shield[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

shield.exe
Size

7.6MB
MD5

6ab9eb39f5e378c4bdd754b478aae1b3
SHA1

eeb1e341b94ee8dbf2eee53ed8ac9c38fe849261
SHA256

b264377569cd9841103237ecdbfc0cfdb35e655acbc19fd72a9ab55f352b2bef
SHA512

8df65edc1748b4366208a9dbb0e98ef62933ff5146e2b638e03f2d6d7f44e10d0b709d0ce53ad739d72e62a2f6d9b27de882bcf266697479c776ea850bf638b1
SSDEEP

98304:eO2gghCAEIXq2P48ZCEalLs5s4nCDLhHt9QpAO6y0wQipq2SWC+FmqQjK3vXVPWR:eJhC5b2PPAe6tt9MRZwWCQm2PcsZ

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
shield.exe

Files

shield.exe
.exe windows:6 windows x64 arch:x64

58b5751b1ba7112e0a2d2a178167a7f7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Admin\Desktop\SRC\examples\example_win32_directx11\Release\example_win32_directx11.pdb

Imports

d3d11

D3D11CreateDeviceAndSwapChain

d3dcompiler_43

D3DCompile

kernel32

GetStdHandle
GetFileType
PeekNamedPipe
WaitForMultipleObjects
GetLocaleInfoEx
GetCurrentDirectoryW
CreateDirectoryW
FindClose
SleepEx
LeaveCriticalSection
EnterCriticalSection
LocalFree
FindFirstFileW
GetEnvironmentVariableA
FormatMessageA
SetLastError
QueryFullProcessImageNameW
GetModuleHandleW
Sleep
GetModuleFileNameW
GetModuleFileNameA
CreateFileMappingW
GetFileAttributesExW
VirtualProtect
AreFileApisANSI
GetFileInformationByHandleEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WaitForSingleObjectEx
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
CreateThread
GetCurrentProcess
DeleteCriticalSection
InitializeCriticalSectionEx
HeapSize
HeapDestroy
GetLastError
CreateFileW
CreateFileMappingA
UnmapViewOfFile
MapViewOfFile
GetProcessHeap
HeapFree
HeapReAlloc
HeapAlloc
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
OutputDebugStringW
DeleteFileW
GetLocaleInfoA
LoadLibraryA
GetProcAddress
GetModuleHandleA
FreeLibrary
QueryPerformanceFrequency
QueryPerformanceCounter
VerSetConditionMask
WideCharToMultiByte
MultiByteToWideChar
GlobalFree
GlobalLock
GlobalUnlock
MoveFileExA
GetTickCount
VerifyVersionInfoA
WakeAllConditionVariable
GetSystemDirectoryA
CloseHandle
GlobalAlloc
ReadFile
GetFileSizeEx
AllocConsole
CreateFileA

user32

RegisterClassExW
OpenClipboard
MessageBoxA
CloseClipboard
SetClipboardData
GetClipboardData
EmptyClipboard
GetKeyboardLayout
TrackMouseEvent
GetMessageExtraInfo
GetKeyState
GetCapture
SetCapture
ReleaseCapture
IsWindowUnicode
GetForegroundWindow
GetClientRect
LoadIconA
SetWindowLongA
GetWindowLongA
GetWindowRect
UpdateWindow
GetSystemMetrics
GetAsyncKeyState
SetCursorPos
SetLayeredWindowAttributes
ShowWindow
DestroyWindow
CreateWindowExW
MoveWindow
UnregisterClassW
PostQuitMessage
DefWindowProcW
PeekMessageA
DispatchMessageA
TranslateMessage
LoadCursorA
ScreenToClient
ClientToScreen
GetCursorPos
SetCursor

msvcp140

?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Xlength_error@std@@YAXPEBD@Z
??0_Lockit@std@@QEAA@H@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Xbad_function_call@std@@YAXXZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??1_Lockit@std@@QEAA@XZ
?uncaught_exception@std@@YA_NXZ
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?width@ios_base@std@@QEAA_J_J@Z
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?good@ios_base@std@@QEBA_NXZ
?_Xout_of_range@std@@YAXPEBD@Z
??Bid@locale@std@@QEAA_KXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z

imm32

ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow
ImmSetCandidateWindow

dwmapi

DwmExtendFrameIntoClientArea

d3dx11_43

D3DX11CreateShaderResourceViewFromMemory

urlmon

URLDownloadToFileA

normaliz

IdnToAscii

wldap32

ord217
ord46
ord211
ord60
ord45
ord143
ord30
ord79
ord50
ord41
ord301
ord22
ord200
ord26
ord27
ord32
ord33
ord35

