ntdsa.pdb
Static task: static1
Behavioral task: behavioral1 (sample: ntdsa.dll, resource: win7-20240704-en)
Behavioral task: behavioral2 (sample: ntdsa.dll, resource: win10v2004-20240802-en)
General
Target: 98f158cc7c32c5aee328ee1c62c9878d5042ff847219378f20c68e6b26550397N
Size: 706KB
MD5: 0e3158db3841ac3d9a4d564fd2f79ce0
SHA1: 06793388c8563208fbb065109be4c1b5b4c929cf
SHA256: 98f158cc7c32c5aee328ee1c62c9878d5042ff847219378f20c68e6b26550397
SHA512: 23a4082a84b29b7245206a3e25c9048fe4557fb2a1f1cf86c5fc0fe7a102689ae98102d0eba3de6b8d7d0b85794ceb035cefcbc8ac98fa09e9d7b4e4b981ed8c
SSDEEP: 12288:Ye3nfWsP+oZkw89axYdV+IMxUbEMAzz/CRvV+V2UOBNvRm1U7xieJavYvjyVjXUU:usWoZkwkpdV8xUIMAz2RtZUqNZmLep23
Malware Config
Signatures
- Unsigned PE (1 IoC): checks for missing Authenticode signature. Resource: unpack001/ntdsa.dll
Files
- 98f158cc7c32c5aee328ee1c62c9878d5042ff847219378f20c68e6b26550397N.cab
- ntdsa.dll.dll (windows:5 windows x86 arch:x86) 6cb78a1646cb64b24d1406bd45526e45
Headers
File Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DLL
PDB Paths
Imports
msvcrt
free
wcsncat
swprintf
wcschr
_wcsicmp
wcscat
wcsrchr
_except_handler3
wcscpy
_snwprintf
wcslen
malloc
_purecall
_errno
_strdup
_strcmpi
mbtowc
wcstombs
_wtoi
isdigit
strftime
_strupr
_adjust_fdiv
_initterm
mbstowcs
strtol
_endthreadex
__CxxFrameHandler
??2@YAPAXI@Z
??3@YAXPAX@Z
wcsncmp
towlower
iswxdigit
wcstol
isxdigit
_i64tow
iswcntrl
strncpy
_splitpath
_makepath
_resetstkoflw
_vsnwprintf
_vsnprintf
strstr
isspace
_strnicmp
wcscmp
iswdigit
time
tolower
isalpha
_ultow
towupper
wcsncpy
sscanf
strtoul
srand
strncmp
atoi
_wcsdup
calloc
rand
realloc
_daylight
_timezone
_itow
_heapmin
exit
_itoa
_ultoa
signal
strrchr
_stricmp
_getpid
_memicmp
atol
strchr
_beginthreadex
qsort
bsearch
_wcsnicmp
_abnormal_termination
_local_unwind2
_snprintf
strerror
sprintf
memmove
swscanf
_sleep
wcstoul
ntdll
RtlLengthSid
RtlAllocateHeap
RtlReAllocateHeap
RtlFreeHeap
RtlSubAuthorityCountSid
RtlEqualSid
RtlDestroyHeap
RtlWalkHeap
RtlCreateHeap
RtlGetDaclSecurityDescriptor
RtlGetControlSecurityDescriptor
RtlGetGroupSecurityDescriptor
RtlGetOwnerSecurityDescriptor
RtlRunDecodeUnicodeString
RtlInitString
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlRunEncodeUnicodeString
NtCreateFile
RtlDeregisterWait
RtlRegisterWait
RtlCompareUnicodeString
RtlInitializeCriticalSection
RtlInsertElementGenericTableAvl
RtlEnumerateGenericTableWithoutSplayingAvl
RtlDeleteElementGenericTableAvl
RtlInitializeGenericTableAvl
NtConnectPort
NtRequestWaitReplyPort
DbgPrint
RtlNtStatusToDosError
RtlValidSid
NtClose
NtCreateEvent
NtOpenEvent
RtlInitUnicodeString
RtlLengthSecurityDescriptor
RtlValidRelativeSecurityDescriptor
RtlDnsHostNameToComputerName
RtlAllocateAndInitializeSid
RtlSubAuthoritySid
RtlCopySid
RtlEqualDomainName
RtlInsertElementGenericTable
RtlInitializeGenericTable
RtlLookupElementGenericTable
RtlConvertSidToUnicodeString
DbgBreakPoint
NtQueryInformationToken
NtOpenThreadToken
RtlRandomEx
RtlUnicodeStringToAnsiString
RtlCompareMemory
RtlLargeIntegerToChar
NtShutdownSystem
RtlAdjustPrivilege
NtQuerySystemTime
RtlFreeSid
RtlMakeSelfRelativeSD
ntdsapi
DsCrackSpnW
DsMakeSpnW
DsFreeNameResultW
DsCrackNamesW
ntdsatq
_AtqReadSocket@16
_AtqWriteSocket@16
