w3dt[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

w3dt.dll
Size

108KB
MD5

0c09ed6627d542eac98a19dec201d7ae
SHA1

1f35ce2fb41d22dc103a932333cf0ba42ff75661
SHA256

6b29c26b0b379c2d2d347c5211bfadf5daf3eacf3f9bd462698387e0038dc688
SHA512

1ce14409790c15e310cfa6b86b8bb85519ed7900b86822be4f175fa87107bd8cff002b603d4aa7723ded8446fd94a1bc918e75461762bab3f2c8c14cc13a4e7c
SSDEEP

1536:5qmg7h1JYpFiwk7/z8t32XKbY9D2S5ey2+1Xm/jOyGdjbk3gs12XJE:5qDh1ibhk7zao2/BLOyGvkL1EJE

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
w3dt.dll

Files

w3dt.dll
.dll windows:10 windows x64 arch:x64

bc4678bcfba39fa8e4063f9e759f1da1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

w3dt.pdb

Imports

msvcrt

_ultow_s
_initterm
__C_specific_handler
memset
_amsg_exit
_XcptFilter
strchr
_callnewh
malloc
free
_aligned_malloc
_aligned_free
wcstoul
_wcsicmp
wcschr
memcpy
wcscmp

api-ms-win-core-localization-l1-2-1

FormatMessageW

api-ms-win-core-com-l1-1-1

CoCreateGuid
StringFromGUID2

api-ms-win-core-processenvironment-l1-2-0

GetEnvironmentVariableW
ExpandEnvironmentStringsW
SetEnvironmentVariableW

api-ms-win-core-errorhandling-l1-1-1

UnhandledExceptionFilter
GetLastError
SetLastError
SetUnhandledExceptionFilter

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-synch-l1-2-0

AcquireSRWLockExclusive
Sleep
ReleaseSRWLockShared
ReleaseSRWLockExclusive
AcquireSRWLockShared
InitializeSRWLock
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection

api-ms-win-core-processthreads-l1-1-2

GetCurrentProcess
GetCurrentThreadId
TerminateProcess
GetCurrentProcessId

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetModuleHandleExW
FreeLibrary
LoadLibraryExW
GetProcAddress
GetModuleFileNameW

api-ms-win-core-heap-l1-2-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-sysinfo-l1-2-1

GetSystemTimeAsFileTime
VerSetConditionMask
GetTickCount
GetSystemInfo

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegOpenKeyExW
RegCloseKey

api-ms-win-core-io-l1-1-1

CancelIoEx

api-ms-win-core-debug-l1-1-1

OutputDebugStringA

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-rtlsupport-l1-2-0

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry

api-ms-win-core-normalization-l1-1-0

IdnToNameprepUnicode

api-ms-win-core-threadpool-legacy-l1-1-0

CreateTimerQueueTimer
DeleteTimerQueueTimer

ntdll

NtSetInformationFile
RtlVerifyVersionInfo

httpapi

HttpShutdownRequestQueue
HttpCreateUrlGroup
HttpAddUrlToUrlGroup
HttpCreateServerSession
HttpSetUrlGroupProperty
HttpCloseServerSession
HttpCloseUrlGroup
HttpSetServerSessionProperty
HttpCreateRequestQueue
HttpSetRequestQueueProperty
HttpCloseRequestQueue
HttpReceiveHttpRequest
HttpReceiveClientCertificate
HttpReadFragmentFromCache
HttpAddFragmentToCache
HttpSendHttpResponse
HttpSendResponseEntityBody
HttpReceiveRequestEntityBody
HttpFlushResponseCache
HttpCancelHttpRequest
HttpWaitForDisconnectEx
HttpInitialize
HttpWaitForDisconnect
HttpTerminate

w3tp

ThreadPoolPostCompletion
ThreadPoolBindIoCompletionCallback
ThreadPoolMapErrorCodeIfNecessary

