XpsPrint[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

XpsPrint.dll
Size

1.2MB
MD5

f87ba955bf1fa8212fccb90ed7c6358d
SHA1

5c7566f7ee37aa5408efed8eec8702c732fc4675
SHA256

c0473f9384204fa71874091615fe3ffa9e64a2bc5be70182c43a27fb0b359cd7
SHA512

cb67e0a5e504ce94f49b5ec29a5671f4fce19738de2a23d217cbfa4dc90e85765c9c2ecc250c307e1e61440ef2b39e1ce889cb018c87a480eb033bbd5e3652c4
SSDEEP

24576:XSjz4thuAD0olsGsDZHOlaY7bzqLv4bPXPD:XSj2uAIkqVHXY3zqDIPXPD

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
XpsPrint.dll

Files

XpsPrint.dll
.dll regsvr32 windows:6 windows x86 arch:x86

57409825fb9b95d0ce6accc8ef2676a5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

xpsprint.pdb

Imports

msvcrt

??1type_info@@UAE@XZ
__uncaught_exception
srand
_XcptFilter
_ftol2
_initterm
_amsg_exit
memcmp
memcpy
__crtLCMapStringA
time
rand
_except_handler4_common
isspace
strcspn
memchr
_lock
__dllonexit
__mb_cur_max
___lc_codepage_func
??0exception@@QAE@ABV0@@Z
sprintf_s
localeconv
??1bad_cast@@UAE@XZ
??0bad_cast@@QAE@ABV0@@Z
strncmp
malloc
wcscpy_s
free
_wcsicmp
ldiv
swprintf_s
_wtof
_purecall
_vsnwprintf
memmove_s
memcpy_s
_onexit
__crtLCMapStringW
_callnewh
_CxxThrowException
__crtGetStringTypeW
_unlock
__CxxFrameHandler3
setlocale
_errno
___mb_cur_max_func
abort
isupper
__pctype_func
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@XZ
??1exception@@UAE@XZ
wcsrchr
_vsnprintf
_strtoi64
_strtoui64
wcstod
_vsnwprintf_l
_finite
_isnan
wcsstr
tolower
islower
isalnum
isdigit
?what@exception@@UBEPBDXZ
___lc_handle_func
memset

kernel32

GetLastError
VerifyVersionInfoW
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
OutputDebugStringA
Sleep
WideCharToMultiByte
MultiByteToWideChar
SubmitThreadpoolWork
CreateThreadpoolWork
CloseThreadpoolWork
GetCurrentThreadId
InitOnceComplete
InitOnceBeginInitialize
LocalFree
ResumeThread
CreateThread
GetCurrentThread
GetModuleHandleExW
GetTempPathW
DuplicateHandle
CompareStringW
GetCurrentProcess
GetProcAddress
LoadLibraryW
DeleteFileW
FreeLibrary
DeleteTimerQueueEx
QueueUserWorkItem
RegisterWaitForSingleObject
CreateTimerQueue
CreateTimerQueueTimer
UnregisterWaitEx
DeleteTimerQueueTimer
GlobalFree
GlobalAlloc
FreeLibraryAndExitThread
GetModuleHandleW
GetTickCount
CloseHandle
WriteFile
CreateFileW
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
CreateEventW
SetEvent
WaitForSingleObject

user32

IsImmersiveProcess

gdi32

EndDoc
StartDocW
CreateDCW
ExtEscape
DeleteDC

prntvpt

ord4
ord7
ord6
ord8
ord10
ord3

ntdll

WinSqmIsOptedIn
WinSqmIncrementDWORD
RtlInitializeSRWLock
NtOpenThreadToken
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
NtOpenProcessToken
NtQueryInformationToken
NtClose

oleaut32

SysStringLen
SetErrorInfo
VariantClear
VariantInit
SysFreeString
SysAllocString

winspool.drv

GetPrinterW
GetPrintOutputInfo
GetPrinterDriverW
GetPrinterDataW
ReportJobProcessingProgress
SetJobW
EndDocPrinter
AbortPrinter
StartDocPrinterW
ClosePrinter
OpenPrinterW
WritePrinter
GetJobW

