MpDefenderCoreService[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

MpDefenderCoreService.exe
Size

1.4MB
MD5

202e55f2e36b2767322502f8d8f729d3
SHA1

ab081cf4beb600574ef1c4f5313cb647ad6064f9
SHA256

a0a798830f92ff3daa6719aa38d62abd2e221d9256d5179063e8d4dab6b9078e
SHA512

4279ae8fd89d380625652ad47b4e0a4b7e4721c9ce7394209db1796c79521e0072506a03d88b318fcfa775e4005973aab54a0f5cef9bb68b578e5f47dfb0f0ea
SSDEEP

24576:d3lxPyPV6uWawStjQmU9qQ0pKJFuEEw5863rAVqsIpgcKcRaItnWdOf:JP+ByStjQ0Q0pMAHM8636qXueRaQWM

Score

1^/10

Malware Config

Signatures

Files

MpDefenderCoreService.exe
.exe windows:10 windows x64 arch:x64

24191fcf54498084838ba659c44f10ac

Code Sign

33:00:00:04:6f:5a:72:76:81:13:5a:26:6c:00:00:00:00:04:6f
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/02/2024, 19:22

Not After

07/02/2025, 19:22

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

94:97:d0:94:f5:91:16:9a:19:f7:be:90:67:68:f2:63:d1:c8:0a:90:01:18:c1:75:61:d5:e0:1a:56:47:91:c0
Signer

Actual PE Digest

94:97:d0:94:f5:91:16:9a:19:f7:be:90:67:68:f2:63:d1:c8:0a:90:01:18:c1:75:61:d5:e0:1a:56:47:91:c0

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

MpDefenderCoreService.pdb

Imports

advapi32

UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceMessage
RegCloseKey
AllocateAndInitializeSid
RegGetValueA
StopTraceW
StartTraceW
ProcessTrace
CloseTrace
EnableTraceEx
OpenTraceW
SetEntriesInAclW
SetNamedSecurityInfoW
GetSecurityDescriptorSacl
EventUnregister
EventRegister
ChangeServiceConfig2W
LookupPrivilegeValueW
AdjustTokenPrivileges
CloseServiceHandle
EventWriteTransfer
RegQueryValueExW
RegOpenKeyExW
RegSetValueExW
RegDeleteKeyW
OpenProcessToken
QueryServiceStatusEx
OpenServiceW
ChangeServiceConfigW
QueryServiceConfigW
StartServiceCtrlDispatcherW
ControlService
SetServiceStatus
OpenSCManagerW
QueryServiceStatus
RegisterServiceCtrlHandlerExW
GetTokenInformation
GetLengthSid
ConvertStringSecurityDescriptorToSecurityDescriptorW
SetSecurityInfo
InitializeAcl
FreeSid
ConvertStringSidToSidW
CopySid

kernel32

LoadLibraryExW
SetErrorMode
VirtualLock
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
GetModuleHandleW
GetCurrentProcess
TerminateProcess
RaiseException
GetLastError
SetLastError
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
EncodePointer
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
FreeLibrary
DebugBreak
CloseHandle
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
Sleep
CreateIoCompletionPort
SetInformationJobObject
QueryInformationJobObject
AssignProcessToJobObject
ReleaseSRWLockShared
AcquireSRWLockShared
DeleteFileA
DeleteTimerQueueTimer
CompareFileTime
GetProcAddress
FormatMessageA
LocalFree
GetSystemInfo
OpenProcess
GetProcessTimes
UnregisterWaitEx
MultiByteToWideChar
WideCharToMultiByte
InitializeCriticalSectionAndSpinCount
GetModuleFileNameW
GetTempPathW
GetSystemDirectoryW
GetNativeSystemInfo
HeapSetInformation
GetTickCount
ReadFile
FindFirstFileW
GetFileSizeEx
CreateTimerQueueTimer
FindNextFileW
WriteFile
RegisterWaitForSingleObject
ExpandEnvironmentStringsW
SetEnvironmentVariableW
CreateJobObjectW
FindClose
WaitForSingleObject
CreateFileW
GetFileAttributesW
CreateEventW
ChangeTimerQueueTimer
SetEvent
WaitForSingleObjectEx
DeleteFileW
ResetEvent
SetFilePointerEx
QueryPerformanceFrequency
GetSystemTime
SwitchToThread
GetSystemPowerStatus
FindResourceW
LoadResource
LockResource
SizeofResource
GetModuleFileNameA
OutputDebugStringA
InitializeSRWLock
TryAcquireSRWLockExclusive
InitOnceBeginInitialize
InitOnceComplete
WakeAllConditionVariable
WakeConditionVariable
InitializeConditionVariable
SleepConditionVariableSRW
GetSystemTimePreciseAsFileTime
DecodePointer
GetLocaleInfoEx
GetStringTypeW
LCMapStringEx
GetCPInfo
CompareStringEx
GetStdHandle
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
HeapFree
HeapAlloc
CreateThread
ExitThread
FreeLibraryAndExitThread
IsValidCodePage
GetACP
GetOEMCP
HeapReAlloc
FindFirstFileExW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetFileType
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetProcessHeap
GetTimeZoneInformation
HeapSize
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
ReadConsoleW
SetEndOfFile
WriteConsoleW

