purna[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

purna.exe
Size

11.4MB
MD5

9d81ba5d44801ddc1d76812dc101a9c9
SHA1

0fe12d1182be146861081e935e980fccf6705dd4
SHA256

629e69e2109f3bc7d00143ae6c6a5c26133ccfc3f9c67d473b8e017daf5b47c4
SHA512

e0c3f677ca65f89667a5ff1d171a94431303a1edf2ec22a67f84115260e860a846cfdc1cd6ca8c6d9504fb5947f8a57933a51f45a72ad07f425495979f0c19e4
SSDEEP

196608:rs//7RtEA0lyMB6XF5sRVhbv8+FOOhV98VqBcZPIs2q9eKuKW6h:rsX7/T4E1O51EAD8Qi972+eKTr

Score

7^/10

themida

Malware Config

Signatures

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
sample	themida

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
purna.exe

Files

purna.exe
.exe windows:6 windows x64 arch:x64

fd3db48db85c43c868e8cf4f2874eca4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CryptImportKey
CryptDestroyKey
GetLengthSid
GetTokenInformation
InitializeAcl
IsValidSid
SetSecurityInfo
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
CopySid
ConvertSidToStringSidA
CryptEncrypt
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptDestroyHash
CryptHashData
AddAccessAllowedAce

crypt32

CertGetCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CertFreeCertificateChain
CertGetNameStringA
CertFindExtension
CertOpenStore
CertCloseStore
CryptQueryObject
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CryptStringToBinaryA

d3dcompiler_43

D3DCompile

imm32

ImmReleaseContext
ImmSetCompositionWindow
ImmSetCandidateWindow
ImmGetContext

kernel32

GetFileInformationByHandleEx
GetCurrentThreadId
OutputDebugStringW
GetCurrentProcessId
GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
FindClose
SetUnhandledExceptionFilter
GetSystemTimeAsFileTime
GetFileAttributesExW
CreateFileMappingA
UnmapViewOfFile
MapViewOfFile
GetProcessHeap
HeapFree
HeapReAlloc
GetLastError
HeapAlloc
ReadFile
GetFileSizeEx
InitializeSListHead
GetLocaleInfoEx
UnhandledExceptionFilter
CreateFileA
AllocConsole
SetConsoleTitleA
CreateProcessA
CloseHandle
Sleep
WaitForSingleObject
AreFileApisANSI
GetCurrentDirectoryW
FindFirstFileW
CreateDirectoryW
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
WaitForMultipleObjects
PeekNamedPipe
GetFileType
GetStdHandle
GetEnvironmentVariableA
WaitForSingleObjectEx
MoveFileExA
GetTickCount
VerifyVersionInfoA
GetSystemDirectoryA
SleepEx
LeaveCriticalSection
EnterCriticalSection
LocalFree
FormatMessageA
SetLastError
QueryFullProcessImageNameW
GetModuleHandleW
GetModuleFileNameW
GetModuleFileNameA
CreateFileMappingW
VirtualProtect
CreateThread
GetCurrentProcess
GlobalUnlock
WideCharToMultiByte
GlobalLock
GlobalFree
GlobalAlloc
QueryPerformanceCounter
FreeLibrary
VerSetConditionMask
GetProcAddress
QueryPerformanceFrequency
LoadLibraryA
MultiByteToWideChar
GetLocaleInfoA
GetModuleHandleA
HeapDestroy
HeapSize
CreateFileW
InitializeCriticalSectionEx
DeleteCriticalSection

msvcp140

?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?always_noconv@codecvt_base@std@@QEBA_NXZ
??Bid@locale@std@@QEAA_KXZ
??7ios_base@std@@QEBA_NXZ
?setf@ios_base@std@@QEAAHHH@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z
?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV?$basic_ios@DU?$char_traits@D@std@@@1@AEAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
??4?$_Iosb@H@std@@QEAAAEAV01@$$QEAV01@@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?ReportUnhandledError@_ExceptionHolder@details@Concurrency@@AEAAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
??1_Lockit@std@@QEAA@XZ
??0_Lockit@std@@QEAA@H@Z
?uncaught_exceptions@std@@YAHXZ
?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A
?_Xbad_alloc@std@@YAXXZ
?_Winerror_map@std@@YAHH@Z
?_Xbad_function_call@std@@YAXXZ
?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A
?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
?id@?$ctype@D@std@@2V0locale@2@A
?_Syserror_map@std@@YAPEBDH@Z
?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?do_encoding@?$codecvt@_SDU_Mbstatet@@@std@@MEBAHXZ
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ
?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z

normaliz

IdnToAscii

psapi

GetModuleInformation

rpcrt4

RpcStringFreeA
UuidCreate
UuidToStringA

shell32

ShellExecuteA

shlwapi

PathFindFileNameW

user32

SetCursorPos
ReleaseCapture
IsWindowUnicode
GetClientRect
SetCursor
SetCapture
GetForegroundWindow
GetKeyboardLayout
TrackMouseEvent
ClientToScreen
GetCapture
ScreenToClient
LoadCursorA
GetMessageExtraInfo
GetKeyState
SetClipboardData
GetClipboardData
EmptyClipboard
CloseClipboard
OpenClipboard
CreateWindowExA
RegisterClassA
BlockInput
ExitWindowsEx
PostMessageA
UpdateWindow
PostQuitMessage
UnregisterClassA
PeekMessageA
TranslateMessage
DefWindowProcA
MessageBoxA
ShowWindow
SetWindowPos
GetWindowRect
DestroyWindow
DispatchMessageA
GetCursorPos