_AtqWriteDatagramSocket@16
_AtqGetAcceptExAddrs@24
_AtqSyncWsaSend@16
_AtqCloseSocket@8
AtqTerminate
_AtqSetInfo2@8
_AtqSetInfo@8
AtqInitialize
_AtqFreeContext@8
_AtqContextSetInfo@12
_AtqGetDatagramAddrs@24
_AtqContextGetInfo@8
_AtqCloseEndpoint@4
_AtqStopEndpoint@4
_AtqStartEndpoint@4
_AtqEndpointSetInfo2@12
_AtqCreateEndpoint@8
_AtqContextSetInfo2@12
_AtqGetInfo@4
wldap32
ord79
ord310
ord304
ord118
ord77
ord300
ord306
ord307
ord142
ord211
ord311
ord73
ord301
ord309
ord54
ord145
ord16
ord14
ord203
ord18
ord26
ord140
ord41
ord13
ord122
ord97
ord224
ord308
samsrv
SamIDsCreateObjectInDomain
SamIDsSetObjectInformation
SampCommitBufferedWrites
SamILoopbackConnect
SamrOpenDomain
SamrOpenUser
SamrOpenAlias
SamrOpenGroup
SampAcquireWriteLock
SampDsChangePasswordUser
SamrCloseHandle
SamIRevertNullSession
SamIImpersonateNullSession
SamrDeleteGroup
SampProcessSingleLoopbackTask
SampNotifyReplicatedInChange
SamINotifyRoleChange
SampNotifyAuditChange
SampNetLogonNotificationRequired
SampIsAuditingEnabled
SampFlagsToAccountControl
SamIHandleObjectUpdate
SamIFloatingSingleMasterOpEx
SampInvalidateRidRange
SamIIsAttributeProtected
SampInvalidateDomainCache
SampReleaseWriteLock
SamrDeleteAlias
SamrDeleteUser
SamIMixedDomain2
SampAccountControlToFlags
SamIQueryServerRole2
SampGetSerialNumberDomain2
SampSetSerialNumberDomain2
SampAcquireSamLockExclusive
SampReleaseSamLockExclusive
SamINotifyServerDelta
SampAbortSingleLoopbackTask
esent
JetTerm
JetAttachDatabase
JetCreateTableColumnIndex
JetGetTableColumnInfo
JetCloseDatabase
JetDetachDatabase
JetPrepareUpdate
JetSetColumn
JetUpdate
JetEndSession
JetBeginSession
JetOpenDatabase
JetEnumerateColumns
JetGetCurrentIndex
JetSetCurrentIndex4
JetGotoBookmark
JetGotoSecondaryIndexBookmark
JetIntersectIndexes
JetInit
JetEscrowUpdate
JetRetrieveColumn
JetSetColumns
JetSeek
JetMakeKey
JetCommitTransaction
JetRollback
JetGetLock
JetBeginTransaction
JetSetTableSequential
JetOpenTempTable
JetGetTableInfo
JetGetDatabaseInfo
JetDefragment
JetCreateIndex2
JetGetRecordPosition
JetConvertDDL
JetAddColumn
JetGetSystemParameter
JetDeleteTable
JetCreateTable
JetStopServiceInstance
JetSetIndexRange
JetDeleteColumn
JetIndexRecordCount
JetCreateInstance
JetSetCurrentIndex2
JetOpenTempTable2
JetDelete
JetGotoPosition
JetGetBookmark
JetGetSecondaryIndexBookmark
JetRetrieveKey
JetDupCursor
JetSetSystemParameter
JetUpdate2
JetCloseTable
JetRetrieveColumns
JetMove
JetGetColumnInfo
JetGetTableIndexInfo
JetSetCurrentIndex
JetDeleteIndex
JetGetIndexInfo
JetOpenTable
netapi32
NetLocalGroupDelMembers
NetAlertRaiseEx
NetApiBufferFree
DsValidateSubnetNameW
NetApiBufferAllocate
DsGetDcCloseW
DsGetDcNextW
DsGetDcOpenW
DsGetDcNameW
NetUserModalsGet
NetLocalGroupAddMembers
kernel32
MapViewOfFile
ExpandEnvironmentStringsA
FlushFileBuffers
MoveFileW
CreateFileW
SetFilePointer
SetErrorMode
ReadFile
DelayLoadFailureHook
GetLocalTime
ResumeThread
GetPrivateProfileSectionA
GetEnvironmentVariableA
GetEnvironmentVariableW
LocalReAlloc
TryEnterCriticalSection
FileTimeToLocalFileTime
GetSystemTime
GetVersionExA
DuplicateHandle
lstrcatA
IsValidCodePage
OutputDebugStringA
GetUserDefaultLangID
CreateSemaphoreW
IsValidLocale
GetSystemDefaultLangID
GetExitCodeThread
ReleaseMutex
