Manalyze report for 5a55a90856fba5eec9396e50a725a5540c8e3052269d6af9e80c382478175167

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2020-Dec-04 14:32:13
Detected languages	English - United States
Debug artifacts	sscqry.exe
CompanyName	Shared Services Canada
FileDescription	Software Asset Management and Query Tool
FileVersion	`3.11.11160.c8502464e4`
InternalName	sscqry.exe
LegalCopyright	Shared Services Canada
OriginalFilename	sscqry.exe
ProductName	Software Asset Manager
ProductVersion	`3.11.11160.c8502464e4`

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentControlSet\services` `Contains domain names: global.gc.ca https://205.193.217.50 https://sscquery.prod.global.gc.ca https://sscquery.ssc-spc.gc.ca prod.global.gc.ca spc.gc.ca ssc-spc.gc.ca sscquery.prod.global.gc.ca sscquery.ssc-spc.gc.ca`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES` `Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryA LoadLibraryW LoadLibraryExW GetProcAddress` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Can access the registry: RegQueryValueExW RegOpenKeyA RegDeleteKeyA RegCloseKey RegQueryValueExA RegCreateKeyExA RegFlushKey RegSetValueExA RegOpenKeyExA` `Possibly launches other programs: CreateProcessA` `Uses Microsoft's cryptographic API: CryptAcquireContextA CryptGenRandom CryptReleaseContext` `Can create temporary files: CreateFileW GetTempPathW GetTempPathA CreateFileA` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc` `Has Internet access capabilities: WinHttpCloseHandle WinHttpOpen WinHttpGetProxyForUrl WinHttpGetIEProxyConfigForCurrentUser InternetGetConnectedState` `Leverages the raw socket API to access the Internet: freeaddrinfo getaddrinfo` `Functions related to the privilege level: AdjustTokenPrivileges OpenProcessToken` `Interacts with services: OpenSCManagerW EnumServicesStatusExW QueryServiceConfigW QueryServiceConfig2W OpenServiceW QueryServiceStatusEx CreateServiceA QueryServiceConfigA ChangeServiceConfigA ControlService OpenSCManagerA DeleteService OpenServiceA` `Enumerates local disk drives: GetVolumeInformationA` `Manipulates other processes: OpenProcess Process32NextW Process32FirstW` `Changes object ACLs: SetFileSecurityW`
Info	The PE is digitally signed.	`Signer: Shared Services Canada` `Issuer: Entrust Code Signing CA - OVCS1`
Safe	VirusTotal score: 0/69 (Scanned on 2021-03-31 21:29:12)	`All the AVs think this file is safe.`

Hashes

MD5	`2f4e61056639cddba81ee9c7bd6c62a2`
SHA1	`ab3304ee078b84e6085be5b5f950113161082512`
SHA256	`5a55a90856fba5eec9396e50a725a5540c8e3052269d6af9e80c382478175167`
SHA3	`da7b24747ba0be3cd15404f39ee0a8734ac9a85384499269dfcf49d56581bb85`
SSDeep	`49152:niq+paNOjngM3glZ6nPtHcSMrv2kz2Da3TRe:LLYtK2Dao`
Imports Hash	`368bde47258325cf86d3b33e4910af80`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x118`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2020-Dec-04 14:32:13
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x172a00`
SizeOfInitializedData	`0xfae00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000158000 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x273000`
SizeOfHeaders	`0x400`
Checksum	`0x1dfd95`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`909890ebc1434360165d5370d31ecc6c`
SHA1	`355f04ce5b16143a6e0699777a9bab0d051e2c92`
SHA256	`720de5d53578bb0dbe61ee9560d959fde3de3629a34e3f795db1f6bb478088ce`
SHA3	`9feec60900abd443b0169efd9e960638633708adad80c2faa89e0aed4543c9dc`
VirtualSize	`0x1728e2`
VirtualAddress	`0x1000`
SizeOfRawData	`0x172a00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.48986`

