LsaIso[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

LsaIso.exe
Size

332KB
MD5

2d6444edf408eabcdd257aeaa41cc16f
SHA1

ea1045da6b592971e5a4107b060ba8c9ebca5ab6
SHA256

166f56315dda1514569209687164cbf9405b3dab64f91d38ebdc7c5a480a7c3a
SHA512

b159e23ca91635fd2f546e4ff1bab03470601798cea87253b9c9e6fbeffb078fd7633f3d7f389e1626657463370d9c41b9f0d0ff23ac2bc3c995c6f7f233d098
SSDEEP

3072:fcD3THu7JXNZfUZWGN6le4Z53eWeuvsAfMpNFSA/7A7+jlmYMIQ+5TC+AZXkL4PH:fcD3THGJXNZVfR53vlABjlmY6lGCuwpP

Score

1^/10

Malware Config

Signatures

Files

LsaIso.exe
.exe windows:10 windows x64 arch:x64

caeff74376f7e5556530aaf541d64cc3

Code Sign

33:00:00:04:5b:f6:31:bc:00:f4:fc:37:45:00:00:00:00:04:5b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

14/09/2023, 18:20

Not After

04/09/2024, 18:20

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

46:fa:75:95:1c:58:ea:5b:cc:22:bf:3c:8a:60:37:ca:96:41:81:27:6d:a9:0d:9a:36:f5:9a:10:fc:1a:92:65
Signer

Actual PE Digest

46:fa:75:95:1c:58:ea:5b:cc:22:bf:3c:8a:60:37:ca:96:41:81:27:6d:a9:0d:9a:36:f5:9a:10:fc:1a:92:65

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

LsaIso.pdb

Imports

msvcrt

__setusermatherr
_initterm
_fmode
?terminate@@YAXXZ
_lock
_unlock
__dllonexit
_onexit
memset
_cexit
_exit
exit
__set_app_type
__wgetmainargs
__CxxFrameHandler3
??3@YAXPEAX@Z
_purecall
??1exception@@UEAA@XZ
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBV0@@Z
toupper
malloc
_callnewh
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@AEBQEBDH@Z
?what@exception@@UEBAPEBDXZ
_CxxThrowException
memcpy
memmove
??1type_info@@UEAA@XZ
memcmp
wcscmp
_commode
_amsg_exit
_XcptFilter
_wcsicmp
__C_specific_handler

iumcrypt

iumCryptExportPublicKeyInfoFromBCryptKeyHandle
iumCryptSignAndEncodeCertificate
iumCryptEncodeObjectEx
iumCryptMsgUpdate
iumCryptMsgOpenToEncode
iumCryptMsgGetParam

api-ms-win-core-heap-obsolete-l1-1-0

LocalAlloc
LocalFree
LocalReAlloc

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableLevel
UnregisterTraceGuids
TraceMessage
GetTraceLoggerHandle
GetTraceEnableFlags

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventProviderEnabled
EventUnregister
EventRegister
EventWriteTransfer

api-ms-win-eventing-obsolete-l1-1-0

RegisterTraceGuidsA

api-ms-win-core-errorhandling-l1-1-0

SetLastError
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
GetModuleHandleExW
GetModuleHandleW
GetModuleFileNameA

api-ms-win-core-processthreads-l1-1-0

CreateThread
GetCurrentProcessId
GetCurrentThreadId
GetCurrentProcess
TerminateProcess
SetThreadStackGuarantee

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
WaitForSingleObject
InitializeSRWLock
CreateSemaphoreExW
EnterCriticalSection
DeleteCriticalSection
AcquireSRWLockShared
CreateMutexExW
ReleaseSRWLockShared
OpenSemaphoreW
WaitForSingleObjectEx
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
ReleaseMutex
InitializeCriticalSectionEx
ReleaseSemaphore

