spoolsv.pdb
Static task
static1
Behavioral task
behavioral1
Sample
b16a09ff014c2810b574c5f7b5bd586505a0f2a7925fa3dd531871cbd10fe513N.exe
Resource
win10v2004-20240802-en
General
Target: b16a09ff014c2810b574c5f7b5bd586505a0f2a7925fa3dd531871cbd10fe513N.exe
Size: 1.3MB
MD5: 3cc3c2ba683308dd438e5866866bcb50
SHA1: f1966211e6b232f3217aaedebdf920ac6a90c35d
SHA256: b16a09ff014c2810b574c5f7b5bd586505a0f2a7925fa3dd531871cbd10fe513
SHA512: 394677b29e0426822b72dc8fb1bd5156f98bbc10a41b7651c410c66fdc3d9ce109de7b16ed6b0d62fb52885d642eaf1c3cb7cd197aff9afeb07daebec28903c4
SSDEEP: 24576:qtl9GREJlJFhP4C/wWr9vPFPHYZs1de67hX3s421/KIsqjnhMgeiCl7G0nehbGZd:qDcRElJFhP4C/wWr9vPFPHYZs1P8p/KP
Malware Config
Signatures
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource b16a09ff014c2810b574c5f7b5bd586505a0f2a7925fa3dd531871cbd10fe513N.exe
Files
b16a09ff014c2810b574c5f7b5bd586505a0f2a7925fa3dd531871cbd10fe513N.exe.exe windows:10 windows x64 arch:x64
3908f13e6362ff821a5a7a58c7c88a99
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
user32
UnregisterPowerSettingNotification
RegisterPowerSettingNotification
SendNotifyMessageW
RegisterDeviceNotificationW
UnregisterDeviceNotification
MsgWaitForMultipleObjects
TranslateMessage
PeekMessageW
DispatchMessageW
msvcrt
swprintf_s
exit
__set_app_type
__getmainargs
_amsg_exit
_XcptFilter
_cexit
free
_callnewh
__setusermatherr
_initterm
_fmode
malloc
_lock
_unlock
__dllonexit
_onexit
?terminate@@YAXXZ
_wcsicmp
memset
__CxxFrameHandler3
_strnicmp
memcpy_s
_wcsnicmp
wcsstr
wcschr
towlower
towupper
__C_specific_handler
_stricmp
memmove
memcpy
_exit
_purecall
_commode
_vsnwprintf
ntdll
RtlIpv4AddressToStringW
NtOpenThreadToken
NtClose
NtSetInformationThread
NtQueryWnfStateData
NtOpenProcessToken
RtlFreeHeap
RtlInitUnicodeString
NtSetInformationToken
RtlAllocateHeap
RtlIpv4StringToAddressExW
RtlIpv6StringToAddressExW
EtwEventWrite
EtwEventEnabled
RtlReportException
TpAllocPool
TpReleaseAlpcCompletion
TpWaitForAlpcCompletion
TpReleaseIoCompletion
TpWaitForIoCompletion
TpReleaseTimer
TpWaitForTimer
TpReleaseWait
TpWaitForWait
TpReleaseWork
TpWaitForWork
TpAllocAlpcCompletion
WinSqmIsOptedIn
WinSqmSetDWORD
WinSqmAddToStreamEx
WinSqmIncrementDWORD
RtlIsThreadWithinLoaderCallout
TpStartAsyncIoOperation
TpAllocIoCompletion
TpSetTimer
TpAllocTimer
TpAllocWait
TpPostWork
TpAllocWork
RtlNtStatusToDosError
TpSimpleTryPost
TpCallbackMayRunLong
TpReleasePool
RtlIpv6AddressToStringW
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlValidRelativeSecurityDescriptor
EtwEventWriteTransfer
NtQuerySystemInformation
EtwEventRegister
EtwEventUnregister
EtwUnregisterTraceGuids
EtwEventSetInformation
EtwGetTraceEnableFlags
EtwTraceMessage
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwRegisterTraceGuidsW
TpSetWait
api-ms-win-core-synch-l1-1-0
WaitForSingleObjectEx
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
InitializeCriticalSectionAndSpinCount
ReleaseSemaphore
EnterCriticalSection
LeaveCriticalSection
CreateMutexW
WaitForSingleObject
InitializeCriticalSection
CreateMutexExW
OpenEventW
CreateEventW
SetEvent
ReleaseMutex
CreateSemaphoreExW
OpenSemaphoreW
api-ms-win-core-processthreads-l1-1-0
GetCurrentProcess
TerminateProcess
SetPriorityClass
ExitThread
SetThreadToken
TlsSetValue
TlsGetValue
