usermode[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

usermode.exe
Size

934KB
MD5

3cdef424be01c7f0ed9093f2c655d180
SHA1

0199518ffef1485d25f2f26f747d03bd47e94acb
SHA256

dbebd79227ff06281e9037e0996a879818bb9ff2a4136fa347d45c0e8275f6ba
SHA512

3aeccecba3ea8669d791e42fa94e162ab47e8656059944c1771bea6735850db2e04b15f6bbcbe537455972592dfbd04a8f8a28dd1d5d7ae30749375c2878c3a7
SSDEEP

12288:4EWorx21Ujzkn5WQd+HN3YPy3LmQHybCzSYw0m84qWIKxtF70q7nYdze:4r1wHt8yKQSuxw0m7qMxwq7nYhe

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
usermode.exe

Files

usermode.exe
.exe windows:6 windows x64 arch:x64

Password: 1

f6b65008c7a12fa0dae4b7f97d9a9938

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Corleone\Desktop\ORQURRR\build\usermode\usermode.pdb

Imports

d3d9

Direct3DCreate9Ex

kernel32

GetFileInformationByHandleEx
GetFileAttributesExW
OutputDebugStringW
FindFirstFileW
GetProcessHeap
GetCurrentProcessId
FindClose
CreateDirectoryW
GetCurrentDirectoryW
GetLocaleInfoEx
GetProcAddress
GetThreadContext
InitializeSListHead
HeapSetInformation
CreateThread
K32GetModuleBaseNameA
GetSystemTimeAsFileTime
CloseHandle
Process32Next
LoadLibraryA
GetCurrentThread
GetLastError
Sleep
CreateToolhelp32Snapshot
GetModuleHandleA
GetCurrentThreadId
CreateFileW
Thread32First
Thread32Next
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
AreFileApisANSI
CheckRemoteDebuggerPresent
IsDebuggerPresent
OpenThread
GetTickCount
K32EnumProcessModules
UnhandledExceptionFilter
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
WideCharToMultiByte
GetFileSizeEx
CreateFileA
WaitForMultipleObjects
PeekNamedPipe
ReadFile
GetFileType
GetStdHandle
GetEnvironmentVariableA
MultiByteToWideChar
WaitForSingleObjectEx
MoveFileExA
VerifyVersionInfoA
FreeLibrary
GetSystemDirectoryA
SleepEx
LeaveCriticalSection
EnterCriticalSection
LocalFree
FormatMessageA
QueryFullProcessImageNameW
HeapDestroy
HeapAlloc
HeapReAlloc
lstrcmpiA
VirtualAlloc
DeviceIoControl
OutputDebugStringA
GetCurrentProcess
VirtualFree
SetLastError
VirtualProtect
Process32First
QueryPerformanceCounter
QueryPerformanceFrequency
GlobalUnlock
GlobalLock
GlobalFree
GlobalAlloc
GetModuleFileNameW
GetModuleHandleW
HeapFree
HeapSize
InitializeCriticalSectionEx
DeleteCriticalSection
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetModuleFileNameA

user32

DestroyWindow
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
GetCursorPos
SetCursorPos
GetClientRect
SetCursor
ClientToScreen
GetActiveWindow
ScreenToClient
LoadCursorA
GetKeyState
SendInput
UpdateWindow
RegisterClassExA
MessageBoxA
FindWindowA
GetDesktopWindow
PeekMessageA
LoadIconA
mouse_event
TranslateMessage
SetLayeredWindowAttributes
CreateWindowExA
DefWindowProcA
GetForegroundWindow
BlockInput
SetWindowLongA
GetAsyncKeyState
ShowWindow
GetSystemMetrics
GetWindow
DispatchMessageA
GetWindowRect
SetWindowPos
SetClipboardData

advapi32

CopySid
GetLengthSid
InitializeAcl
IsValidSid
SetSecurityInfo
ConvertSidToStringSidA
CryptAcquireContextA
CryptReleaseContext
GetTokenInformation
OpenProcessToken
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptEncrypt
CryptImportKey
CryptDestroyKey
AddAccessAllowedAce

imm32

ImmGetContext
ImmReleaseContext
ImmSetCompositionWindow

msvcp140

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?fail@ios_base@std@@QEBA_NXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??7ios_base@std@@QEBA_NXZ
?setf@ios_base@std@@QEAAHHH@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Winerror_map@std@@YAHH@Z
?_Xbad_function_call@std@@YAXXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Random_device@std@@YAIXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Syserror_map@std@@YAPEBDH@Z
_Query_perf_counter
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z

