8664cc1e4a3efec4261a31f8d269eeb0

Sharing

Copy URL Twitter E-mail

General

Target

8664cc1e4a3efec4261a31f8d269eeb0
Size

181KB
MD5

8664cc1e4a3efec4261a31f8d269eeb0
SHA1

9e64010bb126f08a541cd90cff6cd0dca17e79b5
SHA256

e51be7091a3e0b109ec44379a570045a9d9a87d6f4244972f58ef960ca82d34f
SHA512

fc0ec3b266bd6df10836c4c98a7d65128ccb7780d31de9470f1936712a753cf17ca98d69ebc8a4184df311faf52948ecb3f3200330f25a5b65829aa46ec8bbb9
SSDEEP

3072:HPST2/tDHMazCg7TaOw89v3jLJynZcgjdBI4CU9H/tou6BA8o3BZT9G1Mk:HP3/tQIJwcv3jtEBIxUpfoo34

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
8664cc1e4a3efec4261a31f8d269eeb0

Files

8664cc1e4a3efec4261a31f8d269eeb0
.dll windows:5 windows x86 arch:x86

1c1ab794004c8a89c660e01bc19a0ebf

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_AGGRESIVE_WS_TRIM
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

schedsvc.pdb

Imports

msvcrt

fgetws
towupper
_wcsnicmp
wcsncmp
wcscmp
fclose
_wfopen
wcsncpy
_wcsicmp
_except_handler3
wcsstr
qsort
free
_initterm
malloc
_adjust_fdiv
wcscat
_onexit
wcstoul
wcsspn
wcspbrk
rand
_wtol
wcschr
_ultow
_wcsrev
wcsrchr
sscanf
_purecall
_vsnwprintf
??2@YAPAXI@Z
??3@YAXPAX@Z
swprintf
wcslen
wcscpy
__dllonexit
memmove
_snwprintf
_wcsupr
_itow

ntdll

RtlNtStatusToDosError
NtSetSystemInformation
NtOpenProcessToken
RtlNewSecurityObject
RtlCreateAcl
RtlAddAce
RtlGetVersion
NtCreateFile
NtQueryInformationFile
NtQueryAttributesFile
RtlInitUnicodeString
RtlDosPathNameToNtPathName_U
NtOpenFile
NtQueryDirectoryFile
RtlFreeHeap
NtClose
NtQuerySystemInformation
RtlInitString
NtSetInformationThread
NtDuplicateToken
NtDuplicateObject
NtAccessCheck
NtOpenThreadToken
NtPowerInformation
RtlInitializeSid
RtlLengthRequiredSid
RtlSubAuthoritySid
RtlCopySid
RtlSubAuthorityCountSid
RtlDeleteSecurityObject
RtlLengthSid
RtlSetSaclSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlCreateSecurityDescriptor

advapi32

LsaClose
LsaFreeMemory
IsValidSid
GetSidIdentifierAuthority
WmiOpenBlock
WmiCloseBlock
WmiQueryAllDataW
AccessCheck
AddAce
OpenProcessToken
GetSecurityDescriptorDacl
GetSecurityInfo
SetEntriesInAclW
SetSecurityInfo
RegOpenKeyExA
GetUserNameW
LookupAccountSidW
LsaStorePrivateData
LsaRetrievePrivateData
CreateProcessAsUserW
ImpersonateLoggedOnUser
GetKernelObjectSecurity
RegisterEventSourceW
GetFileSecurityW
GetSecurityDescriptorOwner
DeregisterEventSource
RegConnectRegistryW
IsTokenRestricted
EqualSid
LogonUserW
LsaQueryInformationPolicy
LsaNtStatusToWinError
CopySid
LookupAccountNameW
GetTokenInformation
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextW
CryptGenKey
RegCloseKey
RegQueryValueExW
RegOpenKeyW
RegSetValueExW
RegCreateKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
FreeSid
SetKernelObjectSecurity
SetFileSecurityW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AddAccessAllowedAce
InitializeAcl
GetLengthSid
SetNamedSecurityInfoW
AllocateAndInitializeSid
RevertToSelf
OpenThreadToken
ImpersonateSelf
UnregisterIdleTask
CloseServiceHandle
QueryServiceStatus
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
RegisterIdleTask
EnumServicesStatusExW
CheckTokenMembership
SetServiceStatus
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegisterServiceCtrlHandlerExW
RegOpenKeyExW
RegDeleteValueW
ReportEventW
GetSidSubAuthorityCount
LsaAddAccountRights
LsaOpenPolicy
CryptDestroyHash
CryptSignHashW
CryptHashData
CryptCreateHash
GetSidSubAuthority
CryptDestroyKey

ole32

CoTaskMemAlloc
CoCreateInstance
CoUninitialize
CoInitializeEx
CoGetCallContext
CoTaskMemFree

netapi32

NetApiBufferFree
DsGetDcNameW
NetUserGetInfo

secur32

LsaFreeReturnBuffer
LsaDeregisterLogonProcess
LsaCallAuthenticationPackage
LsaLookupAuthenticationPackage
LsaConnectUntrusted
GetUserNameExW

