WsmSvc.pdb
Static task
static1
Behavioral task
behavioral1
Sample
d3d11.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d3d11.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
s-etup.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
s-etup.exe
Resource
win10v2004-20241007-en
General
-
Target
1390254e815bcf8b165746e61b75c33a67be98a927def1c0dcd9af10da66d9fc.zip
-
Size
3.0MB
-
MD5
df260f1223832132ba7703c4d83fb5a7
-
SHA1
76589851f57e29c645669b7db1de810ff3b1cab3
-
SHA256
1390254e815bcf8b165746e61b75c33a67be98a927def1c0dcd9af10da66d9fc
-
SHA512
1c56fd67a71f61d41a56cabaa337e91e7ac52d9ef64acddfaed86a674897731460e9e4ae42807bec82051a53d18f776b2d63f8b911cb98b6a13854acd95ac7c1
-
SSDEEP
49152:+0Df17SYa2APxBpcuZpfDyQ/iF8R3QinAhbX2VrwDf6zN:7Dd7SCAPXpcuZV/iF8R3znAhbXgAf2N
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource unpack001/d3d11.dll
Files
-
1390254e815bcf8b165746e61b75c33a67be98a927def1c0dcd9af10da66d9fc.zip.zip
-
d3d11.dll.dll windows:6 windows x86 arch:x86
1a2012a93085bbeafed7a508663d6e82
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
PDB Paths
WsmSvc.pdb
Imports
msvcrt
_wtoi
_wtof
_ftol2
_ultow
wcsrchr
wcsstr
wcscspn
wcstoul
rand
srand
_itow
strchr
_ftol2_sse
isdigit
ldiv
wcspbrk
strncmp
_wcsrev
_onexit
_lock
__dllonexit
_unlock
_amsg_exit
_initterm
free
malloc
_XcptFilter
??0exception@@QAE@XZ
_i64tow_s
memmove
isspace
_scprintf
_vsnprintf
_CxxThrowException
iswspace
tolower
iswxdigit
iswdigit
_wcsnicmp
wcsncmp
??0exception@@QAE@ABV0@@Z
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABQBD@Z
_strnicmp
_atoi64
_wtoi64
?terminate@@YAXXZ
??1type_info@@UAE@XZ
_except_handler4_common
iswalnum
??1exception@@UAE@XZ
memmove_s
memcpy_s
memset
_scwprintf
_vsnwprintf
wcschr
_wcsicmp
__CxxFrameHandler3
_purecall
memcpy
time
ntdll
EtwLogTraceEvent
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
EtwEventActivityIdControl
EtwEventRegister
RtlInitString
NtAllocateLocallyUniqueId
RtlNtStatusToDosError
EtwEventWriteTransfer
EtwEventEnabled
EtwEventProviderEnabled
EtwEventWrite
EtwEventUnregister
kernel32
ReleaseSemaphore
SwitchToThread
OpenProcess
QueryInformationJobObject
OpenJobObjectW
CreateSemaphoreW
K32GetProcessMemoryInfo
LocalFree
LocalAlloc
FreeLibrary
GetProcAddress
LoadLibraryW
GetLastError
CloseHandle
DisableThreadLibraryCalls
SetEvent
SetLastError
UnregisterWait
CreateEventW
WaitForSingleObject
InterlockedIncrement
InterlockedDecrement
HeapSetInformation
HeapCreate
HeapDestroy
GetProcessHeap
HeapAlloc
HeapReAlloc
HeapSize
HeapFree
DelayLoadFailureHook
InterlockedCompareExchange
LoadLibraryExA
InterlockedExchange
Sleep
OutputDebugStringA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
OpenEventW
CreateJobObjectW
SetInformationJobObject
AssignProcessToJobObject
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
MultiByteToWideChar
GetSystemTime
SystemTimeToFileTime
GetCurrentThread
WideCharToMultiByte
RegCloseKey
FindNLSString
CompareStringW
GetVersionExW
GetUserDefaultUILanguage
LoadLibraryA
InterlockedPushEntrySList
LoadLibraryExW
GetSystemDirectoryW
RegQueryValueExW
RegOpenKeyExW
TzSpecificLocalTimeToSystemTime
GetTimeZoneInformation
GetComputerNameExW
GetLocaleInfoW
SetThreadUILanguage
EnumUILanguagesW
FormatMessageW
InterlockedPopEntrySList
ExpandEnvironmentStringsW
InitializeSListHead
InterlockedFlushSList
SetThreadPreferredUILanguages
WaitForMultipleObjects
DeleteTimerQueueTimer
CreateTimerQueueTimer
ResetEvent
UnregisterWaitEx
QueueUserWorkItem
RegisterWaitForSingleObject
GetThreadLocale
RegDeleteValueW
RegSetValueExW
RegCreateKeyExW
RegNotifyChangeKeyValue
DebugBreak
GetTickCount64
DuplicateHandle
FreeLibraryWhenCallbackReturns
GetModuleHandleExW
CloseThreadpoolWork
CreateThreadpoolWork
SubmitThreadpoolWork
CreateThread
LocalFileTimeToFileTime
CloseThreadpoolIo
WaitForThreadpoolIoCallbacks
CreateThreadpoolIo
FileTimeToSystemTime
CancelThreadpoolIo
StartThreadpoolIo
GetCommandLineW
InterlockedCompareExchange64
RegEnumKeyExW
RegEnumValueW
CreateFileW
GetFullPathNameW
RegSetKeySecurity
GlobalFree
oleaut32
SysAllocString
SysFreeString
SysAllocStringLen
SysStringLen
GetErrorInfo
VariantInit
VariantClear
VarCmp
logoncli
DsGetDcNameW
netapi32
DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory
ole32
CoTaskMemFree
CoDisconnectObject
CoUninitialize
CoFreeUnusedLibrariesEx
CoInitializeEx
CoCreateInstance
CoSetProxyBlanket
CoRevokeClassObject
CoTaskMemAlloc
rpcrt4
UuidFromStringW
UuidCreate
api-ms-win-security-base-l1-1-0
CreateWellKnownSid
ImpersonateLoggedOnUser
ImpersonateSelf
RevertToSelf
IsWellKnownSid
EqualSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAce
MapGenericMask
AdjustTokenPrivileges
AllocateAndInitializeSid
FreeSid
CopySid
GetLengthSid
GetKernelObjectSecurity
MakeSelfRelativeSD
SetSecurityDescriptorSacl
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
MakeAbsoluteSD
IsValidSid
CheckTokenMembership
SetKernelObjectSecurity
DuplicateTokenEx
AccessCheckAndAuditAlarmW
AddAccessAllowedAceEx
GetSecurityDescriptorLength
InitializeAcl
GetSecurityDescriptorSacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
GetSecurityDescriptorOwner
GetSecurityDescriptorGroup
Exports
@Borlndmm@SysGetMem$qqri
@Borlndmm@SysGetMem$qqri
?AddEvent@CWSManEnumerator@@QAEKPAUWSMAN_OBJECT@@0@Z
?AddObject@CWSManEnumerator@@QAEKPAUWSMAN_OBJECT@@0@Z
?Alloc@WSManMemory@@SGPAXIABVCallSite@TestSystem@@W4Mode@3@@Z
?AllocBstr@WSManMemory@@SGPAGPBGHABVCallSite@TestSystem@@@Z
D3D11CreateDevice
?Close@CWSManEnumerator@@QAEKXZ
?Free@WSManMemory@@SGXPAXABVCallSite@TestSystem@@@Z
?FreeBstr@WSManMemory@@SGXPAGHABVCallSite@TestSystem@@@Z
?Freeze@CWSManEnumerator@@QAEXXZ
?GetHeap@WSManMemory@@SGPAXXZ
?GetNext@CWSManEnumerator@@QAEKPAPAUWSMAN_OBJECT@@H@Z
?GetTotalObjectByteSize@CWSManEnumerator@@QAEHPAK@Z
?Initialize@CWSManEnumerator@@QAEKKKKK@Z
?Initialize@CWSManEnumerator@@QAEKPAX@Z
?ReAlloc@WSManMemory@@SGPAXPAXIABVCallSite@TestSystem@@W4Mode@3@@Z
CreateProvHost
EnumServiceUserResources
FwGetParsedDocument
FwGetRootElement
FwIsXmlEscapedProperly
FwXmlCloseParser
FwXmlCompareAttributeName
FwXmlCompareAttributeNameEx
FwXmlCompareElementName
FwXmlCompareElementNameEx
FwXmlCompareElementNameLen
FwXmlCompareElementNameSpace
FwXmlCompareName
FwXmlCreateXmlFromElement
FwXmlDecodeXmlEscapes
FwXmlEncodeXmlEscapes
FwXmlFindAttribute
FwXmlFindAttributeEx
FwXmlFindChildElement
FwXmlFindChildElementEx
FwXmlGetAttribute
FwXmlGetAttributeNameEx
FwXmlGetAttributeNamespacePrefix
FwXmlGetAttributeValue
FwXmlGetAttributeValueDWord
FwXmlGetBooleanValue
FwXmlGetBuffer
FwXmlGetChild
FwXmlGetElementName
FwXmlGetElementNameEx
FwXmlGetElementNamespacePrefix
FwXmlGetElementNamespaceUrl
FwXmlGetEntryNameEx
FwXmlGetNamespaceForPrefix
FwXmlGetNormalizedString
FwXmlGetReferenceXmlFromElement
FwXmlGetSimpleContent
FwXmlGetSimpleContentEx
FwXmlGetSimpleContentEx2
FwXmlHasText
FwXmlIsEmpty
FwXmlIsMustUnderstand
FwXmlIsNull
FwXmlIsSimpleContent
FwXmlIsSimpleContentOrEmpty
FwXmlIsTrueValue
FwXmlNumAttributes
FwXmlNumChildren
FwXmlNumChildrenWithName
FwXmlNumConsecutiveChildrenWithName
FwXmlParsePrefixedXML
FwXmlParseText
FwXmlParserCreate
FwXmlUpdatePrefixes
GetServiceSecurity
RegisterModule
ServiceMain
SetServiceSecurity
StartSoapProcessor
StopSoapProcessor
SubscriptionsProvEndEnumerate
SubscriptionsProvEnumerate
SubscriptionsProvPullEnumerate
SvchostPushServiceGlobals
WSManAckEvents
WSManAddSubscriptionManagerInternal
WSManCloseCommand
WSManCloseEnumerationHandle
WSManCloseEnumeratorHandle
WSManCloseObjectHandle
WSManCloseOperation
WSManClosePublisherHandle
WSManCloseSession
WSManCloseSessionHandle
WSManCloseShell
WSManCloseSubscriptionHandle
WSManConstructError
WSManCreateEnumeratorInternal
WSManCreateInternal
WSManCreateInternalEx
WSManCreatePullSubscription
WSManCreatePushSubscription
WSManCreateSession
WSManCreateSessionInternal
WSManCreateShell
WSManDecodeObject
WSManDeinitialize
WSManDeleteInternal
WSManDeleteInternalEx
WSManDeliverEndSubscriptionNotification
WSManDeliverEvent
WSManEncodeObject
WSManEncodeObjectEx
WSManEncodeObjectInternal
WSManEnumerateInternal
WSManEnumerateInternalEx
WSManEnumeratorAddEvent
WSManEnumeratorAddObject
WSManEnumeratorBatchPolicyViolated
WSManEnumeratorNextObject
WSManEnumeratorObjectCount
WSManGetErrorMessage
WSManGetInternal
WSManGetInternalEx
WSManGetSessionOptionAsDword
WSManGetSessionOptionAsString
WSManIdentifyInternal
WSManInitialize
WSManInvokeInternal
WSManInvokeInternalEx
WSManPluginAuthzOperationComplete
WSManPluginAuthzQueryQuotaComplete
WSManPluginAuthzUserComplete
WSManPluginFreeRequestDetails
WSManPluginGetOperationParameters
WSManPluginObjectAndBookmarkResult
WSManPluginObjectAndEprResult
WSManPluginObjectResult
WSManPluginOperationComplete
WSManPluginReceiveResult
WSManPluginReportContext
WSManPluginShutdown
WSManPluginStartup
WSManProvCreate
WSManProvDelete
WSManProvEndEnumerate
WSManProvEnumerate
WSManProvGet
WSManProvInvoke
WSManProvPullEnumerate
WSManProvPut
WSManPull
WSManPullEvents
WSManPutInternal
WSManPutInternalEx
WSManReceiveShellOutput
WSManRemoveSubscriptionManagerInternal
WSManRunShellCommand
WSManSendShellInput
WSManSetSessionOption
WSManShellProvEndEnumerate
WSManShellProvPullEnumerate
WSManSignalShell
Sections
.text Size: 1.0MB - Virtual size: 1.0MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 11KB - Virtual size: 16KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 827KB - Virtual size: 827KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
s-etup.exe.exe windows:6 windows x86 arch:x86
3ee74f5f298a31808b779b57777ec95d
Code Sign
Certificate 06:94:f5:f6:0b:0b:46:22:d3:39:78:dd:4b:ce:e5:69
Issuer CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Not Before 17-11-2020 00:00
Not After 21-11-2023 23:59
Subject CN=Skutta\, Kristjan,O=Skutta\, Kristjan,L=Berlin,C=DE
Extended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageDigitalSignature
-
Certificate 04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Issuer CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Not Before 22-10-2013 12:00
Not After 22-10-2028 12:00
Subject CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Extended Key Usages
ExtKeyUsageCodeSigning
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
-
Certificate 0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5a
Issuer CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US
Not Before 21-09-2022 00:00
Not After 21-11-2033 23:59
Subject CN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=US
Extended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
-
Certificate 07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Issuer CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
Not Before 23-03-2022 00:00
Not After 22-03-2037 23:59
Subject CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US
Extended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
-
Certificate 0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Issuer CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
Not Before 01-08-2022 00:00
Not After 09-11-2031 23:59
Subject CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
-
Signer da:ad:bb:f5:ae:10:6d:31:7a:b6:44:21:84:cc:ff:f0:e3:59:9d:17:4a:45:b9:46:64:7b:35:ba:7c:4d:11:b4
Actual PE Digest da:ad:bb:f5:ae:10:6d:31:7a:b6:44:21:84:cc:ff:f0:e3:59:9d:17:4a:45:b9:46:64:7b:35:ba:7c:4d:11:b4
Digest Algorithm sha256
PE Digest Matches true
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
PDB Paths
launcher.pdb
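The Code Sign section above describes a countersigned signature: the leaf certificate for Skutta, Kristjan (valid 17-11-2020 to 21-11-2023) chains to DigiCert Assured ID Root CA through the SHA2 Assured ID Code Signing CA, and the DigiCert Timestamp 2022 - 2 certificate reaches the same root through the G4 timestamping CA and the cross-signed Trusted Root G4. "PE Digest Matches true" only means the file was not altered after signing; it says nothing about the signer. Both behavioral runs (win7-20240903, win10v2004-20241007) took place after the leaf expired, and the leaf carries only the CodeSigning EKU (no Lifetime Signing), so whether Windows still accepts the signature depends on the countersignature time, which the report does not list. The script below is an added example and not part of the report: it rebuilds the two chains from the records above by issuer-to-subject matching, enforces EKU and validity windows, and applies the Authenticode countersignature rule for an assumed signing time (the signing_time argument is a hypothetical input standing in for the value the report omits).

```python
from datetime import datetime

# Certificate records transcribed from the Code Sign section (subject and issuer reduced to
# their CN, dates kept in the report's DD-MM-YYYY HH:MM form). The root, DigiCert Assured ID
# Root CA, is not itself listed on the page, so both chains stop at it.
ROOT = "DigiCert Assured ID Root CA"
CERTS = [
    # subject, issuer, not before, not after, extended key usages
    ("Skutta, Kristjan", "DigiCert SHA2 Assured ID Code Signing CA",
     "17-11-2020 00:00", "21-11-2023 23:59", {"CodeSigning"}),
    ("DigiCert SHA2 Assured ID Code Signing CA", ROOT,
     "22-10-2013 12:00", "22-10-2028 12:00", {"CodeSigning"}),
    ("DigiCert Timestamp 2022 - 2", "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
     "21-09-2022 00:00", "21-11-2033 23:59", {"TimeStamping"}),
    ("DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", "DigiCert Trusted Root G4",
     "23-03-2022 00:00", "22-03-2037 23:59", {"TimeStamping"}),
    ("DigiCert Trusted Root G4", ROOT,
     "01-08-2022 00:00", "09-11-2031 23:59", set()),   # cross-cert without EKU: unrestricted
]
SIGNER = "Skutta, Kristjan"
TSA = "DigiCert Timestamp 2022 - 2"


def report_time(s):
    """Parse a timestamp written in the report's DD-MM-YYYY HH:MM notation."""
    return datetime.strptime(s, "%d-%m-%Y %H:%M")


def build_chain(subject):
    """Follow issuer links from `subject` up to the root; raise if a link is missing."""
    by_subject = {c[0]: c for c in CERTS}
    chain = []
    while subject != ROOT:
        cert = by_subject.get(subject)
        if cert is None:
            raise ValueError(f"no certificate record for {subject!r}")
        chain.append(cert)
        subject = cert[1]
    return chain


def chain_valid_at(chain, when, eku):
    """Every certificate must cover `when` and, if it restricts EKUs, permit `eku`."""
    return all(report_time(nb) <= when <= report_time(na) and (not ekus or eku in ekus)
               for _, _, nb, na, ekus in chain)


def authenticode_verdict(when, signing_time=None):
    """Authenticode rule: a signature whose signer certificate has since expired is still
    accepted when a countersignature shows it was made while both chains were valid
    (a Lifetime Signing EKU on the leaf would switch that rule off; this leaf has none).
    `signing_time` is the hypothetical countersignature time the report does not show."""
    signer = build_chain(SIGNER)
    if chain_valid_at(signer, when, "CodeSigning"):
        return "valid"
    if (signing_time is not None
            and chain_valid_at(signer, signing_time, "CodeSigning")
            and chain_valid_at(build_chain(TSA), signing_time, "TimeStamping")):
        return "valid via countersignature"
    return "expired"
```

Run against the report's own dates, the verdict for the win10v2004-20241007 run is "expired" unless the countersignature falls between 21-09-2022 (the timestamp certificate's Not Before) and 21-11-2023 (the leaf's Not After); that window is what to confirm with signtool verify /pa /v or Get-AuthenticodeSignature on the actual s-etup.exe before treating the signature as meaningful. A valid signature from a personal certificate is also not an indicator of benign intent; it identifies the key holder, nothing more.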
Imports
kernel32
GetModuleFileNameW
GetLongPathNameW
VirtualQuery
LoadLibraryExW
GetCurrentThreadId
VerifyVersionInfoW
VerSetConditionMask
SetUnhandledExceptionFilter
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
CreateProcessW
GetExitCodeProcess
GetModuleHandleW
LoadLibraryA
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
ResetEvent
WaitForSingleObjectEx
CreateEventW
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
GetStartupInfoW
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
FatalAppExitA
ExpandEnvironmentStringsW
lstrcmpW
GetModuleFileNameA
GetModuleHandleA
GetSystemDirectoryW
LocalAlloc
InterlockedIncrement
InterlockedDecrement
FreeLibrary
InitializeCriticalSection
HeapSize
GetTimeZoneInformation
SetStdHandle
OutputDebugStringW
GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
HeapReAlloc
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
ReadConsoleW
GetFileSizeEx
ReadFile
HeapAlloc
GetProcAddress
LoadLibraryW
GetCurrentProcess
TerminateProcess
Process32Next
GetCurrentProcessId
Process32First
FormatMessageW
LocalFree
GetLastError
CreateToolhelp32Snapshot
CreateFileW
Sleep
WaitForSingleObject
CloseHandle
OpenProcess
MultiByteToWideChar
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
HeapFree
WriteConsoleW
GetFileType
WriteFile
GetStdHandle
ExitProcess
GetModuleHandleExW
FreeLibraryAndExitThread
InterlockedExchangeAdd
WideCharToMultiByte
FormatMessageA
GetLocaleInfoEx
GetCurrentDirectoryW
CreateDirectoryW
FindClose
FindFirstFileW
FindFirstFileExW
FindNextFileW
GetFileAttributesW
GetFileAttributesExW
GetFileInformationByHandle
GetFinalPathNameByHandleW
GetFullPathNameW
SetEndOfFile
SetFileInformationByHandle
SetFilePointerEx
AreFileApisANSI
CopyFileW
GetFileInformationByHandleEx
GetStringTypeW
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
InitializeCriticalSectionEx
TryEnterCriticalSection
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableCS
SleepConditionVariableSRW
GetExitCodeThread
EncodePointer
DecodePointer
LCMapStringEx
CompareStringEx
GetCPInfo
RtlUnwind
RaiseException
SetLastError
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetDriveTypeW
CreateThread
ExitThread
user32
GetWindowThreadProcessId
EnumWindows
GetClassNameW
GetWindowLongW
PostMessageW
DestroyIcon
DispatchMessageW
TranslateMessage
IsDialogMessageW
GetMessageW
LoadImageW
MoveWindow
CreateDialogParamW
EndDialog
FindWindowW
PostQuitMessage
DestroyWindow
ShowWindow
EnableWindow
LoadBitmapW
SetWindowTextW
SetWindowPos
GetSystemMetrics
SetWindowLongW
ScreenToClient
GetWindowRect
SendMessageW
GetClientRect
GetDlgItem
SetDlgItemTextW
MessageBoxW
wsprintfW
IsWindow
FindWindowExW
shell32
SHGetFolderPathW
ShellExecuteExW
advapi32
OpenSCManagerW
RegSetValueExW
RegDeleteKeyValueW
RegGetValueW
RegDeleteKeyW
CloseServiceHandle
DeleteService
QueryServiceStatus
ControlService
OpenServiceW
RegOpenKeyW
RegDeleteValueW
RegQueryValueExW
RegSetValueExA
RegOpenKeyExA
RegEnumKeyExA
RegQueryInfoKeyW
RegOpenKeyExW
RegCloseKey
d3d11
D3D11CreateDevice
comctl32
ord17
Exports
NoHotPatch
Sections
.text Size: 406KB - Virtual size: 406KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 87KB - Virtual size: 86KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 5KB - Virtual size: 15KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 154KB - Virtual size: 154KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 15KB - Virtual size: 14KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