osk[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

osk.exe
Size

556KB
MD5

669799aad2d88a64dcd430e553081a85
SHA1

6712edd509a3aab723cf22e03204ce4caa3c080f
SHA256

9ae48a80ccbc0b161df11ac59f2927266fb974d01b2b8dcb1798e8f0ef9c1053
SHA512

7b15f1b25d9f7e5782a3c803bee2fafb178e35f9db68b863781ad6dfb879b98c8a8d0257544753c736e05bf0479cfb6cb3d9a6a6859f25e89913baf1532e7702
SSDEEP

6144:9stgJ/oP9W3wuB8xpkmZ+SdZc1Oc5RNU0w7lslnCUGw/xIRLtxIRLuovZ:cs/SMwYSDZeU0w7lzaoo

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
osk.exe

Files

osk.exe
.exe windows:10 windows x64 arch:x64

5dd120dc6a23a12489d1e4e7b5afb1aa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

osk.pdb

Imports

advapi32

EventUnregister
RegOpenKeyExW
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableLevel
RegSetValueExW
GetTraceEnableFlags
GetTraceLoggerHandle
EventSetInformation
TraceMessage
EventRegister
EventWriteTransfer
RegCloseKey
RegQueryValueExW
RegCreateKeyExW
RegDeleteValueW
RegGetValueW
CheckTokenMembership
FreeSid
AllocateAndInitializeSid
RegNotifyChangeKeyValue
RegEnumKeyExW
OpenProcessToken
GetTokenInformation
ConvertSidToStringSidW
RegLoadMUIStringW
RegDeleteTreeW
RegEnumValueW

kernel32

RaiseException
EnterCriticalSection
LeaveCriticalSection
VirtualQuery
GetSystemInfo
LoadLibraryExA
VirtualProtect
FreeLibrary
CreateThreadpoolTimer
InitializeCriticalSectionEx
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
ReleaseSRWLockShared
AcquireSRWLockShared
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
IsDebuggerPresent
CreateMutexExW
OpenSemaphoreW
WaitForSingleObjectEx
InitOnceComplete
OutputDebugStringW
ReleaseSemaphore
CreateSemaphoreExW
InitOnceBeginInitialize
K32GetModuleBaseNameW
K32EnumProcessModules
K32EnumProcesses
DeleteFileW
InitializeCriticalSection
DeleteProcThreadAttributeList
CreateProcessW
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
OpenProcess
SetLastError
LocalFree
OOBEComplete
DebugBreak
CreateThread
SetEvent
FormatMessageW
CreateEventW
HeapFree
MultiByteToWideChar
OpenJobObjectW
WaitForSingleObject
CompareStringOrdinal
HeapSize
GetModuleFileNameA
GetModuleFileNameW
ReleaseActCtx
CreateActCtxW
DeactivateActCtx
ActivateActCtx
GetSystemTimeAsFileTime
GetCurrentThreadId
QueryPerformanceCounter
TerminateProcess
DeleteCriticalSection
GetFileAttributesW
HeapDestroy
OpenMutexW
GetSystemDefaultLocaleName
GetStringTypeExW
GetModuleHandleW
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetStartupInfoW
Sleep
GetProcAddress
GlobalAddAtomW
GlobalDeleteAtom
LoadLibraryExW
MulDiv
GetTickCount
LocaleNameToLCID
GetCurrentProcessId
ResolveLocaleName
ProcessIdToSessionId
LCIDToLocaleName
FreeResource
GetUserPreferredUILanguages
GetLocaleInfoEx
ExpandEnvironmentStringsW
IsProcessInJob
HeapReAlloc
GetProcessHeap
HeapAlloc
RegisterApplicationRestart
LoadResource
FindResourceExW
HeapSetInformation
CloseHandle
LockResource
GetLastError
GetTickCount64
ReleaseMutex
CreateMutexW
SetProcessShutdownParameters
SizeofResource
GetModuleHandleExW

