erxpens[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

erxpens.exe
Size

475KB
MD5

f5e27aeb4d1ce380b3522c62ae7e012a
SHA1

c9db9d156a927d18dea343316e431b1135911daf
SHA256

c43c50f8c09713bc6e19375fe72287ce2be51485924e9922a224414b72e4bfd0
SHA512

1a3526525618f9919e99491c21e635c75b564790efe1dafde827658f1aa2451191b59463ce5d11cdd88fef13b81e34e2fc28dd28149f7d8422e11eca5014f879
SSDEEP

3072:7cE/OzhKoUi2PtWuCLAerWhOokeU3014oe:p/OzfBrWhOokeUkCd

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
erxpens.exe

Files

erxpens.exe
.exe windows:5 windows x86 arch:x86

c07e80761b6a50fda3046147e923a0f3

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

d:\B\1\754\src\Applications\CS\ERXPENS\Release\erxpens.pdb

Imports

cmsopen

?GetCMSVariable@CLOApplication@@UAEPBDPBDAAVDynamicString@@AAW4DATATYPE@@@Z
?GetGLParms@CLOApplication@@UAEHXZ
?Initialize@CLOApplication@@UAEXXZ
?GetMainWindowRect@CLOApplication@@UAEXAAUtagRECT@@@Z
?SetMainWindow@CLOApplication@@UAEXPAVTFrameWindow@OWL@@@Z
?GetMainWindow@CLOApplication@@UAEPAVTFrameWindow@OWL@@XZ
?MainMenu@CLOApplication@@UAEPAVCMSMenu@@XZ
?InstantLaunch@CLOApplication@@UAEXXZ
?AddPopupMenuPopup@CLOApplication@@UAEXPBD00P6AHHPAUMENUITEM@@PAX@ZH@Z
?AddPopupMenuItem@CLOApplication@@UAEXPBD00P6AHHPAUMENUITEM@@PAX@ZH@Z
?AddMainMenuPopup@CLOApplication@@UAEXPBD0P6AHHPAUMENUITEM@@PAX@ZH@Z
?AddMainMenuItem@CLOApplication@@UAEXPBD0P6AHHPAUMENUITEM@@PAX@ZH@Z
?BuildDefaultAppMenu@CLOApplication@@UAEXPAVCMSMenu@@@Z
?CreateDefaultAppMenu@CLOApplication@@UAEPAVCMSMenu@@PBD@Z
?ProcessAppMsg@CLOApplication@@UAE_NAAUtagMSG@@@Z
?InitInstance@CLOApplication@@UAEXXZ
??1CLOApplication@@UAE@XZ
??0CLOApplication@@QAE@PADPBDPAX20HJ@Z
?GetAppStartupInfo@CLOApplication@@UAEXXZ

cmsbase

?ApplicationWarning@CMSApplicationBase@@UAEXPBDH@Z
?ApplicationError@CMSApplicationBase@@UAEXPBD@Z
?ApplicationClosing@CMSApplicationBase@@UAEXXZ
?ApplicationOpening@CMSApplicationBase@@UAEXXZ
?LogConduit@CMSApplicationBase@@UAEPAVTLogConduit@@XZ
?UnsupervisedResponse@CMSApplicationBase@@UAEXH@Z
?SetApplicationContext@CMSApplicationBase@@UAEXKPBD0@Z
?UnsupervisedMode@CMSApplicationBase@@UAEX_N@Z
?UnsupervisedMode@CMSApplicationBase@@UAE_NXZ
?GetApplicationName@CMSApplicationBase@@UAEXAAVDynamicString@@@Z
?IsMobile@CMSApplicationBase@@UAE_NXZ
??1MouseCursor@@QAE@XZ
??0MouseCursor@@QAE@PAUHWND__@@PBDPAUHINSTANCE__@@@Z
?AppContext@CMSApplicationBase@@UAEPAVCMSAppContext@@XZ
?GetKeepAliveLock@CMSApplicationBase@@UAEPAXXZ
?CMSPreviousInstanceExists@@YA_NPAD@Z
?InputStream@CMSObjectReader@@UAEPAV?$basic_istream@DU?$char_traits@D@std@@@std@@XZ
?ReadLine@CMSObjectReader@@UAEHAAVDynamicString@@@Z
?ReadLine@CMSObjectReader@@UAEPADXZ
?ResetReader@CMSObjectReader@@UAEXXZ
?UnsupervisedResponse@CMSApplicationBase@@UAEHXZ
?SetOldBlockItem@CMSObjectReader@@UAEHPBD@Z
?ReadObject@CMSObjectReader@@UAEHAAV?$basic_istream@DU?$char_traits@D@std@@@std@@@Z