GetCurrentThreadId
TlsAlloc
GetCurrentProcessId
CreateThread
ExitProcess
OpenProcessToken
GetCurrentThread
CreateProcessAsUserW
OpenThreadToken
TlsFree
api-ms-win-core-processthreads-l1-1-1
SetProcessMitigationPolicy
OpenProcess
api-ms-win-core-errorhandling-l1-1-0
SetUnhandledExceptionFilter
GetLastError
SetLastError
GetErrorMode
RaiseException
UnhandledExceptionFilter
SetErrorMode
api-ms-win-core-handle-l1-1-0
CloseHandle
DuplicateHandle
api-ms-win-core-libraryloader-l1-2-0
DisableThreadLibraryCalls
GetModuleHandleW
api-ms-win-core-registry-l1-1-0
RegOpenCurrentUser
RegDisablePredefinedCacheEx
RegCloseKey
RegDeleteValueW
RegEnumKeyExW
RegQueryInfoKeyW
RegGetKeySecurity
RegEnumValueW
RegDeleteTreeW
RegCreateKeyExW
RegQueryValueExW
RegGetValueW
RegOpenKeyExW
RegDeleteKeyExW
RegSetValueExW
RegSetKeySecurity
api-ms-win-core-sysinfo-l1-1-0
GetVersionExW
GetSystemTimeAsFileTime
GetSystemTime
GetSystemWindowsDirectoryW
GetTickCount
api-ms-win-core-synch-l1-2-0
SleepConditionVariableSRW
Sleep
WakeAllConditionVariable
api-ms-win-core-heap-l1-1-0
HeapDestroy
HeapSetInformation
HeapCreate
GetProcessHeap
api-ms-win-service-core-l1-1-0
RegisterServiceCtrlHandlerExW
SetServiceStatus
StartServiceCtrlDispatcherW
api-ms-win-core-debug-l1-1-0
DebugBreak
OutputDebugStringW
IsDebuggerPresent
rpcrt4
RpcServerRegisterIf2
I_RpcSessionStrictContextHandle
I_RpcBindingIsClientLocal
RpcServerInqBindingHandle
RpcRaiseException
NdrServerCall2
Ndr64AsyncServerCallAll
NdrServerCallAll
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcSsContextLockExclusive
RpcAsyncAbortCall
RpcServerTestCancel
I_RpcExceptionFilter
RpcServerSubscribeForNotification
RpcServerUnsubscribeForNotification
NdrClientCall3
Ndr64AsyncClientCall
RpcBindingServerFromClient
RpcBindingFree
NdrAsyncServerCall
RpcSmDestroyClientContext
RpcImpersonateClient
RpcRevertToSelf
RpcRevertToSelfEx
RpcAsyncCompleteCall
I_RpcBindingInqTransportType
RpcServerRegisterIf
RpcServerInqBindings
RpcEpRegisterW
RpcBindingVectorFree
RpcObjectSetType
RpcStringBindingParseW
RpcBindingToStringBindingW
RpcServerInterfaceGroupDeactivate
RpcServerInterfaceGroupActivate
RpcServerInterfaceGroupCreateW
RpcServerRegisterAuthInfoW
RpcServerInqDefaultPrincNameW
RpcStringFreeW
RpcMgmtSetServerStackSize
api-ms-win-core-heap-l2-1-0
LocalFree
api-ms-win-security-base-l1-1-0
RevertToSelf
ImpersonateLoggedOnUser
CreateWellKnownSid
DuplicateTokenEx
DuplicateToken
SetTokenInformation
GetLengthSid
AddAccessAllowedAceEx
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
CopySid
GetAclInformation
InitializeAcl
GetAce
AddAccessDeniedAceEx
GetTokenInformation
GetSidSubAuthority
GetSidSubAuthorityCount
EqualSid
InitializeSecurityDescriptor
AddAce
IsWellKnownSid
FreeSid
CheckTokenMembership
AllocateAndInitializeSid
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
kernelbase
LocalAlloc
GetIsEdpEnabled
lstrcmpiW
kernel32
SetThreadpoolTimer
DeleteCriticalSection
HeapAlloc
HeapFree
FormatMessageW
GetModuleHandleExW
AddVectoredExceptionHandler
GetProcAddress
GetModuleFileNameA
FreeLibrary
LoadLibraryExW
ResetEvent
InitOnceComplete
GetComputerNameW
CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
GetTickCount64
InitOnceBeginInitialize
api-ms-win-core-string-l1-1-0
WideCharToMultiByte
CompareStringW
