95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf

Sharing

Copy URL

Twitter E-mail

General

Target

95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf
Size

146KB
MD5

69bec32d50744293e85606a5e8f80425
SHA1

101b90ac7e0c2a8b570686c13dfa0e161ddd00e0
SHA256

95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf
SHA512

e01f976fcbfa67cfd6e97855d07350a27b67fcc825d4e813ac9d2f4e8f464bb4f8bbbbe58a26bc27e78fa15db0ee5271e8f041dd72f036c11964eb1c591b438f
SSDEEP

3072:V6ZkRGjkBrmKmY99UpkD1/34bIpVSrtLmqc2LVMMqqD/h2LuTeONA5tIHVcH:IS9rLPPUpa3VVEtLXcCqqD/hOQnaMcH

Score

10^/10

Malware Config

Signatures

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects command variations typically used by ransomware 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_GENRansomware

Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_USNDeleteJournal

Detects executables containing commands for clearing Windows Event Logs 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_ClearWinLogs

Detects executables containing many references to VEEAM. Observed in ransomware 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICOUS_EXE_References_VEEAM

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf

Files

95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf
.exe windows:5 windows x86 arch:x86

e9f710b579880d1b6ff748176eb620f1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

netapi32

NetApiBufferFree
NetShareEnum

iphlpapi

GetAdaptersInfo

ws2_32

WSAGetLastError
htons
connect
socket
inet_addr
WSAStartup
select
closesocket
__WSAFDIsSet
WSACleanup
ioctlsocket

crypt32

CryptBinaryToStringA

gdiplus

GdipGetImageEncodersSize
GdipDeleteGraphics
GdipDeleteStringFormat
GdipGetImageGraphicsContext
GdipDeleteFont
GdipCreateBitmapFromScan0
GdipSetStringFormatAlign
GdipSaveImageToFile
GdipCloneBrush
GdipDrawString
GdipFree
GdipDeleteBrush
GdipAlloc
GdipDisposeImage
GdipCreateLineBrushFromRect
GdipSetStringFormatLineAlign
GdipCreateFont
GdiplusStartup
GdipGetGenericFontFamilySansSerif
GdipCreateStringFormat
GdipDeleteFontFamily
GdipGetImageEncoders
GdipFillRectangle
GdipCreateFontFamilyFromName

shlwapi

PathAddBackslashW
PathFindExtensionW
PathRemoveBackslashW
PathRemoveExtensionA
StrFormatByteSize64A
PathRemoveFileSpecW

mpr

WNetCloseEnum
WNetOpenEnumW
WNetEnumResourceW
WNetGetConnectionW
WNetAddConnection2W

ntdll

RtlEnterCriticalSection
RtlLeaveCriticalSection
RtlDeleteCriticalSection
RtlInitializeCriticalSection
NtSetInformationThread
NtAdjustPrivilegesToken
NtOpenProcessToken
NtQueryInformationToken
RtlGetAce
NtOpenProcess
RtlQueryInformationAcl
RtlAllocateAndInitializeSid
RtlAddAce
RtlLengthSid
NtClose
RtlAdjustPrivilege
RtlFreeSid
RtlAddAccessDeniedAce
NtSetInformationProcess
RtlCreateAcl
NtWaitForSingleObject
NtSetInformationFile
RtlDosPathNameToNtPathName_U
NtCreateIoCompletion
NtRemoveIoCompletion
NtQueryInformationFile
RtlInterlockedPushEntrySList
RtlInitializeSListHead
RtlInterlockedPopEntrySList
RtlInterlockedFlushSList
RtlInitUnicodeString
NtAllocateVirtualMemory
LdrEnumerateLoadedModules
RtlAcquirePebLock
RtlReleasePebLock

msvcrt

malloc
calloc
free

kernel32

GetLocalTime
GetProcAddress
SetThreadUILanguage
GetConsoleMode
GetWindowsDirectoryW
GetCurrentProcess
GlobalFree
GlobalAlloc
ReadFile
FindNextVolumeW
GetVolumePathNamesForVolumeNameW
GetModuleHandleA
SetProcessShutdownParameters
SetConsoleMode
WriteFile
GetConsoleWindow
SetConsoleTitleA
FindVolumeClose
SetVolumeMountPointW
FindFirstVolumeW
QueryDosDeviceW
GetVersion
CreateProcessA
lstrcmpiA
GetCurrentProcessId
MoveFileExW
Process32Next
CreateToolhelp32Snapshot
OpenProcess
GetUserDefaultUILanguage
TerminateProcess
GetSystemDefaultUILanguage
Process32First
LoadLibraryA
OpenMutexA
CreateMutexA
GetTickCount
Sleep
GetTempFileNameW
GetTempPathW
GetDriveTypeW
lstrcmpiW
ExitProcess
CreateThread
CloseHandle
DeleteFileW
GetDiskFreeSpaceExW
SetFileAttributesW
ExitThread
GetFileAttributesW
CreateFileW
FindClose
SetConsoleTextAttribute
WaitForMultipleObjects
FindNextFileW
FindFirstFileExW
GetLogicalDrives
AllocConsole
SetConsoleCtrlHandler

user32

wsprintfW
GetMessageW
GetSystemMenu
SystemParametersInfoW
DeleteMenu
wsprintfA
CharUpperA
SetWindowLongA
PeekMessageW
GetWindowLongA
wvsprintfA
RegisterHotKey
FlashWindow
SetLayeredWindowAttributes
EnableMenuItem
MessageBoxA
GetSystemMetrics
GetShellWindow
GetWindowThreadProcessId
IsWindowVisible
ShowWindow
CharLowerBuffW

advapi32

CloseServiceHandle
RegQueryValueExW
RegDeleteValueW
RegSetValueExA
RegSetValueExW
RegCreateKeyExA
RegQueryValueExA
OpenProcessToken
DuplicateToken
OpenThreadToken
GetTokenInformation
SetSecurityInfo
RegOpenKeyA
RegCloseKey
GetSecurityInfo
EnumDependentServicesA
SetThreadToken
OpenSCManagerA
ControlService
QueryServiceStatusEx
OpenServiceA
SetFileSecurityW
CryptAcquireContextW
SetSecurityDescriptorOwner
CryptGenRandom
LookupPrivilegeValueA
CreateWellKnownSid
CheckTokenMembership
InitializeSecurityDescriptor
CryptReleaseContext

shell32

SHEmptyRecycleBinW
ShellExecuteW
SHGetFolderPathW
ShellExecuteExA
ShellExecuteExW
CommandLineToArgvW

ole32

CoGetObject
CoUninitialize
CoInitializeEx

Sections

.text
Size: 103KB - Virtual size: 102KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 41KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

e9f710b579880d1b6ff748176eb620f1

Headers

DLL Characteristics

File Characteristics

Imports

netapi32

iphlpapi

ws2_32

crypt32

gdiplus

shlwapi

mpr

ntdll

msvcrt

kernel32

user32

advapi32

shell32

ole32

Sections

.text Size: 103KB - Virtual size: 102KB

.rdata Size: 41KB - Virtual size: 41KB

.data Size: 512B - Virtual size: 9KB

.text
Size: 103KB - Virtual size: 102KB

.rdata
Size: 41KB - Virtual size: 41KB

.data
Size: 512B - Virtual size: 9KB