VSSUI[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

VSSUI.dll
Size

150KB
MD5

9e30a882b94f009e03481d190cf154ee
SHA1

cc54ce43b87038aed26b4dbee2f2c8f93addbd3d
SHA256

4248f5d5ecb1085d46d23cc90714f6c2d1e9cfd7ee24a3c8a4f3d808fd0acb16
SHA512

a8fd2c927aef61892353709d9526cc6586230e8da9f6ba2253966e267ca220299e4c61e2264e6e6cac8cb10244ca6c851359558eabd5536f1cca6077f69db6e6
SSDEEP

3072:C/nFOzZ84LYoQfrEADfm4T4iYoLDCLoOPrsKiDN014j/:CRdxrXfvxyiu4j/

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
VSSUI.dll

Files

VSSUI.dll
.dll regsvr32 windows:10 windows x86 arch:x86

b508aafda4058e179a07e771ecea750c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

vssui.pdb

Imports

mfc42u

ord3714
ord6330
ord5949
ord4050
ord1771
ord3871
ord5276
ord4370
ord4847
ord324
ord3592
ord656
ord3605
ord4392
ord616
ord2403
ord2015
ord4213
ord2570
ord3312
ord5157
ord4229
ord2293
ord4677
ord2822
ord941
ord826
ord269
ord600
ord1240
ord1571
ord1250
ord1568
ord1570
ord342
ord1179
ord1248
ord1115
ord1194
ord1563
ord2371
ord2377
ord5237
ord4401
ord2362
ord4073
ord4621
ord6051
ord3397
ord4253
ord497
ord2520
ord1008
ord771
ord1560
ord1662
ord2644
ord1165
ord6466
ord540
ord4155
ord800
ord268
ord2385
ord4418
ord4616
ord4075
ord3074
ord3820
ord3826
ord3825
ord2971
ord3076
ord2980
ord3257
ord3131
ord4459
ord3254
ord3142
ord2977
ord2388
ord3733
ord561
ord5193
ord1089
ord3917
ord5727
ord2504
ord2546
ord4480
ord489
ord4352
ord4942
ord4848
ord4371
ord4970
ord4736
ord4899
ord5154
ord5156
ord5155
ord768
ord4829
ord5283
ord1196
ord1197
ord3635
ord3296
ord6898
ord2574
ord693
ord4396
ord3365
ord3716
ord795
ord3693
ord765
ord2294
ord3569
ord2567
ord609
ord4390
ord538
ord535
ord861
ord858
ord940
ord2809
ord2810
ord2820
ord2910
ord5568
ord1899
ord2506
ord4704
ord4992
ord641
ord4419
ord1767
ord6048
ord5261
ord567
ord2859
ord5273
ord2116
ord2438
ord5257
ord1720
ord3087
ord6195
ord6211
ord5059
ord2634
ord5977
ord793
ord3744
ord6372
ord2047
ord2640
ord4435
ord4831
ord3793
ord5286
ord4347
ord1768
ord6371
ord3948
ord5710
ord4692
ord5298
ord815
ord3396
ord5285
ord5303
ord4074
ord5296
ord3341
ord6370
ord3577

msvcrt

??1type_info@@UAE@XZ
_onexit
__dllonexit
_unlock
_lock
memcpy
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
wprintf
_vsnprintf
_except_handler4_common
_ftol2
__CxxFrameHandler3
_purecall
_CxxThrowException
malloc
_callnewh
iswalpha
iswspace
_wcsdup
_wtoi64
memmove_s
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@XZ
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
_wcsicmp
calloc
_vsnwprintf
free
memcpy_s
memset

