wbengine.pdb
Static task: static1
Behavioral task: behavioral1
Sample: ff396aca321b8c6e228f83ebdd884f0299b7e48fd8a5f406fa911b0226bcb1d2.exe
Resource: win10v2004-20240802-en
General
Target: ff396aca321b8c6e228f83ebdd884f0299b7e48fd8a5f406fa911b0226bcb1d2
Size: 2.1MB
MD5: 6f199e9fa4087685023e69257a58911f
SHA1: 35ed513ee086950919eebb5d1cd97cd4e932435d
SHA256: ff396aca321b8c6e228f83ebdd884f0299b7e48fd8a5f406fa911b0226bcb1d2
SHA512: 2e3de6813b3a4039dd1855e49cccefc0e7a98ebb368480f36f4c0e4d392e86b84e603545d105623c314d434e6e4345994b107dd5682bd702ccfad1cf70a01438
SSDEEP: 49152:zpJFwrPpGyqWo6cbT2TZ8maJO35NPHXogsS7Q78ZGAvL9vnF35LWoHNDmg27RnWm:IpC7b4+80GTkKD527BWG
Malware Config
Signatures
Unsigned PE (1 IoC)
Checks for missing Authenticode signature. Matched resource: ff396aca321b8c6e228f83ebdd884f0299b7e48fd8a5f406fa911b0226bcb1d2
Caveat: this check only tests for an embedded Authenticode signature (a non-empty IMAGE_DIRECTORY_ENTRY_SECURITY). Windows system binaries are normally signed through a catalog (.cat) file and carry no embedded signature, so on its own this hit does not distinguish a genuine copy of wbengine.exe from a modified one. Verify the file against the catalog instead (Get-AuthenticodeSignature reports SignatureType Catalog for catalog-signed files; sigcheck does the same) or compare its hashes with a known-good copy from %SystemRoot%\System32.
Files
-
ff396aca321b8c6e228f83ebdd884f0299b7e48fd8a5f406fa911b0226bcb1d2.exe windows:10 windows x64 arch:x64 (PE32+, x64, minimum OS version 10)
Import hash (imphash): 15a412f6e76b281fb2c2c163a4d641f8
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
Note: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is not listed. HIGH_ENTROPY_VA only takes effect when DYNAMIC_BASE is also set, so as reported the image does not opt in to ASLR even though the 64-bit address space flag is present; IMAGE_DLLCHARACTERISTICS_GUARD_CF is not listed either.
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
wbengine.pdb
Note: this is the PDB name of wbengine.exe, the Windows Block Level Backup Engine Service binary, and the imports below (vssapi, virtdisk, bcd, service-control APIs) are consistent with that role. A PDB path is attacker-controllable, so it indicates what the file presents itself as, not where it came from.
Imports
Notable for triage, all consistent with a backup engine (which is also why this import set by itself cannot separate the genuine binary from a tampered copy): service control (StartServiceCtrlDispatcherW, CreateServiceW, DeleteService, SetServiceStatus), token and privilege handling (LogonUserExExW, ImpersonateLoggedOnUser, DuplicateTokenEx, AdjustTokenPrivileges), security-descriptor editing (TreeSetNamedSecurityInfoW, SetFileSecurityW), registry hive loading (RegLoadKeyW, RegUnLoadKeyW), SMB share creation and removal (NetShareAdd, NetShareDel), VSS snapshot, virtual-disk and boot-configuration access (vssapi, virtdisk, bcd), system shutdown (InitiateShutdownW) and CNG hashing (bcrypt).
advapi32
RegDeleteValueW
RegOpenKeyExW
RegSetValueExW
RegEnumKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegCloseKey
TraceMessage
DuplicateTokenEx
RegQueryValueExW
GetUserNameW
EventSetInformation
EventRegister
EventUnregister
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
SetServiceStatus
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
GetSecurityDescriptorControl
GetLengthSid
IsValidSid
CopySid
GetSidSubAuthority
InitializeSid
GetSidLengthRequired
SetSecurityDescriptorOwner
InitializeSecurityDescriptor
MakeAbsoluteSD
SetSecurityDescriptorGroup
SetSecurityDescriptorDacl
AddAce
InitializeAcl
GetAclInformation
IsValidSecurityDescriptor
RegEnumValueW
LookupAccountNameW
RegisterServiceCtrlHandlerW
StartServiceCtrlDispatcherW
OpenSCManagerW
CreateServiceW
CloseServiceHandle
OpenServiceW
ControlService
DeleteService
InitiateShutdownW
RegGetValueW
TraceEvent
RegUnLoadKeyW
RegLoadKeyW
EventWriteTransfer
TreeSetNamedSecurityInfoW
CheckTokenMembership
LsaNtStatusToWinError
GetSecurityDescriptorLength
EventWrite
EventEnabled
SetThreadToken
OpenThreadToken
EnableTrace
StartTraceW
ControlTraceW
LookupPrivilegeValueW
AdjustTokenPrivileges
RevertToSelf
SetFileSecurityW
LsaFreeMemory
EqualSid
GetWindowsAccountDomainSid
LogonUserExExW
ImpersonateLoggedOnUser
OpenProcessToken
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
LsaQueryInformationPolicy
LsaOpenPolicy
LsaClose
QueryServiceStatus
EnumDependentServicesW
kernel32
GetTickCount
RemoveDirectoryW
HeapSetInformation
CreateWaitableTimerW
WaitForSingleObjectEx
GetCurrentThreadId
GetDriveTypeW
CopyFileW
DeviceIoControl
CreateThread
GetCommandLineW
TlsGetValue
OutputDebugStringW
GlobalLock
GlobalAlloc
GlobalUnlock
GlobalFree
SetErrorMode
CancelIoEx
GetFileAttributesExW
DeleteVolumeMountPointW
QueryDosDeviceW
SetVolumeMountPointW
SetWaitableTimer
GetLogicalDrives
GetFileSize
GetLongPathNameW
SetFileValidData
SetFilePointerEx
SetEndOfFile
RtlCompareMemory
SleepEx
GetOverlappedResult
GetCurrentThread
SetFilePointer
CancelIo
GetVolumeInformationW
CompareStringOrdinal
CopyFileExW
GetLocalTime
FormatMessageW
GetSystemDirectoryW
LocalAlloc
SetLastError
GetWindowsDirectoryW
GetUserGeoID
GetSystemInfo
GetComputerNameExW
GetVersionExW
GetTempPathW
GetProductInfo
ExpandEnvironmentStringsW
SetFileInformationByHandle
GetFileInformationByHandle
SetFileAttributesW
GetVolumeNameForVolumeMountPointW
FindNextFileW
FindFirstFileW
GetFileInformationByHandleEx
CreateDirectoryW
GetVolumePathNamesForVolumeNameW
GetDiskFreeSpaceExW
GetFileAttributesW
OutputDebugStringA
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetStartupInfoW
GetEnvironmentVariableW
HeapDestroy
GetProcessHeap
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetVolumePathNameW
SizeofResource
EnterCriticalSection
GetModuleFileNameW
LeaveCriticalSection
InitializeCriticalSection
MultiByteToWideChar
GetLastError
RaiseException
FindResourceExW
LoadResource
GetProcAddress
DeleteCriticalSection
FindVolumeClose
FindNextVolumeW
FindFirstVolumeW
GetTimeZoneInformation
SetThreadExecutionState
FileTimeToLocalFileTime
Sleep
SetVolumeLabelW
FileTimeToSystemTime
CompareFileTime
FindClose
MoveFileW
ReadFile
MoveFileExW
FlushFileBuffers
WriteFile
DeleteFileW
GetSystemTimeAsFileTime
SystemTimeToFileTime
GetSystemTime
LocalFree
GetFileSizeEx
CreateFileW
ResetEvent
WaitForSingleObject
SetEvent
CloseHandle
CreateEventW
InitializeCriticalSectionAndSpinCount
LoadLibraryExW
lstrcmpiW
FreeLibrary
GetModuleHandleW
user32
TranslateMessage
GetMessageW
PostThreadMessageW
LoadStringW
CharNextW
CharUpperBuffW
UnregisterClassA
DispatchMessageW
CharUpperW
MessageBoxW
msvcrt
wcsncmp
_wcsnicmp
calloc
memmove_s
_vsnwprintf
_wcsicmp
wcsncpy_s
malloc
free
_purecall
memcpy_s
__C_specific_handler
__CxxFrameHandler4
_initterm
swscanf_s
realloc
wcscpy_s
wcscat_s
memset
memmove
_scwprintf
_vsnprintf
wcsstr
wcsrchr
wcscspn
towlower
_wgetenv
_wtol
_wtoi
_wcstoi64
wcstok_s
wcschr
??_V@YAXPEAX@Z
_XcptFilter
_amsg_exit
_wcmdln
_fmode
_commode
_errno
?terminate@@YAXXZ
_lock
_unlock
__dllonexit
_onexit
??1type_info@@UEAA@XZ
wcstoul
memcmp
_callnewh
__wgetmainargs
__set_app_type
exit
_exit
_cexit
memcpy
__setusermatherr
_CxxThrowException
wcscmp
ntdll
RtlUnlockBootStatusData
WinSqmAddToStreamEx
NtCreateFile
RtlFreeHeap
RtlDosPathNameToNtPathName_U
RtlClearAllBits
RtlSetBits
RtlNumberOfSetBits
RtlInitializeBitMap
RtlFindNextForwardRunClear
RtlGetSetBootStatusData
RtlAreBitsSet
RtlAreBitsClear
RtlSetBit
EtwTraceMessage
RtlNumberOfClearBits
RtlSetAllBits
NtQueryVolumeInformationFile
NtSetInformationKey
NtQueryKey
NtQuerySystemInformation
NtQueryInformationFile
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlInitUnicodeString
RtlClearBits
RtlGetLastNtStatus
RtlNtStatusToDosError
RtlCreateSystemVolumeInformationFolder
WinSqmAddToStream
ole32
CoResumeClassObjects
CoRevokeClassObject
CoSuspendClassObjects
CoRegisterClassObject
CoUninitialize
CoInitializeEx
CoCreateInstance
StringFromGUID2
CoInitializeSecurity
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CoImpersonateClient
CoCreateGuid
CreateStreamOnHGlobal
CreateClassMoniker
GetRunningObjectTable
CoDisconnectObject
CoRevertToSelf
CLSIDFromString
oleaut32
VariantClear
VariantCopy
SysFreeString
SysAllocString
SystemTimeToVariantTime
SysStringByteLen
SysAllocStringByteLen
VarUI4FromStr
VariantInit
VarBstrCmp
RegisterTypeLi
LoadTypeLi
UnRegisterTypeLi
SysAllocStringLen
VarBstrCat
SysStringLen
rpcrt4
UuidCreate
UuidFromStringW
UuidToStringW
RpcStringFreeW
vssapi
VssFreeSnapshotPropertiesInternal
CreateVssBackupComponentsInternal
CreateVssExamineWriterMetadataInternal
virtdisk
OpenVirtualDisk
CompactVirtualDisk
GetVirtualDiskPhysicalPath
GetVirtualDiskInformation
AttachVirtualDisk
SetVirtualDiskInformation
CreateVirtualDisk
DetachVirtualDisk
GetVirtualDiskOperationProgress
GetStorageDependencyInformation
bcd
BcdOpenSystemStore
BcdForciblyUnloadStore
BcdCloseStore
BcdSetSystemStoreDevice
BcdImportStoreWithFlags
setupapi
SetupDiGetDeviceInterfaceDetailW
SetupDiGetClassDevsW
SetupEnumPublishedInfW
pSetupGetFileTitle
SetupDiGetDeviceRegistryPropertyW
SetupDiEnumDeviceInterfaces
SetupDiDestroyDeviceInfoList
SetupGetInfDriverStoreLocationW
spp
SppFreeBadWritersArray
netapi32
NetShareGetInfo
NetApiBufferFree
NetShareDel
NetShareAdd
xmllite
CreateXmlReaderInputWithEncodingName
CreateXmlReader
bcrypt
BCryptHashData
BCryptGetProperty
BCryptDestroyHash
BCryptOpenAlgorithmProvider
BCryptFinishHash
BCryptCloseAlgorithmProvider
BCryptCreateHash
clusapi
GetNodeClusterState
wer
WerReportSubmit
WerReportCloseHandle
WerReportAddFile
WerReportSetParameter
WerReportCreate
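The sandbox reports an import hash for this file. The block below is an added example, not code from the sandbox or from the binary's vendor, showing how that hash is derived: MD5 over the lower-cased "module.function" pairs in import-table order, with .dll/.ocx/.sys stripped from module names. The import list inside it is a constructed excerpt of the table above (so its hash will not equal the reported value, which is computed over the full table), and ordinal-only imports, which the real algorithm resolves through per-module ordinal tables, are assumed absent.

```python
"""Import hash (imphash): MD5 of the normalised "module.function" list in
import-table order. Standard library only. Assumes every import is by name;
ordinal-only imports are not resolved here."""
import hashlib

# Constructed excerpt of the import table reported on this page, in the order
# shown there. An excerpt: the hash will differ from the sandbox's value.
SAMPLE_IMPORTS = [
    ("ADVAPI32.dll", ["RegDeleteValueW", "RegOpenKeyExW", "RegSetValueExW"]),
    ("KERNEL32.DLL", ["GetTickCount", "RemoveDirectoryW", "HeapSetInformation"]),
    ("netapi32", ["NetShareGetInfo", "NetApiBufferFree", "NetShareDel", "NetShareAdd"]),
]

_STRIP = (".dll", ".ocx", ".sys")


def normalise(dll: str, func: str) -> str:
    """Lower-case both names and drop a .dll/.ocx/.sys suffix from the module."""
    dll = dll.lower()
    for ext in _STRIP:
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    return f"{dll}.{func.lower()}"


def imphash_string(imports) -> str:
    """The exact string that gets hashed; useful when comparing two samples."""
    return ",".join(normalise(dll, f) for dll, funcs in imports for f in funcs)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
    # Same imports in a different table order give a different hash: the
    # order is what ties an imphash to a particular build and linker layout.
    print(imphash(list(reversed(SAMPLE_IMPORTS))) != imphash(SAMPLE_IMPORTS))
```

Because the order matters, two builds of the same source with the same imports can still disagree on imphash; conversely, matching imphashes across samples is a strong hint that they share a build pipeline, which is why the value is worth pivoting on.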
Exports
??0CTraceFailureHelper@@QEAA@AEAVCTraceProvider@@JPEBGKPEBX@Z
??0CTraceFunction@@QEAA@AEAVCTraceProvider@@PEBGH1PEBX@Z
??0CTraceHelper@@QEAA@AEAVCTraceProvider@@PEBGKPEBX@Z
??0CTraceProvider@@QEAA@W4COMPONENT_CODE@@@Z
??1CTraceFunction@@QEAA@XZ
??1CTraceProvider@@QEAA@XZ
??4CTraceProvider@@QEAAAEAV0@AEBV0@@Z
?EtwEnabled@CTraceProvider@@QEAA_NW4TRACE_FLAG@@@Z
?EtwTrace@CTraceProvider@@QEAAXAEBUDLS_TRACE_EVENT@@@Z
?OdsEnabled@CTraceProvider@@QEAA_NW4TRACE_FLAG@@@Z
?OdsTrace@CTraceProvider@@QEAAXAEBUDLS_TRACE_EVENT@@@Z
?QueryTaskId@CTraceProvider@@SA?AU_GUID@@XZ
?SetTraceControlInfo@CTraceProvider@@QEAAX_N_KK@Z
?Trace@CTraceProvider@@QEAAXW4TRACE_FLAG@@PEBGKPEBX1PEAD@Z
?TraceMessage@CTraceFailureHelper@@QEAAXPEBGZZ
?TraceMessage@CTraceHelper@@QEAAXW4TRACE_FLAG@@PEBGZZ
?m_dwTraceCurrSize@CTraceProvider@@0KA
?m_dwTraceLevel@CTraceProvider@@0KA
?m_dwTraceMaxNum@CTraceProvider@@0KA
?m_dwTraceMaxSize@CTraceProvider@@0KA
?m_dwTraceNextNum@CTraceProvider@@0KA
?m_errLogCriticalSection@CTraceProvider@@0U_RTL_CRITICAL_SECTION@@A
?m_errorFile@CTraceProvider@@0PEAU_iobuf@@EA
?m_errorTracingInBadState@CTraceProvider@@0_NA
?m_isCriticalSectionIntialized@CTraceProvider@@0_NA
Sections
.text   raw 1.3MB   virtual 1.3MB   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
.rdata  raw 152KB   virtual 150KB   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
.data   raw 4KB     virtual 9KB     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.pdata  raw 32KB    virtual 29KB    IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
.rsrc   raw 4KB     virtual 2KB     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
.reloc  raw 572KB   virtual 576KB   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
Note: a linker-produced .reloc section is normally INITIALIZED_DATA | DISCARDABLE | READ only. Here it is also writable and executable, and at 572KB against a 1.3MB .text it is unusually large for an x64 image, which relies mostly on RIP-relative addressing. Before trusting the static picture, compare this section's entropy and contents with the same section in a known-good wbengine.exe and confirm that neither the entry point nor any export resolves into it.
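The header flags, the "Unsigned PE" check and the section permissions above are all read from the same few PE structures. The block below is an added example, not the sandbox's code, that parses those structures from raw bytes with the standard library only: it decodes DllCharacteristics and file characteristics, tests whether the Security data directory (the embedded Authenticode blob) is present, lists section permissions, and raises the same kinds of observations a triage report would. The image it parses is constructed inline to mirror the header bits reported on this page (no DYNAMIC_BASE, empty security directory, an RWX .reloc); it is not the analysed file and contains no executable code. To run it on a real file, pass the file's bytes to parse_pe.

```python
"""Minimal PE32+ header triage with the standard library. The sample image is
constructed inline and mirrors the flags reported on this page; it is NOT the
analysed file."""
import struct

FILE_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
              0x0020: "LARGE_ADDRESS_AWARE", 0x2000: "DLL"}
DLL_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
             0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
             0x1000: "APPCONTAINER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SCN_FLAGS = {0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA",
             0x00000080: "CNT_UNINITIALIZED_DATA", 0x02000000: "MEM_DISCARDABLE",
             0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: embedded Authenticode blob


def _names(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_pe(data: bytes) -> dict:
    """Read the DOS/NT headers and section table of a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, _, _, _, opt_size, fchars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                       # optional header follows the 20-byte file header
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ handled here")
    major_os, minor_os = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    sec_size = 0
    if ndirs > SECURITY_DIR:                # data directories start at offset 112 in PE32+
        _, sec_size = struct.unpack_from("<II", data, opt + 112 + 8 * SECURITY_DIR)
    sections = []
    for i in range(nsec):
        name, vsize, _, rsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize,
                         "flags": _names(chars, SCN_FLAGS)})
    dll_names = _names(dll_chars, DLL_FLAGS)
    return {
        "machine": machine, "os_version": (major_os, minor_os), "subsystem": subsystem,
        "file_characteristics": _names(fchars, FILE_FLAGS),
        "dll_characteristics": dll_names,
        "aslr": "DYNAMIC_BASE" in dll_names,          # HIGH_ENTROPY_VA alone does nothing
        "has_embedded_signature": sec_size > 0,       # what "Unsigned PE" checks
        "sections": sections,
        "rwx_sections": [s["name"] for s in sections
                         if "MEM_WRITE" in s["flags"] and "MEM_EXECUTE" in s["flags"]],
    }


def findings(info: dict) -> list:
    """Observations a triage report would raise from the parsed header."""
    out = []
    if not info["has_embedded_signature"]:
        out.append("no embedded Authenticode signature (file may still be catalog-signed)")
    if "HIGH_ENTROPY_VA" in info["dll_characteristics"] and not info["aslr"]:
        out.append("HIGH_ENTROPY_VA set without DYNAMIC_BASE: image does not opt in to ASLR")
    for name in info["rwx_sections"]:
        out.append(f"section {name} is both writable and executable")
    return out


def build_sample_pe() -> bytes:
    """Constructed PE32+ headers only (no code), mirroring the reported flags."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0002 | 0x0020)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0x1000, 0x1000, 0, 0x1000, 0x1000, 0x140000000,
                      0x1000, 0x200, 10, 0, 10, 0, 10, 0, 0, 0x4000, 0x400, 0, 2,
                      0x0020 | 0x0100 | 0x8000,                 # HEVA | NX | TS-aware, no DYNAMIC_BASE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", 0, 0) * 16                        # all directories empty, incl. Security
    assert len(opt) == 240

    def section(name, vsize, vaddr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0x400, 0, 0, 0, 0, chars)
    secs = (section(b".text", 0x1000, 0x1000, 0x60000020) +     # CODE|EXECUTE|READ
            section(b".reloc", 0x2000, 0x2000, 0xE2000040))     # INIT|DISCARD|EXEC|READ|WRITE
    img = dos + b"PE\0\0" + file_hdr + opt + secs
    return img + b"\0" * (0x400 - len(img))


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for key in ("file_characteristics", "dll_characteristics", "aslr",
                "has_embedded_signature", "rwx_sections"):
        print(f"{key}: {info[key]}")
    for line in findings(info):
        print("finding:", line)
```

The three findings this produces on the constructed image are exactly the points raised in the notes above; on a real file, an empty Security directory should be followed by a catalog check rather than treated as proof of tampering.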