usermode[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

usermode.exe
Size

841KB
MD5

f8b0de77396a65e55a6e3a3068d81ef7
SHA1

20e3d74dabc53283682362f5caa66427841c009d
SHA256

902c4af63b5c77e23636001eb59eabce31380d2e310e483f03b5f2d40f1bc5b5
SHA512

db8789a2f8702a722f2ffc91618960ef2783c6e18cfe779ddadbdeec77d30d40af1e82ded426414dc19fc63d652c1f98a7de51744e2a11ea845105a736dedff1
SSDEEP

6144:Xt4+19w1q16E2LHDpTP/20QhFOeuGfniPCUnyLc4MpHwKV+yjSbw/Wlk25WBqQU/:Xt4+8zz1z/QhFZfniPTMDOyfu2K

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
usermode.exe

Files

usermode.exe
.exe windows:6 windows x64 arch:x64

b5eca1c340e4770f5f7470b785cf16ba

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\andreu.cpp\Music\ioctl+base+updated+by+redshirtfan (5)\ioctl base updated by redshirtfan\build\usermode\usermode.pdb

Imports

d3d9

Direct3DCreate9Ex

kernel32

GlobalLock
GlobalUnlock
QueryPerformanceFrequency
QueryPerformanceCounter
Process32First
SetConsoleTitleA
DeviceIoControl
CreateFileW
CreateToolhelp32Snapshot
Process32Next
CloseHandle
CreateThread
lstrcmpiA
GlobalFree
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
GlobalAlloc
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetModuleHandleW
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
Sleep
ReleaseSRWLockExclusive
RtlLookupFunctionEntry

user32

GetWindow
DispatchMessageA
GetWindowRect
DestroyWindow
SetWindowPos
GetSystemMetrics
GetKeyState
GetAsyncKeyState
SetWindowLongA
GetForegroundWindow
DefWindowProcA
CreateWindowExA
SetLayeredWindowAttributes
TranslateMessage
SetClipboardData
ShowWindow
GetClipboardData
EmptyClipboard
CloseClipboard
UpdateWindow
RegisterClassExA
GetDesktopWindow
LoadCursorA
PeekMessageA
LoadIconA
SendInput
ScreenToClient
mouse_event
GetActiveWindow
OpenClipboard
GetCursorPos
SetCursorPos
GetClientRect
SetCursor
ClientToScreen

shell32

ShellExecuteA

imm32

ImmReleaseContext
ImmGetContext
ImmSetCompositionWindow

msvcp140

??7ios_base@std@@QEBA_NXZ
?good@ios_base@std@@QEBA_NXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?always_noconv@codecvt_base@std@@QEBA_NXZ
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
??Bid@locale@std@@QEAA_KXZ
_Query_perf_frequency
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Xlength_error@std@@YAXPEBD@Z
_Query_perf_counter
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ

dwmapi

DwmExtendFrameIntoClientArea

vcruntime140_1

__CxxFrameHandler4

vcruntime140

_CxxThrowException
memmove
memcpy
memcmp
memchr
memset
__C_specific_handler
__current_exception
__std_exception_copy
__std_exception_destroy
strstr
__std_terminate
__current_exception_context

api-ms-win-crt-stdio-l1-1-0

__acrt_iob_func
ftell
_get_stream_buffer_pointers
__p__commode
_fseeki64
fflush
ungetc
setvbuf
fgetpos
_set_fmode
fgetc
fputc
fsetpos
fclose
fseek
__stdio_common_vsprintf_s
__stdio_common_vsscanf
fread
__stdio_common_vsprintf
_wfopen
fwrite
__stdio_common_vfprintf

api-ms-win-crt-string-l1-1-0

strncpy
strcmp
isprint

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-heap-l1-1-0

_callnewh
malloc
free
_set_new_mode

api-ms-win-crt-runtime-l1-1-0

_exit
system
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
_initterm
_get_initial_narrow_environment
_invalid_parameter_noinfo_noreturn
terminate
_configure_narrow_argv
_set_app_type
_seh_filter_exe
_initialize_narrow_environment
_cexit
_initterm_e
_crt_atexit
_register_onexit_function
_initialize_onexit_table
exit

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file
remove

api-ms-win-crt-math-l1-1-0

atan2
sinf
pow
tanf
sqrtf
powf
fmodf
floorf
asin
cosf
__setusermatherr
sqrt
ceilf

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 236KB - Virtual size: 236KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 50KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 542KB - Virtual size: 544KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b5eca1c340e4770f5f7470b785cf16ba

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3d9

kernel32

user32

shell32

imm32

msvcp140

dwmapi

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 236KB - Virtual size: 236KB

.rdata Size: 50KB - Virtual size: 50KB

.data Size: 542KB - Virtual size: 544KB

.pdata Size: 10KB - Virtual size: 10KB

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 512B - Virtual size: 480B

.text
Size: 236KB - Virtual size: 236KB

.rdata
Size: 50KB - Virtual size: 50KB

.data
Size: 542KB - Virtual size: 544KB

.pdata
Size: 10KB - Virtual size: 10KB

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 512B - Virtual size: 480B