VSSUI[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

VSSUI.dll
Size

148KB
MD5

97e4d108ad5ecf92b99e4a6f2e0a3691
SHA1

6d3f0eaeaa667e4dbf3970680269bf43b1966fbd
SHA256

fe7bc32eb2b5ad167fb55dd2f33e7da0efacf69cd55e8c8999b20f580624a925
SHA512

d2796de62bf05ca970045ff297f4e4cfe7eb29d86cb4929eed94790705ed629784e84ee71c78492d96afcc08a0cf2f06c514a35d0b72f81edebbdeddb4a91e8c
SSDEEP

3072:aPrzrN0fdrPIq36OEtt5VCMI7D/LVZTIxrnboIRKJvE:TNPI8CfCNv/HTIxHRX

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
VSSUI.dll

Files

VSSUI.dll
.dll regsvr32 windows:6 windows x86 arch:x86

a4f6f190f520d12313b8198b446263a1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

vssui.pdb

Imports

mfc42u

ord4392
ord616
ord2403
ord2015
ord4213
ord2570
ord3312
ord3577
ord5276
ord4370
ord4847
ord324
ord3592
ord2362
ord6330
ord5949
ord4050
ord1771
ord3871
ord609
ord4677
ord2822
ord941
ord826
ord269
ord600
ord1240
ord1571
ord1250
ord1568
ord1570
ord342
ord1179
ord1248
ord1115
ord1194
ord1563
ord4390
ord538
ord535
ord861
ord858
ord940
ord4229
ord2810
ord2820
ord2910
ord5568
ord1899
ord497
ord2520
ord1008
ord771
ord1560
ord1165
ord6466
ord268
ord2385
ord540
ord4155
ord800
ord1662
ord2644
ord5285
ord5303
ord4074
ord5296
ord3341
ord2388
ord3733
ord561
ord5193
ord1089
ord3917
ord5727
ord2504
ord2546
ord4480
ord2977
ord6371
ord3948
ord5710
ord4692
ord5298
ord815
ord3396
ord4418
ord4616
ord3714
ord793
ord3605
ord656
ord567
ord2859
ord5273
ord2116
ord2438
ord5257
ord1720
ord3087
ord6195
ord6211
ord5059
ord2634
ord5977
ord3744
ord6372
ord2047
ord2640
ord4435
ord4831
ord3793
ord5286
ord4347
ord6370
ord5157
ord2371
ord2377
ord5237
ord4401
ord1768
ord4073
ord4621
ord6051
ord3397
ord489
ord4352
ord4942
ord4848
ord4371
ord4970
ord4736
ord4899
ord5154
ord5156
ord5155
ord768
ord4829
ord5283
ord3693
ord765
ord3716
ord795
ord2506
ord4704
ord4992
ord641
ord4419
ord1767
ord6048
ord5261
ord4253
ord1196
ord1197
ord2294
ord3635
ord3296
ord6898
ord2574
ord693
ord4396
ord3365
ord3569
ord2809
ord2567
ord4075
ord3074
ord3820
ord3826
ord3825
ord2971
ord3076
ord2980
ord3257
ord3131
ord4459
ord3254
ord3142
ord2293

msvcrt

_except_handler4_common
??1type_info@@UAE@XZ
_onexit
__dllonexit
_lock
?terminate@@YAXXZ
_initterm
_amsg_exit
wprintf
_vsnprintf
_unlock
memset
_ftol2
memcpy
_XcptFilter
__CxxFrameHandler3
_CxxThrowException
malloc
_callnewh
_wcsdup
iswspace
iswalpha
_wtoi64
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@XZ
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
_vsnwprintf
calloc
_wcsicmp
memmove_s
memcpy_s
free
_purecall

