d4bbe581cfdef25d9ec57107b1025689f4642eee190b0b29cfc52d3b92c2488d

Resubmissions

05/09/2024, 13:00

240905-p8ysvs1emk 3

05/09/2024, 12:54

240905-p5ntgssbkb 3

Sharing

Copy URL Twitter E-mail

General

Target

d4bbe581cfdef25d9ec57107b1025689f4642eee190b0b29cfc52d3b92c2488d
Size

4.5MB
MD5

514323521255bc3cb25bf2c01e620091
SHA1

e5806a685bf67d2449e8f1fd99ac9e529f73d063
SHA256

d4bbe581cfdef25d9ec57107b1025689f4642eee190b0b29cfc52d3b92c2488d
SHA512

e523b5e6e9150b2dd464adf6c3ad810f4f279a0531ac86b4896f74d89ecbd4295a6df9c81f4fdd5a46008302d25b8d4c986a1025522c02552f0b8b225a5ed150
SSDEEP

98304:4U7U0K4hUqW+SX+ATwan9MfPh/i1+NisBHWIXzbmPLhNgH/Ct7VV:1U0XhUqW+SX+AkiSh/i4Nis0qzbckH/U

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/webengine.dll

Files

d4bbe581cfdef25d9ec57107b1025689f4642eee190b0b29cfc52d3b92c2488d
.zip
.user.ini
ms_update.exe
.exe windows:5 windows x64 arch:x64

7844d97128a514140775bf591553dcd8

Code Sign

33:00:00:01:df:6b:f0:2e:92:a7:4a:b4:d0:00:00:00:00:01:df
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/12/2020, 21:31

Not After

02/12/2021, 21:31

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e5:9c:3f:43:b2:3c:ed:1c:82:09:da:f1:05:ba:3b:ea:d2:d4:2a:cc:8b:69:fe:65:ca:a6:68:62:15:89:34:f2
Signer

Actual PE Digest

e5:9c:3f:43:b2:3c:ed:1c:82:09:da:f1:05:ba:3b:ea:d2:d4:2a:cc:8b:69:fe:65:ca:a6:68:62:15:89:34:f2

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

aspnet_regiis.pdb

Imports

msvcr80

_decode_pointer
_onexit
_lock
__dllonexit
_unlock
?terminate@@YAXXZ
__set_app_type
_encode_pointer
_fmode
_commode
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
_wcsicmp
__winitenv
exit
_cexit
_exit
_XcptFilter
__C_specific_handler
__wgetmainargs
_amsg_exit
wcstok
memcpy
_wtoi
_vsnwprintf_s
__crt_debugger_hook

advapi32

RegQueryValueExW
RegCloseKey
RegOpenKeyExW

kernel32

HeapSize
GetProcAddress
LoadLibraryW
GetSystemDirectoryW
GetVersionExW
RtlZeroMemory
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
HeapReAlloc
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
SetUnhandledExceptionFilter
GetStdHandle
GetConsoleScreenBufferInfo
LocalAlloc
HeapFree
HeapAlloc
IsDebuggerPresent
lstrlenW
ExitThread
Sleep
CreateThread
LocalFree
CloseHandle
WaitForSingleObject
FreeLibrary
FormatMessageW
GetLastError

ole32

CoUninitialize
CoInitializeEx

webengine

RunAspnetCA
LoadResourceString
RegisterScriptMapsOnVista
DetectErrorAndGetLogfileName
ListAspnetInstalledIISKeys
ListAspnetInstalledVersions
PrintResourceStringNoNewLine
ValidateIISPath
RunPkgmgr
GetExistingVersion
GrantAccessToUserAccount
RegisterAspNetEx
UnregisterAspNet
RemoveClientScriptFiles
CopyClientScriptFiles
PrintStringToStdOut
CallManagedProtectedConfigAction
IsVista
PrintResourceString
SetRemoteConfigDCOMRegKeys
AspnetLoadResourceDLL
CheckIISState
RunningOn64Bit
RemoveAspnetFromIISKey
IsMatchingBitness
GrantAccessToUserAccountOnVista
IsRegisteredInProc
GetXSPHeap

ntdll

RtlCopyMemory

Sections

.text
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
webengine.dll
.dll windows:4 windows x64 arch:x64

69c2b71daa2a0867460e8f56d8c5e85a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

