RTWorkQ[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

RTWorkQ.dll
Size

154KB
MD5

ce3d360eba7f7fee26167ff02ec66cb9
SHA1

046a34102f4b030715b76c3eb4d3fb3f68200783
SHA256

25165a0ac0249b853988f0f20668e691f7d9983b031de6adf89e87341638393e
SHA512

045b376ae3b339db1aeaea00b8479f1dd7a07b048f1717aaf0cfc5b7eeb8aeb0682718996ad46668b400295c39888d0c1b9f6a503eb313e32dae9a041d19effb
SSDEEP

3072:gcFMTqPCOQK51tgrcFJU+PDd9n8q6iYRE5vb0zJQ/1FQfPE8cJ3YixaNWvC5c36V:gcnPCOQK53gr+JU+PDdtJ69YD0zJQdFU

Score

1^/10

Malware Config

Signatures

Files

RTWorkQ.dll
.dll windows:10 windows x86 arch:x86

e12fde7d3612a4fd7cf75a24eaf64548

Code Sign

33:00:00:04:60:cf:42:a9:12:31:5f:6f:b3:00:00:00:00:04:60
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/11/2023, 19:20

Not After

14/11/2024, 19:20

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4b:93:a3:8b:ef:86:c1:ab:97:99:76:5a:e8:09:43:ab:b6:71:45:96:b3:26:ff:41:8a:3e:96:f4:b0:35:c3:4a
Signer

Actual PE Digest

4b:93:a3:8b:ef:86:c1:ab:97:99:76:5a:e8:09:43:ab:b6:71:45:96:b3:26:ff:41:8a:3e:96:f4:b0:35:c3:4a

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

rtworkq.pdb

Imports

msvcrt

_initterm
_amsg_exit
_XcptFilter
_onexit
__dllonexit
_unlock
_lock
_except_handler4_common
_callnewh
malloc
free
srand
memmove
memcpy
_beginthreadex
memset
memcpy_s
memcmp
_vsnwprintf
wcsncmp
_wcsnicmp
_purecall

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
GetModuleHandleW
GetModuleHandleExW
GetModuleFileNameA

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventRegister
EventWriteTransfer

api-ms-win-core-synch-l1-1-0

ResetEvent
ReleaseSRWLockExclusive
EnterCriticalSection
SetWaitableTimer
AcquireSRWLockShared
ReleaseSRWLockShared
CreateEventW
DeleteCriticalSection
SetEvent
OpenSemaphoreW
WaitForSingleObject
WaitForSingleObjectEx
CreateWaitableTimerExW
InitializeCriticalSection
CreateMutexExW
CreateSemaphoreExW
InitializeSRWLock
ReleaseMutex
AcquireSRWLockExclusive
ReleaseSemaphore
LeaveCriticalSection
CancelWaitableTimer

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
TerminateProcess
GetCurrentThread
TlsSetValue
TlsFree
GetCurrentProcess
TlsAlloc
TlsGetValue
GetCurrentThreadId

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapFree

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-errorhandling-l1-1-0

GetLastError
UnhandledExceptionFilter
SetLastError
SetUnhandledExceptionFilter

api-ms-win-core-com-l1-1-0

CoGetApartmentType
CoTaskMemFree
CoIncrementMTAUsage
CoDecrementMTAUsage
CoWaitForMultipleHandles
CoInitializeEx
CoUninitialize

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolWork
CloseThreadpoolWork
SubmitThreadpoolWork
CreateThreadpool
CloseThreadpoolWait
CreateThreadpoolTimer
SetThreadpoolWait
WaitForThreadpoolWaitCallbacks
CloseThreadpool
StartThreadpoolIo
CloseThreadpoolIo
CreateThreadpoolIo
CancelThreadpoolIo
CreateThreadpoolWait
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
SetThreadpoolThreadMaximum
SetThreadpoolThreadMinimum

