pnputil[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

pnputil.exe
Size

253KB
MD5

f4c3bd7a47ace4bee4d864b299391dc1
SHA1

36f5f1475e0f24cb89a0c3363aefbc60d7427364
SHA256

8cabe68f5a1052b5e45d139ea645c7c66b0041ecb9938d918647ba18f4bc38d0
SHA512

ac5cf72a5c3c668ee8f4da4bade609c37a97efe8a325884782fcc0e80e1d907d350a351946e6f8cd5411016d4141fb687c7cecaf3bf0a9cb9d2e5d89b3e2f881
SSDEEP

3072:pf6RZcRCi523tTklfGBlkxGrDzRZCYw5PxI2TewSAu4leSTo7JYnawXMM/HI:pf6RZcX52JcimxcKYwsqPGp1Yy

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
pnputil.exe

Files

pnputil.exe
.exe windows:10 windows x64 arch:x64

33f8637c34de0f49b6e6dbd3cdf51434

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

pnputil.pdb

Imports

msvcrt

memcmp
_vsnwprintf
_ultow_s
wcstoul
swprintf_s
toupper
_vsnprintf
memset
?terminate@@YAXXZ
_commode
_fmode
_initterm
__setusermatherr
_cexit
_resetstkoflw
memmove
wcsrchr
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
wcschr
__C_specific_handler
_wcsnicmp
_wcsicmp
memcpy
wcscmp

api-ms-win-core-file-l1-1-0

FindNextFileW
FindFirstFileW
WriteFile
GetFileInformationByHandle
FindClose
GetFileAttributesW
CreateFileA
SetEndOfFile
GetFileSize
GetTempFileNameW
SetFileAttributesW
DeleteFileA
CreateFileW
DeleteFileW
RemoveDirectoryW
FileTimeToLocalFileTime
CreateDirectoryW
SetFilePointer
ReadFile
FlushFileBuffers
GetFullPathNameW

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapReAlloc
HeapFree
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetErrorMode
SetUnhandledExceptionFilter
RaiseException
UnhandledExceptionFilter
SetLastError

api-ms-win-core-processenvironment-l1-1-0

GetStdHandle
ExpandEnvironmentStringsW
GetCommandLineA

api-ms-win-devices-config-l1-1-1

CM_Get_Device_ID_List_SizeW
CM_MapCrToWin32Err
CM_Open_Class_KeyW
CM_Get_Device_ID_ListW
CM_Get_Class_PropertyW
CM_Get_DevNode_PropertyW
CM_Locate_DevNodeW
CM_Get_Sibling
CM_Get_Device_IDW
CM_Get_Child
CM_Get_Device_Interface_List_SizeW
CM_Get_Device_Interface_PropertyW
CM_Get_Parent
CM_Get_Device_Interface_ListW

api-ms-win-core-console-l1-1-0

WriteConsoleW
GetConsoleMode

api-ms-win-core-localization-l1-2-0

SetThreadPreferredUILanguages
FormatMessageW
LCMapStringW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

api-ms-win-core-sysinfo-l1-2-0

GetNativeSystemInfo
GetSystemFirmwareTable

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA
LoadLibraryExA
LoadStringW
GetProcAddress
GetModuleHandleW
FreeLibrary

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringW
WideCharToMultiByte

api-ms-win-core-sysinfo-l1-1-0

GetSystemTime
GetTickCount64
GetSystemInfo
GetSystemTimeAsFileTime
GetSystemWindowsDirectoryW
GetLocalTime
GetTickCount

api-ms-win-core-registry-l1-1-0

RegUnLoadKeyW
RegFlushKey
RegQueryValueExW
RegQueryInfoKeyW
RegRestoreKeyW
RegOpenKeyExW
RegLoadAppKeyW
RegLoadKeyW
RegSaveKeyExW
RegDeleteKeyExW
RegSetValueExW
RegEnumKeyExW
RegCreateKeyExW
RegCloseKey

