MDMAppInstaller[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

MDMAppInstaller.exe
Size

196KB
MD5

b41a4c82ddcc53012eeba994f78e1c14
SHA1

7ee6a55aae8cac8d5ad617277733fd85ebd1eaf0
SHA256

320dbbfd56b742460b1c4b3a4d5c46b8dcb4a09c1c57d072559ed744ba28ef1d
SHA512

e145a5facee31b544c191f8ac77acd81d5917a5fb913828d79f60f0337eac197bf8b83cd91aae9f9b48f069e811bf8f31b23c76d15bda23121583d21c2b55324
SSDEEP

3072:ZopI5RYJ8TSqwqjHJz/9/AtOBcT7YrM3nK6DwQrXF8Cz4l7:ZoWEm9z/tA2cTuM3PJp8W4

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
MDMAppInstaller.exe

Files

MDMAppInstaller.exe
.exe windows:10 windows x64 arch:x64

ffb2aac4be2a90018e814da4b9f290fb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

mdmappinstaller.pdb

Imports

advapi32

EventWriteTransfer
EventRegister
EventUnregister
OpenThreadToken
SetThreadToken
RevertToSelf
CreateProcessAsUserW
CryptReleaseContext
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
LookupAccountNameW
ConvertSidToStringSidW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
RegQueryValueExW
RegSetValueExW
RegDeleteKeyExW
GetTokenInformation
GetLengthSid
CopySid
OpenProcessToken
ImpersonateLoggedOnUser
OpenSCManagerW
OpenServiceW
QueryServiceStatusEx
CloseServiceHandle
TraceMessage
EventSetInformation

kernel32

DeleteFileW
GetExitCodeProcess
CreateProcessW
GetTempFileNameW
GetSystemDirectoryW
CreateThread
LeaveCriticalSection
InitializeCriticalSection
ReleaseSRWLockShared
ReleaseSRWLockExclusive
CreateThreadpoolTimer
GetCurrentThread
DeleteCriticalSection
InitializeCriticalSectionEx
EnterCriticalSection
AcquireSRWLockShared
DelayLoadFailureHook
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
LocalFree
InitOnceComplete
InitOnceBeginInitialize
GetTickCount
GetSystemTimeAsFileTime
QueryPerformanceCounter
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
WakeAllConditionVariable
SleepConditionVariableSRW
CreateFileW
ReadFile
ResolveDelayLoadedAPI
AcquireSRWLockExclusive
CreateMutexW
CreateSemaphoreExW
CreateMutexExW
GetCurrentProcessId
Sleep
OpenSemaphoreW
WaitForSingleObject
WaitForSingleObjectEx
ReleaseMutex
ReleaseSemaphore
CloseHandle
SetLastError
OutputDebugStringW
IsDebuggerPresent
GetProcAddress
GetModuleHandleW
DebugBreak
GetModuleFileNameA
GetModuleHandleExW
HeapFree
GetProcessHeap
HeapAlloc
GetLastError
FormatMessageW
GetCurrentThreadId
CloseThreadpoolTimer

msvcp110_win

?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Winerror_map@std@@YAPEBDH@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Xlength_error@std@@YAXPEBD@Z

msvcrt

_wcsicmp
toupper
memmove
memcpy
??_V@YAXPEAX@Z
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
_onexit
__dllonexit
_unlock
_lock
memcmp
_fmode
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
_callnewh
malloc
??0exception@@QEAA@AEBV0@@Z
??1exception@@UEAA@XZ
??0exception@@QEAA@XZ
_vsnprintf_s
memcpy_s
_vsnwprintf
_purecall
__CxxFrameHandler4
??3@YAXPEAX@Z
free
_CxxThrowException
_commode
memmove_s
_wcsnicmp
swprintf_s
wcscat_s
memset

dmenrollengine

ord7
ord18
GetEnrollmentSID
GetEnrollmentType
GetEnrollmentAadResourceUrl

crypt32

CertCloseStore
CertFreeCertificateContext

ntdll

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext

rpcrt4

UuidToStringW
UuidFromStringW
RpcStringFreeW

shell32

SHGetSpecialFolderPathW
SHCreateDirectoryExW

ole32

StringFromGUID2
CoCreateGuid
CoTaskMemFree
CoSetProxyBlanket
CoInitializeEx
CoTaskMemAlloc
CoUninitialize
CoCreateInstance

oleaut32

VariantClear
VariantInit
SysFreeString
SysAllocString

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

wtsapi32

WTSFreeMemoryExW
WTSEnumerateSessionsExW
WTSQueryUserToken

msi

ord70
ord177
ord6

omadmapi

ord38
ord34
ord40
ord39

Sections

.text
Size: 112KB - Virtual size: 108KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 56KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 40B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 228B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ffb2aac4be2a90018e814da4b9f290fb

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

msvcp110_win

msvcrt

dmenrollengine

crypt32

ntdll

rpcrt4

shell32

ole32

oleaut32

userenv

wtsapi32

msi

omadmapi

Sections

.text Size: 112KB - Virtual size: 108KB

.rdata Size: 56KB - Virtual size: 52KB

.data Size: 4KB - Virtual size: 3KB

.pdata Size: 8KB - Virtual size: 4KB

.didat Size: 4KB - Virtual size: 40B

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 228B

.text
Size: 112KB - Virtual size: 108KB

.rdata
Size: 56KB - Virtual size: 52KB

.data
Size: 4KB - Virtual size: 3KB

.pdata
Size: 8KB - Virtual size: 4KB

.didat
Size: 4KB - Virtual size: 40B

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 228B