SystemFunction036

bcrypt

BCryptGenRandom

kernel32

DeleteCriticalSection
EnterCriticalSection
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
InitializeCriticalSection
LeaveCriticalSection
QueryPerformanceCounter
RaiseException
RtlAddFunctionTable
RtlUnwindEx
SetUnhandledExceptionFilter
TerminateProcess
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
AcquireSRWLockExclusive
AcquireSRWLockShared
CloseHandle
CompareStringOrdinal
CreateFileMappingA
CreateFileW
CreateNamedPipeW
CreateProcessW
CreateThread
CreateToolhelp32Snapshot
CreateWaitableTimerExW
DeleteProcThreadAttributeList
DuplicateHandle
ExitProcess
FormatMessageW
FreeEnvironmentStringsW
FreeLibrary
GetCommandLineW
GetConsoleMode
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetEnvironmentStringsW
GetEnvironmentVariableW
GetFileAttributesW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetFinalPathNameByHandleW
GetFullPathNameW
GetLastError
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetStdHandle
GetSystemDirectoryW
GetWindowsDirectoryW
HeapAlloc
HeapFree
HeapReAlloc
InitOnceBeginInitialize
InitOnceComplete
InitializeProcThreadAttributeList
LoadLibraryW
MapViewOfFile
Module32FirstW
Module32NextW
MultiByteToWideChar
ReadFileEx
ReleaseSRWLockExclusive
ReleaseSRWLockShared
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetFileInformationByHandle
SetLastError
SetThreadStackGuarantee
SetWaitableTimer
Sleep
SleepEx
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryAcquireSRWLockExclusive
UnmapViewOfFile
UpdateProcThreadAttribute
WaitForSingleObject
WriteConsoleW
WriteFileEx

msvcrt

__iob_func
_amsg_exit
_initterm
_lock
_unlock
abort
calloc
free
fwrite
realloc
signal
strlen
strncmp
vfprintf

ntdll

NtReadFile
NtWriteFile
RtlNtStatusToDosError
memcmp
memcpy
memmove
memset

Exports

Exports

AspnetLoadResourceDLL
CallManagedProtectedConfigAction
CheckIISState
CopyClientScriptFiles
DetectErrorAndGetLogfileName
GetExistingVersion
GetXSPHeap
GrantAccessToUserAccount
GrantAccessToUserAccountOnVista
IsMatchingBitness
IsRegisteredInProc
IsVista
ListAspnetInstalledIISKeys
ListAspnetInstalledVersions
LoadResourceString
PrintResourceString
PrintResourceStringNoNewLine
PrintStringToStdOut
RegisterAspNetEx
RegisterScriptMapsOnVista
RemoveAspnetFromIISKey
RemoveClientScriptFiles
RunAspnetCA
RunPkgmgr
RunningOn64Bit
SetRemoteConfigDCOMRegKeys
UnregisterAspNet
ValidateIISPath

Sections

.text
Size: 310KB - Virtual size: 309KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 304B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 54KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 1024B - Virtual size: 916B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

7844d97128a514140775bf591553dcd8

Code Sign

33:00:00:01:df:6b:f0:2e:92:a7:4a:b4:d0:00:00:00:00:01:dfCertificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

e5:9c:3f:43:b2:3c:ed:1c:82:09:da:f1:05:ba:3b:ea:d2:d4:2a:cc:8b:69:fe:65:ca:a6:68:62:15:89:34:f2Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcr80

advapi32

kernel32

ole32

webengine

ntdll

Sections

.text Size: 31KB - Virtual size: 30KB

.data Size: 2KB - Virtual size: 16KB

.pdata Size: 1KB - Virtual size: 1KB

.rsrc Size: 2KB - Virtual size: 1KB

69c2b71daa2a0867460e8f56d8c5e85a

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

bcrypt

kernel32

msvcrt

ntdll

Exports

Exports

Sections

.text Size: 310KB - Virtual size: 309KB

.data Size: 512B - Virtual size: 304B

.rdata Size: 54KB - Virtual size: 54KB

.pdata Size: 6KB - Virtual size: 6KB

.xdata Size: 12KB - Virtual size: 12KB

.bss Size: - Virtual size: 2KB

.edata Size: 1024B - Virtual size: 916B

.idata Size: 5KB - Virtual size: 4KB

.CRT Size: 512B - Virtual size: 104B

.tls Size: 512B - Virtual size: 16B

.reloc Size: 1KB - Virtual size: 1KB

33:00:00:01:df:6b:f0:2e:92:a7:4a:b4:d0:00:00:00:00:01:df
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

e5:9c:3f:43:b2:3c:ed:1c:82:09:da:f1:05:ba:3b:ea:d2:d4:2a:cc:8b:69:fe:65:ca:a6:68:62:15:89:34:f2
Signer

.text
Size: 31KB - Virtual size: 30KB

.data
Size: 2KB - Virtual size: 16KB

.pdata
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 2KB - Virtual size: 1KB

.text
Size: 310KB - Virtual size: 309KB

.data
Size: 512B - Virtual size: 304B

.rdata
Size: 54KB - Virtual size: 54KB

.pdata
Size: 6KB - Virtual size: 6KB

.xdata
Size: 12KB - Virtual size: 12KB

.bss
Size: - Virtual size: 2KB

.edata
Size: 1024B - Virtual size: 916B

.idata
Size: 5KB - Virtual size: 4KB

.CRT
Size: 512B - Virtual size: 104B

.tls
Size: 512B - Virtual size: 16B

.reloc
Size: 1KB - Virtual size: 1KB