.rdata

MD5	`2eb09c98877c15d78d0964574319a3c5`
SHA1	`3c802e33e4e60776c5a058e8a2b45eef8b5ff11a`
SHA256	`b44b1f19a9564a85f6fd7a773484fcfaebe7984a4daa29602b9401203fdc5df0`
SHA3	`bb00e44c7886940cac36608aceebec5449cf89a6e591a0c44b6b3b053cc10653`
VirtualSize	`0x4a834`
VirtualAddress	`0x174000`
SizeOfRawData	`0x4aa00`
PointerToRawData	`0x172e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.8782`

.data

MD5	`0b1f9ef1a38a03c324fe7b91c18882f9`
SHA1	`62eebca47f7ee1f113e3a27fd8d98b748783479b`
SHA256	`466d3f286820bc50a9986a7b905ff91fdb2f3ac5ea61d80f8617faec470715fd`
SHA3	`1f6015bbd31eb65695f945b86284e93b22d6ce6149e7dae287b62389ae4766ee`
VirtualSize	`0x9b4b8`
VirtualAddress	`0x1bf000`
SizeOfRawData	`0x3400`
PointerToRawData	`0x1bd800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.25871`

.pdata

MD5	`6a510b42e21e86600e2ca31b32e25162`
SHA1	`a7be5424f5585176bcff5c40063bd9dca21089b9`
SHA256	`3a088be4db944a27092fc16a4faf6099d16b06d8deaea805d264fd6a2ddc3c02`
SHA3	`99f499c937d7e14b087e21d11d0c6334abb1ce4e118ed12e7d081c95df6ec07f`
VirtualSize	`0x130f8`
VirtualAddress	`0x25b000`
SizeOfRawData	`0x13200`
PointerToRawData	`0x1c0c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.20733`

_RDATA

MD5	`d97901f0a9f5a31b146b8da240f420cb`
SHA1	`5883d8dd0f9c7805db226d980640f0ad1d2202eb`
SHA256	`39f75ae8545c4a7c13e2b95c2b060b4f579892ec6e71946867a35ae9971b4e39`
SHA3	`9d3b9eecf3b675e232215a189dfd39501e2e290586347ba2c6fa9cf75fb0ff21`
VirtualSize	`0x94`
VirtualAddress	`0x26f000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1d3e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.43262`

.rsrc

MD5	`898e873c714e7a4ed2e83ff0cdbd1db1`
SHA1	`6442cec33eb1771a927bea977c6d98343eaeda1b`
SHA256	`0dd42c002e00dedeb1babaf4136a789d7194279b4953958676c36638f8710343`
SHA3	`e3c3309b792a2bd692a571f274dc535e3de62eae80b24acf77edcd37a5b33295`
VirtualSize	`0x580`
VirtualAddress	`0x270000`
SizeOfRawData	`0x600`
PointerToRawData	`0x1d4000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.91338`

.reloc

MD5	`bf8d4057e96a7603d24174ff36508189`
SHA1	`196f87e911234df849b8389970ebacbfcbdaa69e`
SHA256	`3a16a9d3067d8dc24956ac5cfb7007c043cd10bd7695b200e8308c2ac529f8e5`
SHA3	`a9580c800cf280d6e6fff66c388ef1469163e3f813efaf8d772bf38263efadb7`
VirtualSize	`0x1270`
VirtualAddress	`0x271000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x1d4600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.29728`

