StartDocked[.]dll

Sharing

Copy URL Twitter E-mail

General

Target

StartDocked.dll
Size

4.5MB
MD5

8997af5e8f0739352d69763af8ced997
SHA1

593b2439fbafb4744abf426c6ec2a140c2ffb141
SHA256

c52434f9b78047447a1bb86cba94becc2dd5dddfb08c3834c722f825ccea0fbd
SHA512

cc73a5272ea7a6aa4e7cb2d4921d87adeb96ac53dc862343c88a55a81afc63d930b63be7f3ce08dd33b8be1c333347096a872573d468adf3c0bae9d4f66194f3
SSDEEP

49152:TCD5tlSYDaopBT/oaX6SjV43HcDD5QWIzznHNkPSlHsudZBRPWYt8S+1hr:UflSJaF8

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
StartDocked.dll

Files

StartDocked.dll
.dll windows:10 windows x64 arch:x64

ddbf90648f936f9f62202443b01d5c98

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_APPCONTAINER
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

StartDocked.pdb

Imports

ntdll

RtlInitUnicodeString
NtQueryInformationToken
RtlFreeHeap
RtlVirtualUnwind
RtlGetDeviceFamilyInfoEnum
RtlNtStatusToDosErrorNoTeb
RtlCompareUnicodeString
RtlUnsubscribeWnfNotificationWaitForCompletion
NtQueryWnfStateData
RtlSubscribeWnfStateChangeNotification
RtlIsMultiSessionSku
RtlGetCurrentServiceSessionId
RtlCaptureContext
RtlPcToFileHeader
RtlIsMultiUsersInSessionSku
RtlAllocateHeap
RtlLookupFunctionEntry
RtlPublishWnfStateData

api-ms-win-downlevel-kernel32-l1-1-0

InterlockedPushEntrySList
InitOnceComplete
SwitchToThread
TrySubmitThreadpoolCallback
InitOnceBeginInitialize
IsDebuggerPresent
FormatMessageW
HeapAlloc
GetProcessHeap
GetLastError
GetProductInfo
SetLastError
HeapFree
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockShared
SetThreadpoolTimer
CreateThreadpoolTimer
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
WaitForSingleObjectEx
TerminateProcess
DebugBreak
GetModuleHandleW
GetProcAddress
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
SetEvent
CloseHandle
CreateEventExW
InitializeCriticalSection
OpenEventW
CloseThreadpoolWait
GetCurrentThreadId
CompareFileTime
ReadFile
GetFileSizeEx
ProcessIdToSessionId
GetCurrentThread
FreeLibrary
InitializeSListHead
DisableThreadLibraryCalls
CreateEventW
ResetEvent
InitializeCriticalSectionAndSpinCount
SetUnhandledExceptionFilter
UnhandledExceptionFilter
CompareStringEx
LCMapStringEx
EncodePointer
QueryPerformanceCounter
GetStringTypeW
MultiByteToWideChar
WideCharToMultiByte
TryAcquireSRWLockExclusive
InitializeSRWLock
SleepConditionVariableSRW
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
CreateThreadpoolWork
FreeLibraryWhenCallbackReturns
SubmitThreadpoolWork
CloseThreadpoolWork
IsProcessorFeaturePresent
InitOnceExecuteOnce
OutputDebugStringW
DecodePointer
WaitForThreadpoolWaitCallbacks
SetThreadpoolWait
CreateThreadpoolWait
GetCurrentProcessId
CreateMutexExW
OpenSemaphoreW
GetTickCount
ReleaseMutex
WaitForSingleObject
InitializeCriticalSectionEx
GetModuleHandleExW
ReleaseSemaphore
CreateSemaphoreExW
GetModuleFileNameA
GetSystemTimeAsFileTime
CompareStringOrdinal
FindStringOrdinal
CreateFileW
CreateThreadpoolIo
TryAcquireSRWLockShared
StartThreadpoolIo
ReadDirectoryChangesW
CancelThreadpoolIo
CancelIoEx
WaitForThreadpoolIoCallbacks
CloseThreadpoolIo

shcore

SHTaskPoolQueueTask
ord232
IsOS
ord230
ord123
SHTaskPoolGetUniqueContext
ord122
ord190
ord233

api-ms-win-core-registry-l1-1-0

RegGetValueW
RegCreateKeyExW
RegCloseKey
RegSetValueExW
RegNotifyChangeKeyValue
RegOpenKeyExW
RegDisablePredefinedCacheEx

