KrampUI[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

KrampUI.exe
Size

12.5MB
MD5

870cd7c265520af7682dbb8de61b8b98
SHA1

63f1c01e6ccbf5482a1b3b4f0587c7c89903415e
SHA256

dcc5dd24fe0d979ebdf1a780d1fdc3e930e182ff37142428d89e2049bc56a7eb
SHA512

cc53b7fbfb8d2453732df1192bc556d672887fcbb4544ce998b69fa035f2dc28744c919928ebc9e211fd8d4d042a4a65ca79cc9758ab907100b4083db4fe1604
SSDEEP

98304:zYd5WZVljHwAh64FZl/7RnJM2I9MfXwEKHiWIrnbBiAU7hXiBPLefAC5cQzRjrmm:q4Rw3FJVWPLefAs/PSsqv

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
KrampUI.exe

Files

KrampUI.exe
.exe windows:6 windows x64 arch:x64

085527170cff2b45d58d740fed578ab6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

RegOpenKeyExW
RegQueryValueExW
SystemFunction036
RegCloseKey
OpenProcessToken
GetTokenInformation
IsValidSid
GetLengthSid
CopySid
EventRegister
EventSetInformation
EventWriteTransfer
EventUnregister
RegGetValueW

ws2_32

getsockname
send
WSAGetOverlappedResult
WSAIoctl
WSAGetLastError
closesocket
listen
recv
ioctlsocket
setsockopt
WSASocketW
bind
WSACleanup
WSASend
WSARecv
shutdown
connect
getsockopt
getaddrinfo
freeaddrinfo
WSAStartup
getpeername

kernel32

TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
EncodePointer
RaiseException
RtlPcToFileHeader
RtlUnwindEx
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
InitializeSListHead
TlsFree
LoadLibraryExW
OutputDebugStringW
OutputDebugStringA
HeapFree
AcquireSRWLockExclusive
CloseHandle
ReleaseSRWLockExclusive
SwitchToThread
QueryPerformanceCounter
GetLastError
CompareStringOrdinal
CreatePipe
TryAcquireSRWLockExclusive
SetFileCompletionNotificationModes
GlobalLock
GlobalSize
GlobalUnlock
MultiByteToWideChar
GlobalAlloc
GetModuleHandleA
GetProcAddress
GetUserDefaultLocaleName
GetSystemInfo
GetNativeSystemInfo
GetCurrentThreadId
GetModuleHandleW
lstrlenW
CreateMutexW
CreateIoCompletionPort
SleepConditionVariableSRW
GetQueuedCompletionStatusEx
WakeConditionVariable
CreateWaitableTimerExW
Sleep
SetWaitableTimer
WaitForSingleObject
GetExitCodeProcess
GetStdHandle
GetConsoleMode
SetConsoleMode
FindClose
CancelIoEx
WaitForMultipleObjects
GetOverlappedResult
SetEnvironmentVariableW
ReleaseMutex
AddVectoredExceptionHandler
SetThreadStackGuarantee
RemoveDirectoryW
MoveFileExW
CopyFileExW
HeapReAlloc
GlobalFree
GetFileType
GetFileInformationByHandleEx
PostQueuedCompletionStatus
SetHandleInformation
WakeAllConditionVariable
QueryPerformanceFrequency
GetProcessId
TerminateProcess
GetCurrentThread
WriteConsoleW
SetLastError
FormatMessageW
GetCurrentDirectoryW
WaitForSingleObjectEx
LoadLibraryA
GetCurrentProcess
GetCurrentProcessId
CreateMutexA
RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry
GetEnvironmentVariableW
GetTempPathW
GetModuleFileNameW
GetCommandLineW
CreateFileW
SetFileInformationByHandle
GetFileInformationByHandle
GetFullPathNameW
GetFinalPathNameByHandleW
FindNextFileW
CreateDirectoryW
FindFirstFileW
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
DuplicateHandle
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
CreateNamedPipeW
CreateThread
ReadFileEx
SleepEx
WriteFileEx
CreateEventW
CancelIo
ReadFile
ExitProcess
GetSystemTimeAsFileTime
GetProcessHeap
HeapAlloc
AcquireSRWLockShared
ReleaseSRWLockShared
DeleteFileW
GetProcessTimes
GetSystemTimes
GetProcessIoCounters
ReadProcessMemory
VirtualQueryEx
LocalFree
GlobalMemoryStatusEx
K32GetPerformanceInfo
OpenProcess
LoadLibraryW
LoadLibraryExA
FreeLibrary
SetFilePointerEx
GetUserDefaultUILanguage
LCIDToLocaleName

ntdll

NtWriteFile
NtReadFile
NtQueryInformationProcess
NtCreateFile
NtDeviceIoControlFile
RtlGetVersion
NtQuerySystemInformation
RtlGetNtVersionNumbers
NtCancelIoFileEx
RtlNtStatusToDosError

shell32

Shell_NotifyIconGetRect
SHAppBarMessage
ShellExecuteW
SHGetKnownFolderPath
Shell_NotifyIconW
SHCreateItemFromParsingName
CommandLineToArgvW
DragFinish
DragQueryFileW