cmsform

?TableObject@CMSForm@@UAEXPAVCMSTable@@@Z
??0CMSApplicationSecurity@@QAE@PAVSQLObject@@AAVGroupList@@PBD@Z
?SetAttributeByName@CMSField@@UAEHPBDAAVAttributeLine@@@Z
??1CMSApplicationSecurity@@UAE@XZ
?AppName@CMSApplication@@UAEPADXZ
?KeyConnection@CMSApplication@@UAEPAVSQLObject@@XZ
?DefaultConnection@CMSApplication@@UAEXPAVSQLObject@@@Z
?DefaultConnection@CMSApplication@@UAEPAVSQLObject@@XZ
?Event_FormStatusBarChanged@CMSApplication@@UAEXPAVCMSForm@@@Z
?Event_FormShowStateChanged@CMSApplication@@UAEXPAVCMSForm@@H@Z
?TableObject@CMSForm@@UAEPAVCMSTable@@XZ
?Event_FormWaitStateChanged@CMSApplication@@UAEXPAVCMSForm@@_N@Z
?Event_FormActivated@CMSApplication@@UAEXPAVCMSForm@@@Z
?Event_FormFocused@CMSApplication@@UAEXPAVCMSForm@@@Z
?Event_FormClosed@CMSApplication@@UAEXPAVCMSForm@@@Z
?DefaultHInstance@CMSApplication@@UAEPAUHINSTANCE__@@XZ
??3CMSForm@@SAXPAX@Z
?Prev@TableNotification@@UAEPAV1@XZ
?Next@TableNotification@@UAEPAV1@XZ
?TableHasChanged@CMSForm@@UAEXPAVCMSDataField@@W4NOTIFYACTION@@@Z
?SetAttributeByName@CMSForm@@UAEHPBDAAVAttributeLine@@@Z
?ReadObject@CMSForm@@UAEHAAV?$basic_istream@DU?$char_traits@D@std@@@std@@@Z
?SetOldBlockItem@CMSForm@@UAEHPBD@Z
?Event_FormModalStateChanged@CMSApplication@@UAEXPAVCMSForm@@_N@Z
?Error@CMSApplication@@UAEHAAVexception@std@@II@Z
?AllowScriptDebugging@CMSApplication@@UAEXW4SCRIPT_DEBUG_STATE@@@Z
?InitializeBasicScript@CMSApplication@@UAEXXZ
?UninitializeBasicScript@CMSApplication@@UAEXXZ
?SetScriptDebugState@CMSApplication@@UAEXXZ
?AppAvailable@CMSApplication@@UAEHXZ
?LogNavigation@CMSApplication@@UAEXPBD@Z
?WriteNavigationLog@CMSApplication@@UAEXXZ
?BasicScriptContextPointer@CMSApplication@@UAEPAXAAVBasicThread@@PBDK@Z
?Event_FormCreated@CMSApplication@@UAEXPAVCMSForm@@@Z
?ModuleID@CMSApplication@@UAEJXZ
?SubsystemID@CMSApplication@@UAEJXZ
?AllowScriptDebugging@CMSApplication@@UAE?AW4SCRIPT_DEBUG_STATE@@XZ
?UserInfoIsUtilized@CMSApplication@@UAE_NXZ
?UserLanguageCode@CMSApplication@@UAEPBDXZ
?SecurityMask@CMSApplication@@UAEKXZ
?GetSystemCurrency@CMSApplication@@UAEPBDXZ
?ChangeCurrencyDisplay@CMSApplication@@MAEXPBD@Z
?NewDefaultConnection@CMSApplication@@MAEPAVSQLObject@@XZ
?GetDefaultConnectionParameters@CMSApplication@@MAEXAAHPADH1H0@Z
?Find@CMSApplication@@UAE_NAAVTEventInfo@TEventHandler@OWL@@P6A_NAAV?$TResponseTableEntry@VGENERIC@@@4@0@Z@Z
?GetDecimalPlaces@CMSApplication@@UAEXPBDAAHAAD@Z
?MessageLibrary@CMSApplication@@UAEPAVCMSMessageLibrary@@PBD@Z
?MessageLibrary@CMSApplication@@UAEPAVCMSMessageLibrary@@XZ
?UnloadMessageLibrary@CMSApplication@@UAEXXZ
?GlobalFontsList@CMSApplication@@UAEPAVGlobalFontList@@XZ
?GetGlobalStyleBase@CMSApplication@@UAEPAVGlobalStyleBase@@XZ
?NewLogConduit@CMSApplication@@UAEPAVTLogConduit@@PBDG@Z
?GetANewExchangeRateObject@CMSApplication@@UAE_NXZ
?MainForm@CMSApplication@@UAEXPBD@Z
?KeyConnection@CMSApplication@@UAEXPAVSQLObject@@@Z
?ConnectionVersionValid@CMSApplication@@UAEHPAVSQLObject@@@Z
?ModulePath@CMSApplication@@UAEPBDXZ
?ModulePath@CMSApplication@@UAEXPBD@Z
?DisplayCurrency@CMSApplication@@UAEXPBD@Z
?DisplayCurrency@CMSApplication@@UAEPBDXZ
?SpellcheckLanguage@CMSApplication@@UAEPBDXZ
?ProductCode@CMSApplication@@UAEPBDXZ
?CMSHelp@CMSApplication@@UAEXPAUHWND__@@PBD@Z
?CMSHelpSearch@CMSApplication@@UAEXPAUHWND__@@@Z
?CMSHelpIndex@CMSApplication@@UAEXPAUHWND__@@@Z
?CMSHelpOnHelp@CMSApplication@@UAEXPAUHWND__@@@Z
?CMSHelpAbout@CMSApplication@@UAEXPAVTWindow@OWL@@@Z
?Event_FormInitialized@CMSApplication@@UAEXPAVCMSForm@@@Z
?PrintScreen@CMSApplication@@UAEHPAVCMSForm@@H@Z
?UserInfoIsValid@CMSApplication@@UAE_NXZ

