OLEVIEW[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

OLEVIEW.exe
Size

229KB
MD5

8fdf8e4ecff114c1e6c9827c53742a1c
SHA1

0b4710d849171626bf1319c61f6b5045a44a141a
SHA256

2e642afdd36c129e6b50ae919ca608ac0006ce337f2a5a7a6fb1eef6a4ad99e7
SHA512

a23d9f498c48fb9bcc103a189196754e6ff695f238be6d98fda0c159d05bd995d423decb4014138ade237cf18f5a64abb6a477de550935c2b0ae63d074e691d8
SSDEEP

6144:jZRuudAuu0GZ6+8bnLCgz5dveC5zjDgCPTL:tAV0GZq5e6zjECP/

Score

1^/10

Malware Config

Signatures

Files

OLEVIEW.exe
.exe windows:6 windows x64 arch:x64

498ee520f74c67eb06f06597d1fbd2e0

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22/08/2007, 22:31

Not After

25/08/2012, 07:00

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:01:cf:3e:00:00:00:00:00:0f
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/12/2009, 22:40

Not After

07/03/2011, 22:40

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16/09/2006, 01:04

Not After

15/09/2019, 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:06:94:2d:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25/07/2008, 19:02

Not After

25/07/2013, 19:12

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:7A82-688A-9F92,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

bd:7c:57:04:06:2e:27:db:eb:e4:cf:61:3d:8b:ad:cc:af:53:70:49
Signer

Actual PE Digest

bd:7c:57:04:06:2e:27:db:eb:e4:cf:61:3d:8b:ad:cc:af:53:70:49

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

RegQueryValueW
RegCloseKey
RegOpenKeyExW
RegSetValueExW
GetSecurityDescriptorLength
MakeSelfRelativeSD
RegEnumKeyW
RegOpenKeyW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegQueryValueExW
RegEnumValueW
SetSecurityDescriptorDacl
MakeAbsoluteSD
SetEntriesInAclW
GetExplicitEntriesFromAclW
GetSecurityDescriptorDacl
MapGenericMask
LookupAccountSidW
GetAce
CopySid
GetLengthSid
GetTokenInformation
OpenProcessToken
LookupAccountNameW
AddAce
GetAclInformation
InitializeAcl
AddAccessAllowedAce
EqualSid
InitializeSecurityDescriptor
IsValidSid
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
RegCreateKeyExW
RegDeleteValueW
FreeSid
AllocateAndInitializeSid

kernel32

LoadLibraryW
lstrcpyW
GetModuleFileNameW
GetVersionExW
lstrlenW
lstrcmpW
lstrcmpiW
GetLastError
WinExec
ResumeThread
SuspendThread
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
FreeLibrary
GetUserDefaultLCID
GetSystemDefaultLCID
GlobalUnlock
GlobalLock
GlobalAlloc
LocalAlloc
LocalFree
CloseHandle
GetCurrentProcess
lstrcatW
FormatMessageW
VirtualProtect
Sleep
LoadLibraryExW
GetTickCount
UnhandledExceptionFilter
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
QueryPerformanceCounter
SetUnhandledExceptionFilter
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
GetStartupInfoW
GetModuleHandleW
GetProcAddress

gdi32

DeleteObject

user32

GetWindowRect
EnableWindow
SendMessageW
SetCursor
LoadCursorW
GetFocus
wsprintfW
SetActiveWindow
DeleteMenu
EnableMenuItem
GetSubMenu
OpenClipboard
LoadBitmapW
GetMessagePos
UpdateWindow
LoadIconW
CloseClipboard
SetClipboardData
EmptyClipboard
MessageBoxW
RedrawWindow
LoadMenuW
ScreenToClient