user32

TrackPopupMenu
SetMenuItemInfoW
AppendMenuW
CreateAcceleratorTableW
PostQuitMessage
AdjustWindowRectEx
SystemParametersInfoA
VkKeyScanW
GetDC
IsProcessDPIAware
EnableMenuItem
DestroyIcon
RegisterClassW
CreateMenu
CreatePopupMenu
UnregisterHotKey
RegisterHotKey
MapVirtualKeyExW
DispatchMessageA
GetAsyncKeyState
ShowCursor
CheckMenuItem
MonitorFromPoint
ClipCursor
EnumChildWindows
EnumDisplayMonitors
GetWindowTextLengthW
DestroyAcceleratorTable
SetMenu
GetWindowLongPtrW
GetActiveWindow
GetClipCursor
MessageBoxW
GetSystemMenu
GetMenu
IsWindowVisible
GetKeyboardState
AttachThreadInput
GetKeyState
ShowWindow
GetCursorPos
CloseTouchInputHandle
ScreenToClient
GetTouchInputInfo
ReleaseCapture
DestroyWindow
TrackMouseEvent
SetWindowLongW
MonitorFromRect
GetWindowRect
ClientToScreen
GetClientRect
GetWindowLongW
CallNextHookEx
MsgWaitForMultipleObjectsEx
GetMessageA
SetWindowsHookExA
ToUnicodeEx
GetKeyboardLayout
SetWindowDisplayAffinity
SendInput
SetForegroundWindow
RegisterTouchWindow
IsWindow
SendMessageW
RegisterClassExW
FindWindowW
SetCursor
LoadCursorW
FlashWindowEx
InvalidateRgn
SetWindowPos
MonitorFromWindow
GetWindowPlacement
SetWindowPlacement
ChangeDisplaySettingsExW
GetMonitorInfoW
PostMessageW
DispatchMessageW
TranslateMessage
TranslateAcceleratorW
GetAncestor
MapVirtualKeyW
GetUpdateRect
PeekMessageW
PostThreadMessageW
ValidateRect
GetRawInputData
RegisterRawInputDevices
GetMessageW
CreateWindowExW
DefWindowProcW
RedrawWindow
SetWindowLongPtrW
GetSystemMetrics
CloseClipboard
SetClipboardData
EmptyClipboard
GetClipboardData
IsClipboardFormatAvailable
CreateIcon
GetWindowThreadProcessId
IsIconic
SetWindowTextW
GetForegroundWindow
SetCapture
OpenClipboard
SetCursorPos
GetWindowTextW
RegisterWindowMessageA

comctl32

RemoveWindowSubclass
SetWindowSubclass
TaskDialogIndirect
DefSubclassProc

gdi32

DeleteObject
GetDeviceCaps
CreateRectRgn

dwmapi

DwmEnableBlurBehindWindow

ole32

RevokeDragDrop
CoTaskMemAlloc
OleInitialize
CoUninitialize
CoInitializeEx
CreateStreamOnHGlobal
CoCreateInstance
CoTaskMemFree
RegisterDragDrop

bcrypt

BCryptGenRandom

crypt32

CertFreeCertificateContext
CertCloseStore
CertEnumCertificatesInStore
CertOpenStore
CertDuplicateStore
CertAddCertificateContextToStore
CertDuplicateCertificateContext
CertGetCertificateChain
CertDuplicateCertificateChain
CertVerifyCertificateChainPolicy
CertFreeCertificateChain

secur32

DeleteSecurityContext
ApplyControlToken
FreeCredentialsHandle
DecryptMessage
AcquireCredentialsHandleA
EncryptMessage
AcceptSecurityContext
QueryContextAttributesW
FreeContextBuffer
InitializeSecurityContextW

psapi

GetModuleFileNameExW
GetProcessMemoryInfo

pdh

PdhCloseQuery
PdhRemoveCounter
PdhAddEnglishCounterW
PdhCollectQueryData
PdhGetFormattedCounterValue
PdhOpenQueryA

powrprof

CallNtPowerInformation

uxtheme

SetWindowTheme

oleaut32

GetErrorInfo
SysStringLen
SetErrorInfo
SysFreeString

api-ms-win-crt-math-l1-1-0

__setusermatherr
pow
floor
trunc
round

api-ms-win-crt-string-l1-1-0

strlen
strcpy_s
wcslen
wcsncmp
_wcsicmp

api-ms-win-crt-convert-l1-1-0

wcstol
_ultow_s

api-ms-win-crt-runtime-l1-1-0

_set_app_type
_initterm_e
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initterm
exit
_seh_filter_exe
abort
_register_thread_local_exe_atexit_callback
_c_exit
_cexit
_get_initial_narrow_environment
terminate
_configure_narrow_argv
__p___argv
__p___argc
_exit
_initialize_narrow_environment

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

_set_new_mode
_callnewh
calloc
free
malloc

Sections

.text
Size: 8.0MB - Virtual size: 8.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4.0MB - Virtual size: 4.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 359KB - Virtual size: 358KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 67KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

085527170cff2b45d58d740fed578ab6

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

ws2_32

kernel32

ntdll

shell32

user32

comctl32

gdi32

dwmapi

ole32

bcrypt

crypt32

secur32

psapi

pdh

powrprof

uxtheme

oleaut32

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-heap-l1-1-0

Sections

.text Size: 8.0MB - Virtual size: 8.0MB

.rdata Size: 4.0MB - Virtual size: 4.0MB

.data Size: 2KB - Virtual size: 14KB

.pdata Size: 359KB - Virtual size: 358KB

_RDATA Size: 512B - Virtual size: 500B

.rsrc Size: 67KB - Virtual size: 67KB

.reloc Size: 44KB - Virtual size: 43KB

.text
Size: 8.0MB - Virtual size: 8.0MB

.rdata
Size: 4.0MB - Virtual size: 4.0MB

.data
Size: 2KB - Virtual size: 14KB

.pdata
Size: 359KB - Virtual size: 358KB

_RDATA
Size: 512B - Virtual size: 500B

.rsrc
Size: 67KB - Virtual size: 67KB

.reloc
Size: 44KB - Virtual size: 43KB