cmsexpns

??_DCMSExpenseCalendar@@QAEXXZ
?RefreshExpense@@YAXH@Z
??0ExpDesktop@@QAE@PAVTWindow@OWL@@@Z
??0CMSExpenseCalendar@@QAE@PAVTWindow@OWL@@HHHJPAVSQLObject@@@Z
??_DExpDesktop@@QAEXXZ

kernel32

GetModuleFileNameA
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetStartupInfoA
InterlockedCompareExchange
Sleep
InterlockedExchange
GetCommandLineA

user32

LoadCursorA
ShowWindow
SetWindowPos
BringWindowToTop
RegisterWindowMessageA
LoadIconA
IsIconic
GetSystemMetrics

cmsowl

?EnableTooltip@TApplication@OWL@@UAEX_N@Z
?InitApplication@TApplication@OWL@@MAEXXZ
?TermInstance@TApplication@OWL@@MAEHH@Z
?MessageBox@TApplication@OWL@@UAEHPAUHWND__@@PBD1I@Z
?PreProcessMenu@TApplication@OWL@@UAEXPAUHMENU__@@@Z
?WaitOnObject@TApplication@OWL@@UAEXPAX_N@Z
?ProcessMsg@TApplication@OWL@@UAE_NAAUtagMSG@@@Z
?IdleAction@TApplication@OWL@@UAE_NJ@Z
?MessageLoop@TApplication@OWL@@UAEHXZ
?Dispatch@TApplication@OWL@@UAEJAAVTEventInfo@TEventHandler@2@IJ@Z
?Start@TApplication@OWL@@UAEHXZ
?Run@TApplication@OWL@@UAEHXZ
?CanClose@TApplication@OWL@@UAE_NXZ
?Terminate@TThread@OWL@@UAEXXZ
?SetName@TModule@OWL@@QAEXPBD@Z
??_7TEventHandler@OWL@@6B@
?GetTooltip@TApplication@OWL@@UBEPAVTTooltip@2@XZ
?ObjectSignaled@TApplication@OWL@@UAEXPAX_N@Z
??0TModule@OWL@@QAE@PBDPAUHINSTANCE__@@_N@Z
?SetWinMainParams@TApplication@OWL@@SAXPAUHINSTANCE__@@0PBDH@Z
?HandleGlobalException@OWL@@YAHAAVexception@std@@PBD1@Z
??1TModule@OWL@@UAE@XZ

msvcr90

_amsg_exit
??2@YAPAXI@Z
??3@YAXPAX@Z
_XcptFilter
_ismbblead
__getmainargs
_acmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
_encode_pointer
__set_app_type
_crt_debugger_hook
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_unlock
__dllonexit
_lock
_onexit
_decode_pointer
_except_handler4_common
_cexit
_invoke_watson
_controlfp_s
exit
__CxxFrameHandler3
_exit

Sections

.text
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 453KB - Virtual size: 452KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c07e80761b6a50fda3046147e923a0f3

Headers

File Characteristics

PDB Paths

Imports

cmsopen

cmsbase

cmsform

cmsexpns

kernel32

user32

cmsowl

msvcr90

Sections

.text Size: 5KB - Virtual size: 5KB

.rdata Size: 14KB - Virtual size: 13KB

.data Size: 1KB - Virtual size: 2KB

.rsrc Size: 453KB - Virtual size: 452KB

.text
Size: 5KB - Virtual size: 5KB

.rdata
Size: 14KB - Virtual size: 13KB

.data
Size: 1KB - Virtual size: 2KB

.rsrc
Size: 453KB - Virtual size: 452KB