appmgr[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

appmgr.dll
Size

448KB
MD5

b906244a334de3f8c13bd0b7bc87a224
SHA1

05d080204436dff111a819068d3dd4d72dfbe28a
SHA256

0390cad7420a5018ec1e00d5cec81e66d0cb979aa63ec69fe5a803557f2cd514
SHA512

20dd4861a4f7259576f7bb3dbf47a152305bfb4c8573d95a40da04646959cd09dfd854a9d953c19008fd6856fc86db2fed8416ff9967778b99500350ff6d7c3a
SSDEEP

6144:xnZSaz5smCDBcGgrdg23dKy2F1gTYCjhad+3p0mNL:xnZSa9stc1my2vL3T+

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
appmgr.dll

Files

appmgr.dll
.dll windows:6 windows x64 arch:x64

a97fa75fded309fafd656dcf57e0e9f0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

appmgr.pdb

Imports

mfc42u

ord6328
ord2311
ord6147
ord1264
ord2845
ord3437
ord621
ord6021
ord4436
ord1286
ord2781
ord4601
ord6705
ord6642
ord6641
ord4521
ord2783
ord2629
ord4523
ord2593
ord4747
ord3501
ord3806
ord912
ord4257
ord1262
ord4262
ord6395
ord6385
ord3396
ord6632
ord3740
ord2408
ord2427
ord1574
ord286
ord3830
ord3790
ord1441
ord1647
ord640
ord2849
ord6708
ord1566
ord1562
ord2665
ord1063
ord4214
ord2752
ord1426
ord3916
ord4983
ord3534
ord6053
ord5711
ord5730
ord5065
ord4368
ord5724
ord5722
ord3468
ord2412
ord5615
ord1388
ord4191
ord6071
ord2515
ord2559
ord4836
ord6813
ord3868
ord1082
ord288
ord812
ord1544
ord1586
ord1555
ord1583
ord1585
ord355
ord1477
ord1553
ord1416
ord1491
ord1577
ord1463
ord4860
ord2328
ord622
ord1124
ord287
ord6614
ord2846
ord4131
ord4548
ord5584
ord5585
ord5583
ord5304
ord5114
ord5382
ord5352
ord4722
ord6887
ord5246
ord5709
ord5227
ord4473
ord4699
ord6418
ord4582
ord2329
ord911
ord665
ord1067
ord3805
ord4770
ord3535
ord5712
ord4746
ord1778
ord6440
ord2592
ord4543
ord2024
ord2425
ord6801
ord1774
ord999
ord549
ord1906
ord5687
ord4721
ord5406
ord2517
ord6437
ord4365
ord1777
ord4752
ord5663
ord2399
ord5586
ord4694
ord5702
ord4017
ord5229
ord4789
ord2670
ord2060
ord6814
ord3933
ord5484
ord1736
ord5683
ord2457
ord2140
ord5699
ord3049
ord3243
ord3362
ord4815
ord3231
ord3366
ord3052
ord3166
ord3046
ord4082
ord4083
ord4077
ord3164
ord4371
ord4988
ord4771
ord3761
ord620
ord6886
ord6812
ord6767
ord1284
ord1287
ord624
ord4027
ord5245
ord6351
ord2906
ord2661
ord4519
ord2898
ord3177
ord5077
ord1122
ord4557
ord2384
ord2371
ord1126
ord1040
ord626
ord852
ord337
ord659

msvcrt

??0exception@@QEAA@XZ
_vsnwprintf
wcsncmp
swscanf
fwprintf
tmpfile
_setmode
_fileno
rewind
fclose
_purecall
memmove_s
wcsrchr
wcsncpy_s
malloc
free
memset
__C_specific_handler
__CxxFrameHandler3
??0exception@@QEAA@AEBQEBDH@Z
_callnewh
_CxxThrowException
_XcptFilter
_amsg_exit
_initterm
??1type_info@@UEAA@XZ
_lock
_unlock
__dllonexit
_onexit
_errno
realloc
memcpy
_wfopen
??0exception@@QEAA@AEBQEBD@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
memcpy_s
??0exception@@QEAA@AEBV0@@Z
_wcsnicmp
_wcsicmp
fgetws
wcscmp

