photon[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

photon.exe
Size

2.7MB
MD5

4fb0d03881be27682eb77f500a5b13c7
SHA1

ec4786fe27ad4d1c6cca5720251c64c0f67e66b5
SHA256

f50e9c77de8d3a3b27cc31903d7b181f98045794323d1cb76fc1eda15f20ec09
SHA512

eff04bd58d3f51c656d9a20e22a44c1dde32455818bc51d7b922e2f159a2ecf475d423be3c4efdf72ae5cee770ee77d194cdc797ec46cd5726a18c2b1124b918
SSDEEP

49152:T+hFJx2rD99YGcemClxYhHXxz50ErvggS+lF0/PeZBWjPeZBW:Tz9MM2HXB8WBMWB

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
photon.exe

Files

photon.exe
.exe windows:6 windows x64 arch:x64

c5c7643e1289480eb2cacf523f089442

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\ollea\OneDrive\Skrivbord\PHOTON_EXTERNAL_2\x64\Release\photon.pdb

Imports

kernel32

GetModuleHandleW
QueryFullProcessImageNameW
FormatMessageA
LocalFree
EnterCriticalSection
LeaveCriticalSection
SleepEx
GetSystemDirectoryA
VerifyVersionInfoA
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
GetStdHandle
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
GetFileSizeEx
InitializeCriticalSectionEx
Process32Next
CreateFileW
Process32First
GetExitCodeProcess
SetUnhandledExceptionFilter
CheckRemoteDebuggerPresent
GetTickCount
QueryPerformanceCounter
CreateProcessA
DebugActiveProcess
LoadLibraryW
QueryPerformanceFrequency
GetLastError
WaitForSingleObject
CreateMutexA
GetProcessHeap
CreateFileMappingA
GetLocaleInfoEx
GetCurrentDirectoryW
CreateDirectoryW
FindClose
FindFirstFileW
FindFirstFileExW
FindNextFileW
GetFileAttributesW
GetFileAttributesExW
GetFullPathNameW
HeapSize
GetTempPathW
AreFileApisANSI
GetModuleFileNameW
GetFileInformationByHandleEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
UnhandledExceptionFilter
UnmapViewOfFile
HeapFree
HeapReAlloc
HeapAlloc
HeapDestroy
GlobalUnlock
OutputDebugStringA
GetCurrentProcess
SetLastError
LoadLibraryExA
VirtualAlloc
DeviceIoControl
VirtualFree
IsDebuggerPresent
OpenThread
DebugBreak
GetConsoleWindow
WideCharToMultiByte
GetCurrentProcessId
GetModuleFileNameA
ReadProcessMemory
GetProcAddress
GetThreadContext
CloseHandle
Process32FirstW
LoadLibraryA
GetCurrentThread
CreateFileA
Process32NextW
Sleep
MultiByteToWideChar
CreateToolhelp32Snapshot
OpenProcess
GetModuleHandleA
OpenFileMappingW
GetCurrentThreadId
VirtualProtect
GlobalLock
GlobalFree
GlobalAlloc
FreeLibrary
InitializeSListHead
GetSystemTimeAsFileTime
IsProcessorFeaturePresent
TerminateProcess
MapViewOfFile
CreateFileMappingW
CreateThread
DeleteCriticalSection
VerSetConditionMask
GetLocaleInfoA
SetFileInformationByHandle
lstrcmpiA
OutputDebugStringW

user32

MessageBoxA
ShowWindow
SendInput
ScreenToClient
GetClientRect
FindWindowW
GetAsyncKeyState
GetForegroundWindow
GetCursorPos
FindWindowA
LoadCursorA
GetKeyState
SetClipboardData
SetCursorPos
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
UpdateWindow
MonitorFromWindow
RegisterClassExA
GetCapture
ClientToScreen
SetWindowLongPtrA
PostQuitMessage
UnregisterClassA
GetWindowLongPtrA
GetMessageExtraInfo
TrackMouseEvent
GetKeyboardLayout
PeekMessageA
LoadIconA
TranslateMessage
ReleaseCapture
IsWindowUnicode
DispatchMessageA
SetProcessDPIAware
GetWindowRect
DestroyWindow
EqualRect
GetSystemMetrics
SetWindowLongA
SetWindowDisplayAffinity
GetMonitorInfoA
SetCursor
MoveWindow
SetCapture
DefWindowProcA
CreateWindowExA
SetLayeredWindowAttributes

gdi32

CreateSolidBrush

advapi32

GetTokenInformation
RegQueryValueExA
CryptEncrypt
CryptImportKey
CryptDestroyKey
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
ConvertSidToStringSidA
CopySid
SetSecurityInfo
GetUserNameA
IsValidSid
InitializeAcl
GetLengthSid
AddAccessAllowedAce
GetUserNameW
RegCreateKeyA
LookupPrivilegeValueW
AdjustTokenPrivileges
RegOpenKeyA
RegDeleteKeyA
RegSetValueExA
OpenProcessToken
RegCloseKey
RegOpenKeyExA

