0eca094ac422e8d7b0b58532b5a1fb7a59b4cc6cb6bbe1ec49259ebf10522ae5[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

0eca094ac422e8d7b0b58532b5a1fb7a59b4cc6cb6bbe1ec49259ebf10522ae5.exe
Size

2.0MB
MD5

456442e5615445a54f15eae38140c50a
SHA1

f81074ce9855601a33b97fb357fbee1bbdd7fcf6
SHA256

0eca094ac422e8d7b0b58532b5a1fb7a59b4cc6cb6bbe1ec49259ebf10522ae5
SHA512

b69f617e0deb48af12f230dcf016211f94eea612f364357d84e96499f61b1bdc028cca43bbfa7f8f169b2645f6f6d6f243671e4c10ab2080f9c5896b45bc8ed0
SSDEEP

24576:oynjN3fi9dEoZR814OEQjls30eTFxmT4i8eMOq52jOXuq01dKqOFWYuO:ZjN3CdJ81nEQhs30e1uqsrOFA

Score

10^/10

Malware Config

Signatures

Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF 1 IoCs

Processes:

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
0eca094ac422e8d7b0b58532b5a1fb7a59b4cc6cb6bbe1ec49259ebf10522ae5.exe

Files

0eca094ac422e8d7b0b58532b5a1fb7a59b4cc6cb6bbe1ec49259ebf10522ae5.exe
.exe windows:6 windows x64 arch:x64

79856d4b034c49dc3dd3e403b25b6bbf

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

RegCloseKey
RegEnumKeyExW
RegEnumValueW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
RegSetValueExA
GetTokenInformation
DuplicateTokenEx
OpenThreadToken
RevertToSelf
ImpersonateLoggedOnUser
CheckTokenMembership
EventWrite
EventRegister
EventEnabled

bcrypt

BCryptGenRandom
BCryptEncrypt
BCryptDecrypt
BCryptImportKey
BCryptOpenAlgorithmProvider
BCryptSetProperty
BCryptCloseAlgorithmProvider
BCryptDestroyKey

kernel32

TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
EncodePointer
RaiseException
RtlPcToFileHeader
CloseThreadpoolIo
GetStdHandle
TzSpecificLocalTimeToSystemTime
SystemTimeToFileTime
FileTimeToSystemTime
GetSystemTime
GetCalendarInfoEx
CompareStringOrdinal
CompareStringEx
FindNLSStringEx
GetLocaleInfoEx
ResolveLocaleName
GetUserPreferredUILanguages
FindStringOrdinal
GetTickCount64
GetCurrentProcess
GetCurrentThread
Sleep
InitializeCriticalSection
InitializeConditionVariable
DeleteCriticalSection
LocalFree
EnterCriticalSection
SleepConditionVariableCS
LeaveCriticalSection
WakeConditionVariable
QueryPerformanceCounter
WaitForMultipleObjectsEx
GetLastError
QueryPerformanceFrequency
SetLastError
GetFullPathNameW
GetLongPathNameW
MultiByteToWideChar
WideCharToMultiByte
LocalAlloc
GetConsoleOutputCP
GetProcAddress
RaiseFailFastException
CreateThreadpoolIo
StartThreadpoolIo
CancelThreadpoolIo
LocaleNameToLCID
LCMapStringEx
EnumTimeFormatsEx
EnumCalendarInfoExEx
CopyFileExW
CreateFileW
DeleteFileW
DeviceIoControl
ExpandEnvironmentStringsW
FindClose
FindFirstFileExW
FlushFileBuffers
FreeLibrary
GetFileAttributesExW
GetFileInformationByHandleEx
GetFileType
GetModuleFileNameW
GetOverlappedResult
GetSystemDirectoryW
LoadLibraryExW
ReadFile
SetFileInformationByHandle
SetThreadErrorMode
GetDynamicTimeZoneInformation
GetTimeZoneInformation
WriteFile
GetCurrentProcessorNumberEx
CloseHandle
SetEvent
CreateEventExW
GetEnvironmentVariableW
FormatMessageW
DuplicateHandle
GetThreadPriority
SetThreadPriority
GetConsoleMode
WriteConsoleW
GetExitCodeProcess
TerminateProcess
OpenProcess
K32EnumProcesses
GetProcessId
CreateProcessA
GetConsoleWindow
FreeConsole
AllocConsole
VirtualAllocEx
ResumeThread
CreateProcessW
GetThreadContext
SetThreadContext
FlushProcessWriteBuffers
GetCurrentThreadId
WaitForSingleObjectEx
VirtualQuery
RtlRestoreContext
AddVectoredExceptionHandler
FlsAlloc
FlsGetValue
FlsSetValue
CreateEventW
SwitchToThread
CreateThread
SuspendThread
FlushInstructionCache
VirtualAlloc
VirtualProtect
VirtualFree
QueryInformationJobObject
GetModuleHandleW
GetModuleHandleExW
GetProcessAffinityMask
InitializeContext
GetEnabledXStateFeatures
SetXStateFeaturesMask
InitializeCriticalSectionEx
GetSystemTimeAsFileTime
ResetEvent
DebugBreak
WaitForSingleObject
SleepEx
GlobalMemoryStatusEx
GetSystemInfo
GetLogicalProcessorInformation
GetLogicalProcessorInformationEx
GetLargePageMinimum
VirtualUnlock
VirtualAllocExNuma
IsProcessInJob
GetNumaHighestNodeNumber
GetProcessGroupAffinity
K32GetProcessMemoryInfo
RtlUnwindEx
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetCurrentProcessId

ole32

CoUninitialize
CoTaskMemAlloc
CoGetApartmentType
CoCreateGuid
CoTaskMemFree
CoWaitForMultipleHandles
CoInitializeEx

user32

LoadStringW

api-ms-win-crt-math-l1-1-0

pow
modf
ceil
__setusermatherr

api-ms-win-crt-heap-l1-1-0

calloc
malloc
_callnewh
_set_new_mode
free

api-ms-win-crt-string-l1-1-0

wcsncmp
strncpy_s
_stricmp
strcpy_s
strcmp
_wcsicmp

api-ms-win-crt-runtime-l1-1-0

_c_exit
_register_thread_local_exe_atexit_callback
_get_initial_wide_environment
_cexit
__p___wargv
__p___argc
_exit
exit
_initterm_e
_initterm
terminate
_crt_atexit
_initialize_wide_environment
_configure_wide_argv
_register_onexit_function
_initialize_onexit_table
_set_app_type
_seh_filter_exe
abort

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf_s
__stdio_common_vsscanf
__stdio_common_vfprintf
__acrt_iob_func
_set_fmode
__p__commode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Exports

Exports

DotNetRuntimeDebugHeader

Sections

.text
Size: 455KB - Virtual size: 454KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.managed
Size: 740KB - Virtual size: 740KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

hydrated
Size: - Virtual size: 318KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 497KB - Virtual size: 497KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 76KB - Virtual size: 76KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 500B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 240KB - Virtual size: 240KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

79856d4b034c49dc3dd3e403b25b6bbf

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

bcrypt

kernel32

ole32

user32

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

Exports

Exports

Sections

.text Size: 455KB - Virtual size: 454KB

.managed Size: 740KB - Virtual size: 740KB

hydrated Size: - Virtual size: 318KB

.rdata Size: 497KB - Virtual size: 497KB

.data Size: 8KB - Virtual size: 55KB

.pdata Size: 76KB - Virtual size: 76KB

_RDATA Size: 512B - Virtual size: 500B

.rsrc Size: 240KB - Virtual size: 240KB

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 455KB - Virtual size: 454KB

.managed
Size: 740KB - Virtual size: 740KB

hydrated
Size: - Virtual size: 318KB

.rdata
Size: 497KB - Virtual size: 497KB

.data
Size: 8KB - Virtual size: 55KB

.pdata
Size: 76KB - Virtual size: 76KB

_RDATA
Size: 512B - Virtual size: 500B

.rsrc
Size: 240KB - Virtual size: 240KB

.reloc
Size: 2KB - Virtual size: 1KB