4f1117a980b9409249384533c60c444811b4032b4d2e355a04828ad0d13e28bb

Sharing

Copy URL Twitter E-mail

General

Target

4f1117a980b9409249384533c60c444811b4032b4d2e355a04828ad0d13e28bb
Size

85KB
MD5

5be1051393f66a812f66c0b79021e493
SHA1

06eca1c12ec2267caee6b4bd4ad7452adce23b42
SHA256

4f1117a980b9409249384533c60c444811b4032b4d2e355a04828ad0d13e28bb
SHA512

d6d299ddddd5b494b893575b6a21c092abe14a4d9382b540b76f4e21d21ba0a3b6fb8e7c242dd8f7b4456d4cf1a221316fa57166a170e61123cfbeb3e9cb2512
SSDEEP

1536:Vq8CTi8nGkS3b149Zoj0Lci7HQPElZtvpyU2n86gLZ0SXnCU6qF:0lTlSL14PW8ci7HQPEljvpE8dSS3CU6M

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
4f1117a980b9409249384533c60c444811b4032b4d2e355a04828ad0d13e28bb

Files

4f1117a980b9409249384533c60c444811b4032b4d2e355a04828ad0d13e28bb
.exe windows:6 windows x64 arch:x64

a980ddbccf67577fa2a48b945092a589

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

E:\workdir\Patches\NX2212_9100_Delta\wntx64\pdb\tcin_clone___170113365364.pdb

Imports

libugmr

?UGMGR_ask_change_management_enabled@@YA_NW4UGMGR_application_type@@_N@Z
?PopulateChangeNoticeMaps@PdmCopyOrEditOperationBuilder@PDM@UGS@@QEAAX_N0@Z
?ExecuteDryRun@PdmCopyOrEditOperationBuilder@PDM@UGS@@QEAAHXZ
?CreatePdmCopyOrEditOperationObjects@PdmCopyOrEditOperationBuilder@PDM@UGS@@QEAAXPEAV?$vector@PEAVMethodicObject@OM@UGS@@V?$SMAlloc@PEAVMethodicObject@OM@UGS@@@Memory@3@@std@@@Z
?SetDefaultOwningGroup@PdmCopyOrEditOperationBuilder@PDM@UGS@@QEAAXAEBVUString@3@@Z
?SetDefaultOwningUser@PdmCopyOrEditOperationBuilder@PDM@UGS@@QEAAXAEBVUString@3@@Z
?SetOutputLogFile@PdmCopyOrEditOperationBuilder@PDM@UGS@@QEAAXAEBVUString@3@@Z
?SetRenumberStr@PdmCopyOrEditOperationBuilder@PDM@UGS@@QEAAXAEBVUString@3@@Z
?SetReplaceWithStr@PdmCopyOrEditOperationBuilder@PDM@UGS@@QEAAXAEBVUString@3@@Z
?SetStringToReplace@PdmCopyOrEditOperationBuilder@PDM@UGS@@QEAAXAEBVUString@3@@Z
?SetSuffixStr@PdmCopyOrEditOperationBuilder@PDM@UGS@@QEAAXAEBVUString@3@@Z
?SetPrefixStr@PdmCopyOrEditOperationBuilder@PDM@UGS@@QEAAXAEBVUString@3@@Z
?UGMGR_macro_ended@@YAXXZ
?UGMGR_macro_started@@YAXXZ
?UGMGR_end_collecting_stats@@YAXXZ
?UGMGR_start_collecting_stats@@YAXXZ
?Stop@UGMGRFunctionTimer@UGS@@QEAAXXZ
??1UGMGRFunctionTimer@UGS@@QEAA@XZ
??0UGMGRFunctionTimer@UGS@@QEAA@PEBD@Z
?IsItemTypeVisible@PartOperationBuilderUtils@PDM@UGS@@SA_NAEBVUString@3@W4Operation@ITcTypes@Session@DataManagement@3@_N2W4JA_FILE_NEW_template_type@@@Z
?SetDefaultDestinationFolder@PartOperationBuilder@PDM@UGS@@QEAAXAEBVUString@3@@Z
?GetOperationFailures@PartOperationBuilder@PDM@UGS@@QEAAPEAUERROR_LIST_s@@XZ
?GetWarningMessages@ErrorMessageHandler@PDM@UGS@@QEAA?AV?$vector@VUString@UGS@@V?$SMAlloc@VUString@UGS@@@Memory@2@@std@@XZ
?UGMGR__list_idcontexts@@YA_NPEBDPEAHAEAV?$vector@V?$SharedPtr@VIPropertyTitle@Core@Model@DataManagement@UGS@@@Memory@UGS@@V?$SMAlloc@V?$SharedPtr@VIPropertyTitle@Core@Model@DataManagement@UGS@@@Memory@UGS@@@23@@std@@@Z
?UGMGR_list_id_types@@YAHPEBD0PEAHPEAPEAPEAD@Z

libdman

?UNDO_UG_ask_mark_exist@@YAHHPEBD@Z
?UNDO_UG_delete_mark@@YAHHPEBD@Z
?UNDO_UG_set_mark@@YAHW4UNDO_UG_user_visibility_t@@PEBDPEAH@Z

libpart

?UPDATE_delete_objects_immediately@@YAXHPEAPEAVMethodicObject@OM@UGS@@@Z
?ERROR_INFO_get_error_object_tag@@YAIPEBUERROR_INFO_s@@@Z
?ERROR_INFO_get_error_code@@YAHPEBUERROR_INFO_s@@@Z
?ERROR_LIST_get_node_const@@YAPEBUERROR_INFO_s@@PEBUERROR_LIST_s@@H@Z
?ERROR_LIST_get_length@@YAHPEBUERROR_LIST_s@@@Z

libsyss

?ThisClassId@Object@OM@UGS@@2AEAHEA
?ThisClassId@MethodicObject@OM@UGS@@2AEAHEA
?ThisClassId@TaggedObject@OM@UGS@@2AEAHEA
?ThisClassId@Set@OM@UGS@@2AEAHEA
??RUStringFormatter@UGS@@QEAAAEAV01@PEBD@Z
?MACH__checking_level@@3HA
?ERROR_set_assertion_handler@@YAP6A?AW4ERROR_assertion_option_t@@PEBDH0@ZP6A?AW41@0H0@Z@Z
??RUStringFormatter@UGS@@QEAAAEAV01@H@Z
??1UStringFormatter@UGS@@QEAA@XZ
??BUStringFormatter@UGS@@QEBA?AVUString@1@XZ
??0UStringFormatter@UGS@@QEAA@PEBD@Z
?SYSS_fprintf@System@UGS@@YAHPEAU_iobuf@@PEBDZZ
??RUStringFormatter@UGS@@QEAAAEAV01@AEBVUString@1@@Z
?IsSet@EnvironmentVariable@System@UGS@@QEBA_NXZ
??1EnvironmentVariable@System@UGS@@QEAA@XZ
??0EnvironmentVariable@System@UGS@@QEAA@PEBD@Z
?ERROR_protect_main@@YAHP6AHHPEAPEAD@ZH0@Z
?nat110@@YAPEADPEBD@Z
?ARG_init_module@@YAXHPEAPEAD@Z
?ARG_get_switch@@YAPEBDPEBDHPEAH@Z
?ARG_get_argv@@YAXPEAHPEAPEAPEAD@Z
?allocate@CppMemory@Memory@UGS@@SAPEAX_K@Z
?free@CppMemory@Memory@UGS@@SAXPEAX@Z
?allocate@SharedPtrCountedBase@Memory@UGS@@CAPEAX_K@Z
?free@SharedPtrCountedBase@Memory@UGS@@CAXPEAX@Z
?askCode@Exception@Error@UGS@@QEBAHXZ
?ToUString@UStringBuilder@UGS@@QEBA?AVUString@2@XZ
?STR_strcpy@@YAPEADPEADPEBD_K@Z
?STR_strncpy@@YAPEADPEADPEBD_K@Z
?STR_make_lc@@YAXPEAD@Z
??ROmNoOpDeleter@Memory@UGS@@QEBAXPEBX@Z
?GetUString@Utf8String@OM@UGS@@QEBA?AVUString@3@XZ
?Localize@L10N@System@UGS@@YAPEBDPEBD000P6AX00000@Z@Z
?CFI_ask_file_exist@@YAHPEBD@Z
?CFI_create_unique_filename_nouser@@YAHPEAPEAD@Z
?GetChars@String@OM@UGS@@QEBAPEBDXZ
?TagToTypedPointer@OM@UGS@@YAPEAXIH@Z
?OM_assert_ptr_class@@YAXPEBXH@Z
?IsOfClass@Object@OM@UGS@@QEBA_NH@Z
?OM_ask_object_tag@@YAIPEBX@Z
?OM__delete_utf8_string@@YAXPEAVUtf8String@OM@UGS@@@Z
?OM_create_utf8_string@@YAPEAVUtf8String@OM@UGS@@PEBD@Z
?IsSubClass@OM@UGS@@YA_NHH@Z
?OM__log@OM@UGS@@YAHPEAVObject@12@@Z
?SM_free_string_array@@YAXPEAPEADH@Z
?SM_string_ncopy@@YAPEADPEBDH@Z
?SM_string_copy@@YAPEADPEBD@Z
?SM_alloc@@YAPEAX_K0@Z
?SM_free@@YAXPEAX@Z
?ERROR_raise@@YAXPEBDHH@Z
?ERROR_raise@@YAXPEBDHH0ZZ
?ERROR_decode@@YAPEADH@Z
??8UGS@@YA_NAEBVUString@0@0@Z
?split@UString@UGS@@QEBAXDAEAV?$vector@VUString@UGS@@V?$SMAlloc@VUString@UGS@@@Memory@2@@std@@@Z
?equal_i@UString@UGS@@QEBA_NPEBD@Z
?starts_with@UString@UGS@@QEBA_NAEBV12@@Z
??4UString@UGS@@QEAAAEAV01@$$QEAV01@@Z
?append@UString@UGS@@QEAAAEAV12@AEBV12@@Z
?append@UString@UGS@@QEAAAEAV12@PEBD@Z
?assign@UString@UGS@@QEAAAEAV12@AEBV12@@Z
?empty@UString@UGS@@QEBA_NXZ
?utf8_str@UString@UGS@@QEBAPEBDXZ
?format@UString@UGS@@SA?AVUStringFormatter@2@PEBD@Z
??1UString@UGS@@QEAA@XZ
??0UString@UGS@@QEAA@PEBUTEXT_s@@@Z
?from_locale@UString@UGS@@SA?AV12@PEBD@Z
??0UString@UGS@@QEAA@PEBD@Z
??0UString@UGS@@QEAA@$$QEAV01@@Z
??0UString@UGS@@QEAA@AEBV01@@Z
??0UString@UGS@@QEAA@XZ
??3UString@UGS@@SAXPEAX@Z
?ERROR_ask_last_failure_code@@YAHXZ
??1Severe@Error@UGS@@UEAA@XZ
?Convert@Severe@Error@UGS@@QEAAAEBVException@23@AEBVexception@std@@@Z
??0Severe@Error@UGS@@QEAA@XZ
?Rethrow@Exception@Error@UGS@@QEBAXXZ

libccov

CCOV_print_subprocess_cov
CCOV_reset_statistics

libufunx

?UFX_UGMGR_initialize@@YAHHPEAPEBD@Z
?UFX_is_ugmanager_active@@YAHPEA_N@Z
?UFX_initialize@@YAHXZ
?UFX_get_fail_message@@YAHHQEAD@Z
?UFX_UGMGR_terminate@@YAHXZ

libufun

UF_ASSEM_set_assem_options
UF_ASSEM_ask_assem_options
UF_UGMGR_set_config_rule
UF_print_syslog
UF_get_fail_message
UF_allocate_memory
UF_free
UF_CLONE_get_key
UF_CLONE_base_64_to_bytes
UF_CLONE_decode
UF_CLONE_load_crypt

libdmservices

?ThisClassId@LogicalObject@PreCreation@DataManagement@UGS@@2AEAHEA

libjam

?GetUnjournalledInterface@ClassInitializer@JAM@UGS@@SAPEAVIJAInterface@23@PEBD@Z
?GetJournalledInterface@ClassInitializer@JAM@UGS@@SAPEAVIJAInterface@23@PEBD@Z

libassy

?ThisClassId@PdmCopyOrEditOperationObject@Assy@UGS@@2AEAHEA
?PdmCopyOrEditOperationObjectClassId@Assy@UGS@@3HA

msvcp140

?_W_Getmonths@_Locinfo@std@@QEBAPEBGXZ
?_W_Getdays@_Locinfo@std@@QEBAPEBGXZ
?_Xbad_alloc@std@@YAXXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ
_Mbrtowc

vcruntime140

_purecall
strchr
__std_type_info_compare
_CxxThrowException
__std_type_info_destroy_list
__RTDynamicCast
memcpy
memmove
memset
__current_exception
__current_exception_context
__C_specific_handler
__std_terminate

vcruntime140_1

__CxxFrameHandler4

api-ms-win-crt-heap-l1-1-0

_set_new_mode
calloc
free

api-ms-win-crt-runtime-l1-1-0

terminate
_register_onexit_function
_execute_onexit_table
_crt_atexit
exit
_initialize_narrow_environment
_cexit
_seh_filter_exe
_set_app_type
_configure_narrow_argv
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
_crt_at_quick_exit
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
_initialize_onexit_table
_seh_filter_dll

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vfprintf
__stdio_common_vsprintf
__acrt_iob_func
_set_fmode
__p__commode

api-ms-win-crt-string-l1-1-0

strcspn

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

kernel32

RtlLookupFunctionEntry
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
CloseHandle
RtlCaptureContext
GetProcAddress
GetModuleHandleW
CreateEventW
WaitForSingleObjectEx
ResetEvent
SetEvent
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection

Exports

Exports

?NXSigningResource@@YAXXZ

Sections

.text
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 33KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a980ddbccf67577fa2a48b945092a589

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

libugmr

libdman

libpart

libsyss

libccov

libufunx

libufun

libdmservices

libjam

libassy

msvcp140

vcruntime140

vcruntime140_1

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

kernel32

Exports

Exports

Sections

.text Size: 46KB - Virtual size: 45KB

.rdata Size: 33KB - Virtual size: 32KB

.data Size: 2KB - Virtual size: 2KB

.pdata Size: 2KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 896B

.reloc Size: 512B - Virtual size: 252B

.text
Size: 46KB - Virtual size: 45KB

.rdata
Size: 33KB - Virtual size: 32KB

.data
Size: 2KB - Virtual size: 2KB

.pdata
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 896B

.reloc
Size: 512B - Virtual size: 252B