gdi32

GetDeviceCaps
GetStockObject

user32

GetWindowMinimizeRect
UnregisterClassA
CreateDialogParamW
GetKeyState
GetShellWindow
GetUserObjectInformationW
GetThreadDesktop
SendNotifyMessageW
SetDesktopColorTransform
ChangeWindowMessageFilterEx
MessageBoxW
SetDlgItemTextW
SendDlgItemMessageW
SetFocus
GetDlgItem
CheckDlgButton
EnableWindow
AdjustWindowRectEx
AllowSetForegroundWindow
MonitorFromPoint
MonitorFromWindow
SetWindowLongPtrW
RemovePropW
GetSystemMetrics
SetClassLongPtrW
GetWindowLongPtrW
IsWindow
GetMonitorInfoW
GetDoubleClickTime
SetPropW
LoadIconW
SetForegroundWindow
GetWindowLongW
GetWindowThreadProcessId
GetMessageExtraInfo
GetWindowRect
GetDC
GetPropW
MonitorFromRect
CallNextHookEx
GetCursorInfo
WindowFromPhysicalPoint
MapVirtualKeyExW
MapWindowPoints
GetKeyboardLayout
GetForegroundWindow
UnhookWindowsHookEx
SetLayeredWindowAttributes
LoadCursorW
GetClassNameW
SetWindowsHookExW
SetWinEventHook
GetParent
PtInRect
UnhookWinEvent
InvalidateRect
ReleaseDC
GetGUIThreadInfo
SendInput
SetWindowPos
CreateWindowExW
ScreenToClient
SendMessageW
SetTimer
GetClientRect
KillTimer
SystemParametersInfoW
LoadImageW
GetCursorPos
GetMessageW
PostMessageW
DestroyWindow
LoadStringW
ShowWindow
DispatchMessageW
IsDialogMessageW
PeekMessageW
SetWindowFeedbackSetting
TranslateMessage
FindWindowW
IsIconic
SetWindowPlacement

msvcrt

_wcslwr_s
memset
_wtoi
wcschr
memcpy_s
??3@YAXPEAX@Z
wcsrchr
memcmp
__CxxFrameHandler4
_ltow_s
_onexit
__dllonexit
_unlock
_lock
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
_commode
_fmode
_wcmdln
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
memmove
memcpy
__CxxFrameHandler3
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBQEBD@Z
_purecall
_callnewh
malloc
__C_specific_handler
wcsstr
wcscpy_s
free
calloc
wcstoul
_vsnwprintf
??_V@YAXPEAX@Z
wcscspn
memmove_s
wcsspn
_wcsicmp
wcscmp

osksupport

UninitializeOSKSupport
InitializeOSKSupport

dwmapi

DwmSetWindowAttribute

gdiplus

GdiplusStartup
GdiplusShutdown

ntdll

WinSqmIncrementDWORD
WinSqmSetDWORD
RtlCaptureContext
RtlLookupFunctionEntry
WinSqmAddToStream
WinSqmIsOptedIn
RtlVirtualUnwind

