xpmg[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

xpmg.exe
Size

10.9MB
MD5

73e43654e9f3df0d07d25051b2d3cfeb
SHA1

6eebcc3ab72ea0eeb5b9d3340145b41bea23423b
SHA256

666944b19c707afaa05453909d395f979a267b28ff43d90d143cd36f6b74b53e
SHA512

871600ae79b26bde4b5601fcf3c9e2e3d2a9f9bc04cd06d10cf69036a714a5b89b811da07070e021e7d844fc8c57a406e17361e8f738b1068b24d989e40e659c
SSDEEP

196608:KoykUxv987qMNR4Ok/RDpgPnqSuR3pfRkAJ:7UxFUqMNR4Ok5DpgPnqSuR3pfRf

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
xpmg.exe

Files

xpmg.exe
.exe windows:6 windows x64 arch:x64

b499fbb2966a868acfd7581339fc5018

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ole32

CoInitialize
StgCreateDocfile
CoTaskMemFree
CoCreateInstance
CoUninitialize

user32

GetUserObjectInformationW
MessageBoxW
GetProcessWindowStation

ws2_32

gethostname
__WSAFDIsSet
inet_ntop
WSAWaitForMultipleEvents
WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
WSAIoctl
inet_pton
sendto
recvfrom
getpeername
socket
listen
bind
accept
send
recv
getservbyname
getservbyport
gethostbyaddr
inet_ntoa
inet_addr
gethostbyname
getsockname
freeaddrinfo
getaddrinfo
shutdown
ntohs
WSASocketW
WSARecv
select
getsockopt
connect
WSAStringToAddressW
WSASend
WSAGetLastError
WSASetLastError
WSACleanup
WSAStartup
setsockopt
ntohl
htons
htonl
ioctlsocket
closesocket

bcrypt

BCryptGenRandom

advapi32

CryptDestroyKey
RegOpenKeyExW
RegGetValueW
RegEnumKeyExW
RegQueryInfoKeyW
RegSetValueExW
RegEnumValueW
SystemFunction036
CryptAcquireContextA
CryptReleaseContext
CryptGenRandom
CryptEnumProvidersA
CryptAcquireContextW
DeregisterEventSource
RegisterEventSourceW
ReportEventW
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptEncrypt
CryptImportKey
RegCloseKey
CryptDestroyHash