api-ms-win-core-file-l1-1-0
GetTempFileNameW
CreateFileW
ReadFile
DeleteFileW
api-ms-win-core-file-l2-1-0
MoveFileExW
api-ms-win-core-libraryloader-l1-2-1
LoadLibraryW
api-ms-win-core-console-l1-1-0
SetConsoleCtrlHandler
dnsapi
DnsQuery_W
DnsFree
api-ms-win-security-lsalookup-l2-1-0
LookupAccountNameW
api-ms-win-core-delayload-l1-1-1
ResolveDelayLoadedAPI
api-ms-win-core-threadpool-l1-2-0
CreateThreadpoolWork
WaitForThreadpoolWorkCallbacks
SubmitThreadpoolWork
CloseThreadpoolWork
api-ms-win-core-registry-l1-1-1
RegDeleteKeyValueW
RegSetKeyValueW
bcrypt
BCryptCreateHash
BCryptGetProperty
BCryptFinishHash
BCryptDestroyHash
BCryptHashData
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider
Exports
GetSpoolerTlsIndexes
PrvAbortPrinter
PrvAddFormW
PrvAddJobW
PrvAddMonitorW
PrvAddPerMachineConnectionW
PrvAddPortExW
PrvAddPortW
PrvAddPrintProcessorW
PrvAddPrintProvidorW
PrvAddPrinterConnectionW
PrvAddPrinterDriverExW
PrvAddPrinterDriverW
PrvAddPrinterExW
PrvAddPrinterW
PrvAdjustPointers
PrvAdjustPointersInStructuresArray
PrvAlignKMPtr
PrvAlignRpcPtr
PrvAllocSplStr
PrvAllowRemoteCalls
PrvAppendPrinterNotifyInfoData
PrvBuildOtherNamesFromMachineName
PrvCacheAddName
PrvCacheCreateAndAddNode
PrvCacheCreateAndAddNodeWithIPAddresses
PrvCacheDeleteNode
PrvCacheIsNameCluster
PrvCacheIsNameInNodeList
PrvCallDrvDevModeConversion
PrvCallRouterFindFirstPrinterChangeNotification
PrvCheckLocalCall
PrvClosePrinter
PrvConfigurePortW
PrvCreatePrinterIC
PrvDeleteFormW
PrvDeleteJobNamedProperty
PrvDeleteMonitorW
PrvDeletePerMachineConnectionW
PrvDeletePortW
PrvDeletePrintProcessorW
PrvDeletePrintProvidorW
PrvDeletePrinter
PrvDeletePrinterConnectionW
PrvDeletePrinterDataExW
PrvDeletePrinterDataW
PrvDeletePrinterDriverExW
PrvDeletePrinterDriverW
PrvDeletePrinterIC
PrvDeletePrinterKeyW
PrvDllAllocSplMem
PrvDllAllocSplStr
PrvDllFreeSplMem
PrvDllFreeSplStr
PrvDllReallocSplMem
PrvDllReallocSplStr
PrvEndDocPrinter
PrvEndPagePrinter
PrvEnumFormsW
PrvEnumJobsW
PrvEnumMonitorsW
PrvEnumPerMachineConnectionsW
PrvEnumPortsW
PrvEnumPrintProcessorDatatypesW
PrvEnumPrintProcessorsW
PrvEnumPrinterDataExW
PrvEnumPrinterDataW
PrvEnumPrinterDriversW
PrvEnumPrinterKeyW
PrvEnumPrintersW
PrvFindClosePrinterChangeNotification
PrvFlushPrinter
PrvFormatPrinterForRegistryKey
PrvFormatRegistryKeyForPrinter
PrvFreeOtherNames
PrvFreePrintPropertyValue
PrvGetFormW
PrvGetJobAttributes
PrvGetJobAttributesEx
PrvGetJobNamedPropertyValue
PrvGetJobW
PrvGetNetworkId
PrvGetPrintProcessorDirectoryW
PrvGetPrinterDataExW
PrvGetPrinterDataW
PrvGetPrinterDriverDirectoryW
PrvGetPrinterDriverExW
PrvGetPrinterDriverW
PrvGetPrinterW
PrvGetServerPolicy
PrvGetShrinkedSize
PrvGetSpoolerTlsIndexes
PrvImpersonatePrinterClient
PrvInitializeRouter
PrvIsNameTheLocalMachineOrAClusterSpooler
PrvIsNamedPipeRpcCall
PrvMIDL_user_allocate
PrvMIDL_user_allocate1
PrvMIDL_user_free
PrvMIDL_user_free1
PrvMarshallDownStructure
PrvMarshallDownStructuresArray
PrvMarshallUpStructure
PrvMarshallUpStructuresArray
PrvOldGetPrinterDriverW
PrvOpenPrinter2W
PrvOpenPrinterExW
PrvOpenPrinterPort2W
PrvOpenPrinterW
PrvPackStrings
PrvPartialReplyPrinterChangeNotification
PrvPlayGdiScriptOnPrinterIC
PrvPrinterHandleRundown
PrvPrinterMessageBoxW
PrvProvidorFindClosePrinterChangeNotification