mfc42u

ord1259
ord4262
ord1006
ord568
ord2902
ord5925
ord4181
ord6691
ord4598
ord1063
ord626
ord659
ord3916
ord4770
ord4983
ord4371
ord3164
ord4077
ord4083
ord4082
ord3046
ord3166
ord3052
ord3366
ord3231
ord4815
ord3362
ord3243
ord3049
ord6053
ord5711
ord5730
ord4368
ord5724
ord5722
ord3468
ord2412
ord5615
ord1388
ord4191
ord6071
ord2515
ord2559
ord4836
ord6813
ord1040
ord5065
ord2752
ord6887
ord6886
ord1463
ord1471
ord1441
ord852
ord6841
ord1122
ord3652
ord2518
ord372
ord1499
ord1284
ord624
ord4473
ord2846
ord3681
ord6351
ord4970
ord1337
ord598
ord2106
ord408
ord6509
ord1505
ord1812
ord822
ord912
ord4771
ord4988
ord5699
ord2140
ord2457
ord5683
ord1736
ord5484
ord3933
ord6814
ord2060
ord2670
ord5229
ord4017
ord4694
ord6812
ord5586
ord2399
ord5663
ord4752
ord1777
ord4365
ord6437
ord2517
ord5406
ord4721
ord5687
ord4557
ord6767
ord4789
ord5702
ord2393
ord665
ord3743
ord3535
ord5712
ord4741
ord1778
ord6440
ord2586
ord3806
ord3501
ord4747
ord2593
ord337
ord2329
ord5077
ord2661
ord4548
ord6612
ord6102
ord867
ord3774
ord1126
ord2384
ord2328
ord4130
ord6614
ord3761
ord5245
ord2665
ord3418
ord1837
ord1023
ord1044
ord1035
ord1056
ord4780
ord2099
ord1734
ord3932
ord5703
ord5662
ord6439
ord4405
ord5366
ord5369
ord4879
ord4884
ord4881
ord4899
ord4901
ord4886
ord5284
ord4688
ord4681
ord4888
ord5288
ord4712
ord5297
ord4945
ord4946
ord4564
ord339
ord5682
ord2094
ord3894
ord3911
ord3531
ord3902
ord3527
ord4751
ord2598
ord385
ord5449
ord6525
ord6634
ord5086
ord6632
ord2676
ord1677
ord1906
ord999
ord5227
ord5709
ord5246
ord4722
ord4699
ord5352
ord5382
ord5114
ord5304
ord5583
ord5585
ord5584
ord4582
ord549
ord1821
ord4561
ord4766
ord863
ord1124
ord351
ord4773
ord4984
ord6586
ord6464
ord3282
ord3601
ord4732
ord2414
ord5250
ord5359
ord5988
ord3254
ord5894
ord1752
ord6080
ord5665
ord2547
ord2513
ord6769
ord3146
ord3140
ord5063
ord1908
ord1365
ord1003
ord560
ord561
ord4779
ord2059
ord4787
ord5710
ord2532
ord1698
ord4583
ord5082
ord832
ord3177
ord4127
ord3751
ord4743
ord2589
ord4542
ord2023
ord2422
ord4131
ord4424
ord2783
ord1838
ord4565
ord4461
ord485
ord3748
ord3484
ord3380
ord6023
ord4900
ord4880
ord4885
ord963
ord2906
ord4476
ord1053
ord1036
ord1034
ord890
ord647
ord613
ord611
ord387
ord4774
ord5674
ord4784
ord1674
ord2671
ord5704
ord5659
ord4364
ord2919
ord2920
ord3536
ord5839
ord1316
ord5420
ord3481
ord4633
ord5524
ord5521
ord3141
ord2405
ord2750
ord2565
ord6455
ord3638
ord6379
ord2133
ord6235
ord2136
ord4806
ord5865
ord6284
ord6202
ord3637
ord2268
ord6842
ord5887
ord4014
ord2975
ord3044
ord4124
ord2408
ord6610
ord6624
ord1562
ord3682
ord4849
ord1943
ord1869
ord4596
ord1566
ord5681
ord4858
ord3830
ord6762
ord2900
ord3820
ord2595
ord4544
ord2449
ord2903
ord1650
ord1061
ord328
ord1735
ord5367
ord5370
ord5285
ord4690
ord4682
ord629
ord3754
ord1043
ord5950
ord4375
ord1404
ord1381
ord1262
ord622
ord1584

msvcrt

__wgetmainargs
__C_specific_handler
_XcptFilter
_exit
_cexit
_wcmdln
_initterm
_amsg_exit
__setusermatherr
_commode
_fmode
__set_app_type
??1type_info@@UEAA@XZ
_unlock
__dllonexit
_lock
_onexit
?terminate@@YAXXZ
__CxxFrameHandler
isspace
isdigit
toupper
wcsrchr
free
malloc
_vsnwprintf
_wcsnicmp
wcstol
_wtoi
wcstok
??_U@YAPEAX_K@Z
memset
??_V@YAXPEAX@Z
isxdigit
_wcsicmp
memcpy
exit
_itow

comctl32

ImageList_AddMasked

shell32

DragQueryFileW
DragFinish
ExtractIconW
ShellAboutW

shlwapi

wnsprintfW

ole32

CreateBindCtx
MkParseDisplayName
StringFromCLSID
CoTaskMemFree
CoGetClassObject
CLSIDFromString
CLSIDFromProgID
CoCreateInstance
StringFromGUID2
CoFreeUnusedLibraries

oleaut32

LoadRegTypeLi
LoadTypeLi

Sections

.text
Size: 170KB - Virtual size: 169KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

498ee520f74c67eb06f06597d1fbd2e0

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0Certificate

Extended Key Usages

Key Usages

61:01:cf:3e:00:00:00:00:00:0fCertificate

Extended Key Usages

Key Usages

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2Certificate

Extended Key Usages

Key Usages

61:06:94:2d:00:00:00:00:00:09Certificate

Extended Key Usages

Key Usages

bd:7c:57:04:06:2e:27:db:eb:e4:cf:61:3d:8b:ad:cc:af:53:70:49Signer

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

gdi32

user32

mfc42u

msvcrt

comctl32

shell32

shlwapi

ole32

oleaut32

Sections

.text Size: 170KB - Virtual size: 169KB

.data Size: 3KB - Virtual size: 5KB

.pdata Size: 6KB - Virtual size: 6KB

.rsrc Size: 38KB - Virtual size: 37KB

.reloc Size: 4KB - Virtual size: 4KB

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

61:01:cf:3e:00:00:00:00:00:0f
Certificate

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

61:06:94:2d:00:00:00:00:00:09
Certificate

bd:7c:57:04:06:2e:27:db:eb:e4:cf:61:3d:8b:ad:cc:af:53:70:49
Signer

.text
Size: 170KB - Virtual size: 169KB

.data
Size: 3KB - Virtual size: 5KB

.pdata
Size: 6KB - Virtual size: 6KB

.rsrc
Size: 38KB - Virtual size: 37KB

.reloc
Size: 4KB - Virtual size: 4KB