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
Sleep

api-ms-win-core-sysinfo-l1-1-0

GetSystemTime
GetSystemTimeAsFileTime
GetSystemInfo
GetTickCount

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime

kerbclientshared

KerbClientSharedInit
KerbDHGetSharedSecretFromCapiKeyBuffer
KerbDHGetLittleEndianPublicKey
KerbClientTransformStoredCred
KerbClientBuildKeyList
KerbClientBuildFastArmoredKdcRequest
KerbPackKdcReplyWithEncryptedSessionKey
KerbClientPackAsn1Buffer
KerbClientDecryptApReply
KerbClientVerifyFastArmoredKerbError
KerbClientBuildEncryptedAuthData
KerbClientPackApReply
KerbClientBuildAsReqAuthenticator
KerbClientSharedCleanup
KerbClientAlloc
KerbClientVerifyFastArmoredTgsReply
KerbClientDecryptPacCredentials
KerbClientFreeStoredCred
KerbClientVerifyFastArmoredKdcReply
KerbClientVerifyEncryptedChallengePaData
KerbClientUnpackKdcReplyBody
KerbClientVerifyChecksum
KerbClientUpdateSharedConfiguration
KerbClientBuildTicketArmorKey
KerbClientFree
KerbClientUnpackAsn1BufferVoid
KerbGetFlagsForKdcReply
KerbClientBuildExplicitArmorKey
KerbClientComputeTgsChecksum
KerbDHCreateBCryptKey
KerbDHGetLegacyDHParameters

ntlmshared

MsvpPutClearOwfsInPrimaryCredential
MsvpLm20GetNtlm3ChallengeResponse
MsvpMakeSecretPasswordNT5
MsvpDecryptDpapiMasterKey
MsvpCompareCredentials
MsvpDeriveSecureCredKey
NtlmSharedInit
MsvpValidateSupplementalCredsBuffer
MsvpCredentialToCachePasswords
MsvpGMSACred
MsvpPasswordValidate
MsvpUpdateSharedConfiguration

msasn1

ASN1BERDecGeneralizedTime
ASN1DEREncGeneralizedTime
ASN1BEREncU32
ASN1DecSetError
ASN1octetstring_free
ASN1BERDecSXVal
ASN1BERDecOpenType2
ASN1_CloseDecoder
ASN1intx_free
ASN1_CreateDecoder
ASN1intx_setuint32
ASN1_Decode
ASN1_CreateEncoder
ASN1_FreeEncoded
ASN1_FreeDecoded
ASN1_Encode
ASN1_CloseEncoder
ASN1BERDecPeekTag
ASN1BERDecOctetString
ASN1BERDecNotEndOfContents
ASN1BEREncExplicitTag
ASN1BERDecEndOfContents
ASN1BERDecBool
ASN1objectidentifier_free
ASN1EncSetError
ASN1BEREncS32
ASN1DEREncCharString
ASN1BEREncEndOfContents
ASN1BEREncBool
ASN1BERDecSkip
ASN1Free
ASN1DecAlloc
ASN1BEREncSX
ASN1BEREncOpenType
ASN1BERDecS32Val
ASN1DEREncOctetString
ASN1charstring_free
ASN1BERDecBitString
ASN1BEREncObjectIdentifier
ASN1BERDecZeroCharString
ASN1DEREncBitString
ASN1BERDecObjectIdentifier
ASN1BERDecU32Val
ASN1_CreateModule
ASN1BERDecCharString
ASN1bitstring_free
ASN1ztcharstring_free
ASN1BERDecExplicitTag

iumbase

GetSecureIdentitySigningKey
GetTaggedData
GetSignedReport
GetTaggedDataSize
IsSecureProcess
EncryptData
DecryptData

