usermode[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

usermode.exe
Size

10.5MB
MD5

671b17ad6b7a632b60c592723efa6b00
SHA1

07d7b37e4410db74e9f360cde6e8617fc40ef2a7
SHA256

41db990ee6005eff67a8164bef1a8299fa6270b3adf2191ee9dbc55a8041192a
SHA512

9c149b92eedee71971dbc9c6ec132d5bdd3e149dbde4e6de470c34a7947673dbac845106603864333cf8d0929341ac5d087d541b20085a148955f2dfba3f6671
SSDEEP

98304:ijf+m8s3dTwwaWy+6Rp2iFfcKi7vX+uTxcV9UJLCixo06YQUu6azhKplCA/VA/du:Y3dTwwatxRpvFfq59L/x6TU0zizqvaL

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
usermode.exe

Files

usermode.exe
.exe windows:6 windows x64 arch:x64

1467ae6d6c32a03c5767e51ef6a5ee22

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\gg\Desktop\clients\clix\usermode\usermode\x64\Release\usermode.pdb

Imports

kernel32

HeapAlloc
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
CloseHandle
SetLastError
GetLastError
GetLocaleInfoA
LoadLibraryA
GetProcAddress
FreeLibrary
QueryPerformanceFrequency
OutputDebugStringW
InitializeSListHead
GetSystemTimeAsFileTime
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SleepConditionVariableSRW
WakeAllConditionVariable
GetModuleHandleW
QueryPerformanceCounter
WideCharToMultiByte
MultiByteToWideChar
GlobalFree
GlobalLock
GlobalUnlock
GlobalAlloc
SetConsoleTitleA
HeapFree
DeviceIoControl
InitializeCriticalSectionEx
DeleteCriticalSection
WaitForSingleObject
GetExitCodeProcess
CreateProcessA
GetCurrentProcessId
GetCurrentThreadId
CreateFileA
GetFileSizeEx
ReadFile
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
Sleep

user32

GetAsyncKeyState
GetSystemMetrics
OpenClipboard
CloseClipboard
SetClipboardData
GetClipboardData
EmptyClipboard
GetKeyboardLayout
TrackMouseEvent
GetMessageExtraInfo
GetKeyState
GetCapture
SetCapture
DestroyWindow
PeekMessageA
DispatchMessageA
TranslateMessage
ReleaseCapture
IsWindowUnicode
GetForegroundWindow
GetClientRect
SetCursorPos
SetCursor
GetCursorPos
ClientToScreen
ScreenToClient
LoadCursorA
GetWindowThreadProcessId
EnumWindows
DefWindowProcW
PostQuitMessage
RegisterClassExA
CreateWindowExA
ShowWindow
SetWindowPos
SetFocus
SetWindowLongA
GetWindowLongA
GetWindowRect
UpdateWindow

advapi32

GetUserNameA

d3d11

D3D11CreateDeviceAndSwapChain

d3dcompiler_43

D3DCompile

d3dx11_43

D3DX11CreateShaderResourceViewFromMemory

msvcp140

?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?setf@ios_base@std@@QEAAHHH@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
??7ios_base@std@@QEBA_NXZ
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z
?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??Bid@locale@std@@QEAA_KXZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Xout_of_range@std@@YAXPEBD@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
_Query_perf_counter
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?width@ios_base@std@@QEAA_J_J@Z
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?good@ios_base@std@@QEBA_NXZ
?_Syserror_map@std@@YAPEBDH@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Cnd_do_broadcast_at_thread_exit
_Mtx_unlock
_Mtx_lock
_Thrd_detach
?_Xlength_error@std@@YAXPEBD@Z
?uncaught_exceptions@std@@YAHXZ
_Query_perf_frequency

imm32

ImmReleaseContext
ImmSetCandidateWindow
ImmSetCompositionWindow
ImmGetContext

dwmapi

DwmExtendFrameIntoClientArea

ntdll

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext
RtlInitUnicodeString
NtOpenFile

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcpy
memmove
memset
__C_specific_handler
__current_exception
strrchr
__current_exception_context
__intrinsic_setjmp
longjmp
__std_exception_copy
__std_exception_destroy
memchr
_CxxThrowException
strstr
memcmp

api-ms-win-crt-runtime-l1-1-0

_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
_set_app_type
_invalid_parameter_noinfo_noreturn
_register_thread_local_exe_atexit_callback
_initterm_e
_initterm
terminate
_beginthreadex
_c_exit
exit
_seh_filter_exe
__p___argv
__p___argc
_get_initial_narrow_environment
_exit

api-ms-win-crt-utility-l1-1-0

rand
qsort

api-ms-win-crt-math-l1-1-0

asin
atan2
_dclass
ceilf
sinf
tanf
sqrt
powf
fmodf
cosf
atan2f
acosf
log
logf
pow
__setusermatherr
sqrtf

api-ms-win-crt-heap-l1-1-0

malloc
free
_callnewh
_set_new_mode

api-ms-win-crt-convert-l1-1-0

strtol
atof

api-ms-win-crt-stdio-l1-1-0

fclose
fflush
fgetc
__stdio_common_vsprintf
_get_stream_buffer_pointers
ungetc
setvbuf
__p__commode
fwrite
fgetpos
fsetpos
fread
__acrt_iob_func
_set_fmode
fputc
__stdio_common_vsscanf
__stdio_common_vfprintf
ftell
fseek
_wfopen
_fseeki64

api-ms-win-crt-filesystem-l1-1-0

_unlock_file
_lock_file

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-string-l1-1-0

_wcsicmp
strncmp
strncpy
strcmp
strcpy_s

shell32

ShellExecuteExA

Sections

.text
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 354KB - Virtual size: 354KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8.8MB - Virtual size: 8.9MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 50KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

1467ae6d6c32a03c5767e51ef6a5ee22

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

d3d11

d3dcompiler_43

d3dx11_43

msvcp140

imm32

dwmapi

ntdll

vcruntime140_1

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-string-l1-1-0

shell32

Sections

.text Size: 1.3MB - Virtual size: 1.3MB

.rdata Size: 354KB - Virtual size: 354KB

.data Size: 8.8MB - Virtual size: 8.9MB

.pdata Size: 50KB - Virtual size: 49KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 4KB - Virtual size: 3KB

.text
Size: 1.3MB - Virtual size: 1.3MB

.rdata
Size: 354KB - Virtual size: 354KB

.data
Size: 8.8MB - Virtual size: 8.9MB

.pdata
Size: 50KB - Virtual size: 49KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 4KB - Virtual size: 3KB