atl

ord20
ord18
ord57
ord16
ord23
ord30
ord32
ord15
ord58
ord21

shlwapi

StrFormatByteSizeEx

netapi32

NetApiBufferFree
NetShareEnum
NetServerGetInfo
NetShareGetInfo

ntdll

NtQuerySystemInformation

kernel32

ExpandEnvironmentStringsA
GetWindowsDirectoryW
GetCommandLineW
GetCurrentThread
LoadLibraryExW
DeactivateActCtx
ActivateActCtx
ReleaseActCtx
CreateActCtxW
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
Sleep
LocalAlloc
GetTickCount64
GetSystemTime
LocalFree
GetVolumeNameForVolumeMountPointW
FileTimeToLocalFileTime
GetThreadLocale
FileTimeToSystemTime
GetTimeFormatW
FormatMessageW
GetSystemDirectoryW
GetVolumePathNameW
SystemTimeToFileTime
FreeLibrary
GetDateFormatW
CreateThread
ResumeThread
CloseHandle
lstrcmpiW
lstrlenW
TerminateThread
GetComputerNameW
WaitForSingleObject
ExpandEnvironmentStringsW
GetVolumeInformationW
CompareStringW
GetDriveTypeW
OutputDebugStringA
GetModuleHandleA
LoadLibraryA
GlobalFree
GetProcAddress
SetLastError
GetLastError
GetModuleFileNameW
LoadLibraryW
GlobalAlloc
GetModuleHandleW
DeleteCriticalSection
DisableThreadLibraryCalls
InitializeCriticalSection
GetVersionExW
LoadLibraryExA

user32

KillTimer
GetParent
PostMessageW
SetWindowLongW
SetTimer
LoadIconW
GetSystemMetrics
GetWindowRect
GetWindowLongW
RegisterClipboardFormatW
MessageBoxW
SendMessageW
InsertMenuW
EnableWindow
GetActiveWindow
LoadStringW
GetDlgItem

advapi32

ConvertSidToStringSidW
RegCreateKeyExW
RegQueryValueExW
RegCloseKey
RegSetValueExW
AllocateAndInitializeSid
FreeSid
RegOpenKeyExW
CheckTokenMembership
ReportEventW
DeregisterEventSource
RegQueryValueExA
RegOpenKeyExA
RegisterEventSourceW
OpenThreadToken
OpenProcessToken
GetTokenInformation

shell32

DragQueryFileW
ShellExecuteExW

ole32

StringFromGUID2
CoTaskMemAlloc
CoInitializeEx
CoTaskMemFree
CoCreateInstanceEx
CoUninitialize
CoCreateInstance
ReleaseStgMedium
CreateStreamOnHGlobal
CoTaskMemRealloc

oleaut32

SysFreeString
GetErrorInfo

vssapi

ShouldBlockRevertInternal
VssFreeSnapshotPropertiesInternal

clusapi

OpenCluster
GetClusterInformation
ClusterResourceControl
ClusterOpenEnum
ClusterGetEnumCount
ClusterEnum
GetNodeClusterState
ClusterCloseEnum
CloseClusterResource
OpenClusterResource

vsstrace

ord1
ord2
ord7
ord11
ord10
ord6
ord9
ord8
ord5
ord3

api-ms-win-security-lsalookup-l1-1-1

LookupAccountSidLocalW

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
ShowDialog

Sections

.text
Size: 119KB - Virtual size: 119KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a4f6f190f520d12313b8198b446263a1

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mfc42u

msvcrt

atl

shlwapi

netapi32

ntdll

kernel32

user32

advapi32

shell32

ole32

oleaut32

vssapi

clusapi

vsstrace

api-ms-win-security-lsalookup-l1-1-1

Exports

Exports

Sections

.text Size: 119KB - Virtual size: 119KB

.data Size: 2KB - Virtual size: 12KB

.idata Size: 6KB - Virtual size: 6KB

.rsrc Size: 5KB - Virtual size: 4KB

.reloc Size: 13KB - Virtual size: 13KB

.text
Size: 119KB - Virtual size: 119KB

.data
Size: 2KB - Virtual size: 12KB

.idata
Size: 6KB - Virtual size: 6KB

.rsrc
Size: 5KB - Virtual size: 4KB

.reloc
Size: 13KB - Virtual size: 13KB