dps[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

dps.dll
Size

170KB
MD5

b99cb575986789a93a683dcf292a43a1
SHA1

b782104b15f9e6b09f302ba013852862fbd2e0e3
SHA256

6acea31c723b74003e106fc8303542fcc6dbc4952b6b523f6590d006be57238d
SHA512

e4c2e9eb7985999ba31cab893045b5e80c9f5928595bab937853e451c2018843d2fa62046fcaae6c3bd1d04eb1c607a4843dc8dcca9eff62a0fa2e7c39380961
SSDEEP

3072:VpfuxINn0Up+sghZidTfGGbrGXLG6cdAeJBdkYeJel8ULnfoHXvfQpGN:7frt0oZg/GfGNJcdb76UEfQpG

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
dps.dll

Files

dps.dll
.dll windows:6 windows x64 arch:x64

ca853a0656046fffa5044ebeb20e379b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

dps.pdb

Imports

msvcrt

_vsnwprintf
memcpy
__C_specific_handler
_initterm
malloc
free
_amsg_exit
_XcptFilter
_wcsicmp
memset

ntdll

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
EtwEventUnregister
EtwEventRegister
RtlFirstEntrySList
EtwEventActivityIdControl
EtwEventWrite
EtwEventEnabled
WinSqmIncrementDWORD
WinSqmAddToStream
NtTraceControl
NtAlpcImpersonateClientOfPort
TpAllocAlpcCompletion
NtAlpcCreatePort
RtlInitUnicodeString
NtAlpcCancelMessage
AlpcInitializeMessageAttribute
NtAlpcSendWaitReceivePort
NtAlpcAcceptConnectPort
NtAlpcDeleteSecurityContext
AlpcGetMessageAttribute
TpWaitForAlpcCompletion
TpReleaseAlpcCompletion
AlpcMaxAllowedMessageLength
NtAlpcDisconnectPort
RtlNtStatusToDosError
NtAlpcQueryInformation

api-ms-win-service-core-l1-1-1

RegisterServiceCtrlHandlerExW
SetServiceStatus

api-ms-win-core-errorhandling-l1-1-1

SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls

api-ms-win-core-heap-l1-2-0

GetProcessHeap
HeapFree
HeapAlloc
HeapReAlloc

api-ms-win-core-synch-l1-2-0

ReleaseSRWLockShared
InitializeSRWLock
AcquireSRWLockShared
ResetEvent
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSection
WaitForSingleObject
Sleep
SetEvent
WaitForMultipleObjectsEx
CreateEventW
ReleaseSRWLockExclusive
AcquireSRWLockExclusive

api-ms-win-eventing-consumer-l1-1-0

ProcessTrace
OpenTraceW
CloseTrace

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-processthreads-l1-1-2

GetCurrentProcess
TerminateProcess
OpenThreadToken
SetThreadToken
GetCurrentThread
GetCurrentThreadId
GetCurrentProcessId
CreateThread
CreateProcessAsUserW

api-ms-win-security-base-l1-2-0

CheckTokenMembership
FreeSid
EqualSid
RevertToSelf
SetSecurityDescriptorGroup
AccessCheck
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetTokenInformation
MakeAbsoluteSD
IsValidSecurityDescriptor
GetSecurityDescriptorOwner
CreateWellKnownSid
DuplicateTokenEx
IsValidSid
CopySid
GetLengthSid
SetSecurityDescriptorOwner
MapGenericMask
MakeSelfRelativeSD
AllocateAndInitializeSid

api-ms-win-core-sysinfo-l1-2-1

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegEnumKeyExW
RegDeleteValueW
RegSetValueExW
RegQueryInfoKeyW

api-ms-win-core-interlocked-l1-2-0

InterlockedFlushSList
InterlockedPushEntrySList
InitializeSListHead

api-ms-win-core-file-l1-2-1

ReadFile
WriteFile
SetFilePointer
RemoveDirectoryW
GetDiskFreeSpaceW
SetFilePointerEx
DeleteFileW
FindNextFileW
CompareFileTime
FindClose
FindFirstFileW
CreateFileW

api-ms-win-eventing-controller-l1-1-0

ControlTraceW

api-ms-win-service-management-l1-1-0

OpenSCManagerW
CloseServiceHandle
StartServiceW
OpenServiceW

api-ms-win-service-winsvc-l1-2-0

ControlService
QueryServiceStatus

api-ms-win-service-management-l2-1-0

QueryServiceStatusEx

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW

api-ms-win-core-debug-l1-1-1

OutputDebugStringW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-heap-obsolete-l1-1-0

LocalAlloc
LocalFree

api-ms-win-security-grouppolicy-l1-1-0

RegisterGPNotificationInternal
UnregisterGPNotificationInternal

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI
DelayLoadFailureHook

Exports

Exports

ServiceMain

Sections

.text
Size: 135KB - Virtual size: 134KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ca853a0656046fffa5044ebeb20e379b

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-service-core-l1-1-1

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-heap-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-eventing-consumer-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-security-base-l1-2-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-registry-l1-1-0

api-ms-win-core-interlocked-l1-2-0

api-ms-win-core-file-l1-2-1

api-ms-win-eventing-controller-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-winsvc-l1-2-0

api-ms-win-service-management-l2-1-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-debug-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-security-grouppolicy-l1-1-0

api-ms-win-core-delayload-l1-1-1

Exports

Exports

Sections

.text Size: 135KB - Virtual size: 134KB

.data Size: 5KB - Virtual size: 6KB

.pdata Size: 7KB - Virtual size: 6KB

.idata Size: 7KB - Virtual size: 6KB

.didat Size: 512B - Virtual size: 152B

.rsrc Size: 14KB - Virtual size: 13KB

.reloc Size: 512B - Virtual size: 88B

.text
Size: 135KB - Virtual size: 134KB

.data
Size: 5KB - Virtual size: 6KB

.pdata
Size: 7KB - Virtual size: 6KB

.idata
Size: 7KB - Virtual size: 6KB

.didat
Size: 512B - Virtual size: 152B

.rsrc
Size: 14KB - Virtual size: 13KB

.reloc
Size: 512B - Virtual size: 88B