iisutil

PuDeleteDebugPrintsObject
IISGetPlatformType
PuLoadDebugFlagsFromRegStr
PuCreateDebugPrintsObject
??1STRA@@QEAA@XZ
?QueryStr@STRA@@QEAAPEADXZ
?IsEmpty@STRA@@QEBA_NXZ
??0STRU@@QEAA@XZ
??1STRU@@QEAA@XZ
PuDbgPrintError
?Copy@STRU@@QEAAJPEBG@Z
?Append@STRU@@QEAAJPEBG@Z
?CopyWToUTF8Unescaped@STRA@@QEAAJPEBG@Z
?QueryStr@STRU@@QEAAPEAGXZ
?QueryPtr@BUFFER@@QEBAPEAXXZ
??1BUFFER@@QEAA@XZ
??0BUFFER@@QEAA@XZ
?QueryStr@STRU@@QEBAPEBGXZ
??0STRU@@QEAA@PEAGK@Z
?QuerySizeCCH@STRU@@QEBAKXZ
?QuerySize@BUFFER@@QEBAKXZ
?SyncWithBuffer@STRU@@QEAAXXZ
?Append@MULTISZ@@QEAAHPEBG@Z
?Reset@STRU@@QEAAXXZ
?Append@MULTISZ@@QEAAHAEAVSTRU@@@Z
?QueryCCH@STRU@@QEBAKXZ
?Resize@BUFFER@@QEAA_NK@Z
?Append@STRU@@QEAAJAEBV1@@Z
?FindStringNoCase@MULTISZ@@QEAAHPEBG@Z
?Append@STRU@@QEAAJPEBGK@Z
?First@MULTISZ@@QEBAPEBGXZ
PuDbgPrint
?Next@MULTISZ@@QEBAPEBGPEBG@Z
??1MULTISZ@@QEAA@XZ
??0MULTISZ@@QEAA@XZ
?Alloc@ALLOC_CACHE_HANDLER@@QEAAPEAXXZ
?Free@ALLOC_CACHE_HANDLER@@QEAAHPEAX@Z
??0ALLOC_CACHE_HANDLER@@QEAA@PEBDPEBUALLOC_CACHE_CONFIGURATION@@H@Z
??1ALLOC_CACHE_HANDLER@@QEAA@XZ
?QueryOutstandingAllocationCount@ALLOC_CACHE_HANDLER@@QEBAKXZ
?CleanupLookaside@ALLOC_CACHE_HANDLER@@QEAAXH@Z
?DisableFreeList@ALLOC_CACHE_HANDLER@@QEAAXXZ
??0STRA@@QEAA@XZ

nativerd

GetDefaultNativeConfigurationSystem

Exports

Exports

?QueryState@HTTP_WRAPPER@@QEBA?AW4HTTP_WRAPPER_STATE@@XZ
UlAtqAddFragmentToCache
UlAtqAllocateMainContext
UlAtqCancelIo
UlAtqCancelRequest
UlAtqFlushUlCache
UlAtqFreeContext
UlAtqGetContextProperty
UlAtqInitialize
UlAtqPushPromise
UlAtqReadFragmentFromCache
UlAtqReceiveChannelBindingToken
UlAtqReceiveClientCertificate
UlAtqReceiveEntityBody
UlAtqRemoveFragmentFromCache
UlAtqSendEntityBody
UlAtqSendHttpResponse
UlAtqSetContextProperty
UlAtqStartListen
UlAtqStopListen
UlAtqTerminate
UlAtqWaitForDisconnect

Sections

.text
Size: 74KB - Virtual size: 73KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 240B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

bc4678bcfba39fa8e4063f9e759f1da1

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-localization-l1-2-1

api-ms-win-core-com-l1-1-1

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-heap-l1-2-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-heap-l2-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-io-l1-1-1

api-ms-win-core-debug-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-rtlsupport-l1-2-0

api-ms-win-core-normalization-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

ntdll

httpapi

w3tp

iisutil

nativerd

Exports

Exports

Sections

.text Size: 74KB - Virtual size: 73KB

.rdata Size: 27KB - Virtual size: 27KB

.data Size: 1024B - Virtual size: 2KB

.pdata Size: 2KB - Virtual size: 2KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 240B

.text
Size: 74KB - Virtual size: 73KB

.rdata
Size: 27KB - Virtual size: 27KB

.data
Size: 1024B - Virtual size: 2KB

.pdata
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 240B