45e9a93b673ac7f8b80aeab8bc7f2bf2e6e51f5a42bb4e6fd8003411ebfa24cbN

Sharing

Copy URL Twitter E-mail

General

Target

45e9a93b673ac7f8b80aeab8bc7f2bf2e6e51f5a42bb4e6fd8003411ebfa24cbN
Size

60KB
MD5

2e06e789ae31983a0371999b9ce5b6d0
SHA1

0fc77f987ad095167e79fb3720b762422fb41b5a
SHA256

45e9a93b673ac7f8b80aeab8bc7f2bf2e6e51f5a42bb4e6fd8003411ebfa24cb
SHA512

4eb4ae0c0074c3d2a2f7a79db50772a26113014be637bfbf6ef9fce9eaeeddafb57d601ae20f2ee5679930d31d2385ffb13a5828cc049a836c89a2b8b97e551c
SSDEEP

1536:Vsmf2mVkYRp2GEtW8die1/SGhmch0op1sKYteakGZGlAltAD2:+mDuYb2BD1Jh0K1szQalZSAltAC

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/wkssvc.dll

Files

45e9a93b673ac7f8b80aeab8bc7f2bf2e6e51f5a42bb4e6fd8003411ebfa24cbN
.cab
wkssvc.dll
.dll windows:5 windows x86 arch:x86

a24dced278b9c85e240122e13e243dd9

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

wkssvc.pdb

Imports

msvcrt

wcslen
wcscat
wcscpy
_wcsicmp
_wcsnicmp
_snwprintf
wcschr
wcsrchr
wcsncmp
wcsncpy
strncpy
free
_initterm
_adjust_fdiv
malloc
swprintf
_vsnprintf
sprintf
wcsspn
wcstoul
_vsnwprintf
_wcsupr
_wcslwr
wcscmp
toupper
memcpy
memset
_except_handler3

ntdll

NtSetInformationThread
NtAdjustPrivilegesToken
NtDuplicateToken
NtOpenProcessToken
RtlCompareMemoryUlong
RtlxUnicodeStringToOemSize
NlsMbOemCodePageTag
RtlInitializeSid
RtlSubAuthoritySid
RtlAdjustPrivilege
RtlDeleteSecurityObject
RtlLengthSid
RtlSetSaclSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAce
RtlCreateAcl
RtlNewSecurityObject
RtlEqualSid
RtlFreeUnicodeString
RtlConvertSidToUnicodeString
RtlCompareMemory
NtDeviceIoControlFile
NtFsControlFile
NtLoadDriver
NtUnloadDriver
RtlInitUnicodeString
NtOpenFile
RtlCopyLuid
RtlAcquireResourceShared
RtlDeleteResource
DbgPrint
RtlInitializeResource
RtlNtStatusToDosError
NtQueryInformationProcess
RtlDeregisterWait
RtlAcquireResourceExclusive
RtlReleaseResource
RtlRegisterWait
NtAccessCheckAndAuditAlarm
NtClose
RtlCompareUnicodeString
NtQueryInformationToken
NtOpenThreadToken
RtlGetNtProductType
RtlQueryRegistryValues
NtQueryVolumeInformationFile
RtlRunEncodeUnicodeString
RtlRunDecodeUnicodeString
RtlAppendUnicodeStringToString
RtlCopyUnicodeString
RtlIntegerToUnicodeString
NtCreateFile
RtlFreeOemString
RtlUnicodeStringToOemString
RtlInitString
NtCreateEvent
DbgBreakPoint
RtlCopySid

advapi32

MD5Init
MD5Update
MD5Final
RegQueryValueExW
SetThreadToken
RevertToSelf
OpenThreadToken
RegisterEventSourceW
SystemFunction007
SystemFunction001
RegQueryInfoKeyW
LsaDelete
LsaCreateSecret
LsaQuerySecret
LsaSetSecret
LsaSetInformationPolicy
RegDeleteKeyW
RegCreateKeyExW
CryptAcquireContextW
CryptGenRandom
CryptReleaseContext
LookupAccountSidW
GetSidSubAuthorityCount
GetSidSubAuthority
RegOpenKeyW
LsaOpenSecret
ChangeServiceConfigW
StartServiceW
EnumDependentServicesW
ControlService
OpenSCManagerW
OpenServiceW
QueryServiceConfigW
QueryServiceStatus
CloseServiceHandle
RegConnectRegistryW
ReportEventW
SystemFunction029
DeregisterEventSource
LsaOpenPolicy
LsaQueryInformationPolicy
LsaFreeMemory
LsaClose
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegisterServiceCtrlHandlerW
I_ScSetServiceBitsW
SetServiceStatus
RegNotifyChangeKeyValue

