EtwRundown[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

EtwRundown.dll
Size

39KB
MD5

0d6e3ae5bb99af2dab93e5f668272091
SHA1

b580d5606791f4e6d5c6a8e597f814c2e1bcacc8
SHA256

7614e95cdb37e74d181603ab09b12f4d721ab1e27867abadebd0ca0740b692e5
SHA512

681b3c63cf1fdbe994fb82daa4f9616dcfc693f33ed1f0fdd0b4a7a115014b756ff594c3607ec92efb038e860cebcec04b094aa54743722fda82846266e343eb
SSDEEP

768:SgJr4FIb63lIOLoMjydkcJ6cbD/+vicm2v4Ef5g2wc0xZSQNMqFZGUeShPGeH2B:dyoMjTaPr0g2wdxQQe4eSLH2B

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
EtwRundown.dll

Files

EtwRundown.dll
.dll windows:10 windows x86 arch:x86

d20e2ecffd3819a0d297448009c5e4b5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

etwrundown.pdb

Imports

ntdll

wcsrchr
NtQueryInformationProcess
NtEnumerateKey
EtwpGetCpuSpeed
NtOpenFile
RtlGUIDFromString
RtlIpv6AddressToStringW
RtlGetNativeSystemInformation
RtlIpv4AddressToStringW
RtlImpersonateSelf
RtlQueryHeapInformation
RtlCreateQueryDebugBuffer
RtlAdjustPrivilege
NtSetInformationThread
RtlQueryProcessDebugInformation
RtlDestroyQueryDebugBuffer
memcpy
NtOpenKey
_vsnwprintf
NtQuerySystemInformation
NtClose
wcsncmp
NtQueryVolumeInformationFile
RtlNtStatusToDosError
_wcsicmp
NtPowerInformation
wcsstr
RtlReAllocateHeap
NtTraceEvent
NtQueryValueKey
RtlFreeHeap
RtlAllocateHeap
RtlInitUnicodeString
RtlGetDeviceFamilyInfoEnum
memset

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-file-l1-1-0

GetDriveTypeW
GetLogicalDriveStringsW
LocalFileTimeToFileTime
GetVolumeInformationW
CreateFileW

api-ms-win-core-file-l1-2-0

GetVolumePathNamesForVolumeNameW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-io-l1-1-0

GetOverlappedResult
DeviceIoControl

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
OpenProcess

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
GetCurrentProcess

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-registry-l1-1-0

RegEnumKeyExW
RegOpenKeyExW
RegQueryValueExW
RegEnumValueW
RegQueryInfoKeyW
RegCloseKey

api-ms-win-core-synch-l1-1-0

CreateEventW

api-ms-win-core-sysinfo-l1-1-0

GetSystemWindowsDirectoryW
GetComputerNameExW
GetTickCount
GetSystemTimeAsFileTime
GlobalMemoryStatusEx

api-ms-win-core-sysinfo-l1-2-0

GetSystemFirmwareTable
GetNativeSystemInfo

devobj

DevObjGetDeviceInstanceId
DevObjEnumDeviceInterfaces
DevObjGetClassDevs
DevObjGetDeviceInterfaceDetail
DevObjDestroyDeviceInfoList
DevObjGetDeviceInfoListDetail
DevObjGetDeviceRegistryProperty
DevObjEnumDeviceInfo
DevObjOpenDevRegKey
DevObjCreateDeviceInfoList

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime

iphlpapi

GetAdaptersAddresses

cfgmgr32

CM_Free_Res_Des_Handle
CM_Get_Res_Des_Data_Ex
CM_Get_First_Log_Conf_Ex
CM_Get_Res_Des_Data_Size_Ex
CM_Free_Log_Conf_Handle
CM_Get_Next_Res_Des_Ex
CM_Get_DevNode_Status_Ex

api-ms-win-service-core-l1-1-1

EnumServicesStatusExW

api-ms-win-service-private-l1-1-0

I_QueryTagInformation

api-ms-win-service-management-l1-1-0

CloseServiceHandle
OpenSCManagerW

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

EtwLogHeapRundown
EtwLogSysConfigRundown

Sections

.text
Size: 30KB - Virtual size: 29KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 820B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 20B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d20e2ecffd3819a0d297448009c5e4b5

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

devobj

api-ms-win-core-timezone-l1-1-0

iphlpapi

cfgmgr32

api-ms-win-service-core-l1-1-1

api-ms-win-service-private-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 30KB - Virtual size: 29KB

.data Size: 512B - Virtual size: 820B

.idata Size: 4KB - Virtual size: 4KB

.didat Size: 512B - Virtual size: 20B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 30KB - Virtual size: 29KB

.data
Size: 512B - Virtual size: 820B

.idata
Size: 4KB - Virtual size: 4KB

.didat
Size: 512B - Virtual size: 20B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1KB - Virtual size: 1KB