Imports

pdh.dll	`PdhMakeCounterPathW` `PdhCloseQuery` `PdhAddCounterW` `PdhOpenQueryA` `PdhGetFormattedCounterValue` `PdhCollectQueryData`
WINHTTP.dll	`WinHttpCloseHandle` `WinHttpOpen` `WinHttpGetProxyForUrl` `WinHttpGetIEProxyConfigForCurrentUser`
PSAPI.DLL	`GetProcessImageFileNameW` `GetProcessMemoryInfo` `GetModuleFileNameExW` `GetModuleFileNameExA`
WSOCK32.dll	`WSAStartup` `WSACleanup` `WSAGetLastError` `recv` `connect` `socket` `closesocket` `__WSAFDIsSet` `gethostbyname` `getsockname` `WSASetLastError` `shutdown` `send` `inet_ntoa` `getsockopt` `select`
WS2_32.dll	`freeaddrinfo` `getaddrinfo`
KERNEL32.dll	`GetStdHandle` `WriteFile` `GetModuleFileNameW` `GetModuleFileNameA` `MultiByteToWideChar` `WideCharToMultiByte` `GetCurrentProcess` `ExitProcess` `TerminateProcess` `GetModuleHandleExW` `GetCommandLineA` `GetCommandLineW` `GetACP` `GetCurrentThread` `OutputDebugStringA` `OutputDebugStringW` `CloseHandle` `WaitForSingleObjectEx` `CreateThread` `HeapAlloc` `HeapFree` `FindClose` `FindFirstFileExA` `FindNextFileA` `FindNextFileW` `IsValidCodePage` `GetOEMCP` `GetCPInfo` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetEnvironmentVariableA` `CompareStringW` `LCMapStringW` `SetStdHandle` `GetFileType` `GetStringTypeW` `GetProcessHeap` `HeapSize` `HeapReAlloc` `FlushFileBuffers` `GetConsoleCP` `GetConsoleMode` `SetFilePointerEx` `WriteConsoleW` `CreateFileW` `MoveFileExW` `AreFileApisANSI` `ReadFile` `TryEnterCriticalSection` `HeapCreate` `GetFullPathNameW` `GetDiskFreeSpaceW` `LockFile` `InitializeCriticalSection` `SetFilePointer` `GetFullPathNameA` `SetEndOfFile` `UnlockFileEx` `GetTempPathW` `TlsGetValue` `WaitForSingleObject` `GetFileAttributesW` `GetVersionExW` `UnmapViewOfFile` `HeapValidate` `Sleep` `GetTempPathA` `FormatMessageW` `GetDiskFreeSpaceA` `GetFileAttributesA` `GetFileAttributesExW` `FlushViewOfFile` `CreateFileA` `LoadLibraryA` `GetVersionExA` `DeleteFileA` `DeleteFileW` `GetSystemInfo` `LoadLibraryW` `HeapCompact` `HeapDestroy` `UnlockFile` `CreateFileMappingA` `LocalFree` `LockFileEx` `GetFileSize` `SystemTimeToFileTime` `GetSystemTime` `FormatMessageA` `CreateFileMappingW` `RaiseException` `GetTickCount` `OpenProcess` `GlobalFree` `CreatePipe` `GetTimeZoneInformation` `CreateProcessA` `GetExitCodeProcess` `VirtualQuery` `VirtualProtect` `VirtualFree` `VirtualAlloc` `GetNativeSystemInfo` `IsBadReadPtr` `Thread32Next` `Thread32First` `SuspendThread` `ResumeThread` `GetModuleHandleA` `CreateToolhelp32Snapshot` `GetExitCodeThread` `Process32NextW` `SetEvent` `TerminateThread` `Process32FirstW` `ResetEvent` `Module32FirstW` `GetThreadTimes` `Module32NextW` `CreateEventA` `ConvertThreadToFiber` `IsWow64Process` `GetProcessTimes` `OpenThread` `QueryPerformanceFrequency` `GetSystemPowerStatus` `SetErrorMode` `GetVolumeInformationA` `GetComputerNameExW` `FileTimeToSystemTime` `GetSystemDirectoryA` `VirtualUnlock` `VirtualLock` `ExpandEnvironmentStringsW` `ExpandEnvironmentStringsA` `GetEnvironmentVariableW` `GetEnvironmentVariableA` `SetThreadPriority` `HeapLock` `HeapWalk` `GetProcessHeaps` `HeapUnlock` `CreateDirectoryW` `RemoveDirectoryW` `SetFileTime` `GetFileInformationByHandle` `MoveFileW` `ReleaseSemaphore` `CreateSemaphoreA` `FindFirstFileW` `TlsAlloc` `InitializeCriticalSectionAndSpinCount` `DeleteCriticalSection` `LeaveCriticalSection` `EnterCriticalSection` `SetLastError` `GetLastError` `RtlUnwindEx` `GetModuleHandleW` `IsProcessorFeaturePresent` `GetStartupInfoW` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `IsDebuggerPresent` `RtlVirtualUnwind` `RtlLookupFunctionEntry` `RtlCaptureContext` `InitializeSListHead` `GetSystemTimeAsFileTime` `GetCurrentThreadId` `GetCurrentProcessId` `QueryPerformanceCounter` `LoadLibraryExW` `GetProcAddress` `FreeLibrary` `TlsFree` `MapViewOfFile` `TlsSetValue` `RtlUnwind` `ExitThread` `FreeLibraryAndExitThread` `CreateMutexW` `DuplicateHandle`
SHELL32.dll	`SHGetFolderPathW`
ADVAPI32.dll	`RegQueryValueExW` `LookupAccountNameW` `CryptAcquireContextA` `CryptGenRandom` `CryptReleaseContext` `OpenSCManagerW` `EnumServicesStatusExW` `QueryServiceConfigW` `QueryServiceConfig2W` `OpenServiceW` `QueryServiceStatusEx` `GetSecurityInfo` `SetSecurityDescriptorDacl` `SetFileSecurityW` `RegOpenKeyA` `SetEntriesInAclW` `ConvertStringSidToSidW` `InitializeSecurityDescriptor` `CreateServiceA` `AdjustTokenPrivileges` `RevertToSelf` `QueryServiceConfigA` `LookupPrivilegeValueA` `ChangeServiceConfigA` `ControlService` `StartServiceA` `ImpersonateSelf` `ChangeServiceConfig2A` `OpenThreadToken` `RegDeleteKeyA` `OpenProcessToken` `LsaOpenPolicy` `LsaClose` `LookupAccountSidW` `GetTokenInformation` `RegCloseKey` `StartServiceCtrlDispatcherA` `CloseServiceHandle` `RegQueryValueExA` `SetServiceStatus` `OpenSCManagerA` `RegCreateKeyExA` `RegisterServiceCtrlHandlerExA` `RegFlushKey` `DeleteService` `RegSetValueExA` `RegOpenKeyExA` `OpenServiceA`
WININET.dll	`InternetGetConnectedState`

