authz.pdb
Static task: static1
Behavioral task: behavioral1
  Sample: authz.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: authz.dll
  Resource: win10v2004-20240426-en
General
- Target: authz.dll
- Size: 278KB
- MD5: 8860f3417d3fd852ed1487362386f6d6
- SHA1: 666fc40fc1679250cb70a9a056c3225ccfcbde9a
- SHA256: c9afc5824b7f5f68c5f62b1048dd69d4cd26447499728e1474a8546d39129173
- SHA512: 1a5eb87581fdabc69848e1b90bb316680bdab3a5ba9bf9128104d589d0fad7a75834d391fe0d2c83fe426ef36805cb1fc91b30630494884149579b38260dc8f7
- SSDEEP: 6144:ZH+JMom4r1sP2JnKXJ2Upd+TYGumsNWpzvALh:ZeJ9VupdyY5qvAh
Malware Config
Signatures
- Unsigned PE (1 IoCs): Checks for missing Authenticode signature.
  resource: authz.dll
Files
-
authz.dll.dll windows:6 windows x64 arch:x64
e668f81bea2fe4b5b643e89ac3f83e5e
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
Imports
msvcrt
memset
memcpy
memcmp
__C_specific_handler
_initterm
malloc
free
_amsg_exit
_XcptFilter
wcsstr
wcstol
??2@YAPEAX_K@Z
??3@YAXPEAX@Z
_vsnwprintf
_wtoi64
_wtoi
_wcsicmp
wcsncmp
_wcsnicmp
wcscmp
api-ms-win-core-errorhandling-l1-1-1
SetLastError
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
api-ms-win-core-synch-l1-2-0
WaitForSingleObject
Sleep
InitializeCriticalSection
EnterCriticalSection
CreateEventW
DeleteCriticalSection
SetEvent
LeaveCriticalSection
ResetEvent
api-ms-win-core-processthreads-l1-1-2
CreateThread
OpenProcessToken
GetCurrentProcess
OpenThreadToken
GetCurrentThread
SetThreadStackGuarantee
TerminateProcess
GetCurrentProcessId
GetCurrentThreadId
SetThreadPriority
api-ms-win-core-handle-l1-1-0
CloseHandle
api-ms-win-core-registry-l1-1-0
RegQueryInfoKeyW
RegDeleteKeyExW
RegEnumValueW
RegQueryValueExW
RegEnumKeyExW
RegOpenKeyExA
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExA
RegDeleteValueW
api-ms-win-core-rtlsupport-l1-2-0
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCompareMemory
RtlCaptureContext
api-ms-win-security-base-l1-2-0
SetSecurityDescriptorDacl
GetLengthSid
AdjustTokenPrivileges
GetSecurityDescriptorSacl
GetSidSubAuthorityCount
IsValidSid
IsValidSecurityDescriptor
SetSecurityDescriptorSacl
GetSecurityDescriptorLength
InitializeSid
SetSecurityDescriptorGroup
GetSecurityDescriptorGroup
SetSecurityDescriptorOwner
GetSecurityDescriptorOwner
InitializeSecurityDescriptor
GetSecurityDescriptorControl
GetTokenInformation
EqualDomainSid
CreateWellKnownSid
IsWellKnownSid
AllocateAndInitializeSid
AddAccessAllowedAce
InitializeAcl
GetSecurityDescriptorDacl
GetSidSubAuthority
api-ms-win-core-sysinfo-l1-2-1
GetTickCount
GetSystemTimeAsFileTime
GetOsSafeBootMode
GetSystemInfo
GetComputerNameExW
api-ms-win-core-memory-l1-1-2
VirtualFree
VirtualQuery
VirtualProtect
VirtualAlloc
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-core-heap-obsolete-l1-1-0
LocalFree
LocalAlloc
ntdll
RtlInitUnicodeString
NtOpenKey
NtQueryValueKey
NtClose
RtlLengthRequiredSid
RtlIsPackageSid
RtlIsCapabilitySid
RtlCopySid
RtlCopyLuid
RtlCopyLuidAndAttributesArray
RtlSubAuthorityCountSid
RtlSubAuthoritySid
RtlInitString
NtAllocateLocallyUniqueId
RtlValidSid
