Norland[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Norland.exe
Size

81.0MB
MD5

05c364f43824209c06f73a6d9b2071b3
SHA1

4573a3a6ca04b586a524a798ad1316b67796aef7
SHA256

4f262a9eacb283ee3973751af71e404d3c58c97758c7c6b75c092a71bf234ddd
SHA512

53de1226c50f2b062f764e82d909e76ca18ccb0d1e69e3e7b2592b5bc31ea2870171e5bf557ea5fdc5861781e28808083544863512597961958b2e74238df2fb
SSDEEP

393216:Zozl8r1owgW/YTZfLSTTvLSZwGuY89HvQph24jiKxIebZxxQzWPhj8c8/lngBvwT:ZFE1j8Nr281jT+CrEnYH2k

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
Norland.exe

Files

Norland.exe
.exe windows:6 windows x64 arch:x64

eba36377e69b4b0dd00c5b019add545f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\GameMakerCache\Cache\GMS2CACHE\Strategy_594AEFAE\Strategy\SteamRelease\Scripts\llvm-win\Win32solution\x64\Release\Strategy.pdb

Imports

wininet

InternetCloseHandle
HttpOpenRequestA
InternetCrackUrlA
InternetReadFile
InternetConnectA
InternetOpenA
InternetCanonicalizeUrlA
HttpSendRequestA
HttpQueryInfoA
InternetGetConnectedState

d3d11

D3D11CreateDevice

dbghelp

MiniDumpWriteDump

winmm

timeGetDevCaps
timeEndPeriod
joyGetPosEx
joyGetPos
mciSendStringA
timeGetTime
timeBeginPeriod

ws2_32

setsockopt
sendto
send
select
recvfrom
recv
ntohs
inet_ntoa
inet_addr
getsockopt
ioctlsocket
connect
closesocket
bind
accept
htons
htonl
WSAStartup
WSAGetLastError
getaddrinfo
freeaddrinfo
getpeername
__WSAFDIsSet
listen
socket

gdiplus

GdiplusShutdown
GdiplusStartup

comctl32

InitCommonControlsEx

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

rpcrt4

UuidToStringW
UuidCreate

mf

MFCreateMediaSession
MFCreateTopology
MFCreateTopologyNode
MFGetService
MFCreateAudioRendererActivate
MFCreateSampleGrabberSinkActivate

mfplat

MFStartup
MFCreateMediaType
MFCreateSourceResolver

kernel32

GetConsoleOutputCP
FlushFileBuffers
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
WriteFile
GetStdHandle
PeekNamedPipe
GetFileType
GetFileInformationByHandle
GetDriveTypeW
MoveFileExW
SetFileAttributesW
GetFileAttributesExW
HeapWalk
HeapValidate
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
FindFirstFileExW
GetModuleHandleExW
RtlUnwind
LoadLibraryExW
RtlPcToFileHeader
RtlUnwindEx
GetStringTypeW
GetCPInfo
LCMapStringEx
DecodePointer
EncodePointer
GetFileSizeEx
SetFilePointerEx
SleepConditionVariableSRW
SleepConditionVariableCS
WakeAllConditionVariable
WakeConditionVariable
InitializeConditionVariable
TryEnterCriticalSection
InitializeCriticalSectionEx
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
OutputDebugStringA
GetCurrentProcess
K32GetProcessMemoryInfo
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
GetConsoleWindow
GetCommandLineW
ExpandEnvironmentStringsW
CreateDirectoryW
CreateFileW
GetFinalPathNameByHandleW
GetFullPathNameW
CloseHandle
SetUnhandledExceptionFilter
GetLastError
SetErrorMode
Sleep
GetCurrentProcessId
GetCurrentThreadId
HeapReAlloc
GetModuleHandleW
MoveFileA
MultiByteToWideChar
WideCharToMultiByte
SetCurrentDirectoryA
GetCurrentDirectoryA
GetFileAttributesW
GetFileSize
ReadFile
SetFilePointer
FreeLibrary
GetProcAddress
LoadLibraryW
LocalFree
FormatMessageA
QueryPerformanceCounter
QueryPerformanceFrequency
WaitForSingleObject
SetWaitableTimer
CreateWaitableTimerW
GetTickCount64
CreateThread
SetThreadPriority
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GlobalAlloc
GlobalUnlock
GlobalLock
GetEnvironmentVariableW
GetCurrentDirectoryW
DeleteFileW
FindClose
FindFirstFileW
FindNextFileW
RemoveDirectoryW
SetLastError
GetExitCodeThread
FormatMessageW
GetVersionExW
GetLocaleInfoW
VerSetConditionMask
VerifyVersionInfoW
ExitProcess
lstrlenA
GetVersion
GetFileAttributesA
LoadLibraryA
WaitForSingleObjectEx
CreateEventExW
DebugBreak
GetEnvironmentVariableA
InitializeSRWLock
GetNativeSystemInfo
GetProcessHeap
HeapFree
HeapAlloc
RaiseException
InitializeSListHead
GetSystemTimeAsFileTime
GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
CreateEventW
ResetEvent
SetEvent
GetTimeZoneInformation
ReadConsoleW
SetStdHandle
IsValidCodePage
GetACP
GetOEMCP
GetCommandLineA
GetEnvironmentStringsW
GetConsoleMode
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetEndOfFile
HeapSize
GetModuleFileNameW
WriteConsoleW