aclui

ord1

advapi32

RegQueryValueExA
RegQueryInfoKeyW
RegOpenKeyW
RegQueryValueExW
RegCloseKey
MapGenericMask
IsValidSecurityDescriptor
GetSecurityDescriptorLength
OpenEventLogW
ReportEventW
CloseEventLog
RegOpenKeyExA
RegEnumKeyExW
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW

gdi32

GetTextExtentPoint32W

gpedit

BrowseForGPO

appmgmts

CsSetOptions
CsServerGetClassStore
CsGetClassStorePath
CsGetClassStore
CsRegisterAppCategory
CsUnregisterAppCategory
CsGetAppCategories
ReleasePackageDetail
ReleasePackageInfo
CsCreateClassStore

kernel32

GetLocaleInfoW
GetLastError
GetCurrentProcessId
OutputDebugStringW
LocalAlloc
SetFilePointer
WriteFile
lstrlenW
CloseHandle
CreateFileW
LocalFree
SetLastError
DebugBreak
DeleteFileW
DeactivateActCtx
LoadLibraryW
GetProcAddress
ActivateActCtx
FindActCtxSectionStringW
CreateActCtxW
GetModuleFileNameW
GetModuleHandleExW
QueryActCtxW
OutputDebugStringA
GetPrivateProfileStringW
FormatMessageW
CompareStringW
FindFirstFileW
FindClose
GlobalAlloc
ExpandEnvironmentStringsW
GetSystemTime
SystemTimeToFileTime
CreateDirectoryW
MoveFileW
InitializeCriticalSection
GetTempPathW
GetTempFileNameW
CopyFileW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
lstrcmpiW
LeaveCriticalSection
RaiseException
EnterCriticalSection
MultiByteToWideChar
SizeofResource
LoadResource
FindResourceExW
Sleep
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
GlobalFree
ExpandEnvironmentStringsA
LoadLibraryExA
ReleaseActCtx
DeleteCriticalSection

mpr

WNetGetUniversalNameW

msi

ord19
ord165
ord116
ord228
ord158
ord118
ord160
ord159
ord32
ord92
ord8
ord150
ord78
ord141

netapi32

NetApiBufferFree
DsGetDcNameW

ole32

CoInitialize
CoUninitialize
CoTaskMemRealloc
CoTaskMemAlloc
CoTaskMemFree
CoSetProxyBlanket
CLSIDFromString
CreateStreamOnHGlobal
StringFromGUID2
CoCreateGuid
CoCreateInstance

oleaut32

VariantClear
SysFreeString
SysAllocString
VariantInit
SysAllocStringLen
SysStringLen
VarUI4FromStr

shell32

SHGetSpecialFolderLocation
ShellExecuteExW
DragQueryFileW
SHGetMalloc
SHGetPathFromIDListW
SHBrowseForFolderW

user32

RegisterClipboardFormatW
LoadStringW
GetParent
EnableWindow
GetFocus
ReleaseDC
GetDC
SendMessageW
LoadCursorW
UnhookWindowsHookEx
SetCursor
GetClientRect
LoadImageW
LoadBitmapW
MessageBoxW
GetActiveWindow
CharNextW
UnregisterClassA
SetWindowsHookExW
CallNextHookEx

framedynos

??4WBEMTime@@QEAAAEBV0@QEAG@Z
?GetFILETIME@WBEMTime@@QEBAHPEAU_FILETIME@@@Z

Exports

Exports

DllCanUnloadNow
DllGetClassObject
GenerateScript

Sections

.text
Size: 338KB - Virtual size: 338KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 79KB - Virtual size: 78KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a97fa75fded309fafd656dcf57e0e9f0

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mfc42u

msvcrt

aclui

advapi32

gdi32

gpedit

appmgmts

kernel32

mpr

msi

netapi32

ole32

oleaut32

shell32

user32

framedynos

Exports

Exports

Sections

.text Size: 338KB - Virtual size: 338KB

.data Size: 5KB - Virtual size: 16KB

.pdata Size: 9KB - Virtual size: 8KB

.idata Size: 10KB - Virtual size: 10KB

.rsrc Size: 79KB - Virtual size: 78KB

.reloc Size: 5KB - Virtual size: 4KB

.text
Size: 338KB - Virtual size: 338KB

.data
Size: 5KB - Virtual size: 16KB

.pdata
Size: 9KB - Virtual size: 8KB

.idata
Size: 10KB - Virtual size: 10KB

.rsrc
Size: 79KB - Virtual size: 78KB

.reloc
Size: 5KB - Virtual size: 4KB