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW

api-ms-win-core-featurestaging-l1-1-0

RecordFeatureUsage
GetFeatureEnabledState
UnsubscribeFeatureStateChangeNotification
SubscribeFeatureStateChangeNotification

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-core-sysinfo-l1-2-0

GetOsSafeBootMode

ntdll

TpSetPoolThreadBasePriority
TpSetPoolWorkerThreadIdleTimeout
TpTrimPools
NtSetInformationThread
RtlEqualWnfChangeStamps
RtlSubscribeWnfStateChangeNotification
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlQueryWnfStateData

api-ms-win-core-synch-l1-2-1

CreateWaitableTimerW

api-ms-win-core-fibers-l1-1-0

FlsSetValue
FlsFree
FlsAlloc

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-com-private-l1-1-0

CoRevokeInitializeSpy
CoRegisterInitializeSpy

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-core-io-l1-1-0

CreateIoCompletionPort

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

RtwqAddPeriodicCallback
RtwqAllocateSerialWorkQueue
RtwqAllocateWorkQueue
RtwqBeginRegisterWorkQueueWithMMCSS
RtwqBeginUnregisterWorkQueueWithMMCSS
RtwqCancelDeadline
RtwqCancelMultipleWaitingWorkItem
RtwqCancelWorkItem
RtwqCreateAsyncResult
RtwqEndRegisterWorkQueueWithMMCSS
RtwqEndUnregisterWorkQueueWithMMCSS
RtwqGetPlatform
RtwqGetWorkQueueMMCSSClass
RtwqGetWorkQueueMMCSSPriority
RtwqGetWorkQueueMMCSSTaskId
RtwqInvokeCallback
RtwqJoinWorkQueue
RtwqLockPlatform
RtwqLockSharedWorkQueue
RtwqLockWorkQueue
RtwqPutMultipleWaitingWorkItem
RtwqPutWaitingWorkItem
RtwqPutWorkItem
RtwqRegisterPlatformEvents
RtwqRegisterPlatformWithMMCSS
RtwqRemovePeriodicCallback
RtwqScheduleWorkItem
RtwqSetDeadline
RtwqSetDeadline2
RtwqSetLongRunning
RtwqShutdown
RtwqStartup
RtwqUnjoinWorkQueue
RtwqUnlockPlatform
RtwqUnlockWorkQueue
RtwqUnregisterPlatformEvents
RtwqUnregisterPlatformFromMMCSS

Sections

.text
Size: 98KB - Virtual size: 98KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 64B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e12fde7d3612a4fd7cf75a24eaf64548

Code Sign

33:00:00:04:60:cf:42:a9:12:31:5f:6f:b3:00:00:00:00:04:60Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

4b:93:a3:8b:ef:86:c1:ab:97:99:76:5a:e8:09:43:ab:b6:71:45:96:b3:26:ff:41:8a:3e:96:f4:b0:35:c3:4aSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-featurestaging-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

ntdll

api-ms-win-core-synch-l1-2-1

api-ms-win-core-fibers-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-com-private-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 98KB - Virtual size: 98KB

.data Size: 512B - Virtual size: 10KB

.idata Size: 5KB - Virtual size: 5KB

.didat Size: 512B - Virtual size: 64B

.rsrc Size: 30KB - Virtual size: 30KB

.reloc Size: 7KB - Virtual size: 7KB

33:00:00:04:60:cf:42:a9:12:31:5f:6f:b3:00:00:00:00:04:60
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

4b:93:a3:8b:ef:86:c1:ab:97:99:76:5a:e8:09:43:ab:b6:71:45:96:b3:26:ff:41:8a:3e:96:f4:b0:35:c3:4a
Signer

.text
Size: 98KB - Virtual size: 98KB

.data
Size: 512B - Virtual size: 10KB

.idata
Size: 5KB - Virtual size: 5KB

.didat
Size: 512B - Virtual size: 64B

.rsrc
Size: 30KB - Virtual size: 30KB

.reloc
Size: 7KB - Virtual size: 7KB