user32

EndDialog
GetDlgItem
SetDlgItemTextW
GetDlgItemTextW
DrawTextW
GetAsyncKeyState
keybd_event
GetRawInputDeviceInfoA
GetRawInputDeviceList
SetDlgItemTextA
MessageBoxW
SetProcessDPIAware
EnumDisplaySettingsA
IsDialogMessageW
DialogBoxParamW
DispatchMessageW
TranslateMessage
wsprintfW
EnumDisplayDevicesW
EnumDisplaySettingsW
LoadImageW
LoadCursorW
CallNextHookEx
UnhookWindowsHookEx
SetWindowsHookExW
FindWindowExA
FindWindowA
SetParent
MoveWindow
CreateDialogParamW
ClientToScreen
PeekMessageW
ScreenToClient
SetCursor
AdjustWindowRectEx
GetClientRect
SetForegroundWindow
GetSystemMetrics
ReleaseCapture
SetCapture
GetKeyState
SetFocus
BringWindowToTop
SetWindowPos
ShowWindow
DestroyWindow
CreateWindowExW
RegisterClassExW
DefWindowProcW
PostMessageW
SendMessageW
SendMessageA
EnumWindows
GetWindowLongPtrW
IntersectRect
GetWindowRect
GetActiveWindow
IsWindowVisible
GetLayeredWindowAttributes
MessageBoxA
ReleaseDC
GetDC
GetMonitorInfoW
MonitorFromWindow
SetWindowLongPtrW
GetCursorPos
SetCursorPos
UpdateWindow
GetFocus
IsClipboardFormatAvailable
EmptyClipboard
GetClipboardData
SetClipboardData
SetWindowTextW
CloseClipboard
MapWindowPoints
OpenClipboard

gdi32

SelectObject
GetRgnBox
DeleteObject
CreateRectRgnIndirect
GetStockObject
GetDeviceCaps
CombineRgn

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

RegOpenKeyExW
CryptGenRandom
CryptReleaseContext
CryptAcquireContextA
RegQueryValueExW
RegCloseKey

shell32

SHGetFolderPathW
ShellExecuteW

ole32

CoInitialize
CoTaskMemFree
CoCreateInstance
CoCreateFreeThreadedMarshaler

dwmapi

DwmGetWindowAttribute
DwmGetCompositionTimingInfo

Exports

Exports

AmdPowerXpressRequestHighPerformance
NvOptimusEnablement

Sections

.text
Size: 59.4MB - Virtual size: 59.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 17.2MB - Virtual size: 17.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2.4MB - Virtual size: 5.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.mydata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 203KB - Virtual size: 202KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 409KB - Virtual size: 409KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

eba36377e69b4b0dd00c5b019add545f

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

wininet

d3d11

dbghelp

winmm

ws2_32

gdiplus

comctl32

version

rpcrt4

mf

mfplat

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

dwmapi

Exports

Exports

Sections

.text Size: 59.4MB - Virtual size: 59.4MB

.rdata Size: 17.2MB - Virtual size: 17.2MB

.data Size: 2.4MB - Virtual size: 5.1MB

.pdata Size: 1.4MB - Virtual size: 1.4MB

.mydata Size: 512B - Virtual size: 24B

_RDATA Size: 512B - Virtual size: 244B

.rsrc Size: 203KB - Virtual size: 202KB

.reloc Size: 409KB - Virtual size: 409KB

.text
Size: 59.4MB - Virtual size: 59.4MB

.rdata
Size: 17.2MB - Virtual size: 17.2MB

.data
Size: 2.4MB - Virtual size: 5.1MB

.pdata
Size: 1.4MB - Virtual size: 1.4MB

.mydata
Size: 512B - Virtual size: 24B

_RDATA
Size: 512B - Virtual size: 244B

.rsrc
Size: 203KB - Virtual size: 202KB

.reloc
Size: 409KB - Virtual size: 409KB