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventActivityIdControl
EventRegister
EventSetInformation
EventUnregister

api-ms-win-core-com-l1-1-0

CoGetContextToken
PropVariantClear
CoCreateInstance
StringFromCLSID
CoGetObjectContext
CoGetApartmentType
CoCreateFreeThreadedMarshaler
CoTaskMemFree
CoTaskMemAlloc
CoCreateGuid
CoGetCallContext
CoTaskMemRealloc
StringFromGUID2

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
SetRestrictedErrorInfo
RoFailFastWithErrorContext

api-ms-win-ntuser-rectangle-l1-1-0

PtInRect
InflateRect
IntersectRect

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-appmodel-state-l1-2-0

CloseState
OpenStateExplicit
GetStateFolder

api-ms-win-core-path-l1-1-0

PathCchSkipRoot
PathAllocCombine

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringRawBuffer
WindowsGetStringLen
WindowsCreateStringReference
WindowsIsStringEmpty
WindowsDeleteString
WindowsConcatString
WindowsCompareStringOrdinal
WindowsDuplicateString
WindowsCreateString

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

api-ms-win-core-errorhandling-l1-1-0

RaiseException

api-ms-win-security-capability-l1-1-0

CapabilityCheck

api-ms-win-security-base-l1-1-0

ImpersonateLoggedOnUser
EqualSid
IsWellKnownSid
DuplicateTokenEx
GetTokenInformation

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetProcessId
OpenProcessToken
OpenThreadToken
SetThreadToken