ntdll

RtlCaptureContext
VerSetConditionMask
RtlLookupFunctionEntry
RtlVirtualUnwind

dwmapi

DwmExtendFrameIntoClientArea

normaliz

IdnToAscii

wldap32

ord50
ord45
ord32
ord33
ord41
ord211
ord46
ord217
ord143
ord35
ord60
ord79
ord30
ord27
ord26
ord22
ord200
ord301

crypt32

CertCreateCertificateChainEngine
CryptQueryObject
CertFreeCertificateChainEngine
CertGetCertificateChain
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CertOpenStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertFreeCertificateChain

ws2_32

accept
closesocket
recv
send
WSAGetLastError
bind
connect
getpeername
getsockname
getsockopt
htons
ntohs
setsockopt
socket
WSASetLastError
WSAIoctl
WSAStartup
WSACleanup
gethostname
htonl
listen
ioctlsocket
__WSAFDIsSet
select
ntohl
getaddrinfo
freeaddrinfo
sendto
recvfrom

shlwapi

PathFindFileNameW

rpcrt4

UuidCreate
RpcStringFreeA
UuidToStringA

psapi

GetModuleInformation

userenv

UnloadUserProfile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_terminate
strstr
strchr
__std_exception_destroy
__std_exception_copy
_CxxThrowException
memchr
memcmp
memcpy
memmove
memset
strrchr
__C_specific_handler
__current_exception_context
__current_exception

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsprintf_s
__stdio_common_vfprintf
__acrt_iob_func
fwrite
_read
_lseeki64
_wfopen
_write
__stdio_common_vsprintf
fread
fflush
feof
__p__commode
fopen
__stdio_common_vsscanf
_close
_open
fseek
fclose
fputc
fgetc
ftell
_popen
_pclose
fgets
_get_stream_buffer_pointers
fputs
_fseeki64
fsetpos
ungetc
_set_fmode
setvbuf
fgetpos

api-ms-win-crt-string-l1-1-0

_stricmp
_strdup
isupper
strspn
isprint
strncmp
strncpy
strpbrk
tolower
strcmp
strcspn

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-heap-l1-1-0

calloc
_set_new_mode
realloc
malloc
_callnewh
free

api-ms-win-crt-convert-l1-1-0

strtoull
atoi
strtod
strtoul
strtol
strtoll
atof

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo
_invalid_parameter_noinfo_noreturn
system
strerror
__sys_nerr
abort
exit
_resetstkoflw
_beginthreadex
_getpid
terminate
_register_thread_local_exe_atexit_callback
_c_exit
__p___argv
__p___argc
_configure_narrow_argv
_exit
_initterm_e
_initterm
_get_initial_narrow_environment
_set_app_type
_seh_filter_exe
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_errno

api-ms-win-crt-math-l1-1-0

_dsign
asin
atan2
_dclass
ceilf
tanf
cosf
floorf
fmodf
pow
powf
sinf
sqrt
sqrtf
__setusermatherr

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_stat64
_unlock_file
_fstat64
_unlink
_access
remove

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
_configthreadlocale
localeconv

api-ms-win-crt-environment-l1-1-0

getenv

api-ms-win-crt-time-l1-1-0

_time64
strftime
_localtime64
_gmtime64

shell32

ShellExecuteA

Sections

.text
Size: 740KB - Virtual size: 739KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 156KB - Virtual size: 156KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: 1

f6b65008c7a12fa0dae4b7f97d9a9938

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3d9

kernel32

user32

advapi32

imm32

msvcp140

ntdll

dwmapi

normaliz

wldap32

crypt32

ws2_32

shlwapi

rpcrt4

psapi

userenv

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-environment-l1-1-0

api-ms-win-crt-time-l1-1-0

shell32

Sections

.text Size: 740KB - Virtual size: 739KB

.rdata Size: 156KB - Virtual size: 156KB

.data Size: 4KB - Virtual size: 8KB

.pdata Size: 29KB - Virtual size: 29KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 740KB - Virtual size: 739KB

.rdata
Size: 156KB - Virtual size: 156KB

.data
Size: 4KB - Virtual size: 8KB

.pdata
Size: 29KB - Virtual size: 29KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 2KB - Virtual size: 1KB