Static task: static1
Behavioral task: behavioral1
- Sample: 6fb71463d4cd399c51db66f8fdb74a8573e4943486617eccef9c125b8550de2f.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 6fb71463d4cd399c51db66f8fdb74a8573e4943486617eccef9c125b8550de2f.exe
- Resource: win10v2004-20240426-en
General
- Target: 6fb71463d4cd399c51db66f8fdb74a8573e4943486617eccef9c125b8550de2f
- Size: 786KB
- MD5: 7f12f892187243740dfe81ee9a48dcd6
- SHA1: 10561d3d541eb95f907bba5b43d583932b3f841e
- SHA256: 6fb71463d4cd399c51db66f8fdb74a8573e4943486617eccef9c125b8550de2f
- SHA512: 74d6e712b3474051f2c52758003c4c287bf9b42cd87ca34154a24a3eb291e88e95eab4845c78de52b9a64d67e5dcf7411e8fbcef44ec2a6365f7a0a15ba30fe1
- SSDEEP: 24576:lw5KNrbONMzm+JiUBRZgyu1w1tasWT8ZI:i5KNrbO3mPaNTWI
Malware Config
Signatures
- Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) (1 IoCs)
  resource: yara_rule | sample | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
- Unsigned PE (1 IoCs): checks for missing Authenticode signature.
  resource: 6fb71463d4cd399c51db66f8fdb74a8573e4943486617eccef9c125b8550de2f
Files
-
6fb71463d4cd399c51db66f8fdb74a8573e4943486617eccef9c125b8550de2f.exe windows:5 windows x64 arch:x64
d35dc78f97c5f9fd90f498e46664e9a0
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
kernel32
CreateToolhelp32Snapshot
lstrcatW
GlobalFree
lstrcpyW
GlobalAlloc
GetCurrentProcess
HeapFree
HeapAlloc
GetProcessHeap
GetLastError
OpenProcess
GetCurrentProcessId
lstrcmpW
GetSystemInfo
FreeLibrary
GetProcAddress
LoadLibraryW
GetModuleHandleW
ExitProcess
CreateProcessW
GetStartupInfoW
GetCommandLineW
GetModuleFileNameW
WideCharToMultiByte
CreateEventW
QueryPerformanceFrequency
SetEvent
QueryPerformanceCounter
ResetEvent
Process32FirstW
WriteFile
CreateFileW
ExpandEnvironmentStringsW
CopyFileW
GetFileAttributesW
CreateEventA
FormatMessageW
LoadLibraryA
GetNativeSystemInfo
SetLastError
VirtualProtect
IsBadReadPtr
GetThreadLocale
GetWindowsDirectoryW
ReadProcessMemory
GetTempPathW
CreateThread
GetCurrentThreadId
SetUnhandledExceptionFilter
DeleteFileA
GetModuleFileNameA
MoveFileExW
CreateFileA
LocalFree
SetEnvironmentVariableW
GetExitCodeProcess
SetEnvironmentVariableA
CompareStringW
IsValidLocale
Process32NextW
CloseHandle
Sleep
GetTickCount
MultiByteToWideChar
lstrlenW
GetLocalTime
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
VirtualFree
DeleteCriticalSection
WaitForSingleObject
InitializeCriticalSection
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
WriteConsoleW
SetStdHandle
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
LCMapStringW
FlushFileBuffers
SetFilePointer
ReadFile
GetFileType
SetHandleCount
SetConsoleCtrlHandler
FatalAppExitA
GetStringTypeW
IsValidCodePage
GetOEMCP
GetACP
HeapSize
GetLocaleInfoW
GetStdHandle
GetVersion
HeapSetInformation
GetConsoleMode
GetConsoleCP
FlsAlloc
GetCurrentThread
FlsFree
FlsSetValue
FlsGetValue
TerminateProcess
RtlCaptureContext
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
GetCPInfo
HeapReAlloc
ExitThread
EncodePointer
DecodePointer
SetEndOfFile
RtlPcToFileHeader
RtlUnwindEx
RtlLookupFunctionEntry
ReleaseSemaphore
CreateSemaphoreW
TryAcquireSRWLockExclusive
TryAcquireSRWLockShared
DeleteTimerQueueTimer
CreateTimerQueueTimer
ReleaseSRWLockShared
AcquireSRWLockShared
WaitForMultipleObjects
TryEnterCriticalSection
CancelWaitableTimer
SetWaitableTimer
lstrlenA
UnmapViewOfFile
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
GetTickCount64
SleepConditionVariableCS
WakeAllConditionVariable
WakeConditionVariable
SwitchToThread
CreateIoCompletionPort
CreateFileMappingW
MapViewOfFileEx
GetFileSize
GetExitCodeThread
TerminateThread
InitializeSRWLock
RaiseException
CreateTimerQueue
DeleteTimerQueueEx
InitializeCriticalSectionAndSpinCount
InitializeConditionVariable
GetQueuedCompletionStatus
HeapCreate
HeapDestroy
CreateWaitableTimerW
PostQueuedCompletionStatus
user32
PeekMessageW
MsgWaitForMultipleObjects
GetWindowTextW
GetForegroundWindow
GetLastInputInfo
SendMessageW
wsprintfW
PostThreadMessageA
DispatchMessageW
TranslateMessage
advapi32
RegCreateKeyW
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
OpenProcessToken
GetTokenInformation
LookupAccountSidW
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
GetCurrentHwProfileW
RegDeleteValueW
shell32
SHGetFolderPathW
ShellExecuteA
ole32
CoInitialize
CoGetObject
CoInitializeEx
CoCreateGuid
CoCreateInstance
CoUninitialize
oleaut32
VariantClear
VariantInit
SysStringLen
SysStringByteLen
SysAllocStringByteLen
SysAllocString
SysFreeString
CreateErrorInfo
SetErrorInfo
VariantChangeType
GetErrorInfo
ws2_32
closesocket
send
ioctlsocket
shutdown
setsockopt
WSAIoctl
htonl
ntohl
InetNtopW
InetPtonW
htons
ntohs
WSAGetLastError
gethostname
gethostbyname
inet_ntoa
WSARecv
WSAStringToAddressW
WSASetLastError
getpeername
getsockname
sendto
WSASendTo
WSARecvFrom
freeaddrinfo
getaddrinfo
WSAStartup
WSAResetEvent
WSAEventSelect
WSACleanup
bind
connect
recv
WSACloseEvent
WSACreateEvent
socket
WSAEnumNetworkEvents
WSAWaitForMultipleEvents
recvfrom
WSAGetOverlappedResult
listen
getsockopt
WSASend
shlwapi
PathFileExistsA
StrChrW
PathCombineW
PathFileExistsW
PathFindFileNameA
winmm
timeGetDevCaps
timeEndPeriod
timeBeginPeriod
timeGetTime
Sections
.text Size: 572KB - Virtual size: 572KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 150KB - Virtual size: 149KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 17KB - Virtual size: 35KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 38KB - Virtual size: 38KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 7KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