ntdll

NtQueryInformationProcess
RtlGetVersion
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlUnwindEx
RtlPcToFileHeader
RtlUnwind
NtQuerySystemInformation
RtlNtStatusToDosError

crypt32

CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CryptHashCertificate
CertGetNameStringA

ole32

CoInitializeEx
CoCreateInstance
StringFromGUID2
CoUninitialize
CoCreateGuid

rpcrt4

UuidFromStringW

wintrust

WinVerifyTrust
WTHelperGetProvSignerFromChain
CryptCATAdminEnumCatalogFromHash
WTHelperProvDataFromStateData
CryptCATAdminReleaseContext
CryptCATAdminReleaseCatalogContext
CryptCATCatalogInfoFromContext
CryptCATAdminAcquireContext
CryptCATAdminCalcHashFromFileHandle

tdh

TdhGetEventInformation
TdhGetEventMapInformation
TdhGetProperty
TdhGetPropertySize

ws2_32

ntohs

mpclient

MpClientUtilExportFunctions
MpConfigGetValue
MpConfigClose
MpConfigOpen

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

wininet

InternetCrackUrlA
HttpQueryInfoA
InternetReadFile
InternetConnectA
InternetCloseHandle
HttpSendRequestW
HttpAddRequestHeadersA
InternetOpenW
HttpOpenRequestA
InternetSetStatusCallbackW
InternetQueryOptionW

iphlpapi

GetAdaptersInfo

Sections

.text
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 252KB - Virtual size: 250KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

24191fcf54498084838ba659c44f10ac

Code Sign

33:00:00:04:6f:5a:72:76:81:13:5a:26:6c:00:00:00:00:04:6fCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

94:97:d0:94:f5:91:16:9a:19:f7:be:90:67:68:f2:63:d1:c8:0a:90:01:18:c1:75:61:d5:e0:1a:56:47:91:c0Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

ntdll

crypt32

ole32

rpcrt4

wintrust

tdh

ws2_32

mpclient

version

wininet

iphlpapi

Sections

.text Size: 1.0MB - Virtual size: 1.0MB

.rdata Size: 252KB - Virtual size: 250KB

.data Size: 16KB - Virtual size: 28KB

.pdata Size: 48KB - Virtual size: 44KB

.rsrc Size: 4KB - Virtual size: 2KB

.reloc Size: 8KB - Virtual size: 7KB

33:00:00:04:6f:5a:72:76:81:13:5a:26:6c:00:00:00:00:04:6f
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

94:97:d0:94:f5:91:16:9a:19:f7:be:90:67:68:f2:63:d1:c8:0a:90:01:18:c1:75:61:d5:e0:1a:56:47:91:c0
Signer

.text
Size: 1.0MB - Virtual size: 1.0MB

.rdata
Size: 252KB - Virtual size: 250KB

.data
Size: 16KB - Virtual size: 28KB

.pdata
Size: 48KB - Virtual size: 44KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 8KB - Virtual size: 7KB