ole32

CoInitialize
CoUninitialize
CoCreateInstance

oleacc

AccSetRunningUtilityState
AccessibleObjectFromWindow

oleaut32

SysAllocStringLen
SysStringLen
SysFreeString
SysAllocString

winmm

waveOutGetNumDevs
PlaySoundW
joyReleaseCapture
joySetCapture

wmsgapi

WmsgSendMessage

duser

InvalidateGadget

dui70

?ShowWindow@NativeHWNDHost@DirectUI@@QEAAXH@Z
UnInitThread
UnInitProcessPriv
?EndDefer@Element@DirectUI@@QEAAXK@Z
InitThread
InitProcessPriv
?WndProc@HWNDElement@DirectUI@@UEAA_JPEAUHWND__@@I_K_J@Z
?ElementFromPoint@HWNDElement@DirectUI@@QEAAPEAVElement@2@PEAUtagPOINT@@@Z
?RemoveTooltip@HWNDElement@DirectUI@@UEAAXPEAVElement@2@@Z
?ActivateTooltip@HWNDElement@DirectUI@@UEAAXPEAVElement@2@K@Z
?UpdateTooltip@HWNDElement@DirectUI@@UEAAXPEAVElement@2@@Z
?_OnUIStateChanged@HWNDElement@DirectUI@@MEAAXGG@Z
?OnWmSettingChanged@HWNDElement@DirectUI@@UEAAX_K_J@Z
?OnWmThemeChanged@HWNDElement@DirectUI@@UEAAX_K_J@Z
?OnGetDlgCode@HWNDElement@DirectUI@@UEAAXPEAUtagMSG@@PEA_J@Z
?OnNoChildWithShortcutFound@HWNDElement@DirectUI@@UEAAXPEAUKeyboardEvent@2@@Z
?OnInput@HWNDElement@DirectUI@@UEAAXPEAUInputEvent@2@@Z
?OnImmersiveColorSchemeChanged@HWNDElement@DirectUI@@UEAAXXZ
?OnThemeChanged@HWNDElement@DirectUI@@UEAAXPEAUThemeChangedEvent@2@@Z
?OnEvent@HWNDElement@DirectUI@@UEAAXPEAUEvent@2@@Z
?OnDestroy@HWNDElement@DirectUI@@UEAAXXZ
?OnGroupChanged@HWNDElement@DirectUI@@UEAAXH_N@Z
?OnPropertyChanged@HWNDElement@DirectUI@@UEAAXPEBUPropertyInfo@2@HPEAVValue@2@1@Z
?Host@NativeHWNDHost@DirectUI@@QEAAXPEAVElement@2@@Z
?GetUiaFocusDelegate@Element@DirectUI@@UEAAPEAV12@XZ
?HandleUiaEventListener@Element@DirectUI@@UEAAXPEAUEvent@2@@Z
?HandleUiaPropertyChangingListener@Element@DirectUI@@UEAAXPEBUPropertyInfo@2@@Z
?HandleUiaPropertyListener@Element@DirectUI@@UEAAXPEBUPropertyInfo@2@HPEAVValue@2@1@Z
?HandleUiaDestroyListener@Element@DirectUI@@UEAAXXZ
?GetElementProviderImpl@Element@DirectUI@@UEAAJPEAVInvokeHelper@2@PEAPEAVElementProvider@2@@Z
?GetUIAElementProvider@Element@DirectUI@@UEAAJAEBU_GUID@@PEAPEAX@Z
?DefaultAction@Element@DirectUI@@UEAAJXZ
?DoubleBuffered@Element@DirectUI@@QEAAX_N@Z
?OnUnHosted@Element@DirectUI@@MEAAXPEAV12@@Z
?OnHosted@Element@DirectUI@@MEAAXPEAV12@@Z
?_SelfLayoutUpdateDesiredSize@Element@DirectUI@@MEAA?AUtagSIZE@@HHPEAVSurface@2@@Z
?_SelfLayoutDoLayout@Element@DirectUI@@MEAAXHH@Z
?GetImmersiveFocusRectOffsets@Element@DirectUI@@UEAAXPEAUtagRECT@@@Z
?MessageCallback@Element@DirectUI@@UEAAIPEAUtagGMSG@@@Z
?RemoveBehavior@Element@DirectUI@@UEAAJPEAUIDuiBehavior@@@Z
?AddBehavior@Element@DirectUI@@UEAAJPEAUIDuiBehavior@@@Z
?SetKeyFocus@Element@DirectUI@@UEAAXXZ
?EnsureVisible@Element@DirectUI@@UEAA_NHHHH@Z
?Initialize@HWNDElement@DirectUI@@QEAAJPEAUHWND__@@_NIPEAVElement@2@PEAK@Z
??1HWNDElement@DirectUI@@UEAA@XZ
??0HWNDElement@DirectUI@@QEAA@XZ
?GetAccessibleImpl@HWNDElement@DirectUI@@UEAAJPEAPEAUIAccessible@@@Z
?Register@HWNDElement@DirectUI@@SAJXZ
?ThemeChange@HWNDElement@DirectUI@@SA?AVUID@@XZ
?GetHWND@NativeHWNDHost@DirectUI@@QEAAPEAUHWND__@@XZ
?OnCompositionChanged@HWNDElement@DirectUI@@UEAAXXZ
?GetAdjacent@Element@DirectUI@@UEAAPEAV12@PEAV12@HPEBUNavReference@2@K@Z
?OnMessage@NativeHWNDHost@DirectUI@@UEAAJI_K_JPEA_J@Z
?Destroy@NativeHWNDHost@DirectUI@@QEAAXXZ
??0NativeHWNDHost@DirectUI@@QEAA@XZ
?Initialize@NativeHWNDHost@DirectUI@@QEAAJPEBG0PEAUHWND__@@PEAUHICON__@@HHHHHHPEAUHINSTANCE__@@I@Z
