvironmentStringsA
LoadLibraryExA
OutputDebugStringA
GetTickCount
GetSystemTimeAsFileTime
QueryPerformanceCounter
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetStartupInfoW
WideCharToMultiByte
FreeLibrary
GetLastError
LoadLibraryExW
GetModuleHandleW
lstrcmpiW
RaiseException
MultiByteToWideChar
SizeofResource
LoadResource
FindResourceExW
GetModuleFileNameW
GetModuleHandleExA
GetCommandLineW
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
SetEvent
DeleteCriticalSection
GetCurrentThreadId
CreateEventW
WriteFile
Sleep
HeapSetInformation
GetCurrentProcess
CancelWaitableTimer
ResetEvent
VerifyVersionInfoW
VerSetConditionMask
FindClose
FindNextFileW
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
GetLocaleInfoW
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
GetProcAddress
GetOverlappedResult
DebugBreak
CreateThread
CloseHandle
WaitForSingleObject
DeleteFileW
GetCurrentProcessId
GetLocalTime
GetTimeFormatW
GetDateFormatW
CreateFileW
GetFileSize
FindFirstFileW
GetFileAttributesExW
GetTempPathW
SetFilePointer
TerminateProcess
lstrcmpW
CreateSemaphoreExW
ExpandEnvironmentStringsW
GetACP
SetLastError
GetFullPathNameW
GetSystemDirectoryW
CompareStringW
LocalAlloc
GetFileAttributesW
FormatMessageW
CreateDirectoryW
RemoveDirectoryW
GetStartupInfoA
MulDiv
SearchPathW
ReadFile
GetVersionExW
GetVersionExA
GetCurrentDirectoryW
gdi32
CreateRectRgnIndirect
DeleteObject
SetRectRgn
GetRgnBox
OffsetRgn
CombineRgn
EqualRgn
SelectPalette
RealizePalette
SelectObject
CreateSolidBrush
PatBlt
GetObjectW
SetBkMode
GetStockObject
SetTextColor
CreateFontIndirectW
GetDeviceCaps
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt
StretchBlt
DeleteDC
SetMapMode
TranslateCharsetInfo
UpdateColors
CreateDCW
CreateRectRgn
GetDIBColorTable
CreatePalette
FillRgn
user32
PostMessageW
SendMessageW
IsDialogMessageW
CharNextW
TranslateAcceleratorW
DispatchMessageW
CharUpperW
PostThreadMessageW
MsgWaitForMultipleObjectsEx
GetMessageW
TranslateMessage
PeekMessageW
LoadAcceleratorsW
DialogBoxParamW
AllowSetForegroundWindow
InsertMenuItemW
MessageBoxW
RegisterClassW
DefDlgProcW
GetClassInfoW
IsRectEmpty
UnregisterClassA
CheckDlgButton
EndDialog
SetDlgItemTextW
SetFocus
GetDlgItem
SetProcessDPIAware
GetKeyboardLayout
PtInRect
SystemParametersInfoW
MonitorFromWindow
GetMenuItemCount
CreateDialogParamW
LoadStringW
CharLowerW
EnumDisplayDevicesW
FillRect
CheckRadioButton
DrawIconEx
GetWindow
MapDialogRect
ScreenToClient
SubtractRect
GetMonitorInfoW
GetWindowDC
GetFocus
DrawTextW
EnumDisplayMonitors
IsDlgButtonChecked
GetDlgItemTextW
CreateDialogIndirectParamW
EndPaint
DrawIcon
BeginPaint
SendDlgItemMessageW
MapWindowPoints
ReleaseDC
GetDC
IsWindowEnabled
RedrawWindow
SetTimer
GetMenu
KillTimer
DestroyIcon
ShowWindowAsync
AdjustWindowRectEx
EnumDisplaySettingsExW
GetCursorPos
GetTitleBarInfo
SendInput
EqualRect
EnableWindow
IsWindowVisible
SetWindowRgn
SetWindowLongW
LockWindowUpdate
UpdateWindow
InvalidateRect
SetWindowTextW
EnableMenuItem
CheckMenuItem
SetMenuItemInfoW
UnregisterClassW
GetClassInfoExW
ShowWindow
MoveWindow
GetClientRect
SetWindowPlacement
GetWindowLongW
IsZoomed
LoadCursorW
SetCursor
ModifyMenuW
GetSystemMenu
GetMenuItemInfoW
DeleteMenu
CreateMenu
InsertMenuW
AppendMenuW
PostQuitMessage
IsWindow
LoadImageW
RegisterWindowMessageW
SetRect
CopyRect
GetDesktopWindow
SetWindowPos
IntersectRect
OffsetRect
SystemParametersInfoA
GetWindowRect
GetWindowPlacement
IsIconic
GetSystemMetrics
LoadIconW
SetForegroundWindow
DefWindowProcW
GetWindowLongPtrW
SetWindowLongPtrW
RegisterClassExW
IsChild
CreateWindowExW
DestroyWindow
msvcrt
wcscspn
wcstoul
_itow_s
wcstombs_s
wcsnlen
toupper
iswspace
wcstol
towlower
_wcslwr
??0exception@@QEAA@XZ
_vsnprintf_s
??0exception@@QEAA@AEBV0@@Z
??1exception@@UEAA@XZ
__CxxFrameHandler3
_ltow_s
__C_specific_handler
wcsncpy_s
malloc
free
??1type_info@@UEAA@XZ
_CxxThrowException
memcmp
memcpy_s
wcscpy_s
memcpy
_purecall
_vsnwprintf
_wcsicmp
wcsncmp
wcsncat_s
bsearch
wcsrchr
_wtoi
wcsstr
swscanf_s
wcstok_s
_vsnprintf
_wcsnicmp
?terminate@@YAXXZ
_onexit
__dllonexit
_unlock
_lock
realloc
_errno
_commode
memmove
memset
pow
_fmode