kernel32

QueryDepthSList
InterlockedFlushSList
InterlockedPushEntrySList
InterlockedPopEntrySList
DuplicateHandle
LoadLibraryExW
FreeLibraryAndExitThread
GetThreadTimes
GetCurrentThread
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
LCMapStringEx
GetCPInfo
CompareStringEx
DecodePointer
EncodePointer
SignalObjectAndWait
CreateThread
GetThreadPriority
GetCurrentProcessorNumberEx
GetLogicalProcessorInformationEx
GetNumaHighestNodeNumber
GetThreadGroupAffinity
SetThreadGroupAffinity
GetProcessAffinityMask
ExitThread
ResumeThread
SetConsoleCtrlHandler
ExitProcess
GetDriveTypeW
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
SetStdHandle
GetLastError
FormatMessageA
FormatMessageW
MultiByteToWideChar
WideCharToMultiByte
LocalFree
CloseHandle
SetLastError
CreateIoCompletionPort
GetQueuedCompletionStatus
PostQueuedCompletionStatus
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
SetEvent
WaitForSingleObject
SleepEx
CreateEventW
SetWaitableTimer
WaitForMultipleObjects
QueueUserAPC
TerminateThread
InitializeCriticalSectionEx
CreateWaitableTimerW
LoadLibraryA
InitializeCriticalSection
Sleep
GetSystemInfo
VirtualFree
GetEnvironmentVariableW
GetCurrentDirectoryW
CreateDirectoryW
CreateFileW
DeleteFileW
FlushFileBuffers
GetFileAttributesW
GetFileInformationByHandle
GetFileTime
GetFullPathNameW
RemoveDirectoryW
SetEndOfFile
SetFileAttributesW
SetFilePointerEx
DeviceIoControl
GetWindowsDirectoryW
GetModuleHandleW
GetProcAddress
CreateDirectoryExW
CopyFileExW
GetConsoleOutputCP
AreFileApisANSI
DeleteFileA
GetTempPathA
GetTempFileNameA
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetCurrentProcess
GetExitCodeProcess
GetNativeSystemInfo
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleExA
CreateFileA
GetFileAttributesExA
LockFileEx
UnlockFileEx
FreeLibrary
LoadLibraryW
FindClose
ResetEvent
CreateEventA
GetTickCount
QueryPerformanceCounter
MapViewOfFile
CreateFileMappingW
GetSystemTime
GetSystemTimeAsFileTime
SystemTimeToFileTime
GetProcessHeap
GetCurrentProcessId
GetFileSize
UnlockFile
HeapDestroy
HeapCompact
HeapAlloc
HeapReAlloc
WaitForSingleObjectEx
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
HeapSize
HeapValidate
CloseThreadpoolWait
CreateMutexW
GetTempPathW
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
WriteFile
HeapFree
HeapCreate
ReadFile
RaiseException
TryEnterCriticalSection
GetCurrentThreadId
RtlVirtualUnwind
GetStdHandle
GetFileType
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleExW
GetACP
ReleaseSemaphore
GetExitCodeThread
CreateSemaphoreA
GetSystemDirectoryA
TerminateProcess
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
FindFirstFileW
FindNextFileW
InitializeConditionVariable
WakeConditionVariable
SleepConditionVariableCS
SetThreadPriority
GetFileSizeEx
CreateFileMappingA
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
QueryPerformanceFrequency
GetSystemDirectoryW
GetEnvironmentVariableA
VerSetConditionMask
GetModuleHandleA
VerifyVersionInfoW
PeekNamedPipe
SetThreadpoolWait
CreateThreadpoolWait
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
CreateThreadpoolTimer
FreeLibraryWhenCallbackReturns
FlushProcessWriteBuffers
CreateSemaphoreExW
CreateEventExW
SetEnvironmentVariableW
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetTimeZoneInformation
IsValidCodePage
WriteConsoleW
GetOEMCP
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
MoveFileExW
UnmapViewOfFile
SwitchToThread
ReleaseSRWLockShared
AcquireSRWLockShared
TryAcquireSRWLockExclusive
SleepConditionVariableSRW
GetTickCount64
GetStringTypeW
WakeAllConditionVariable
GetLocaleInfoEx
FindFirstFileExW
FreeEnvironmentStringsW

oleaut32

OleCreatePropertyFrame
SysAllocStringByteLen
SysStringByteLen
VariantClear
VariantInit
SysFreeString
SysAllocString

ntdll

RtlPcToFileHeader
RtlCaptureContext
RtlLookupFunctionEntry
RtlUnwindEx
RtlUnwind

crypt32

CertGetCertificateChain
CertCloseStore
CertFindCertificateInStore
CertFreeCertificateContext
CertOpenSystemStoreW
CertOpenStore
CertEnumCertificatesInStore
CryptStringToBinaryW
PFXImportCertStore
CryptDecodeObjectEx
CertAddCertificateContextToStore
CertFindExtension
CertGetNameStringW
CryptQueryObject
CertCreateCertificateChainEngine
CertFreeCertificateChainEngine
CertFreeCertificateChain

Sections

.text
Size: 8.1MB - Virtual size: 8.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 115KB - Virtual size: 290KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 314KB - Virtual size: 313KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 60KB - Virtual size: 59KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b499fbb2966a868acfd7581339fc5018

Headers

DLL Characteristics

File Characteristics

Imports

ole32

user32

ws2_32

bcrypt

advapi32

kernel32

oleaut32

ntdll

crypt32

Sections

.text Size: 8.1MB - Virtual size: 8.1MB

.rdata Size: 2.3MB - Virtual size: 2.3MB

.data Size: 115KB - Virtual size: 290KB

.pdata Size: 314KB - Virtual size: 313KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 60KB - Virtual size: 59KB

.text
Size: 8.1MB - Virtual size: 8.1MB

.rdata
Size: 2.3MB - Virtual size: 2.3MB

.data
Size: 115KB - Virtual size: 290KB

.pdata
Size: 314KB - Virtual size: 313KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 60KB - Virtual size: 59KB