GetThreadPriority
GetModuleHandleW
DeleteCriticalSection
LoadLibraryExA
DeviceIoControl
GetFileAttributesA
GetVolumeNameForVolumeMountPointA
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
CreateFileA
WriteFile
CompareFileTime
RaiseException
ReleaseSemaphore
GetVersionExW
GetModuleHandleA
GetModuleFileNameA
lstrcpyA
ResetEvent
LocalAlloc
lstrlenW
GetComputerNameExW
GetComputerNameW
DnsHostnameToComputerNameW
SetProcessWorkingSetSize
TlsAlloc
CreateSemaphoreA
GlobalMemoryStatusEx
DebugBreak
GetWindowsDirectoryW
CreateFileMappingA
MulDiv
GetSystemDirectoryW
GetSystemInfo
CreateMutexA
GetProcAddress
FreeLibrary
InterlockedCompareExchange
LoadLibraryA
lstrlenA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
MultiByteToWideChar
TlsGetValue
CompareStringW
LocalFree
SetLastError
InterlockedIncrement
GetUserDefaultLCID
GetACP
LeaveCriticalSection
EnterCriticalSection
TlsSetValue
LCMapStringW
GetLastError
SystemTimeToFileTime
InterlockedExchangeAdd
FormatMessageW
LoadLibraryW
VirtualFree
VirtualAlloc
InterlockedDecrement
CloseHandle
WideCharToMultiByte
Sleep
WaitForSingleObject
SetEvent
WaitForMultipleObjects
SetThreadPriority
GetCurrentThread
InterlockedExchange
CreateEventA
IsDebuggerPresent
InitializeCriticalSectionAndSpinCount
InitializeCriticalSection
advapi32
MapGenericMask
CreatePrivateObjectSecurityWithMultipleInheritance
SetSecurityDescriptorRMControl
SetSecurityDescriptorGroup
GetAclInformation
InitializeAcl
GetAce
AddAce
AddAccessAllowedAce
LogonUserW
AllocateAndInitializeSid
CheckTokenMembership
MakeAbsoluteSD
SetSecurityDescriptorOwner
MakeSelfRelativeSD
CreateWellKnownSid
SetPrivateObjectSecurityEx
LsaQueryInformationPolicy
OpenThreadToken
GetTokenInformation
RegisterTraceGuidsA
TraceEvent
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
CopySid
GetSecurityDescriptorGroup
RegDeleteValueA
QueryServiceStatus
QueryServiceConfigA
IsValidSecurityDescriptor
MD5Final
MD5Update
MD5Init
RegNotifyChangeKeyValue
RegDeleteKeyA
RegCreateKeyA
DeregisterEventSource
ReportEventA
GetTraceLoggerHandle
DeleteAce
AddAccessAllowedObjectAce
IsValidSid
LsaFreeMemory
DestroyPrivateObjectSecurity
GetSecurityDescriptorRMControl
EqualPrefixSid
EqualSid
RegisterEventSourceA
ReportEventW
RegFlushKey
CryptReleaseContext
CryptDestroyHash
CryptGetHashParam
CryptDuplicateHash
CryptHashData
CryptCreateHash
CryptAcquireContextA
CryptGenRandom
InitiateSystemShutdownExW
SystemFunction026
SystemFunction027
SystemFunction024
SystemFunction025
RegEnumValueA
RegQueryInfoKeyA
ConvertStringSDToSDDomainA
ConvertSidToStringSidA
ConvertStringSidToSidA
CryptDeriveKey
OpenProcessToken
AdjustTokenPrivileges
ConvertStringSDToSDDomainW
RegOpenKeyA
RegQueryValueExA
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorSacl
SetNamedSecurityInfoA
ConvertStringSecurityDescriptorToSecurityDescriptorA
RegOpenKeyExA
RegSetValueExA
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegConnectRegistryW
RegOpenKeyW
RegQueryValueExW
RegDeleteValueW
RegCloseKey
GetSecurityDescriptorOwner
GetLengthSid
OpenSCManagerA
OpenServiceA
ControlService
CloseServiceHandle
ImpersonateLoggedOnUser
RevertToSelf
ConvertStringSidToSidW
GetWindowsAccountDomainSid
LsaOpenPolicy
LsaLookupSids
LsaClose
ConvertSidToStringSidW
