CAUTION - MALICIOUS FILES TO REVIEW[.]zip

Resubmissions

10-06-2024 12:51

240610-p3xcvawbpc 3

10-06-2024 12:45

240610-py5teswenl 8

10-06-2024 12:41

240610-pwrh1svgrh 8

10-06-2024 12:23

240610-pklhmavcje 8

Sharing

Copy URL

Twitter E-mail

General

Target

CAUTION - MALICIOUS FILES TO REVIEW.zip
Size

2.4MB
MD5

04187078858ffc420e7c8cb82f006407
SHA1

cfdd305d9cf6e1522433d53d6367049dd52a8795
SHA256

947028d5cad78cfcbbbc48e62a5b5937cda7a3fefbf4beec9dd4f4b277122b00
SHA512

603133dce677e5970cc9fbf4f9581db3fccdb039a8b8efbcae409d7661cde05cd99568532d306e7b1ed74a838aa745566b4c8845626445e97acaa7730d4dea20
SSDEEP

49152:Y+PWrp91gs6twelxsm8oCP1lVnmaHaJn+ZC8JPm:Y+Od9ilOelxsm8NP1Hma6R+ZBPm

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
unpack001/JHvy.khXZ
unpack001/SAAE.exe

Files

CAUTION - MALICIOUS FILES TO REVIEW.zip
.zip
Deobfuscated Payload.ps1
.ps1
JHvy.khXZ
.dll windows:6 windows x86 arch:x86

1b5e77c58dce0e3a93fb3518fde72ee6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\Users\postman\Desktop\NZT\ProjectD_cpprest\CleanUp\Release\CleanUp.pdb

Imports

kernel32

WaitForMultipleObjects
TerminateThread
QueueUserAPC
SetEvent
SleepEx
GetSystemTimeAsFileTime
PostQueuedCompletionStatus
CreateIoCompletionPort
SetWaitableTimer
GetQueuedCompletionStatus
WaitForSingleObject
CreateWaitableTimerW
GetComputerNameW
GetModuleHandleW
GetProcAddress
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
CreateEventW
LocalFree
WideCharToMultiByte
FormatMessageW
FormatMessageA
GetLastError
CreateMutexW
GetModuleFileNameA
GetModuleHandleExA
ReadFile
GetStdHandle
WriteFile
ExitProcess
CreateProcessW
ExitThread
CloseHandle
TerminateProcess
OpenProcess
SetHandleInformation
CreatePipe
CreateThread
GetProcessHeap
HeapAlloc
WriteConsoleW
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
SetLastError
Sleep
GetCommandLineA
GetOEMCP
IsValidCodePage
FindFirstFileExW
GetTimeZoneInformation
SetStdHandle
GetFullPathNameW
GetCurrentDirectoryW
HeapSize
HeapReAlloc
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
GetConsoleOutputCP
FlushFileBuffers
SetFilePointerEx
GetFileSizeEx
HeapFree
GetModuleFileNameW
SetConsoleCtrlHandler
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetFileInformationByHandle
GetDriveTypeW
CreateFileW
FreeLibraryAndExitThread
LoadLibraryExW
InterlockedFlushSList
RtlUnwind
InitializeSListHead
GetStartupInfoW
IsDebuggerPresent
GetCurrentProcessId
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
GetCurrentThreadId
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
VirtualFree
SwitchToFiber
DeleteFiber
CreateFiberEx
GetSystemTime
SystemTimeToFileTime
FindClose
FindFirstFileW
FindNextFileW
MultiByteToWideChar
GetModuleHandleExW
GetSystemDirectoryA
FreeLibrary
LoadLibraryA
InitializeCriticalSection
ReleaseSemaphore
GetExitCodeThread
CreateSemaphoreA
GetEnvironmentVariableW
GetACP
GetFileType
ConvertFiberToThread
ConvertThreadToFiberEx
LoadLibraryW
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
GetStringTypeW
RaiseException
QueryPerformanceCounter
QueryPerformanceFrequency
InitializeCriticalSectionEx
GetLocaleInfoEx
EncodePointer
DecodePointer
LCMapStringEx
CompareStringEx
GetCPInfo
WakeAllConditionVariable
SleepConditionVariableSRW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
IsProcessorFeaturePresent
SetEndOfFile

crypt32

CertOpenStore
CertCloseStore
CertOpenSystemStoreW
CertGetCertificateContextProperty
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore

advapi32

CryptAcquireContextW
DeregisterEventSource
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptDestroyKey
CryptGenRandom
CryptReleaseContext
RegisterEventSourceW
ReportEventW
GetUserNameW

netapi32

NetUserGetInfo
DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory
NetApiBufferFree

iphlpapi

GetAdaptersAddresses

user32

MessageBoxW
GetUserObjectInformationW
GetProcessWindowStation

shell32

ShellExecuteExW

ws2_32

htons
htonl
sendto
recvfrom
getsockname
getpeername
send
recv
inet_ntop
connect
WSACleanup
inet_ntoa
freeaddrinfo
getaddrinfo
WSASocketW
WSASend
WSARecv
select
ioctlsocket
closesocket
WSAGetLastError
setsockopt
getsockopt
WSASetLastError
ntohs
gethostbyaddr
inet_addr
gethostbyname
getservbyport
getservbyname
shutdown
socket
WSAStartup