RtlGetNtProductType
RtlInitializeSid
RtlInitializeResource
RtlDeleteResource
RtlAcquireResourceShared
RtlValidRelativeSecurityDescriptor
EtwTraceMessage
RtlNtStatusToDosErrorNoTeb
RtlEqualUnicodeString
RtlCopyUnicodeString
RtlIsNameInExpression
RtlCompareUnicodeString
RtlUpcaseUnicodeChar
RtlFreeHeap
RtlAllocateHeap
RtlImageNtHeader
RtlLengthSecurityDescriptor
RtlOwnerAcesPresent
RtlValidSecurityDescriptor
RtlEqualSid
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlDeleteCriticalSection
RtlInitializeCriticalSection
RtlLengthSid
RtlSidHashInitialize
NtQuerySecurityAttributesToken
RtlNtStatusToDosError
NtQueryInformationToken
RtlReleaseResource
RtlAcquireResourceExclusive
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
RtlMakeSelfRelativeSD
api-ms-win-core-apiquery-l1-1-0
ApiSetQueryApiSetPresence
api-ms-win-core-delayload-l1-1-1
ResolveDelayLoadedAPI
DelayLoadFailureHook
Exports
AuthzAccessCheck
AuthzAddSidsToContext
AuthzCachedAccessCheck
AuthzComputeEffectivePermission
AuthzEnumerateSecurityEventSources
AuthzEvaluateSacl
AuthzFreeAuditEvent
AuthzFreeCentralAccessPolicyCache
AuthzFreeContext
AuthzFreeHandle
AuthzFreeResourceManager
AuthzGetInformationFromContext
AuthzInitializeCompoundContext
AuthzInitializeContextFromAuthzContext
AuthzInitializeContextFromSid
AuthzInitializeContextFromToken
AuthzInitializeObjectAccessAuditEvent
AuthzInitializeObjectAccessAuditEvent2
AuthzInitializeRemoteAccessCheck
AuthzInitializeRemoteResourceManager
AuthzInitializeResourceManager
AuthzInitializeResourceManagerEx
AuthzInstallSecurityEventSource
AuthzModifyClaims
AuthzModifySecurityAttributes
AuthzModifySids
AuthzOpenObjectAudit
AuthzRegisterCapChangeNotification
AuthzRegisterSecurityEventSource
AuthzReportSecurityEvent
AuthzReportSecurityEventFromParams
AuthzSetAppContainerInformation
AuthzShutdownRemoteAccessCheck
AuthzUninstallSecurityEventSource
AuthzUnregisterCapChangeNotification
AuthzUnregisterSecurityEventSource
AuthziAccessCheckEx
AuthziAllocateAuditParams
AuthziCheckContextMembership
AuthziFreeAuditEventType
AuthziFreeAuditParams
AuthziFreeAuditQueue
AuthziGenerateAdminAlertAuditW
AuthziInitializeAuditEvent
AuthziInitializeAuditEventType
AuthziInitializeAuditParams
AuthziInitializeAuditParamsFromArray
AuthziInitializeAuditParamsWithRM
AuthziInitializeAuditQueue
AuthziInitializeContextFromSid
AuthziLogAuditEvent
AuthziModifyAuditEvent
AuthziModifyAuditEvent2
AuthziModifyAuditEventType
AuthziModifyAuditQueue
AuthziModifySecurityAttributes
AuthziQuerySecurityAttributes
AuthziSourceAudit
FreeClaimDefinitions
FreeClaimDictionary
GenerateNewCAPID
GetCentralAccessPoliciesByCapID
GetCentralAccessPoliciesByDN
GetClaimDefinitions
GetClaimDomainInfo
GetDefaultCAPESecurityDescriptor
InitializeClaimDictionary
RefreshClaimDictionary
Sections
.text Size: 251KB - Virtual size: 251KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.idata Size: 7KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 1024B - Virtual size: 760B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 5KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