ntdsapi

DsCrackNamesW
DsUnBindW
DsFreeNameResultW
DsBindW

imagehlp

ImageDirectoryEntryToData
ImageNtHeader
ImageRvaToVa

shlwapi

PathFindExtensionW

kernel32

FormatMessageW
TlsFree
TlsAlloc
FindNextChangeNotification
GetComputerNameW
LoadLibraryW
WTSGetActiveConsoleSessionId
InterlockedIncrement
InterlockedDecrement
SetThreadPriority
SetEnvironmentVariableW
GetEnvironmentVariableW
SetLastError
GetStartupInfoW
SearchPathW
SetCurrentDirectoryW
LocalReAlloc
GetFileInformationByHandle
GetFileType
lstrcpynW
GetVolumeInformationW
LoadLibraryExA
LoadLibraryExW
GetLocaleInfoW
GetUserDefaultUILanguage
GetUserDefaultLCID
IsBadWritePtr
TlsSetValue
TlsGetValue
GetComputerNameExW
ChangeTimerQueueTimer
DeleteTimerQueueTimer
OpenProcess
CreateTimerQueueTimer
DuplicateHandle
SetEndOfFile
DelayLoadFailureHook
GetDateFormatW
GetTimeFormatW
SetFilePointer
ReadFile
InitializeCriticalSectionAndSpinCount
ExitProcess
GetModuleFileNameW
lstrcmpiW
FindFirstChangeNotificationW
lstrlenW
CreateWaitableTimerW
GetCurrentDirectoryW
LocalFileTimeToFileTime
GetVersionExW
FindCloseChangeNotification
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
SetWaitableTimer
CancelWaitableTimer
InitializeCriticalSection
VirtualAlloc
SetUnhandledExceptionFilter
UnhandledExceptionFilter
CloseHandle
VirtualFree
GetProcessHeap
HeapFree
GetLastError
GetWindowsDirectoryW
HeapAlloc
ReleaseMutex
WaitForSingleObject
FindClose
FindFirstFileW
FindNextFileW
MapViewOfFile
CreateFileMappingW
GetFileSize
CreateFileW
WriteFile
GetFileTime
MultiByteToWideChar
CompareFileTime
SystemTimeToFileTime
GetSystemTime
FileTimeToSystemTime
FileTimeToLocalFileTime
GetCurrentThread
GetFileAttributesW
GetSystemDirectoryW
GetFullPathNameW
ExpandEnvironmentStringsW
UnregisterWaitEx
SetEvent
InterlockedCompareExchange
ResetEvent
Sleep
RegisterWaitForSingleObject
GetTickCount
LocalFree
LocalAlloc
OpenEventW
WaitForMultipleObjects
GetCurrentProcess
CreateMutexW
CreateEventW
SetFileAttributesW
CreateDirectoryW
FlushFileBuffers
GetExitCodeProcess
CreateProcessW
GetCurrentProcessId
GetLocalTime
FindVolumeClose
FindNextVolumeW
QueryDosDeviceW
GetVolumePathNamesForVolumeNameW
FindFirstVolumeW
DeleteFileW
UnmapViewOfFile
GetDriveTypeW
GetSystemTimeAsFileTime
CreateThread
QueueUserWorkItem
DisableThreadLibraryCalls
GetSystemPowerStatus
InterlockedExchange
DeleteAtom
GetModuleHandleW
GetProcAddress
FreeLibrary
LoadLibraryA
QueryPerformanceCounter
GetCurrentThreadId
TerminateProcess

user32

GetMessageW
DispatchMessageW
UpdateWindow
TranslateMessage
SystemParametersInfoW
GetProcessWindowStation
SetProcessWindowStation
SetUserObjectSecurity
CreateDesktopW
CreateWindowStationW
CloseDesktop
CloseWindowStation
LoadStringW
EnumWindows
EnumThreadWindows
IsWindow
GetWindowThreadProcessId
LoadStringA
MessageBoxA
PostMessageW
UnregisterClassW
SendMessageW
RegisterWindowMessageW
RegisterClassW
CreateWindowExW
ShowWindow
DestroyWindow
DefWindowProcW
PostQuitMessage

rpcrt4

RpcServerRegisterIfEx
RpcServerInqBindings
RpcServerUseProtseqEpW
RpcServerUseProtseqW
RpcEpUnregister
RpcServerUnregisterIf
RpcBindingVectorFree
RpcImpersonateClient
RpcEpRegisterW
RpcServerRegisterAuthInfoW
NdrServerCall2
RpcRevertToSelf
UuidCreate
RpcServerUnregisterIfEx
RpcBindingToStringBindingW
RpcStringBindingParseW
RpcStringFreeW

userenv

LoadUserProfileW
UnloadUserProfile
DestroyEnvironmentBlock
CreateEnvironmentBlock

wtsapi32

WTSQueryUserToken
WTSQuerySessionInformationW
WTSEnumerateSessionsW
WTSFreeMemory

Exports

Exports

CloseProc
SPUninstall
SPUninstallCallback
SchedServiceMain
SysPrepBackup
SysPrepCallback
SysPrepRestore

Sections

.text
Size: 163KB - Virtual size: 162KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1c1ab794004c8a89c660e01bc19a0ebf

Headers

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

advapi32

ole32

netapi32

secur32

ntdsapi

imagehlp

shlwapi

kernel32

user32

rpcrt4

userenv

wtsapi32

Exports

Exports

Sections

.text Size: 163KB - Virtual size: 162KB

.data Size: 2KB - Virtual size: 4KB

.rsrc Size: 6KB - Virtual size: 6KB

.reloc Size: 8KB - Virtual size: 8KB

.text
Size: 163KB - Virtual size: 162KB

.data
Size: 2KB - Virtual size: 4KB

.rsrc
Size: 6KB - Virtual size: 6KB

.reloc
Size: 8KB - Virtual size: 8KB