devinv[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

devinv.dll
Size

652KB
MD5

856d466fb053d12def1fd41bc47eb52a
SHA1

46ef91e820e6169379b396576e77eb775acc01e1
SHA256

e3293b3430dd59c471d1810a1e96093ac2c346ed9c2bd31bfa0cc1934063f11f
SHA512

67d31d99e26c8e4298f00c29660d6962e033e540430ed728e0c1bed557693cbedba92ada244a245dac23cad2728df1eedb45daeb1f04b95d2f1207a3c6423e8e
SSDEEP

12288:DW0DBQb+HsaeTtcYfWRSS7qXGDua0DSXn/PBvJOppLWyT:DzDBQb+78JfWRnMSX/gpKyT

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
devinv.dll

Files

devinv.dll
.dll windows:10 windows x64 arch:x64

46cb1bdd3a73be46c27150f4b0c946fb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

devinv.pdb

Imports

msvcrt

memcmp
_wsetlocale
__crtLCMapStringW
_wcsdup
_XcptFilter
_amsg_exit
abort
__uncaught_exception
calloc
_initterm
__pctype_func
_ismbblead
___lc_codepage_func
___lc_handle_func
___mb_cur_max_func
_unlock
_lock
setlocale
memmove
memcpy
_CxxThrowException
??0exception@@QEAA@AEBQEBDH@Z
_callnewh
wcschr
__C_specific_handler
wcscpy_s
realloc
wcsstr
wcsncmp
wcsrchr
wcstok_s
iswalnum
_wcsnicmp
malloc
_wcsicmp
tolower
iswprint
??0bad_cast@@QEAA@PEBD@Z
??1bad_cast@@UEAA@XZ
??0bad_cast@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBD@Z
?what@exception@@UEBAPEBDXZ
_beginthreadex
free
??_V@YAXPEAX@Z
swscanf_s
_vsnprintf
strchr
_set_errno
__dllonexit
_onexit
strtol
?terminate@@YAXXZ
??1type_info@@UEAA@XZ
??3@YAXPEAX@Z
strcmp
strnlen
_errno
strncpy_s
sprintf_s
_ui64tow_s
fprintf
_vsnprintf_s
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
_purecall
memcpy_s
_vsnwprintf
__CxxFrameHandler3
memset
iswalpha
_mktime64
__iob_func
towlower
_vsnwprintf_s
wcscat_s
_wsplitpath_s
wcstoul
strcpy_s
strncmp
_wcslwr
_wctime64
wcscmp

ntdll

RtlAllocateAndInitializeSid
RtlFreeSid
RtlNtStatusToDosError
NtQueryLicenseValue
RtlAdjustPrivilege
NtQueryKey
RtlRandomEx
RtlStringFromGUID
RtlAppendUnicodeToString
RtlAppendUnicodeStringToString
RtlFreeUnicodeString
RtlInitUnicodeStringEx
RtlDosPathNameToRelativeNtPathName_U
NtLoadKeyEx
RtlReleaseRelativeName
NtQuerySystemInformation
EtwTraceMessage
RtlDeleteCriticalSection
RtlEqualString
RtlReAllocateHeap
RtlEnterCriticalSection
RtlInitAnsiString
RtlMultiByteToUnicodeN
RtlInitializeCriticalSection
RtlLeaveCriticalSection
ZwClose
RtlDosPathNameToNtPathName_U_WithStatus
RtlInitUnicodeString
ZwOpenKey
ZwEnumerateKey
ZwQueryValueKey
ZwCreateFile
ZwQueryInformationFile
ZwCreateSection
RtlSecondsSince1970ToTime
EtwEventUnregister
EtwEventWrite
EtwEventRegister
RtlInitString
RtlxAnsiStringToUnicodeSize
RtlAnsiStringToUnicodeString
RtlUpcaseUnicodeChar
ZwUnmapViewOfSection
ZwMapViewOfSection
LdrResSearchResource
RtlVerifyVersionInfo
RtlImageDirectoryEntryToData
RtlGetNativeSystemInformation
ZwQuerySystemInformation
VerSetConditionMask
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlGetVersion
RtlTimeToTimeFields
NtQuerySystemTime
RtlFreeHeap
RtlAllocateHeap
WinSqmIsOptedInEx

wintrust

WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
CryptCATOpen
CryptCATCatalogInfoFromContext
CryptCATAdminCalcHashFromFileHandle
CryptCATEnumerateCatAttr
CryptCATClose
CryptCATAdminReleaseContext
CryptCATAdminEnumCatalogFromHash
CryptCATAdminAcquireContext
WinVerifyTrust
CryptCATAdminReleaseCatalogContext

dbghelp

ImageNtHeader
ImageDirectoryEntryToData

devobj

DevObjGetClassDevs
DevObjDestroyDeviceInfoList
DevObjGetClassProperty
DevObjClassNameFromGuid
DevObjGetDeviceInterfaceDetail
DevObjGetDeviceProperty
DevObjEnumDeviceInfo
DevObjEnumDeviceInterfaces
DevObjCreateDeviceInfoList