PrvProvidorFindFirstPrinterChangeNotification
PrvReadPrinter
PrvReallocSplMem
PrvReallocSplStr
PrvRemoteFindFirstPrinterChangeNotification
PrvReplyClosePrinter
PrvReplyOpenPrinter
PrvReplyPrinterChangeNotification
PrvReplyPrinterChangeNotificationEx
PrvReportJobProcessingProgress
PrvResetPrinterW
PrvRevertToPrinterSelf
PrvRouterAddPrinterConnection2
PrvRouterAllocBidiMem
PrvRouterAllocBidiResponseContainer
PrvRouterAllocPrinterNotifyInfo
PrvRouterBroadcastMessage
PrvRouterCorePrinterDriverInstalled
PrvRouterCreatePrintAsyncNotificationChannel
PrvRouterDeletePrinterDriverPackage
PrvRouterFindCompatibleDriver
PrvRouterFindFirstPrinterChangeNotification
PrvRouterFindNextPrinterChangeNotification
PrvRouterFreeBidiMem
PrvRouterFreeBidiResponseContainer
PrvRouterFreePrinterNotifyInfo
PrvRouterGetCorePrinterDrivers
PrvRouterGetPrintClassObject
PrvRouterGetPrinterDriverPackagePath
PrvRouterInstallPrinterDriverFromPackage
PrvRouterInternalGetPrinterDriver
PrvRouterRefreshPrinterChangeNotification
PrvRouterRegisterForPrintAsyncNotifications
PrvRouterReplyPrinter
PrvRouterSpoolerSetPolicy
PrvRouterUnregisterForPrintAsyncNotifications
PrvRouterUploadPrinterDriverPackage
PrvScheduleJob
PrvSeekPrinter
PrvSendRecvBidiData
PrvSetFormW
PrvSetJobW
PrvSetPortW
PrvSetPrinterDataExW
PrvSetPrinterDataW
PrvSetPrinterW
PrvSplCloseSpoolFileHandle
PrvSplCommitSpoolData
PrvSplDriverUnloadComplete
PrvSplGetClientUserHandle
PrvSplGetSpoolFileInfo
PrvSplGetUserSidStringFromToken
PrvSplInitializeWinSpoolDrv
PrvSplIsSessionZero
PrvSplIsUpgrade
PrvSplProcessPnPEvent
PrvSplProcessSessionEvent
PrvSplPromptUIInUsersSession
PrvSplQueryUserInfo
PrvSplReadPrinter
PrvSplRegisterForDeviceEvents
PrvSplRegisterForSessionEvents
PrvSplShutDownRouter
PrvSplUnregisterForDeviceEvents
PrvSplUnregisterForSessionEvents
PrvSpoolerFindClosePrinterChangeNotification
PrvSpoolerFindFirstPrinterChangeNotification
PrvSpoolerFindNextPrinterChangeNotification
PrvSpoolerFreePrinterNotifyInfo
PrvSpoolerHasInitialized
PrvSpoolerInit
PrvSpoolerRefreshPrinterChangeNotification
PrvStartDocPrinterW
PrvStartPagePrinter
PrvUndoAlignKMPtr
PrvUndoAlignRpcPtr
PrvUpdateBufferSize
PrvUpdatePrinterRegAll
PrvUpdatePrinterRegAllEx
PrvUpdatePrinterRegUser
PrvWaitForPrinterChange
PrvWaitForSpoolerInitialization
PrvWritePrinter
PrvXcvDataW
PrvbGetDevModePerUser
PrvbSetDevModePerUser
RouterLogJobInfoForBranchOffice
ServerGetPrintClassObject
SplUalCollectData
YAbortPrinter
YAddJob
YDriverUnloadComplete
YEndDocPrinter
YEndPagePrinter
YFlushPrinter
YGetPrinter
YGetPrinterDriver2
YGetPrinterDriverDirectory
YReadPrinter
YSeekPrinter
YSetJob
YSetPort
YSetPrinter
YSplReadPrinter
YStartDocPrinter
YStartPagePrinter
YWritePrinter
Sections
.text Size: 432KB - Virtual size: 432KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 220KB - Virtual size: 219KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 3KB - Virtual size: 9KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 23KB - Virtual size: 22KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 512B - Virtual size: 384B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 57KB - Virtual size: 56KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 576KB - Virtual size: 580KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE