LsaIso[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

LsaIso.exe
Size

348KB
MD5

47c04f9fb1af5e7af115cf71f2111d96
SHA1

4799dde09c52a990669e4a878b49fdf4c0b3cb49
SHA256

0cf5d244a21790235d3e6f0222d6181b651cf64cf92b9ba3fa2da421a2436646
SHA512

1bcb0bedc68224c08d7eae9f21f653ace902eefbc8fd81ceb438c072ec5b5caa1996e6d9635b7f581cc43d41a35ac909e4b03534ac67bdc58b747ee990f7f41e
SSDEEP

6144:KLDJYhoRc11IDkwgrzQXE8e9vEmXYxMeG0D6Mj:K3JYhGc11oaZd3oPxd

Score

1^/10

Malware Config

Signatures

Files

LsaIso.exe
.exe windows:10 windows x64 arch:x64

fef21769044f4c03e7700d815c371987

Code Sign

33:00:00:04:8e:16:55:47:b1:c3:02:85:03:00:00:00:00:04:8e
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/05/2024, 23:19

Not After

14/05/2025, 23:19

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

eb:20:14:c1:1d:61:a6:a9:7b:3b:56:6f:54:d2:2f:7e:63:4a:3c:79:f2:91:f2:7c:10:93:99:e6:89:61:49:d9
Signer

Actual PE Digest

eb:20:14:c1:1d:61:a6:a9:7b:3b:56:6f:54:d2:2f:7e:63:4a:3c:79:f2:91:f2:7c:10:93:99:e6:89:61:49:d9

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

LsaIso.pdb

Imports

msvcrt

_initterm
_fmode
_commode
_lock
_unlock
__dllonexit
_onexit
memset
__setusermatherr
_cexit
_exit
exit
__set_app_type
__CxxFrameHandler4
??3@YAXPEAX@Z
_purecall
??1exception@@UEAA@XZ
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBV0@@Z
malloc
_callnewh
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@AEBQEBDH@Z
?what@exception@@UEBAPEBDXZ
_CxxThrowException
__CxxFrameHandler3
memcpy
memmove
??1type_info@@UEAA@XZ
memcmp
?terminate@@YAXXZ
wcscmp
__wgetmainargs
_amsg_exit
_XcptFilter
_wcsicmp
__C_specific_handler

iumcrypt

iumCryptSignAndEncodeCertificate
iumCryptExportPublicKeyInfoFromBCryptKeyHandle
iumCryptMsgUpdate
iumCryptEncodeObjectEx
iumCryptMsgOpenToEncode
iumCryptMsgGetParam

api-ms-win-core-heap-obsolete-l1-1-0

LocalAlloc
LocalReAlloc
LocalFree

api-ms-win-eventing-classicprovider-l1-1-0

UnregisterTraceGuids
TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventSetInformation
EventRegister
EventWriteTransfer

api-ms-win-eventing-obsolete-l1-1-0

RegisterTraceGuidsA

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
GetLastError
SetUnhandledExceptionFilter
SetLastError

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExA
GetModuleHandleW
GetModuleFileNameA
GetModuleHandleExW
GetProcAddress

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
SetThreadStackGuarantee
GetCurrentProcessId
CreateThread
TerminateProcess
GetCurrentProcess

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-synch-l1-1-0

WaitForSingleObject
InitializeSRWLock
CreateSemaphoreExW
DeleteCriticalSection
AcquireSRWLockShared
CreateMutexExW
ReleaseSRWLockShared
OpenSemaphoreW
WaitForSingleObjectEx
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
ReleaseMutex
InitializeCriticalSectionEx
LeaveCriticalSection
ReleaseSemaphore
EnterCriticalSection

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
Sleep

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetSystemTime
GetSystemInfo
GetTickCount

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime

kerbclientshared

KerbClientBuildFastArmoredKdcRequest
KerbDHGetSharedSecretFromCapiKeyBuffer
KerbDHGetLittleEndianPublicKey
KerbClientTransformStoredCred
KerbClientBuildKeyList
KerbClientSharedInit
KerbPackKdcReplyWithEncryptedSessionKey
KerbClientPackAsn1Buffer
KerbClientDecryptApReply
KerbClientVerifyFastArmoredKerbError
KerbClientBuildEncryptedAuthData
KerbClientPackApReply
KerbClientBuildAsReqAuthenticator
KerbClientSharedCleanup
KerbClientAlloc
KerbClientVerifyFastArmoredTgsReply
KerbClientDecryptPacCredentials
KerbClientFreeStoredCred
KerbClientVerifyFastArmoredKdcReply
KerbClientVerifyEncryptedChallengePaData
KerbClientUnpackKdcReplyBody
KerbClientVerifyChecksum
KerbClientUpdateSharedConfiguration
KerbClientBuildTicketArmorKey
KerbClientFree
KerbClientUnpackAsn1BufferVoid
KerbGetFlagsForKdcReply
KerbClientBuildExplicitArmorKey
KerbClientComputeTgsChecksum
KerbDHCreateBCryptKey
KerbDHGetLegacyDHParameters

ntlmshared

MsvpPutClearOwfsInPrimaryCredential
MsvpLm20GetNtlm3ChallengeResponse
MsvpMakeSecretPasswordNT5
MsvpDecryptDpapiMasterKey
MsvpCompareCredentials
MsvpDeriveSecureCredKey
NtlmSharedInit
MsvpValidateSupplementalCredsBuffer
MsvpCredentialToCachePasswords
MsvpGMSACred
MsvpPasswordValidate
MsvpUpdateSharedConfiguration