userenv

UnloadUserProfile

vcruntime140

__std_terminate
strstr
strchr
__std_exception_destroy
__std_exception_copy
strrchr
longjmp
__intrinsic_setjmp
__current_exception_context
__current_exception
__C_specific_handler
_CxxThrowException
memcmp
memchr
memset
memcpy
memcpy

vcruntime140_1

__CxxFrameHandler4

wldap32

ldap_set_optionA
ldap_initA
ldap_get_values_lenA
ldap_value_free_len
ldap_sslinitA
ldap_unbind_s
ldap_get_dnA
ldap_next_attributeA
ldap_first_attributeA
ldap_next_entry
ldap_simple_bind_sA
ldap_bind_sA
ldap_search_sA
ldap_msgfree
ldap_err2stringA
ldap_first_entry
ldap_memfreeA
ber_free

ws2_32

accept
closesocket
recv
send
WSAGetLastError
bind
connect
getpeername
getsockname
getsockopt
htons
htons
setsockopt
socket
WSASetLastError
WSAIoctl
WSAStartup
WSACleanup
gethostname
htonl
listen
htonl
ioctlsocket
sendto
recvfrom
FreeAddrInfoW
getaddrinfo
__WSAFDIsSet
select

ucrtbase

atoi
strtoul
_strtoui64
strtol
strtod
_strtoi64
getenv
_fstat64
remove
_lock_file
_stat64
_unlock_file
_unlink
_access
realloc
calloc
malloc
free
_callnewh
_set_new_mode
localeconv
___lc_codepage_func
_configthreadlocale
_dsign
__setusermatherr
_dclass
acosf
ceilf
cosf
fmodf
sinf
sqrtf
strerror
system
exit
__sys_nerr
_invalid_parameter_noinfo
abort
_resetstkoflw
_invalid_parameter_noinfo_noreturn
_beginthreadex
_getpid
_errno
_register_thread_local_exe_atexit_callback
_c_exit
_configure_narrow_argv
_Exit
_initterm_e
_initterm
_get_narrow_winmain_command_line
_set_app_type
_seh_filter_exe
terminate
_cexit
_crt_atexit
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
__p__commode
__stdio_common_vfprintf
fwrite
_wfopen
_read
_lseeki64
_write
__stdio_common_vsprintf
fread
__stdio_common_vsscanf
feof
fputs
fopen
_close
_open
fseek
ftell
fclose
fputc
__stdio_common_vfwprintf
_popen
_pclose
fgets
_set_fmode
fgetc
_get_stream_buffer_pointers
freopen_s
_fseeki64
fsetpos
ungetc
setvbuf
fgetpos
__acrt_iob_func
fflush
_mbsdup
isupper
strncpy
strspn
strncmp
tolower
strpbrk
strcspn
strcmp
_time64
_localtime64
strftime
_gmtime64
qsort

d3d11

D3D11CreateDeviceAndSwapChain

d3dx11_43

D3DX11CreateShaderResourceViewFromMemory

dwmapi

DwmExtendFrameIntoClientArea

urlmon

URLDownloadToFileW

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 883KB - Virtual size: 896KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 53KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 5KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.imports
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.themida
Size: 5.9MB - Virtual size: 5.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

.taggant
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.SCY
Size: 15KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

fd3db48db85c43c868e8cf4f2874eca4

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

crypt32

d3dcompiler_43

imm32

kernel32

msvcp140

normaliz

psapi

rpcrt4

shell32

shlwapi

user32

userenv

vcruntime140

vcruntime140_1

wldap32

ws2_32

ucrtbase

d3d11

d3dx11_43

dwmapi

urlmon

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

Size: 883KB - Virtual size: 896KB

Size: 4KB - Virtual size: 8KB

Size: 53KB - Virtual size: 56KB

Size: 512B - Virtual size: 4KB

Size: 5KB - Virtual size: 8KB

.imports Size: 2KB - Virtual size: 4KB

.tls Size: 512B - Virtual size: 4KB

.rsrc Size: 512B - Virtual size: 4KB

.themida Size: 5.9MB - Virtual size: 5.9MB

.boot Size: 3.5MB - Virtual size: 3.5MB

.reloc Size: 512B - Virtual size: 4KB

.taggant Size: 8KB - Virtual size: 12KB

.SCY Size: 15KB - Virtual size: 16KB

.text
Size: 1.2MB - Virtual size: 1.2MB

.imports
Size: 2KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

.themida
Size: 5.9MB - Virtual size: 5.9MB

.boot
Size: 3.5MB - Virtual size: 3.5MB

.reloc
Size: 512B - Virtual size: 4KB

.taggant
Size: 8KB - Virtual size: 12KB

.SCY
Size: 15KB - Virtual size: 16KB