SystemFunction036
CryptDestroyKey
CryptSetHashParam
GetSidSubAuthority
GetSidSubAuthorityCount
FreeSid
LookupAccountSidA
RegOpenKeyExW
SetSecurityDescriptorSacl
ws2_32
inet_ntoa
WSALookupServiceNextW
WSALookupServiceBeginW
ntohl
htonl
inet_addr
closesocket
WSAGetLastError
WSAIoctl
WSAEventSelect
WSASocketA
getaddrinfo
setsockopt
WSALookupServiceEnd
user32
wsprintfA
CharLowerBuffW
wsprintfW
rpcrt4
RpcEpRegisterA
RpcErrorStartEnumeration
RpcServerInqBindings
RpcEpUnregister
RpcBindingVectorFree
RpcServerListen
RpcBindingInqAuthClientA
RpcBindingToStringBindingA
RpcStringBindingParseA
RpcProtseqVectorFreeA
MesEncodeFixedBufferHandleCreate
RpcBindingFree
RpcBindingServerFromClient
RpcRaiseException
RpcSsContextLockExclusive
RpcStringBindingParseW
RpcBindingToStringBindingW
RpcTestCancel
MesBufferHandleReset
MesDecodeBufferHandleCreate
NdrServerCall2
RpcBindingSetOption
RpcSsGetContextBinding
RpcSsDestroyClientContext
RpcBindingCopy
RpcMgmtInqServerPrincNameW
RpcBindingSetAuthInfoExW
RpcEpResolveBinding
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcCancelThreadEx
I_RpcGetExtendedError
RpcAsyncCompleteCall
RpcAsyncCancelCall
RpcAsyncInitializeHandle
NdrMesTypeAlignSize2
NdrMesTypeEncode2
NdrMesTypeDecode2
NdrClientCall2
NdrAsyncClientCall
I_RpcBindingHandleToAsyncHandle
I_RpcExceptionFilter
RpcBindingSetAuthInfoExA
RpcBindingFromStringBindingA
RpcStringBindingComposeA
RpcNetworkInqProtseqsA
RpcServerUseProtseqExA
RpcServerUseProtseqEpExA
RpcServerInqDefaultPrincNameA
RpcServerRegisterAuthInfoA
RpcServerRegisterIf2
RpcServerRegisterIfEx
RpcMgmtStopServerListening
UuidCompare
RpcFreeAuthorizationContext
RpcRevertToSelf
RpcImpersonateClient
UuidToStringA
RpcStringFreeA
UuidCreate
UuidToStringW
RpcStringFreeW
I_RpcBindingInqSecurityContext
I_RpcGetCurrentCallHandle
MesHandleFree
RpcGetAuthorizationContextForClient
RpcErrorEndEnumeration
RpcErrorGetNextRecord
RpcErrorGetNumberOfRecords
UuidFromStringW
cryptdll
CDGenerateRandomBits
CDLocateCheckSum
crypt32
CertCloseStore
CryptDecodeObject
CertFindExtension
CertEnumCertificatesInStore
CryptDecryptAndVerifyMessageSignature
CryptSignAndEncryptMessage
CryptVerifyMessageSignature
CertOpenStore
CryptSignMessage
CertFreeCertificateContext
CertGetSubjectCertificateFromStore
CertVerifyCertificateChainPolicy
CertGetCertificateChain
CertDuplicateCertificateContext
CertFreeCertificateChain
CertGetNameStringW
dnsapi
DnsNameCompare_W
DnsValidateName_UTF8
DnsValidateName_W
DnsFlushResolverCacheEntry_W
lsasrv
LsaIFree_LSAPR_UNICODE_STRING_BUFFER
LsaIQueryInformationPolicyTrusted
LsaINotifyGCStatusChange
LsaIFree_LSAPR_POLICY_INFORMATION
LsaIAuditSamEvent
LsaIAdtAuditingEnabledByCategory
LsaIHealthCheck
LsaIForestTrustFindMatch
authz
AuthziInitializeAuditParamsWithRM
AuthziInitializeAuditEvent
AuthziLogAuditEvent
AuthziInitializeAuditEventType
AuthzInitializeContextFromSid
AuthzGetInformationFromContext
AuthziModifyAuditEvent2
AuthzInitializeObjectAccessAuditEvent2
AuthzOpenObjectAudit
AuthzAccessCheck
AuthzInitializeContextFromToken
AuthzFreeContext
AuthzFreeResourceManager
AuthzInitializeResourceManager
AuthzFreeAuditEvent
samlib
SamFreeMemory
SamLookupDomainInSamServer
SamCloseHandle
SamOpenGroup
SamQueryInformationUser
