rozelin[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

rozelin.dll
Size

1.5MB
MD5

f9bb8819674b780198ec05761a3ed0d6
SHA1

4c61542d76a0107eb80a950c33cd9bd5029a9b32
SHA256

3af3c1b6c72f09371c9975eb0914c5b187ba363c0cddf8164d14a0b7c1fcb5dc
SHA512

7b636446567b453c37a28b904d9f716a2aaff54676270760702995efdb521a10ae5f1a9254529eadc092b678a3b99e59efaec444f7f923d8e213298ae48f4fdc
SSDEEP

24576:aoAIjF2weVvd7+StIkabYLhRCuNHd56L4ZzFYMczX5UHuMH:cIjQwYvd7+StIkss/CY304NFYMypUH

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
rozelin.dll

Files

rozelin.dll
.dll windows:6 windows x64 arch:x64

5e571c8c16d6b90cd433615e84bbaba6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\dvs\p4\build\sw\rel\gpu_drv\installer_core\installer_core_vs2017\Build\Core\Out\x64\Release\NVPrxy64.pdb

Imports

kernel32

OutputDebugStringW
LocalFree
FormatMessageW
FormatMessageA
CreateEventA
SetEvent
WaitForSingleObjectEx
GetCurrentThreadId
CreateMutexW
CreateFileW
RemoveDirectoryW
GetFileAttributesW
GetModuleFileNameW
GetProcessTimes
WriteFile
GetFileSizeEx
ReleaseMutex
GetCurrentProcessId
GetTempPathW
VerifyVersionInfoW
VerSetConditionMask
InitializeCriticalSectionAndSpinCount
ResumeThread
RaiseException
DecodePointer
OpenEventA
GetSystemTimeAsFileTime
QueryPerformanceFrequency
QueryPerformanceCounter
SetLastError
DeleteCriticalSection
WaitForSingleObject
GetExitCodeThread
GetLastError
CloseHandle
EnterCriticalSection
WideCharToMultiByte
GetProcessHeap
GetCurrentProcess
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
HeapDestroy
FindResourceExW
FindResourceW
LoadResource
LockResource
SizeofResource
LeaveCriticalSection
ExpandEnvironmentStringsW
ExitProcess
WriteConsoleW
ReadConsoleW
SetStdHandle
SetEnvironmentVariableA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
IsValidCodePage
FindNextFileA
FindFirstFileExA
ReadFile
GetConsoleMode
GetConsoleCP
GetFileType
GetStdHandle
GetACP
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetTimeFormatW
GetDateFormatW
GetTimeZoneInformation
ExitThread
RtlPcToFileHeader
RtlUnwindEx
CreateTimerQueue
UnregisterWaitEx
QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
ReleaseSemaphore
VirtualFree
VirtualProtect
VirtualAlloc
GetModuleHandleA
FreeLibraryAndExitThread
GetThreadTimes
UnregisterWait
RegisterWaitForSingleObject
SetThreadAffinityMask
GetProcessAffinityMask
GetNumaHighestNodeNumber
DeleteTimerQueueTimer
ChangeTimerQueueTimer
CreateTimerQueueTimer
GetLogicalProcessorInformation
GetThreadPriority
SetThreadPriority
CreateThread
SwitchToThread
SignalObjectAndWait
GetStartupInfoW
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
ResetEvent
IsDebuggerPresent
AreFileApisANSI
SetFilePointerEx
GetFileInformationByHandle
FlushFileBuffers
GetCPInfo
GetLocaleInfoW
GetSystemInfo
GetVersionExW
SetCurrentDirectoryW
GetCurrentDirectoryW
CreateDirectoryW
DeleteFileW
FindClose
FindFirstFileW
FindNextFileW
QueryDosDeviceW
SetFileAttributesW
DeviceIoControl
GetCurrentThread
GetTickCount
GetSystemDirectoryW
GetSystemWindowsDirectoryW
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
lstrcmpW
MoveFileExW
MultiByteToWideChar
FreeLibrary
GetModuleHandleExW
GetProcAddress
LoadLibraryW
DuplicateHandle
TerminateProcess
CreateProcessW
GetProcessId
OpenProcess
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
LocalAlloc
GetFullPathNameW
GetModuleFileNameA
GetModuleHandleW
LoadLibraryExW
GetStringTypeW
TryEnterCriticalSection
CreateEventW
Sleep
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
EncodePointer
CompareStringW
LCMapStringW

user32

SetTimer
GetMessageW
PostQuitMessage

advapi32

RegOpenCurrentUser
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
GetTokenInformation
RegEnumValueW
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
RegQueryInfoKeyW
LsaNtStatusToWinError

shell32

ShellExecuteExW
SHGetFolderPathW

ole32

PropVariantClear
CoUninitialize
CoInitializeEx
CoInitialize
CoCreateInstance

oleaut32

SysAllocString
SafeArrayUnlock
SafeArrayLock
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayDestroy
SafeArrayCreate
VariantClear
VariantInit
SysStringLen
VariantChangeType
SysAllocStringLen
SysFreeString

psapi

GetProcessImageFileNameW

shlwapi

PathFindFileNameW
SHStrDupW

rpcrt4

RpcServerUseProtseqEpW
RpcServerRegisterIfEx
RpcServerListen
RpcMgmtStopServerListening
RpcMgmtWaitServerListen
RpcServerUnregisterIf
NdrServerCallAll
NdrServerCall2

setupapi

CM_Get_DevNode_Status
SetupDiGetClassDevsW
CM_Get_Device_IDW
SetupDiOpenDeviceInfoW
SetupDiCreateDeviceInfoList
SetupDiDestroyDeviceInfoList
SetupDiGetDeviceInstallParamsW
SetupDiGetClassInstallParamsW
SetupDiSetDeviceInstallParamsW
SetupGetFieldCount
SetupGetStringFieldW
SetupCopyOEMInfW
SetupUninstallOEMInfW
SetupDiCreateDeviceInfoW
SetupDiGetDeviceInstanceIdW
SetupDiDeleteDeviceInfo
SetupDiEnumDeviceInfo
SetupDiBuildDriverInfoList
SetupDiEnumDriverInfoW
SetupDiGetSelectedDriverW
SetupDiSetClassInstallParamsW
SetupDiSetDeviceRegistryPropertyW
SetupDiGetDeviceRegistryPropertyW
SetupDiOpenDevRegKey
SetupDiSetSelectedDriverW
SetupDiGetDriverInfoDetailW
SetupDiSetSelectedDevice
SetupDiInstallDevice
SetupDiCallClassInstaller

Exports

Exports

Host

Sections

.text
Size: 994KB - Virtual size: 994KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 408KB - Virtual size: 408KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 35KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 50KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 72KB - Virtual size: 72KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5e571c8c16d6b90cd433615e84bbaba6

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

psapi

shlwapi

rpcrt4

setupapi

Exports

Exports

Sections

.text Size: 994KB - Virtual size: 994KB

.rdata Size: 408KB - Virtual size: 408KB

.data Size: 35KB - Virtual size: 44KB

.pdata Size: 50KB - Virtual size: 49KB

.rsrc Size: 72KB - Virtual size: 72KB

.reloc Size: 9KB - Virtual size: 8KB

.text
Size: 994KB - Virtual size: 994KB

.rdata
Size: 408KB - Virtual size: 408KB

.data
Size: 35KB - Virtual size: 44KB

.pdata
Size: 50KB - Virtual size: 49KB

.rsrc
Size: 72KB - Virtual size: 72KB

.reloc
Size: 9KB - Virtual size: 8KB