Delayed Imports

HandlerEx

Ordinal	`1`
Address	`0x1b10`

ServiceMain

Ordinal	`2`
Address	`0x1010`

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x360`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.46753`
MD5	`00856ed42fe5a04b7a43b4a916d3e65d`
SHA1	`b2d22f7e55e9fde8e6a669b9305c73f36e911363`
SHA256	`358a94584ddd1a53e112d55e0d8e932fbed86ab6a62b5f5eb1354005e2175aec`
SHA3	`2670be726080814d675cd1e5b438233fb8688c59b64b84286f098630bd662a69`

1 (#2)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	3.11.11160.0
ProductVersion	3.11.11160.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	English - United States
CompanyName	Shared Services Canada
FileDescription	Software Asset Management and Query Tool
FileVersion (#2)	3.11.11160.c8502464e4
InternalName	sscqry.exe
LegalCopyright	Shared Services Canada
OriginalFilename	sscqry.exe
ProductName	Software Asset Manager
ProductVersion (#2)	3.11.11160.c8502464e4

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2020-Dec-04 14:32:13
Version	`0.0`
SizeofData	`35`
AddressOfRawData	`0x1a4ef8`
PointerToRawData	`0x1a3cf8`
Referenced File	sscqry.exe

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2020-Dec-04 14:32:13
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x1a4f1c`
PointerToRawData	`0x1a3d1c`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2020-Dec-04 14:32:13
Version	`0.0`
SizeofData	`712`
AddressOfRawData	`0x1a4f30`
PointerToRawData	`0x1a3d30`

TLS Callbacks

Load Configuration

Size	`0x108`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1401bf028`

RICH Header

XOR Key	`0xc4c2a410`
Unmarked objects	`0`
241 (40116)	`11`
243 (40116)	`160`
242 (40116)	`16`
199 (41118)	`5`
C++ objects (VS2019 Update 2 (16.2) compiler 27905)	`37`
C objects (VS2019 Update 2 (16.2) compiler 27905)	`19`
ASM objects (VS2019 Update 2 (16.2) compiler 27905)	`9`
Imports (VS2008 SP1 build 30729)	`29`
Total imports	`353`
264 (28106)	`198`
Exports (28106)	`1`
Resource objects (28106)	`1`
151	`1`
Linker (28106)	`1`

Errors

Leave a comment

No comments yet.