_acmdln
wcscmp
__setusermatherr
_ismbblead
_cexit
wcschr
wcstok
_wtol
wcscat_s
_initterm
towupper
iswdigit
_callnewh
_exit
exit
__set_app_type
__getmainargs
_amsg_exit
_XcptFilter
ole32
StringFromGUID2
CoCreateInstance
CoUninitialize
CoInitialize
CLSIDFromString
GetRunningObjectTable
CreateItemMoniker
CoCreateGuid
CoRevokeClassObject
OleInitialize
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CoRegisterClassObject
IIDFromString
CoInitializeEx
OleUninitialize
oleaut32
VarBstrCat
VariantChangeType
VarUI4FromStr
UnRegisterTypeLi
SysAllocString
LoadTypeLi
RegisterTypeLi
SysFreeString
SafeArrayGetVartype
SysStringByteLen
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayUnlock
SafeArrayLock
SafeArrayDestroy
VariantInit
VariantClear
SysAllocStringLen
SysAllocStringByteLen
SafeArrayCreate
VariantCopy
SysStringLen
shell32
SHAddToRecentDocs
ShellExecuteExW
SHGetFileInfoW
SHGetSpecialFolderLocation
SHGetDesktopFolder
SHGetMalloc
SHGetPathFromIDListW
SHFileOperationW
comctl32
ord17
ord413
ImageList_GetImageCount
ImageList_LoadImageW
ImageList_Destroy
ImageList_ReplaceIcon
ImageList_Create
ord410
ord412
InitCommonControlsEx
comdlg32
GetSaveFileNameW
GetOpenFileNameW
GetFileTitleW
shlwapi
PathCanonicalizeW
UrlCreateFromPathW
ord388
SHStrDupW
UrlCombineW
PathFindExtensionW
PathFindFileNameW
PathAppendW
PathRemoveFileSpecW
PathStripPathW
StrStrIW
crypt32
CertFreeCertificateChain
CryptMsgUpdate
CryptMsgOpenToDecode
CertVerifyCertificateChainPolicy
CertCloseStore
CryptVerifyDetachedMessageSignature
CryptSignMessage
CertGetCertificateContextProperty
CryptDecodeObject
CertGetCertificateChain
CertFindExtension
CertFreeCertificateContext
CertDuplicateCertificateChain
CertDuplicateCertificateContext
CryptStringToBinaryW
CryptProtectData
CryptUnprotectData
CryptBinaryToStringW
CryptMsgClose
CertOpenStore
winhttp
WinHttpSetOption
WinHttpSetStatusCallback
WinHttpCrackUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetProxyForUrl
WinHttpAddRequestHeaders
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpCreateUrl
WinHttpSetTimeouts
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSendRequest
WinHttpCloseHandle
WinHttpQueryOption
credui
CredUIPromptForWindowsCredentialsW
CredPackAuthenticationBufferW
CredUIParseUserNameW
CredUnPackAuthenticationBufferW
secur32
LsaDeregisterLogonProcess
LsaLookupAuthenticationPackage
FreeContextBuffer
QuerySecurityPackageInfoW
LsaConnectUntrusted
GetUserNameExW
cryptui
CryptUIDlgViewCertificateW
ntdll
RtlNtStatusToDosError
RtlInitString
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
cfgmgr32
CM_Get_Sibling
CM_Get_DevNode_Registry_PropertyW
CM_Get_Child
CM_Get_Parent
ws2_32
WSAStartup
WSASend
GetAddrInfoExW
shutdown
listen
bind
GetNameInfoW
WSASocketW
WSAIoctl
WSACleanup
FreeAddrInfoExW
ntohs
WSAAddressToStringW
WSAStringToAddressW
getsockname
FreeAddrInfoW
WSARecv
select
send
WSAEventSelect
getsockopt
WSAGetLastError
closesocket
socket
setsockopt
connect
htons
recv
accept
getpeername
GetAddrInfoW
rpcrt4
RpcBindingFromStringBindingW
RpcStringBindingComposeW
NdrClientCall3
I_RpcExceptionFilter
RpcStringFreeW
RpcBindingFree
RpcBindingSetAuthInfoExW
netapi32
NetApiBufferFree
NetGetJoinInformation
winmm
timeGetTime
timeKillEvent
timeSetEvent
wininet
HttpSendRequestExW
HttpOpenRequestW
InternetConnectW
InternetOpenW
InternetCloseHandle
InternetSetStatusCallbackW
InternetCrackUrlW
ktmw32
CommitTransaction
CreateTransaction
iphlpapi
FreeMibTable
GetAdaptersAddresses
CreateSortedAddressPairs
Sections
.text Size: 1.2MB - Virtual size: 1.2MB - Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata Size: 215KB - Virtual size: 215KB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data Size: 3KB - Virtual size: 10KB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata Size: 35KB - Virtual size: 34KB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat Size: 512B - Virtual size: 40B - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc Size: 2.1MB - Virtual size: 2.1MB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc Size: 11KB - Virtual size: 10KB - Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