atl

ord23
ord57
ord18
ord32
ord58
ord20
ord21
ord30
ord16
ord15

shlwapi

StrFormatByteSizeEx

netapi32

NetShareGetInfo
NetApiBufferFree
NetShareEnum
NetServerGetInfo

ntdll

NtQuerySystemInformation

kernel32

ExpandEnvironmentStringsA
GetWindowsDirectoryW
GetCommandLineW
LoadLibraryExW
DeactivateActCtx
ActivateActCtx
ReleaseActCtx
CreateActCtxW
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
LocalAlloc
GetDateFormatW
GetSystemTime
FreeLibrary
SystemTimeToFileTime
GetTimeFormatW
LocalFree
FileTimeToLocalFileTime
FileTimeToSystemTime
FormatMessageW
GetVolumeNameForVolumeMountPointW
GetSystemDirectoryW
GetVolumePathNameW
GetThreadLocale
GetTickCount64
Sleep
lstrcmpiW
GetComputerNameW
CreateThread
CloseHandle
TerminateThread
ResumeThread
WaitForSingleObject
lstrlenW
GetDriveTypeW
ExpandEnvironmentStringsW
CompareStringW
GetVolumeInformationW
GetModuleHandleW
GetProcAddress
LoadLibraryW
GlobalFree
GlobalAlloc
LoadLibraryA
GetLastError
GetModuleHandleA
GetModuleFileNameW
OutputDebugStringA
SetLastError
DeleteCriticalSection
DisableThreadLibraryCalls
InitializeCriticalSection
GetCurrentThread
GetVersionExW
LoadLibraryExA

user32

SetTimer
SetWindowLongW
SendMessageW
MessageBoxW
PostMessageW
GetWindowLongW
LoadIconW
GetSystemMetrics
GetWindowRect
RegisterClipboardFormatW
KillTimer
GetParent
InsertMenuW
EnableWindow
GetDlgItem
GetActiveWindow
LoadStringW

advapi32

ReportEventW
RegQueryValueExW
RegCreateKeyExW
RegCloseKey
RegSetValueExW
RegOpenKeyExW
CheckTokenMembership
FreeSid
AllocateAndInitializeSid
ConvertSidToStringSidW
DeregisterEventSource
RegOpenKeyExA
RegQueryValueExA
OpenThreadToken
RegisterEventSourceW
GetTokenInformation
OpenProcessToken

shell32

DragQueryFileW
ShellExecuteExW

ole32

CoTaskMemRealloc
CoTaskMemAlloc
StringFromGUID2
CoGetClassObject
CoCreateInstance
CoTaskMemFree
CoCreateInstanceEx
CoInitializeEx
ReleaseStgMedium
CoUninitialize
CreateStreamOnHGlobal

oleaut32

GetErrorInfo
SysFreeString

vssapi

ShouldBlockRevertInternal
VssFreeSnapshotPropertiesInternal

clusapi

GetClusterInformation
ClusterResourceControl
ClusterOpenEnum
ClusterGetEnumCount
ClusterEnum
OpenClusterResource
OpenCluster
ClusterResourceOpenEnum
ClusterResourceGetEnumCount
ClusterResourceEnum
ClusterResourceCloseEnum
OfflineClusterResource
OnlineClusterResource
GetClusterResourceState
GetNodeClusterState
CloseClusterResource
ClusterCloseEnum

vsstrace

ord8
ord1
ord9
ord7
ord6
ord3
ord5
ord2
ord11
ord10

api-ms-win-security-lsalookup-l1-1-0

LookupAccountSidLocalW

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
ShowDialog

Sections

.text
Size: 124KB - Virtual size: 123KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b508aafda4058e179a07e771ecea750c

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mfc42u

msvcrt

atl

shlwapi

netapi32

ntdll

kernel32

user32

advapi32

shell32

ole32

oleaut32

vssapi

clusapi

vsstrace

api-ms-win-security-lsalookup-l1-1-0

Exports

Exports

Sections

.text Size: 124KB - Virtual size: 123KB

.data Size: 2KB - Virtual size: 12KB

.idata Size: 7KB - Virtual size: 6KB

.rsrc Size: 5KB - Virtual size: 4KB

.reloc Size: 10KB - Virtual size: 10KB

.text
Size: 124KB - Virtual size: 123KB

.data
Size: 2KB - Virtual size: 12KB

.idata
Size: 7KB - Virtual size: 6KB

.rsrc
Size: 5KB - Virtual size: 4KB

.reloc
Size: 10KB - Virtual size: 10KB