calc[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

calc.exe
Size

4.0MB
MD5

5b910527a13cd54d7ec29781ddd49679
SHA1

027bf3c58b2b154a7cecbe3403de68348a68e82b
SHA256

f8722b22552c1984b91c305826914c3babf3552becd4f87677ed1dc3003106d7
SHA512

55815cab49ac5dda1baa2ec6c9d256e017efbc507bfd3481a85864832471f1f2473001f89730fe9f32be763a1f799a0cd5207e142f37b4f71e6ce3e6d68d1769
SSDEEP

98304:hPGtKMBX+yd+h6CVKdgQynoB9YOyIJXVtrCxVAX4mHJ+2/7:ZgaJVVKvh7YOy+l9D1HAs

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
calc.exe

Files

calc.exe
.exe windows:6 windows x64 arch:x64

940e8146ef7dbfb749f6842f9e010a1e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

FormatMessageW
MoveFileExA
WaitForSingleObjectEx
GetEnvironmentVariableA
GetStdHandle
GetFileType
ReadFile
PeekNamedPipe
WaitForMultipleObjects
VerifyVersionInfoW
GetFileSizeEx
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
IsDebuggerPresent
GetModuleHandleW
GetSystemTimeAsFileTime
InitializeSListHead
DeleteFileA
FormatMessageA
GetLocaleInfoEx
FindClose
SetLastError
LeaveCriticalSection
SetUnhandledExceptionFilter
GetConsoleWindow
GetTickCount
GetSystemDirectoryA
CopyFileA
CreateToolhelp32Snapshot
OpenProcess
lstrcatA
GetCurrentDirectoryA
LoadLibraryExA
WriteFile
Process32First
GetModuleFileNameA
GetTempPathW
GetCurrentProcessId
GetCurrentThreadId
CreateFileW
VirtualAlloc
VirtualFree
GetExitCodeProcess
VirtualFreeEx
CreateRemoteThread
ReadProcessMemory
VirtualAllocEx
VirtualProtectEx
CloseHandle
GetFileAttributesExW
SleepEx
GetLastError
DeleteCriticalSection
FindFirstFileW
InitializeCriticalSectionEx
CreateThread
lstrcpyA
Sleep
RtlAddFunctionTable
WriteProcessMemory
QueryPerformanceCounter
AreFileApisANSI
Process32Next
FreeLibrary
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
GetLocaleInfoA
GetModuleHandleA
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
MultiByteToWideChar
CreateFileA
LocalFree
DeviceIoControl
GetFileInformationByHandleEx
EnterCriticalSection
LocalAlloc
LocalFree
GetModuleFileNameW
ExitProcess
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

SetCursorPos
ReleaseCapture
IsWindowUnicode
GetClientRect
SetCursor
SetCapture
GetForegroundWindow
GetKeyboardLayout
TrackMouseEvent
ClientToScreen
GetCapture
ScreenToClient
LoadCursorA
GetMessageExtraInfo
UpdateWindow
RegisterClassExA
SetWindowLongPtrA
GetClipboardData
PeekMessageA
TranslateMessage
CreateWindowExA
DefWindowProcA
GetAsyncKeyState
ShowWindow
wsprintfA
GetSystemMetrics
SetWindowPos
DestroyWindow
GetWindowRect
DispatchMessageA
SetClipboardData
GetCursorPos
OpenClipboard
CloseClipboard
GetKeyState
EmptyClipboard
PostQuitMessage

advapi32

CryptAcquireContextA
RegCreateKeyW
RegDeleteTreeW
RegCloseKey
RegSetKeyValueW
CryptReleaseContext
OpenServiceA
QueryServiceStatusEx
CryptGetHashParam
RegOpenKeyExA
CryptDestroyHash
RegSetValueExA
CryptHashData
CryptCreateHash
StartServiceA
CryptGenRandom
CryptDestroyKey
CryptImportKey
CryptEncrypt
ControlService
CreateServiceA
RegOpenKeyW
RegGetValueA
CloseServiceHandle
OpenSCManagerA
DeleteService

shell32

ShellExecuteA

imm32

ImmSetCompositionWindow
ImmSetCandidateWindow
ImmReleaseContext
ImmGetContext

d3dcompiler_43

D3DCompile

dwmapi

DwmExtendFrameIntoClientArea

msvcp140

?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z
?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z
??7ios_base@std@@QEBA_NXZ
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?widen@?$ctype@_W@std@@QEBA_WD@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Winerror_map@std@@YAHH@Z
?_Xbad_function_call@std@@YAXXZ
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?_Random_device@std@@YAIXZ
?_Syserror_map@std@@YAPEBDH@Z
_Xtime_get_ticks
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?uncaught_exception@std@@YA_NXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
?width@ios_base@std@@QEAA_J_J@Z
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?good@ios_base@std@@QEBA_NXZ
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A
?id@?$ctype@_W@std@@2V0locale@2@A
?_Xout_of_range@std@@YAXPEBD@Z
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z
?_Xlength_error@std@@YAXPEBD@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ

normaliz

IdnToAscii

ws2_32

WSASetLastError
WSAIoctl
WSAStartup
WSACleanup
socket
setsockopt
ntohs
htons
getsockopt
getsockname
getpeername
connect
bind
recv
WSAGetLastError
closesocket
WSAWaitForMultipleEvents
WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
send
__WSAFDIsSet
gethostname
ioctlsocket
sendto
recvfrom
freeaddrinfo
select
listen
htonl
accept
getaddrinfo

wldap32

ord211
ord143
ord45
ord50
ord41
ord46
ord217
ord60
ord22
ord26
ord27
ord32
ord33
ord35
ord79
ord30
ord200
ord301

crypt32

CertFreeCertificateChain
CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertOpenStore
CertCloseStore

ntdll

RtlInitUnicodeString
RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry
NtQuerySystemInformation

shlwapi

PathFileExistsA

d3d11

D3D11CreateDeviceAndSwapChain

d3dx11_43

D3DX11CreateShaderResourceViewFromMemory

vcruntime140_1

__CxxFrameHandler4

vcruntime140

memcmp
__current_exception
_CxxThrowException
memmove
__C_specific_handler
memchr
__current_exception_context
memset
__std_terminate
strstr
strchr
__std_exception_destroy
__std_exception_copy
wcsstr
strrchr
memcpy

api-ms-win-crt-stdio-l1-1-0

_set_fmode
_popen
fgets
getchar
_pclose
feof
fputs
ftell
__acrt_iob_func
_lseeki64
fflush
_get_stream_buffer_pointers
_close
_fseeki64
fsetpos
ungetc
fclose
fseek
_write
fgetpos
_read
__stdio_common_vfprintf
fgetc
fwrite
_open
_wfopen
fputc
fopen
__stdio_common_vsprintf
__p__commode
fread
__stdio_common_vsscanf
setvbuf

api-ms-win-crt-utility-l1-1-0

rand
qsort
srand

api-ms-win-crt-string-l1-1-0

strncmp
strcpy_s
isupper
strspn
tolower
_stricmp
strpbrk
strncpy
strcmp
strcspn
_strdup

api-ms-win-crt-heap-l1-1-0

realloc
_callnewh
_set_new_mode
free
malloc
calloc

api-ms-win-crt-convert-l1-1-0

atoi
strtoull
strtol
strtoul
strtod
strtoll
wcstombs

api-ms-win-crt-filesystem-l1-1-0

_wremove
_access
_stat64
_fstat64
_unlink
_unlock_file
rename
_lock_file

api-ms-win-crt-time-l1-1-0

_gmtime64
_time64
strftime

api-ms-win-crt-runtime-l1-1-0

_set_app_type
_cexit
_get_initial_narrow_environment
_initterm
_initterm_e
_exit
_errno
__p___argc
__p___argv
_c_exit
_register_thread_local_exe_atexit_callback
_crt_atexit
__sys_errlist
__sys_nerr
_beginthreadex
_seh_filter_exe
_invalid_parameter_noinfo_noreturn
_register_onexit_function
abort
exit
_getpid
system
_initialize_onexit_table
_initialize_narrow_environment
_configure_narrow_argv
terminate

api-ms-win-crt-math-l1-1-0

fmodf
cosf
ceilf
pow
acosf
_dsign
sinf
sqrt
sqrtf
__setusermatherr

api-ms-win-crt-locale-l1-1-0

___lc_codepage_func
localeconv
_configthreadlocale

Sections

.text
Size: - Virtual size: 809KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 213KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 247KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.meta0
Size: - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.meta1
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.meta2
Size: 4.0MB - Virtual size: 4.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

940e8146ef7dbfb749f6842f9e010a1e

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

imm32

d3dcompiler_43

dwmapi

msvcp140

normaliz

ws2_32

wldap32

crypt32

ntdll

shlwapi

d3d11

d3dx11_43

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: - Virtual size: 809KB

.rdata Size: - Virtual size: 213KB

.data Size: - Virtual size: 247KB

.pdata Size: - Virtual size: 32KB

.meta0 Size: - Virtual size: 1.4MB

.meta1 Size: 5KB - Virtual size: 4KB

.meta2 Size: 4.0MB - Virtual size: 4.0MB

.rsrc Size: 512B - Virtual size: 480B

.text
Size: - Virtual size: 809KB

.rdata
Size: - Virtual size: 213KB

.data
Size: - Virtual size: 247KB

.pdata
Size: - Virtual size: 32KB

.meta0
Size: - Virtual size: 1.4MB

.meta1
Size: 5KB - Virtual size: 4KB

.meta2
Size: 4.0MB - Virtual size: 4.0MB

.rsrc
Size: 512B - Virtual size: 480B