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW
K32GetProcessMemoryInfo

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExA

wincorlib

?__abi_WinRTraiseFailureException@@YAXXZ
?__abi_WinRTraiseOperationCanceledException@@YAXXZ
?__abi_WinRTraiseNullReferenceException@@YAXXZ
?__abi_WinRTraiseInvalidCastException@@YAXXZ
?__abi_WinRTraiseNotImplementedException@@YAXXZ
??0Object@Platform@@QE$AAA@XZ
?Allocate@Heap@Details@Platform@@SAPEAX_K0@Z
?AllocateException@Heap@Details@Platform@@SAPEAX_K0@Z
?__abi_WinRTraiseOutOfMemoryException@@YAXXZ
?__abi_WinRTraiseInvalidArgumentException@@YAXXZ
?__abi_WinRTraiseOutOfBoundsException@@YAXXZ
??0NotImplementedException@Platform@@QE$AAA@XZ
??0DisconnectedException@Platform@@QE$AAA@XZ
??0Delegate@Platform@@QE$AAA@XZ
?__abi_WinRTraiseChangedStateException@@YAXXZ
?EventSourceInitialize@Details@Platform@@YAXPEAPEAX@Z
?EventSourceUninitialize@Details@Platform@@YAXPEAPEAX@Z
?EventSourceAdd@Details@Platform@@YA?AVEventRegistrationToken@Foundation@Windows@@PEAPEAXPEAUEventLock@12@PE$AAVDelegate@2@@Z
?EventSourceRemove@Details@Platform@@YAXPEAPEAXPEAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z
?EventSourceGetTargetArrayEvent@Details@Platform@@YAPEAXPEAXIPEBXPEA_J@Z
?EventSourceGetTargetArraySize@Details@Platform@@YAIPEAX@Z
?EventSourceGetTargetArray@Details@Platform@@YAPEAXPEAXPEAUEventLock@12@@Z
?GetWeakReference@Details@Platform@@YAPEAU__abi_IUnknown@@QE$ADVObject@2@@Z
?__abi_cast_String_to_Object@__abi_details@@YAPE$AAVObject@Platform@@PE$AAVString@3@@Z
??BType@Platform@@SA?AVTypeName@Interop@Xaml@UI@Windows@@PE$AAV01@@Z
?__abi_make_type_id@@YAPE$AAVType@Platform@@AEBU__abi_type_descriptor@@@Z
?__abi_WinRTraiseClassNotRegisteredException@@YAXXZ
?__abi_WinRTraiseWrongThreadException@@YAXXZ
?ResolveWeakReference@Details@Platform@@YAPE$AAVObject@2@AEBU_GUID@@PEAPEAU__abi_IUnknown@@@Z
?__abi_WinRTraiseDisconnectedException@@YAXXZ
?GetTypeCode@Type@Platform@@SA?AW4TypeCode@2@PE$AAV12@@Z
?CreateValue@Details@Platform@@YAPE$AAVObject@2@W4TypeCode@2@PEBX@Z
?GetIBoxVtable@Details@Platform@@YAPEAXPEAX@Z
?__abi_ObjectToString@__abi_details@@YAPE$AAVString@Platform@@PE$AAVObject@3@_N@Z
??0Rect@Foundation@Windows@@QEAA@VPoint@12@VSize@12@@Z
?get@FullName@Type@Platform@@QE$AAAPE$AAVString@3@XZ
?__abi_cast_Object_to_String@__abi_details@@YAPE$AAVString@Platform@@_NPE$AAVObject@3@@Z
??0OutOfMemoryException@Platform@@QE$AAA@XZ
??0FailureException@Platform@@QE$AAA@XZ
??0OutOfBoundsException@Platform@@QE$AAA@XZ
??0ChangedStateException@Platform@@QE$AAA@XZ
?GetIBoxArrayVtable@Details@Platform@@YAPEAXPEAX@Z
?InitializeData@Details@Platform@@YAJH@Z
?UninitializeData@Details@Platform@@YAXH@Z
?GetActivationFactoryByPCWSTR@@YAJPEAXAEAVGuid@Platform@@PEAPEAX@Z
?__abi_FailFast@@YAXXZ
?GetIidsFn@@YAJHPEAKPEBU__s_GUID@@PEAPEAVGuid@Platform@@@Z
?ReferenceEquals@Object@Platform@@SA_NPE$AAVString@2@0@Z
?Equals@ValueType@Platform@@QE$AAA_NPE$AAVObject@2@@Z
?ToString@Guid@Platform@@QEAAPE$AAVString@2@XZ
??0NullReferenceException@Platform@@QE$AAA@XZ
?ReCreateFromException@Details@Platform@@YAJPE$AAVException@2@@Z
??0FailureException@Platform@@QE$AAA@PE$AAVString@1@@Z
?CreateException@Exception@Platform@@SAPE$AAV12@H@Z
?GetType@Object@Platform@@QE$AAAPE$AAVType@2@XZ
?ReleaseInContextImpl@Details@Platform@@YAJPEAUIUnknown@@0@Z
?GetObjectContext@Details@Platform@@YAPEAUIUnknown@@XZ
?GetProxyImpl@Details@Platform@@YAJPEAUIUnknown@@AEBU_GUID@@0PEAPEAU3@@Z
?GetActivationFactory@Details@Platform@@YAJPEAVModuleBase@1WRL@Microsoft@@PEAUHSTRING__@@PEAPEAUIActivationFactory@@@Z
?TerminateModule@Details@Platform@@YA_NPEAVModuleBase@1WRL@Microsoft@@@Z
?ReCreateException@Exception@Platform@@SAPE$AAV12@H@Z
?get@Message@Exception@Platform@@QE$AAAPE$AAVString@3@XZ
?__abi_WinRTraiseObjectDisposedException@@YAXXZ
?__abi_WinRTraiseCOMException@@YAXJ@Z
?CreateException@Exception@Platform@@SAPE$AAV12@HPE$AAVString@2@@Z
??0InvalidArgumentException@Platform@@QE$AAA@XZ
?Equals@Object@Platform@@QE$AAA_NPE$AAV12@@Z
??0InvalidArgumentException@Platform@@QE$AAA@PE$AAVString@1@@Z
?Free@Heap@Details@Platform@@SAXPEAX@Z
?__abi_WinRTraiseAccessDeniedException@@YAXXZ
?ReleaseTarget@ControlBlock@Details@Platform@@AEAAXXZ
?AlignedFree@Heap@Details@Platform@@SAXPEAX@Z
?Allocate@Heap@Details@Platform@@SAPEAX_K@Z

api-ms-win-crt-string-l1-1-0

memset
wcsnlen
wcslen

api-ms-win-crt-locale-l1-1-0

_unlock_locales
_lock_locales

api-ms-win-crt-private-l1-1-0

__CxxFrameHandler4
wcsstr
wcsrchr
strchr
wcschr
__CxxFrameHandler3
_CxxThrowException
__current_exception
__AdjustPointer
__GetPlatformExceptionInfo
__uncaught_exception
__C_specific_handler
_o_wcstol
__current_exception_context
memcmp
_o_wcstod
_o_towupper
_o_towlower
_o_terminate
_o_setlocale
memcpy
__std_terminate
_o_round
_o____lc_codepage_func
_o____lc_collate_cp_func
_o____lc_locale_name_func
_o____mb_cur_max_func
_o___pctype_func
_o___std_exception_copy
_o___std_exception_destroy
_o___std_type_info_destroy_list
_o___stdio_common_vsnprintf_s
_o___stdio_common_vswprintf
_o__callnewh
_o__calloc_base
_o__cexit
_o__configure_narrow_argv
_o__crt_atexit
_o__errno
_o__execute_onexit_table
_o__free_base
_o__get_errno
_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__malloc_base
memmove
_o__purecall
_o__register_onexit_function
_o__seh_filter_dll
_o__set_errno
_o__wcsdup
_o_abort
_o_ceilf
_o_floor
_o_floorf
_o_free
_o_iswspace
_o_malloc
_o_pow
_o_realloc

api-ms-win-core-winrt-error-l1-1-1

RoReportUnhandledError

combase

SetErrorInfo
GetErrorInfo
ord157
ord90

starttiledata

TryMigrateTDLData
HasMigratedTDLData

api-ms-win-core-sysinfo-l1-2-0

GetSystemTimePreciseAsFileTime

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-appmodel-runtime-l1-1-0

GetCurrentPackageFullName

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e

oleaut32

SysAllocString
SysStringLen
SysFreeString

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory

Sections

.text
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 879KB - Virtual size: 879KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 188KB - Virtual size: 197KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 233KB - Virtual size: 232KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 344B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1000B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ddbf90648f936f9f62202443b01d5c98

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

api-ms-win-downlevel-kernel32-l1-1-0

shcore

api-ms-win-core-registry-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-ntuser-rectangle-l1-1-0

api-ms-win-core-largeinteger-l1-1-0

api-ms-win-core-registry-l1-1-1

api-ms-win-appmodel-state-l1-2-0

api-ms-win-core-path-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-security-capability-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

wincorlib

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

combase

starttiledata

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-heap-l2-1-0

api-ms-win-appmodel-runtime-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-crt-runtime-l1-1-0

oleaut32

api-ms-win-core-libraryloader-l1-2-1

Exports

Exports

Sections

.text Size: 3.2MB - Virtual size: 3.2MB

.rdata Size: 879KB - Virtual size: 879KB

.data Size: 188KB - Virtual size: 197KB

.pdata Size: 233KB - Virtual size: 232KB

.didat Size: 512B - Virtual size: 344B

.rsrc Size: 1024B - Virtual size: 1000B

.reloc Size: 49KB - Virtual size: 49KB

.text
Size: 3.2MB - Virtual size: 3.2MB

.rdata
Size: 879KB - Virtual size: 879KB

.data
Size: 188KB - Virtual size: 197KB

.pdata
Size: 233KB - Virtual size: 232KB

.didat
Size: 512B - Virtual size: 344B

.rsrc
Size: 1024B - Virtual size: 1000B

.reloc
Size: 49KB - Virtual size: 49KB