secur32

LsaCallAuthenticationPackage
LsaDeregisterLogonProcess
LsaRegisterLogonProcess
LsaLookupAuthenticationPackage
LsaFreeReturnBuffer

netapi32

NetUserSetInfo
NetApiBufferFree
I_NetListTraverse
I_NetListCanonicalize
I_NetNameCanonicalize
I_NetPathCanonicalize
NetUnregisterDomainNameChangeNotification
NetRegisterDomainNameChangeNotification
DsRoleFreeMemory
DsRoleGetPrimaryDomainInformation
DsGetDcNameW
NetApiBufferAllocate
NetUserGetInfo
I_NetServerReqChallenge
I_NetServerAuthenticate3
NetUseDel
NetUseAdd
NetLocalGroupAddMember
NetLocalGroupDelMember
DsEnumerateDomainTrustsW
I_NetNameValidate
I_NetNameCompare
NetUserAdd
Netbios
NetpIsRemote
DsGetDcNameWithAccountW
I_NetPathType

rpcrt4

RpcServerUseProtseqEpW
NdrServerCall2
RpcServerRegisterIfEx
RpcRevertToSelf
RpcImpersonateClient
RpcBindingServerFromClient
RpcServerUnregisterIf
RpcBindingToStringBindingW
RpcStringBindingParseW
RpcBindingFree
RpcStringFreeW
I_RpcBindingIsClientLocal

kernel32

LoadLibraryW
GetComputerNameExW
GetComputerNameW
GetSystemWindowsDirectoryW
FreeLibrary
LoadLibraryA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
DisableThreadLibraryCalls
MoveFileExW
GetFileSize
SetFilePointer
GetCurrentProcessId
GetCurrentThread
FlushFileBuffers
GetLocalTime
GetWindowsDirectoryW
GetFileAttributesW
GetProcAddress
DelayLoadFailureHook
EnumerateLocalComputerNamesW
DnsHostnameToComputerNameW
AddLocalAlternateComputerNameW
CreateDirectoryW
RemoveLocalAlternateComputerNameW
SetLocalPrimaryComputerNameW
GetVersionExW
SetComputerNameExW
WriteFile
InterlockedCompareExchange
Sleep
QueryDosDeviceW
DefineDosDeviceW
DosPathToSessionPathW
GetVersion
GlobalMemoryStatus
CreateFileW
LocalReAlloc
LocalUnlock
LocalLock
WaitForMultipleObjects
OpenEventW
LocalAlloc
LocalFree
ResetEvent
WaitForSingleObject
DeleteCriticalSection
CloseHandle
InitializeCriticalSection
CreateEventW
lstrcmpW
EnterCriticalSection
SetEvent
GetLastError
LeaveCriticalSection

ntdsapi

DsFreeNameResultW
DsMakePasswordCredentialsW
DsBindWithCredW
DsCrackNamesW
DsFreePasswordCredentials
DsUnBindW

samlib

SamCloseHandle
SamSetInformationUser
SamQueryInformationUser
SamOpenUser
SamFreeMemory
SamLookupNamesInDomain
SamOpenDomain
SamConnect

Exports

Exports

ServiceMain
SvchostPushServiceGlobals

Sections

.text
Size: 121KB - Virtual size: 120KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a24dced278b9c85e240122e13e243dd9

Headers

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

advapi32

secur32

netapi32

rpcrt4

kernel32

ntdsapi

samlib

Exports

Exports

Sections

.text Size: 121KB - Virtual size: 120KB

.data Size: 3KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 1016B

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 121KB - Virtual size: 120KB

.data
Size: 3KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 1016B

.reloc
Size: 5KB - Virtual size: 5KB