shell32

ShellExecuteA
SHGetFolderPathW

msvcp140

?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
?good@ios_base@std@@QEBA_NXZ
?_Xbad_function_call@std@@YAXXZ
_Thrd_id
_Thrd_join
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??Bios_base@std@@QEBA_NXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
?_Xinvalid_argument@std@@YAXPEBD@Z
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z
?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ
_Strxfrm
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?id@?$ctype@D@std@@2V0locale@2@A
?id@?$collate@D@std@@2V0locale@2@A
_Strcoll
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?tolower@?$ctype@D@std@@QEBAPEBDPEADPEBD@Z
?tolower@?$ctype@D@std@@QEBADD@Z
??1facet@locale@std@@MEAA@XZ
??0facet@locale@std@@IEAA@_K@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
?_Incref@facet@locale@std@@UEAAXXZ
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
??1_Locinfo@std@@QEAA@XZ
??0_Locinfo@std@@QEAA@PEBD@Z
?setf@ios_base@std@@QEAAHHH@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
_Thrd_detach
_Query_perf_counter
_Cnd_do_broadcast_at_thread_exit
?_Syserror_map@std@@YAPEBDH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Winerror_map@std@@YAHH@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?uncaught_exceptions@std@@YAHXZ
?_Throw_Cpp_error@std@@YAXH@Z
_Query_perf_frequency
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ

d3d11

D3D11CreateDeviceAndSwapChain

winmm

PlaySoundA

ntdll

RtlCaptureContext
RtlInitAnsiString
RtlInitUnicodeString
NtQuerySystemInformation
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlAnsiStringToUnicodeString

dbghelp

ImageDirectoryEntryToData
ImageNtHeader
ImageRvaToVa

d3dcompiler_43

D3DCompile

dwmapi

DwmExtendFrameIntoClientArea

imm32

ImmSetCompositionWindow
ImmSetCandidateWindow
ImmReleaseContext
ImmGetContext

shlwapi

PathFindFileNameW

rpcrt4

UuidToStringA
UuidCreate
RpcStringFreeA

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__current_exception
longjmp
memset
memmove
memcpy
memcmp
memchr
__intrinsic_setjmp
strstr
strchr
__std_terminate
__std_exception_copy
__std_exception_destroy
__C_specific_handler
__current_exception_context
_CxxThrowException
_local_unwind
strrchr

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo_noreturn
exit
_beginthreadex
system
strerror
__sys_nerr
_invalid_parameter_noinfo
_resetstkoflw
terminate
_getpid
abort
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__p___argc
_exit
_initterm_e
_initterm
_get_initial_narrow_environment
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_errno

api-ms-win-crt-heap-l1-1-0

malloc
_set_new_mode
calloc
_callnewh
free
realloc

api-ms-win-crt-utility-l1-1-0

rand
srand
qsort

api-ms-win-crt-time-l1-1-0

strftime
_localtime64_s
_localtime64
_time64
_gmtime64

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-string-l1-1-0

tolower
_stricmp
strncpy
strncmp
strcmp
strcspn
strspn
isupper
_strdup
strncpy_s
strpbrk
_wcsicmp

api-ms-win-crt-convert-l1-1-0

strtoull
strtoll
strtol
strtoul
atof
atoi
strtod
mbstowcs

api-ms-win-crt-stdio-l1-1-0

fputc
fflush
fclose
__stdio_common_vsprintf
_lseeki64
fgetc
__p__commode
__acrt_iob_func
feof
fputs
fopen
_write
_close
_open
_read
__stdio_common_vfprintf
_popen
_pclose
fgets
fwrite
fgetpos
setvbuf
ungetc
fsetpos
__stdio_common_vsscanf
_wfopen
fread
_fseeki64
fseek
ftell
_get_stream_buffer_pointers
_set_fmode

api-ms-win-crt-filesystem-l1-1-0

_unlink
_lock_file
_stat64
_unlock_file
_fstat64
_access

api-ms-win-crt-math-l1-1-0

__setusermatherr
ceilf
atan2f
acosf
cosf
fmodf
sqrtf
roundf
sinf
_dsign
powf

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
___lc_codepage_func
localeconv

ws2_32

getaddrinfo
accept
getsockopt
htons
sendto
select
__WSAFDIsSet
ioctlsocket
listen
gethostname
htonl
freeaddrinfo
ntohl
socket
setsockopt
closesocket
WSACleanup
ntohs
WSAStartup
recv
getsockname
send
getpeername
WSAIoctl
recvfrom
WSAGetLastError
connect
bind
WSASetLastError

normaliz

IdnToAscii

crypt32

CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore

wldap32

ord50
ord217
ord46
ord211
ord60
ord45
ord41
ord22
ord301
ord200
ord26
ord30
ord79
ord35
ord33
ord32
ord27
ord143

Sections

.text
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 830KB - Virtual size: 830KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 433KB - Virtual size: 439KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 62KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

c5c7643e1289480eb2cacf523f089442

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

gdi32

advapi32

shell32

msvcp140

d3d11

winmm

ntdll

dbghelp

d3dcompiler_43

dwmapi

imm32

shlwapi

rpcrt4

psapi

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

ws2_32

normaliz

crypt32

wldap32

Sections

.text Size: 1.4MB - Virtual size: 1.4MB

.rdata Size: 830KB - Virtual size: 830KB

.data Size: 433KB - Virtual size: 439KB

.pdata Size: 62KB - Virtual size: 61KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 1.4MB - Virtual size: 1.4MB

.rdata
Size: 830KB - Virtual size: 830KB

.data
Size: 433KB - Virtual size: 439KB

.pdata
Size: 62KB - Virtual size: 61KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 5KB - Virtual size: 5KB