shlwapi

SHCreateStreamOnFileW

rpcrt4

UuidCreateSequential
RpcStringFreeW
NdrCStdStubBuffer_Release
NdrDllRegisterProxy
NdrDllCanUnloadNow
NdrCStdStubBuffer2_Release
NdrDllGetClassObject
NdrDllUnregisterProxy
CStdStubBuffer_Invoke
CStdStubBuffer_Connect
UuidToStringW
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_AddRef
IUnknown_QueryInterface_Proxy
NdrOleFree
NdrStubForwardingFunction
NdrOleAllocate
CStdStubBuffer_CountRefs
NdrStubCall2
IUnknown_Release_Proxy
CStdStubBuffer_DebugServerQueryInterface
CStdStubBuffer_QueryInterface
IUnknown_AddRef_Proxy
CStdStubBuffer_DebugServerRelease
CStdStubBuffer_Disconnect

xpsgdiconverter

ord1

xpsservices

ord6
ord8
ord9
ord5

combase

ord4
ord2
ord32
ord6
ord3
ord34
GetErrorInfo
ord35
ord33

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage
GetTraceEnableLevel
UnregisterTraceGuids
GetTraceLoggerHandle
GetTraceEnableFlags
RegisterTraceGuidsW

api-ms-win-eventing-provider-l1-1-0

EventWrite
EventRegister
EventUnregister
EventEnabled

api-ms-win-core-com-l1-1-1

CoUninitialize
CoCreateFreeThreadedMarshaler
CoCreateInstance
CreateStreamOnHGlobal
CoInitializeEx
CoTaskMemAlloc
CoCreateGuid
CoTaskMemFree

api-ms-win-core-processthreads-l1-1-2

ExitProcess
SetThreadToken
OpenThreadToken

api-ms-win-core-synch-l1-2-0

InitializeCriticalSectionAndSpinCount
ResetEvent

api-ms-win-core-sysinfo-l1-2-1

VerSetConditionMask
GetTickCount64
GetSystemDirectoryW

api-ms-win-core-file-l1-2-1

SetEndOfFile
FindClose
FindFirstFileW
FindNextFileW
SetFilePointer
ReadFile
SetFilePointerEx
FlushFileBuffers

api-ms-win-core-debug-l1-1-1

OutputDebugStringW

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegQueryValueExW
RegOpenKeyExW

urlmon

CreateUri

xmllite

CreateXmlReader

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteString
WindowsGetStringRawBuffer

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer
StartXpsPrintJob
StartXpsPrintJob1

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.orpc
Size: 512B - Virtual size: 229B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 64KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

57409825fb9b95d0ce6accc8ef2676a5

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

kernel32

user32

gdi32

prntvpt

ntdll

oleaut32

winspool.drv

shlwapi

rpcrt4

xpsgdiconverter

xpsservices

combase

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-synch-l1-2-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-file-l1-2-1

api-ms-win-core-debug-l1-1-1

api-ms-win-core-registry-l1-1-0

urlmon

xmllite

api-ms-win-core-winrt-string-l1-1-0

Exports

Exports

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.orpc Size: 512B - Virtual size: 229B

.data Size: 5KB - Virtual size: 7KB

.idata Size: 7KB - Virtual size: 7KB

.rsrc Size: 1024B - Virtual size: 1016B

.reloc Size: 64KB - Virtual size: 64KB

.text
Size: 1.1MB - Virtual size: 1.1MB

.orpc
Size: 512B - Virtual size: 229B

.data
Size: 5KB - Virtual size: 7KB

.idata
Size: 7KB - Virtual size: 7KB

.rsrc
Size: 1024B - Virtual size: 1016B

.reloc
Size: 64KB - Virtual size: 64KB