msasn1

ASN1BERDecGeneralizedTime
ASN1DEREncGeneralizedTime
ASN1BEREncU32
ASN1DecSetError
ASN1octetstring_free
ASN1BERDecSXVal
ASN1BERDecOpenType2
ASN1_CloseDecoder
ASN1intx_free
ASN1_CreateDecoder
ASN1intx_setuint32
ASN1_Decode
ASN1_CreateEncoder
ASN1_FreeEncoded
ASN1_FreeDecoded
ASN1_Encode
ASN1_CloseEncoder
ASN1BERDecPeekTag
ASN1BERDecOctetString
ASN1BERDecNotEndOfContents
ASN1BEREncExplicitTag
ASN1BERDecEndOfContents
ASN1BERDecBool
ASN1objectidentifier_free
ASN1EncSetError
ASN1BEREncS32
ASN1DEREncCharString
ASN1BEREncEndOfContents
ASN1BEREncBool
ASN1BERDecSkip
ASN1Free
ASN1DecAlloc
ASN1BEREncSX
ASN1BEREncOpenType
ASN1BERDecS32Val
ASN1DEREncOctetString
ASN1charstring_free
ASN1BERDecBitString
ASN1BEREncObjectIdentifier
ASN1BERDecZeroCharString
ASN1DEREncBitString
ASN1BERDecU32Val
ASN1BERDecObjectIdentifier
ASN1_CreateModule
ASN1BERDecCharString
ASN1bitstring_free
ASN1ztcharstring_free
ASN1BERDecExplicitTag

iumbase

GetSignedReport
GetTaggedData
GetTaggedDataSize
IsSecureProcess
GetSecureIdentitySigningKey
EncryptData
DecryptData

ntdll

RtlImageNtHeader
RtlLengthSid
RtlTimeToTimeFields
RtlTimeFieldsToTime
RtlFreeHeap
RtlAvlRemoveNode
RtlEqualUnicodeString
RtlAvlInsertNodeEx
memmove_s
RtlNtStatusToDosError
RtlLeaveCriticalSection
RtlInitializeCriticalSection
_vsnprintf_s
RtlEnterCriticalSection
memcpy_s
RtlDeleteCriticalSection
_vsnwprintf
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtSetEvent
NtCreateEvent
RtlSetProcessIsCritical
NtClose
RtlInitUnicodeString
NtOpenEvent
NtQuerySystemInformation
RtlAllocateHeap

rpcrt4

NdrMesTypeAlignSize3
MesEncodeDynBufferHandleCreate
NdrMesTypeEncode3
MesHandleFree
RpcMgmtWaitServerListen
MesDecodeBufferHandleCreate
NdrMesTypeDecode3
RpcExceptionFilter
I_RpcMapWin32Status
NdrServerCallAll
MesIncrementalHandleReset
MesDecodeIncrementalHandleCreate
MesEncodeIncrementalHandleCreate
RpcServerUseProtseqEpW
RpcServerListen
RpcServerUnregisterIf
NdrServerCall2
RpcServerRegisterIf

bcrypt

BCryptGenerateSymmetricKey
BCryptHash
BCryptSecretAgreement
BCryptSetProperty
BCryptSignHash
BCryptDestroySecret
BCryptDeriveKey
BCryptImportKey
BCryptDecrypt
BCryptDuplicateKey
BCryptVerifySignature
BCryptGetProperty
BCryptCreateHash
BCryptHashData
BCryptDestroyHash
BCryptFinishHash
BCryptDestroyKey
BCryptFinalizeKeyPair
BCryptGenerateKeyPair
BCryptOpenAlgorithmProvider
BCryptExportKey
BCryptCloseAlgorithmProvider
BCryptImportKeyPair
BCryptGenRandom
BCryptEncrypt
BCryptKeyDerivation

cryptdll

CDLocateCheckSum
CDLocateCSystem
CDGenerateRandomBits

cryptsp

SystemFunction009
SystemFunction007
SystemFunction011

api-ms-win-core-string-obsolete-l1-1-0

lstrlenA

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-memory-l1-1-0

VirtualQuery
VirtualProtect
VirtualAlloc

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
SetThreadpoolTimer
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks

Exports

Exports

__ImagePolicyMetadata

Sections

.text
Size: 216KB - Virtual size: 213KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 88KB - Virtual size: 85KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tPolicy
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

fef21769044f4c03e7700d815c371987

Code Sign

33:00:00:04:8e:16:55:47:b1:c3:02:85:03:00:00:00:00:04:8eCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

eb:20:14:c1:1d:61:a6:a9:7b:3b:56:6f:54:d2:2f:7e:63:4a:3c:79:f2:91:f2:7c:10:93:99:e6:89:61:49:d9Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

iumcrypt

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-eventing-obsolete-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-timezone-l1-1-0

kerbclientshared

ntlmshared

msasn1

iumbase

ntdll

rpcrt4

bcrypt

cryptdll

cryptsp

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-threadpool-l1-2-0

Exports

Exports

Sections

.text Size: 216KB - Virtual size: 213KB

.rdata Size: 88KB - Virtual size: 85KB

.data Size: 4KB - Virtual size: 5KB

.pdata Size: 12KB - Virtual size: 9KB

.tPolicy Size: 4KB - Virtual size: 1KB

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 3KB

33:00:00:04:8e:16:55:47:b1:c3:02:85:03:00:00:00:00:04:8e
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

eb:20:14:c1:1d:61:a6:a9:7b:3b:56:6f:54:d2:2f:7e:63:4a:3c:79:f2:91:f2:7c:10:93:99:e6:89:61:49:d9
Signer

.text
Size: 216KB - Virtual size: 213KB

.rdata
Size: 88KB - Virtual size: 85KB

.data
Size: 4KB - Virtual size: 5KB

.pdata
Size: 12KB - Virtual size: 9KB

.tPolicy
Size: 4KB - Virtual size: 1KB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 3KB