malware[.]zip | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

malware.zip
Size

3.1MB
MD5

7bdd30d4c75bb2a80d31f197b4056d67
SHA1

083a32b09c978cd0b011b37bc4b0d3095528230d
SHA256

378860cd6fceb7ff0a1f143ca6225977896c4dbc053880549628204e87fae31f
SHA512

4d7d68c154893a2151611fdd46669142f8521c90cc856f294eb2d446150fc7480c6edfb50f962cf62859c25ceafb03321aa6267f983bcb763586a23ca43a164a
SSDEEP

98304:Tv8/wvWL6QFCshB2HnV3Zb10Dvtr91ymuwv:TvmaW/CshBIF4DvtZ4mxv

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/d9a24f5c62928dd9f5900b4a9d8ce9e09b73509bc75537c223532ebf8c22e76d

Files

malware.zip
.zip
__MACOSX/._d9a24f5c62928dd9f5900b4a9d8ce9e09b73509bc75537c223532ebf8c22e76d
__MACOSX/._idmtdi.sys
d9a24f5c62928dd9f5900b4a9d8ce9e09b73509bc75537c223532ebf8c22e76d
.exe windows:5 windows x64 arch:x64

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

"kR
Size: - Virtual size: 11.3MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

b>bbb
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

�bb�*
Size: 78KB - Virtual size: 80KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
idmtdi.sys
.sys windows:10 windows x64 arch:x64

ce10082e1aa4c1c2bd953b4a7208e56a

Code Sign

21:d7:90:a5:7a:f2:44:f3:1a:6f:2e:e4:0e:dc:2b:c9
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

19-01-2015 00:00

Not After

19-01-2016 23:59

Subject

CN=上海易考达信息咨询有限公司,O=上海易考达信息咨询有限公司,L=上海,ST=上海,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:19:93:e4:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22-02-2011 19:25

Not After

22-02-2021 19:35

Subject

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

8d:04:65:65:6a:74:2c:fa:e0:ea:fa:c3:bf:30:1b:b5:5d:a9:e6:91
Signer

Actual PE Digest

8d:04:65:65:6a:74:2c:fa:e0:ea:fa:c3:bf:30:1b:b5:5d:a9:e6:91

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

KeInitializeEvent
ExAllocatePool
NtQuerySystemInformation
ExFreePoolWithTag
IoAllocateMdl
MmProbeAndLockPages
MmMapLockedPagesSpecifyCache
MmUnlockPages
IoFreeMdl
KeQueryActiveProcessors
KeSetSystemAffinityThread
KeRevertToUserAffinityThread
DbgPrint

hal

HalReturnToFirmware
KeQueryPerformanceCounter

Sections

.text
Size: - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 408B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.gYm
Size: - Virtual size: 1018KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.5)?
Size: 1024B - Virtual size: 640B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.TOP
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 900B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Headers

File Characteristics

Sections

"kR Size: - Virtual size: 11.3MB

b>bbb Size: 1.3MB - Virtual size: 1.3MB

�b b�* Size: 78KB - Virtual size: 80KB

ce10082e1aa4c1c2bd953b4a7208e56a

Code Sign

21:d7:90:a5:7a:f2:44:f3:1a:6f:2e:e4:0e:dc:2b:c9Certificate

Extended Key Usages

Key Usages

61:19:93:e4:00:00:00:00:00:1cCertificate

Key Usages

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7Certificate

Extended Key Usages

Key Usages

8d:04:65:65:6a:74:2c:fa:e0:ea:fa:c3:bf:30:1b:b5:5d:a9:e6:91Signer

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

hal

Sections

.text Size: - Virtual size: 9KB

.rdata Size: - Virtual size: 1KB

.data Size: - Virtual size: 120B

.pdata Size: - Virtual size: 408B

INIT Size: - Virtual size: 1KB

.gYm Size: - Virtual size: 1018KB

.5)? Size: 1024B - Virtual size: 640B

.TOP Size: 2.0MB - Virtual size: 2.0MB

.reloc Size: 512B - Virtual size: 88B

.rsrc Size: 1024B - Virtual size: 900B

"kR
Size: - Virtual size: 11.3MB

b>bbb
Size: 1.3MB - Virtual size: 1.3MB

�bb�*
Size: 78KB - Virtual size: 80KB

21:d7:90:a5:7a:f2:44:f3:1a:6f:2e:e4:0e:dc:2b:c9
Certificate

61:19:93:e4:00:00:00:00:00:1c
Certificate

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

8d:04:65:65:6a:74:2c:fa:e0:ea:fa:c3:bf:30:1b:b5:5d:a9:e6:91
Signer

.text
Size: - Virtual size: 9KB

.rdata
Size: - Virtual size: 1KB

.data
Size: - Virtual size: 120B

.pdata
Size: - Virtual size: 408B

INIT
Size: - Virtual size: 1KB

.gYm
Size: - Virtual size: 1018KB

.5)?
Size: 1024B - Virtual size: 640B

.TOP
Size: 2.0MB - Virtual size: 2.0MB

.reloc
Size: 512B - Virtual size: 88B

.rsrc
Size: 1024B - Virtual size: 900B