kernel32

GetSystemFirmwareTable
GetTickCount
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
InitializeCriticalSectionEx
DecodePointer
EncodePointer
GetStringTypeW
WideCharToMultiByte
DeviceIoControl
LocalFree
LocalAlloc
GetFileTime
lstrcmpA
UnmapViewOfFile
GetModuleFileNameW
CreateFileMappingW
GetFileSize
CreateFileW
SetLastError
ReleaseSRWLockExclusive
GetNativeSystemInfo
FileTimeToSystemTime
SleepConditionVariableSRW
WakeAllConditionVariable
DelayLoadFailureHook
LoadLibraryExA
CreateMutexExW
OpenSemaphoreW
WaitForSingleObjectEx
CreateSemaphoreExW
SetDllDirectoryW
GetFileAttributesW
K32GetModuleFileNameExW
K32GetDeviceDriverFileNameW
K32EnumDeviceDrivers
GetWindowsDirectoryW
SetWaitableTimer
CreateWaitableTimerW
ExpandEnvironmentStringsW
ReleaseSemaphore
WaitForMultipleObjects
FindClose
FindNextFileW
FindFirstFileW
OpenWaitableTimerW
CreateSemaphoreW
OutputDebugStringW
IsDebuggerPresent
GetSystemWindowsDirectoryW
DeleteFileW
CreateMutexW
ReleaseMutex
GetTempPathW
GetTempFileNameW
GetModuleFileNameA
HeapFree
GetModuleHandleExW
GetCurrentThreadId
FormatMessageW
HeapAlloc
GetProcAddress
GetProcessHeap
GetModuleHandleW
DebugBreak
InitializeCriticalSection
DeleteCriticalSection
CreateEventW
GetLastError
CloseHandle
GetTickCount64
QueryThreadCycleTime
GetCurrentThread
GetCommandLineW
MoveFileExW
CreateActCtxW
QueryActCtxW
Sleep
FreeLibrary
ReleaseActCtx
GetVolumeInformationByHandleW
VerifyVersionInfoW
OutputDebugStringA
LoadLibraryExW
QueryFullProcessImageNameW
GetCurrentProcess
GetSystemDirectoryW
GlobalMemoryStatusEx
SetEvent
MultiByteToWideChar
FreeLibraryAndExitThread
GetVersionExW
WaitForSingleObject
WriteFile
GetModuleHandleExA
lstrcmpiW
FileTimeToLocalFileTime
MapViewOfFile
EnterCriticalSection
LeaveCriticalSection
AcquireSRWLockExclusive

ole32

CoCreateInstance
CoSetProxyBlanket
StringFromGUID2
PropVariantClear
IIDFromString
CoInitializeEx
CoUninitialize
CoInitializeSecurity

advapi32

CryptReleaseContext
RegSetKeyValueW
QueryServiceConfigW
OpenServiceW
RegEnumKeyExW
EnumServicesStatusExW
InitializeSecurityDescriptor
CloseServiceHandle
OpenSCManagerW
SetEntriesInAclW
SetSecurityDescriptorDacl
EventUnregister
RegCreateKeyExW
RegSetValueExW
RegQueryInfoKeyW
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
EventWriteTransfer
RegGetValueW
EventRegister
RegOpenKeyExW
RegQueryValueExW
SetSecurityDescriptorOwner
RegUnLoadKeyW
RegLoadKeyW
RegDeleteKeyW
RegFlushKey
RegCloseKey
RegLoadAppKeyW
RegDeleteKeyExW
RegDeleteKeyValueW
RegSaveKeyExW
RegSetKeySecurity
RegDeleteTreeW
RegDeleteValueW
RegOpenKeyW

oleaut32

SysAllocStringLen
SysFreeString
VariantInit
SysAllocString
VariantClear

shlwapi

PathFindFileNameW
PathCommonPrefixW

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

crypt32

CertGetNameStringW
CertDuplicateCertificateContext
CertFreeCertificateContext
CertCloseStore
CertGetCertificateContextProperty
CryptMsgClose
CryptDecodeObject
CryptQueryObject
CryptMsgGetParam

rpcrt4

UuidCreate

fltlib

FilterFindClose
FilterFindNext
FilterFindFirst

setupapi

SetupGetInfDriverStoreLocationW

Exports

Exports

CreateDeviceInventory
CreateDeviceInventoryTC
CreateDeviceInventoryTC2
GetDevInventory
ReportDeviceAdd
ReportDeviceRemove
RunDeviceInventoryW
SetDevInvDebugCorrelationVector

Sections

.text
Size: 456KB - Virtual size: 453KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 156KB - Virtual size: 155KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

46cb1bdd3a73be46c27150f4b0c946fb

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

wintrust

dbghelp

devobj

kernel32

ole32

advapi32

oleaut32

shlwapi

version

crypt32

rpcrt4

fltlib

setupapi

Exports

Exports

Sections

.text Size: 456KB - Virtual size: 453KB

.rdata Size: 156KB - Virtual size: 155KB

.data Size: 8KB - Virtual size: 16KB

.pdata Size: 16KB - Virtual size: 13KB

.didat Size: 4KB - Virtual size: 176B

.rsrc Size: 4KB - Virtual size: 1024B

.reloc Size: 4KB - Virtual size: 1KB

.text
Size: 456KB - Virtual size: 453KB

.rdata
Size: 156KB - Virtual size: 155KB

.data
Size: 8KB - Virtual size: 16KB

.pdata
Size: 16KB - Virtual size: 13KB

.didat
Size: 4KB - Virtual size: 176B

.rsrc
Size: 4KB - Virtual size: 1024B

.reloc
Size: 4KB - Virtual size: 1KB