SamOpenUser
SamOpenAlias
SamLookupNamesInDomain
SamConnectWithCreds
SamOpenDomain
Exports
AppendRDN
AttrTypeToKey
CountNameParts
CrackSingleName
DBDsReplBackupUpdate
DBUpdateBackupTimeStamps
DSNAMEToHashKeyExternal
DSNAMEToMappedStrExternal
DSStrToHashKeyExternal
DSStrToMappedStrExternal
DbgPrintErrorInfo
DebPrint
DebugTest
DirAddEntry
DirBind
DirCompare
DirErrorToNtStatus
DirErrorToWinError
DirFindEntry
DirGetDomainHandle
DirModifyDN
DirModifyEntry
DirNotifyRegister
DirNotifyUnRegister
DirOperationControl
DirPrepareForImpersonate
DirProtectEntry
DirRead
DirRemoveEntry
DirReplicaAdd
DirReplicaDelete
DirReplicaDemote
DirReplicaGetDemoteTarget
DirReplicaModify
DirReplicaReferenceUpdate
DirReplicaSetCredentials
DirReplicaSynchronize
DirSearch
DirStopImpersonating
DirTransactControl
DoAssert
DoLogEvent
DoLogEventAndTrace
DoLogOverride
DoLogUnhandledError
DsChangeBootOptions
DsCheckConstraint
DsFreeServersAndSitesForNetLogon
DsGetBootOptions
DsGetDefaultObjCategory
DsGetEventConfig
DsGetServersAndSitesForNetLogon
DsInitialize
DsInitializeCritSecs
DsIsBeingBackSynced
DsPrepareUninitialize
DsTraceEvent
DsUninitialize
DsUpdateOnPDC
DsWaitUntilDelayedStartupIsDone
DsaDisableUpdates
DsaEnableUpdates
DsaExeStartRoutine
DsaSetInstallCallback
FindNetbiosDomainName
GCVerifyCacheLookup
GetConfigDsName
GetConfigParam
GetConfigParamAllocW
GetConfigParamW
GetConfigurationInfo
GetConfigurationName
GetConfigurationNamesList
GetDnsRootAlias
GetRDNInfoExternal
GuidBasedDNSNameFromDSName
ImpersonateAnyClient
InitCommarg
IsMangledRDNExternal
IsStringGuid
MapSpnServiceClass
MatchCrossRefByNetbiosName
MatchCrossRefBySid
MatchDomainDnByDnsName
MatchDomainDnByNetbiosName
MtxAddrFromTransportAddr
MtxSame
NameMatched
NameMatchedStringNameOnly
NamePrefix
QuoteRDNValue
SampAddLoopbackTask
SampAmIGC
SampComputeGroupType
SampDeriveMostBasicDsClass
SampDoesDomainExist
SampDsAttrFromSamAttr
SampDsClassFromSamObjectType
SampDsControl
SampExistsDsLoopback
SampExistsDsTransaction
SampGCLookupNames
SampGCLookupSids
SampGetAccountCounts
SampGetClassAttribute
SampGetDisplayEnumerationIndex
SampGetDsAttrIdByName
SampGetEnterpriseSidList
SampGetGroupsForToken
SampGetLoopbackObjectClassId
SampGetMemberships
SampGetQDIRestart
SampGetSamAttrIdByName
SampGetServerRoleFromFSMO
SampIsSecureLdapConnection
SampIsWriteLockHeldByDs
SampMaybeBeginDsTransaction
SampMaybeEndDsTransaction
SampNetlogonPing
SampSamAttrFromDsAttr
SampSamObjectTypeFromDsClass
SampSetDsa
SampSetIndexRanges
SampSetLsa
SampSetSam
SampSignalStart
SampVerifySids
THAlloc
THClearErrors
THCreate
THDestroy
THFree
THGetErrorString
THQuery
THReAlloc
THRestore
THSave
THVerifyCount
TransportAddrFromMtxAddr
TrimDSNameBy
UnImpersonateAnyClient
UpdateDSPerfStats
showInAddressBookArrayV1
Sections
.text   Size: 1.3MB - Virtual size: 1.3MB   Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
PAGELK  Size: 5KB - Virtual size: 4KB       Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   Size: 24KB - Virtual size: 166KB    Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   Size: 79KB - Virtual size: 79KB     Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  Size: 43KB - Virtual size: 43KB     Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