??1NativeHWNDHost@DirectUI@@UEAA@XZ
?CreateHostWindow@NativeHWNDHost@DirectUI@@UEAAPEAUHWND__@@KPEBG0KHHHHPEAU3@PEAUHMENU__@@PEAUHINSTANCE__@@PEAX@Z
?GetDisplayNode@Element@DirectUI@@QEAAPEAUHGADGET__@@XZ
?SetWidth@Element@DirectUI@@QEAAJH@Z
?SetHeight@Element@DirectUI@@QEAAJH@Z
?SetX@Element@DirectUI@@QEAAJH@Z
?SetY@Element@DirectUI@@QEAAJH@Z
?SetEnabled@Element@DirectUI@@QEAAJ_N@Z
?Remove@Element@DirectUI@@QEAAJPEAV12@@Z
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z
StrToID
?IsRTL@Element@DirectUI@@QEAA_NXZ
?IsRTLReading@Element@DirectUI@@UEAA_NXZ
?IsContentProtected@Element@DirectUI@@UEAA_NXZ
?QueryInterface@Element@DirectUI@@UEAAJAEBU_GUID@@PEAPEAX@Z
?GetParent@Element@DirectUI@@QEAAPEAV12@XZ
?GetKeyFocused@Element@DirectUI@@UEAA_NXZ
?SetVisible@Element@DirectUI@@QEAAJ_N@Z
?SetAccessible@Element@DirectUI@@QEAAJ_N@Z
?SetLayout@Element@DirectUI@@QEAAJPEAVLayout@2@@Z
?CanSetFocus@HWNDElement@DirectUI@@UEAA_NXZ
?IsMSAAEnabled@HWNDElement@DirectUI@@UEAA_NXZ
?GetHWND@HWNDElement@DirectUI@@UEAAPEAUHWND__@@XZ
?GetClassInfoW@HWNDElement@DirectUI@@UEAAPEAUIClassInfo@2@XZ
?Create@FillLayout@DirectUI@@SAJPEAPEAVLayout@2@@Z
?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z
?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ
?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z
?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z
?Destroy@Layout@DirectUI@@QEAAXXZ
?Destroy@Element@DirectUI@@QEAAJ_N@Z
?StartDefer@Element@DirectUI@@QEAAXPEAK@Z
?GetContentStringAsDisplayed@Element@DirectUI@@UEAAPEBGPEAPEAVValue@2@@Z
?OnPropertyChanging@Element@DirectUI@@UEAA_NPEBUPropertyInfo@2@HPEAVValue@2@1@Z
?OnPropertyChanging@Element@DirectUI@@UEAA_NPEAUPropertyInfo@2@HPEAVValue@2@1@Z
?OnPropertyChanged@Element@DirectUI@@UEAAXPEAUPropertyInfo@2@HPEAVValue@2@1@Z
?OnKeyFocusMoved@Element@DirectUI@@UEAAXPEAV12@0@Z
?OnMouseFocusMoved@Element@DirectUI@@UEAAXPEAV12@0@Z
?Paint@Element@DirectUI@@UEAAXPEAUHDC__@@PEBUtagRECT@@1PEAU4@2@Z
?GetContentSize@Element@DirectUI@@UEAA?AUtagSIZE@@HHPEAVSurface@2@@Z
?Add@Element@DirectUI@@UEAAJPEAPEAV12@I@Z
?Insert@Element@DirectUI@@UEAAJPEAPEAV12@II@Z
?Remove@Element@DirectUI@@UEAAJPEAPEAV12@I@Z
?GetWindowClassNameAndStyle@HWNDElement@DirectUI@@UEAAXPEAPEBGPEAI@Z

shell32

ShellExecuteW

Sections

.text
Size: 132KB - Virtual size: 130KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 352KB - Virtual size: 351KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 804B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5dd120dc6a23a12489d1e4e7b5afb1aa

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

gdi32

user32

msvcrt

osksupport

dwmapi

gdiplus

ntdll

ole32

oleacc

oleaut32

winmm

wmsgapi

duser

dui70

shell32

Sections

.text Size: 132KB - Virtual size: 130KB

.rdata Size: 48KB - Virtual size: 46KB

.data Size: 4KB - Virtual size: 6KB

.pdata Size: 8KB - Virtual size: 6KB

.didat Size: 4KB - Virtual size: 16B

.rsrc Size: 352KB - Virtual size: 351KB

.reloc Size: 4KB - Virtual size: 804B

.text
Size: 132KB - Virtual size: 130KB

.rdata
Size: 48KB - Virtual size: 46KB

.data
Size: 4KB - Virtual size: 6KB

.pdata
Size: 8KB - Virtual size: 6KB

.didat
Size: 4KB - Virtual size: 16B

.rsrc
Size: 352KB - Virtual size: 351KB

.reloc
Size: 4KB - Virtual size: 804B