ntdll

RtlImageNtHeader
RtlLengthSid
RtlTimeToTimeFields
RtlTimeFieldsToTime
NtSetEvent
RtlAvlRemoveNode
RtlEqualUnicodeString
RtlAvlInsertNodeEx
memmove_s
RtlNtStatusToDosError
RtlLeaveCriticalSection
RtlInitializeCriticalSection
_vsnprintf_s
RtlEnterCriticalSection
memcpy_s
RtlDeleteCriticalSection
_vsnwprintf
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlFreeHeap
NtCreateEvent
RtlSetProcessIsCritical
NtClose
RtlInitUnicodeString
NtOpenEvent
NtQuerySystemInformation
RtlAllocateHeap

rpcrt4

RpcServerUseProtseqEpW
NdrMesTypeAlignSize3
MesEncodeDynBufferHandleCreate
NdrMesTypeEncode3
MesHandleFree
MesDecodeBufferHandleCreate
RpcServerRegisterIf
RpcServerUnregisterIf
RpcMgmtWaitServerListen
NdrMesTypeDecode3
RpcExceptionFilter
NdrServerCallAll
MesIncrementalHandleReset
MesDecodeIncrementalHandleCreate
MesEncodeIncrementalHandleCreate
RpcServerListen
I_RpcMapWin32Status
NdrServerCall2

bcrypt

BCryptSecretAgreement
BCryptSetProperty
BCryptSignHash
BCryptDestroySecret
BCryptDeriveKey
BCryptImportKey
BCryptDecrypt
BCryptDuplicateKey
BCryptVerifySignature
BCryptGetProperty
BCryptKeyDerivation
BCryptCreateHash
BCryptEncrypt
BCryptHashData
BCryptDestroyHash
BCryptFinishHash
BCryptHash
BCryptDestroyKey
BCryptFinalizeKeyPair
BCryptGenerateKeyPair
BCryptOpenAlgorithmProvider
BCryptExportKey
BCryptCloseAlgorithmProvider
BCryptImportKeyPair
BCryptGenRandom
BCryptGenerateSymmetricKey

cryptdll

CDLocateCheckSum
CDLocateCSystem
CDGenerateRandomBits

cryptsp

SystemFunction011
SystemFunction009
SystemFunction007

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-memory-l1-1-0

VirtualProtect
VirtualAlloc
VirtualQuery

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
CloseThreadpoolTimer

Exports

Exports

__ImagePolicyMetadata

Sections

.text
Size: 219KB - Virtual size: 218KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 84KB - Virtual size: 83KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tPolicy
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

caeff74376f7e5556530aaf541d64cc3

Code Sign

33:00:00:04:5b:f6:31:bc:00:f4:fc:37:45:00:00:00:00:04:5bCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

46:fa:75:95:1c:58:ea:5b:cc:22:bf:3c:8a:60:37:ca:96:41:81:27:6d:a9:0d:9a:36:f5:9a:10:fc:1a:92:65Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

iumcrypt

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-eventing-obsolete-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-timezone-l1-1-0

kerbclientshared

ntlmshared

msasn1

iumbase

ntdll

rpcrt4

bcrypt

cryptdll

cryptsp

api-ms-win-core-debug-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-threadpool-l1-2-0

Exports

Exports

Sections

.text Size: 219KB - Virtual size: 218KB

.rdata Size: 84KB - Virtual size: 83KB

.data Size: 1KB - Virtual size: 5KB

.pdata Size: 8KB - Virtual size: 7KB

.tPolicy Size: 1KB - Virtual size: 1KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 3KB

33:00:00:04:5b:f6:31:bc:00:f4:fc:37:45:00:00:00:00:04:5b
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

46:fa:75:95:1c:58:ea:5b:cc:22:bf:3c:8a:60:37:ca:96:41:81:27:6d:a9:0d:9a:36:f5:9a:10:fc:1a:92:65
Signer

.text
Size: 219KB - Virtual size: 218KB

.rdata
Size: 84KB - Virtual size: 83KB

.data
Size: 1KB - Virtual size: 5KB

.pdata
Size: 8KB - Virtual size: 7KB

.tPolicy
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 3KB