Exports

Exports

Test

Sections

.text
Size: 2.6MB - Virtual size: 2.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 651KB - Virtual size: 651KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 34KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 128KB - Virtual size: 127KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

code
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
SAAE.exe
.exe windows:10 windows x64 arch:x64

4db27267734d1576d75c991dc70f68ac

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

rundll32.pdb

Imports

msvcrt

_commode
__CxxFrameHandler3
_amsg_exit
_vsnwprintf
_unlock
__dllonexit
_onexit
?terminate@@YAXXZ
_fmode
__wgetmainargs
__set_app_type
exit
_wcmdln
_initterm
__setusermatherr
_cexit
_lock
_exit
_XcptFilter
free
_purecall
_wtoi
memcpy_s
__C_specific_handler
_callnewh
malloc
memset

api-ms-win-core-com-l1-1-0

CoRegisterClassObject
CoReleaseServerProcess
CoAddRefServerProcess
CoResumeClassObjects
CLSIDFromString
CoCreateInstance
CoInitializeEx
CoRevokeClassObject
CoUninitialize
CoWaitForMultipleHandles
CoInitializeSecurity

api-ms-win-core-file-l1-1-0

ReadFile
CreateFileW
SetFilePointer
GetFileAttributesW

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
GetProcAddress
GetModuleHandleExW
GetModuleHandleW
LoadStringW
LoadLibraryExW
GetModuleFileNameA

api-ms-win-core-wow64-l1-1-1

GetSystemWow64Directory2W
IsWow64Process2

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
Sleep

api-ms-win-core-synch-l1-1-0

AcquireSRWLockShared
CreateEventW
CreateMutexExW
ReleaseSemaphore
ReleaseSRWLockShared
WaitForSingleObject
OpenSemaphoreW
ReleaseSRWLockExclusive
WaitForSingleObjectEx
AcquireSRWLockExclusive
CreateSemaphoreExW
ReleaseMutex
SetEvent

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapSetInformation
HeapFree

api-ms-win-core-errorhandling-l1-1-0

SetErrorMode
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError
SetLastError

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
SearchPathW

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess
ExitProcess
CreateProcessW
TerminateProcess
GetStartupInfoW

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-winrt-error-l1-1-0

RoOriginateErrorW
RoOriginateError

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-console-l1-2-0

FreeConsole
AttachConsole

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-path-l1-1-0

PathCchAppend

api-ms-win-core-console-l1-1-0

WriteConsoleW

api-ms-win-core-string-l1-1-0

CompareStringW
WideCharToMultiByte

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-kernel32-private-l1-1-0

Wow64EnableWow64FsRedirection

api-ms-win-core-sidebyside-l1-1-0

QueryActCtxW
ReleaseActCtx
ActivateActCtx
CreateActCtxW
DeactivateActCtx

api-ms-win-downlevel-shlwapi-l1-1-0

PathIsRelativeW

api-ms-win-downlevel-shlwapi-l2-1-0

SHSetThreadRef

imagehlp

ImageDirectoryEntryToData

ntdll

NtClose
NtOpenProcessToken
RtlNtStatusToDosError
NtQueryInformationToken
RtlSetSearchPathMode
RtlWow64IsWowGuestMachineSupported
RtlImageNtHeader
NtQuerySystemInformation
NtSetInformationToken

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Sections

.text
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 264B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

1b5e77c58dce0e3a93fb3518fde72ee6

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

crypt32

advapi32

netapi32

iphlpapi

user32

shell32

ws2_32

Exports

Exports

Sections

.text Size: 2.6MB - Virtual size: 2.6MB

.rdata Size: 651KB - Virtual size: 651KB

.data Size: 34KB - Virtual size: 57KB

.rsrc Size: 512B - Virtual size: 248B

.reloc Size: 128KB - Virtual size: 127KB

code Size: 1.4MB - Virtual size: 1.4MB

4db27267734d1576d75c991dc70f68ac

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-com-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-wow64-l1-1-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-console-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-path-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-kernel32-private-l1-1-0

api-ms-win-core-sidebyside-l1-1-0

api-ms-win-downlevel-shlwapi-l1-1-0

api-ms-win-downlevel-shlwapi-l2-1-0

imagehlp

ntdll

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Sections

.text Size: 26KB - Virtual size: 26KB

.rdata Size: 13KB - Virtual size: 13KB

.data Size: 512B - Virtual size: 2KB

.pdata Size: 1KB - Virtual size: 1KB

.didat Size: 512B - Virtual size: 264B

.rsrc Size: 26KB - Virtual size: 25KB

.reloc Size: 512B - Virtual size: 256B

.text
Size: 2.6MB - Virtual size: 2.6MB

.rdata
Size: 651KB - Virtual size: 651KB

.data
Size: 34KB - Virtual size: 57KB

.rsrc
Size: 512B - Virtual size: 248B

.reloc
Size: 128KB - Virtual size: 127KB

code
Size: 1.4MB - Virtual size: 1.4MB

.text
Size: 26KB - Virtual size: 26KB

.rdata
Size: 13KB - Virtual size: 13KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 1KB - Virtual size: 1KB

.didat
Size: 512B - Virtual size: 264B

.rsrc
Size: 26KB - Virtual size: 25KB

.reloc
Size: 512B - Virtual size: 256B