ntdll

NtSetInformationThread
RtlUnicodeToMultiByteSize
NtSetInformationFile
NtQueryInformationFile
RtlImageNtHeader
RtlRandomEx
RtlGUIDFromString
RtlFreeHeap
RtlAllocateHeap
RtlMultiByteToUnicodeN
RtlMultiByteToUnicodeSize
RtlRaiseStatus
DbgPrintEx
RtlGetSaclSecurityDescriptor
RtlFormatCurrentUserKeyPath
NtClose
NtDeleteKey
NtOpenKey
NtCreateKey
NtQueryValueKey
NtSetValueKey
NtEnumerateKey
RtlGetDaclSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlInitializeSRWLock
RtlAcquireSRWLockExclusive
RtlReleaseSRWLockExclusive
RtlCreateUnicodeString
RtlEqualUnicodeString
RtlValidRelativeSecurityDescriptor
RtlLengthSecurityDescriptor
RtlInitUnicodeStringEx
RtlUnicodeStringToInteger
NtOpenThreadToken
NtOpenProcessToken
NtQuerySecurityObject
RtlUnicodeToMultiByteN
NtAdjustPrivilegesToken
RtlLengthSid
RtlCopySid
RtlCreateAcl
RtlAddAce
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
NtSetSecurityObject
NtEnumerateValueKey
NtDeleteValueKey
NtOpenThreadTokenEx
NtOpenProcessTokenEx
NtQueryInformationToken
RtlEqualSid
RtlConvertSidToUnicodeString
RtlAppendUnicodeStringToString
RtlAddAccessAllowedAceEx
RtlValidSecurityDescriptor
RtlAbsoluteToSelfRelativeSD
LdrGetDllHandle
RtlInitAnsiString
RtlPrefixUnicodeString
RtlTimeToTimeFields
RtlSetOwnerSecurityDescriptor
RtlValidSid
RtlSubAuthoritySid
RtlInitializeSid
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
LdrUnloadDll
LdrGetProcedureAddress
LdrLoadDll
NtDuplicateToken
NtUnloadKey2
RtlInitUnicodeString
NtQuerySystemInformation
NtQueryKey
RtlNtStatusToDosError
RtlDosPathNameToNtPathName_U
RtlIsStateSeparationEnabled
RtlFreeUnicodeString
RtlGetVersion

api-ms-win-core-registry-l2-1-0

RegSaveKeyW
RegDeleteKeyW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-file-l2-1-2

CopyFileW

cabinet

ord10
ord14
ord11
ord12
ord13

api-ms-win-core-processthreads-l1-1-0

OpenThreadToken
TerminateProcess
SetThreadToken
GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess
GetCurrentThread
OpenProcessToken

api-ms-win-core-file-l1-2-2

GetTempFileNameA
GetTempPathA

api-ms-win-core-kernel32-legacy-l1-1-0

FileTimeToDosDateTime

api-ms-win-core-privateprofile-l1-1-0

WritePrivateProfileStringW

api-ms-win-core-shutdown-l1-1-0

InitiateSystemShutdownExW

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-security-base-l1-1-0

AdjustTokenPrivileges
GetKernelObjectSecurity
DuplicateTokenEx

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent

api-ms-win-core-rtlsupport-l1-1-0

RtlCompareMemory
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

drvstore

DriverStoreUpdateDevicesW
DriverStoreCopyW
DriverStoreDeleteW
DriverStoreGetObjectPropertyW
DriverStoreEnumW
DriverPackageOpenW
DriverPackageGetVersionInfoW
DriverStoreSetLogContext
DriverStoreEnumObjectsW
DriverStoreImportW
DriverStoreFindW

api-ms-win-core-version-l1-1-0

GetFileVersionInfoSizeExW
VerQueryValueW
GetFileVersionInfoExW

api-ms-win-core-synch-l1-1-0

SleepEx
SetEvent
WaitForSingleObjectEx
CreateEventW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive

api-ms-win-service-management-l1-1-0

CloseServiceHandle

api-ms-win-core-memory-l1-1-0

MapViewOfFile
VirtualProtect
CreateFileMappingW
UnmapViewOfFile
VirtualQuery

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-security-sddl-l1-1-0

ConvertSecurityDescriptorToStringSecurityDescriptorW
ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-core-file-l2-1-0

CreateHardLinkW
MoveFileExW

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Sections

.text
Size: 177KB - Virtual size: 177KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 96B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

33f8637c34de0f49b6e6dbd3cdf51434

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-file-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-devices-config-l1-1-1

api-ms-win-core-console-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-registry-l1-1-0

ntdll

api-ms-win-core-registry-l2-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-file-l2-1-2

cabinet

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-file-l1-2-2

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-privateprofile-l1-1-0

api-ms-win-core-shutdown-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-security-base-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

drvstore

api-ms-win-core-version-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-apiquery-l1-1-0

Sections

.text Size: 177KB - Virtual size: 177KB

.rdata Size: 64KB - Virtual size: 63KB

.data Size: 512B - Virtual size: 4KB

.pdata Size: 5KB - Virtual size: 5KB

.didat Size: 512B - Virtual size: 96B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 177KB - Virtual size: 177KB

.rdata
Size: 64KB - Virtual size: 63KB

.data
Size: 512B - Virtual size: 4KB

.pdata
Size: 5KB - Virtual size: 5KB

.didat
Size: 512B - Virtual size: 96B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 1KB - Virtual size: 1KB