crypt32

CertGetCertificateChain
CertFreeCertificateChainEngine
CertOpenStore
CertCloseStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringA
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChain

ws2_32

getaddrinfo
sendto
recvfrom
select
WSAStartup
__WSAFDIsSet
closesocket
recv
send
WSAGetLastError
ioctlsocket
bind
ntohl
connect
getpeername
getsockname
getsockopt
htons
ntohs
setsockopt
socket
WSASetLastError
WSAIoctl
listen
WSACleanup
gethostname
accept
htonl
freeaddrinfo

shlwapi

PathFindFileNameW

rpcrt4

UuidCreate
UuidToStringA
RpcStringFreeA

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140

__std_terminate
__intrinsic_setjmp
__current_exception_context
__current_exception
__C_specific_handler
strchr
longjmp
strrchr
memcmp
memset
memmove
memcpy
memchr
_CxxThrowException
__std_exception_destroy
__std_exception_copy
strstr

vcruntime140_1

__CxxFrameHandler4

api-ms-win-crt-runtime-l1-1-0

_beginthreadex
abort
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_register_onexit_function
_crt_atexit
exit
system
_errno
strerror
_set_app_type
__sys_nerr
_cexit
terminate
_seh_filter_exe
_get_narrow_winmain_command_line
_initterm
_initterm_e
_exit
_c_exit
_register_thread_local_exe_atexit_callback
_getpid
_resetstkoflw
_wassert
_invalid_parameter_noinfo
_invalid_parameter_noinfo_noreturn

api-ms-win-crt-string-l1-1-0

strspn
strncmp
strpbrk
tolower
isupper
_strdup
strncpy
strcspn
strcmp

api-ms-win-crt-stdio-l1-1-0

_wfopen
__acrt_iob_func
_open
_close
_write
_read
fputs
__p__commode
fclose
fflush
_set_fmode
fread
fseek
ftell
fwrite
_get_stream_buffer_pointers
__stdio_common_vfprintf
__stdio_common_vsprintf
__stdio_common_vsscanf
_popen
_pclose
ungetc
setvbuf
_fseeki64
fgets
fsetpos
fputc
fgetpos
feof
fgetc
_lseeki64
fopen

api-ms-win-crt-heap-l1-1-0

malloc
_callnewh
free
calloc
_set_new_mode
realloc

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-math-l1-1-0

sinf
sqrtf
__setusermatherr
_dclass
fmodf
acosf
ceilf
powf
cosf

api-ms-win-crt-convert-l1-1-0

strtoul
atoi
strtol
strtoull
strtod
strtoll

api-ms-win-crt-filesystem-l1-1-0

_access
_lock_file
_unlink
_fstat64
_unlock_file
_stat64

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-time-l1-1-0

_gmtime64
_time64
strftime
_localtime64

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
localeconv
___lc_codepage_func

advapi32

CryptCreateHash
CryptDestroyHash
CryptDestroyKey
CryptImportKey
CryptEncrypt
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
ConvertSidToStringSidA
CopySid
SetSecurityInfo
IsValidSid
InitializeAcl
GetTokenInformation
GetLengthSid
AddAccessAllowedAce
OpenProcessToken
CryptHashData

shell32

ShellExecuteA

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 643KB - Virtual size: 643KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5.8MB - Virtual size: 5.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 53KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

58b5751b1ba7112e0a2d2a178167a7f7

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3d11

d3dcompiler_43

kernel32

user32

msvcp140

imm32

dwmapi

d3dx11_43

urlmon

normaliz

wldap32

crypt32

ws2_32

shlwapi

rpcrt4

psapi

userenv

vcruntime140

vcruntime140_1

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-locale-l1-1-0

advapi32

shell32

Sections

.text Size: 1.1MB - Virtual size: 1.1MB

.rdata Size: 643KB - Virtual size: 643KB

.data Size: 5.8MB - Virtual size: 5.8MB

.pdata Size: 53KB - Virtual size: 52KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 5KB - Virtual size: 4KB

.text
Size: 1.1MB - Virtual size: 1.1MB

.rdata
Size: 643KB - Virtual size: 643KB

.data
Size: 5.8MB - Virtual size: 5.8MB

.pdata
Size: 53KB - Virtual size: 52KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 5KB - Virtual size: 4KB