ap-file-wermgr[.]exe--13698776[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

ap-file-wermgr.exe--13698776.zip
Size

128KB
MD5

ce262202b229e9ccef0892d5037b2d7d
SHA1

558ef4b0a32cb7bcfbfcabe1b15456ef92c410c4
SHA256

baab0bdcd2611b54ef418225e65a2ad0fae2b9bba8e2d98d126c7ba14214d1c4
SHA512

6c7402840bcb09b5c7b8ce6f3f80996b8244eac4b6c95ac396b847013bfe8a091df4c39a3eb5e9cd2a90680dc17bd05c2eb3ebcb8a879c8eeb6c25ee6b8cf60a
SSDEEP

3072:0/BrOZx/JYKPogaIIB4Sc+0k11F9EXRzlWiqbXzc9cX5g2:0/Bj7fB4Hy1/EBBHwXg965l

Score

N/A

Malware Config

Signatures

Files

ap-file-wermgr.exe--13698776.zip
.zip

Password: cautionhandlewithcare
wermgr.exe
.exe windows x86

Password: cautionhandlewithcare

70d3a3403982f49546ec5a2fa7388b31

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:23

Not After

01/09/2022, 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5e:98:14:a5:b3:75:68:0d:71:d1:ee:9c:e7:27:e3:c0:e4:23:38:13:c5:da:0b:fa:d1:37:6d:23:2c:a6:bf:a1
Signer

Actual PE Digest

5e:98:14:a5:b3:75:68:0d:71:d1:ee:9c:e7:27:e3:c0:e4:23:38:13:c5:da:0b:fa:d1:37:6d:23:2c:a6:bf:a1

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

15/09/2022, 14:52
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

_controlfp
?terminate@@YAXXZ
_acmdln
??0exception@@QAE@ABV0@@Z
_initterm
__setusermatherr
__dllonexit
__p__fmode
free
malloc
_cexit
_onexit
??0exception@@QAE@XZ
_exit
exit
??1type_info@@UAE@XZ
memmove
??1exception@@UAE@XZ
memcpy
_except_handler4_common
__set_app_type
__getmainargs
memcmp
_amsg_exit
_lock
__p__commode
_CxxThrowException
__CxxFrameHandler3
_callnewh
_unlock
_purecall
_ismbblead
_XcptFilter
realloc
memset

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-processthreads-l1-1-0

CreateProcessW
GetStartupInfoW
GetProcessId
GetCurrentProcessId
TerminateProcess
GetCurrentThreadId
GetCurrentThread
OpenProcessToken
OpenThreadToken
GetCurrentProcess

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError
SetLastError

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
GetProcAddress
GetModuleHandleExW
GetModuleFileNameA
FreeLibrary
GetModuleFileNameW
GetModuleHandleW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetSystemDirectoryW
GetSystemTime
GetTickCount64
GetTickCount

ntdll

RtlInitUnicodeString
NtOpenEvent
RtlNtStatusToDosError
EtwTraceMessage
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
NtQueryLicenseValue
EtwGetTraceEnableFlags
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
_vsnwprintf
_wcsicmp
_wtoi64
_wtoi
memcpy_s
_vsnprintf_s
DbgPrintEx
wcsncmp
wcsrchr
_vscwprintf
memmove_s
toupper
RtlFreeSid
NtAlpcSendWaitReceivePort
NtAlpcConnectPort
RtlAllocateAndInitializeSid
NtWaitForSingleObject
EtwEventWriteNoRegistration
ZwUpdateWnfStateData
ZwQueryWnfStateNameInformation
RtlCreateBoundaryDescriptor
RtlCreateServiceSid
RtlAddSIDToBoundaryDescriptor
RtlDeleteBoundaryDescriptor
NtQuerySystemInformation
NtClose
NtQueryInformationProcess
_wcsnicmp

api-ms-win-core-windowserrorreporting-l1-1-0

GetApplicationRecoveryCallback

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-wow64-l1-1-0

IsWow64Process
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW
DebugBreak

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-file-l1-1-0

GetFileTime
CreateFileW
FindClose
SetFileAttributesW
FindNextFileW
FindFirstFileW
GetFinalPathNameByHandleW
SetFileInformationByHandle
FindFirstFileExW
GetFileSizeEx
GetLongPathNameW
GetFileAttributesW
ReadFile

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
CreateMutexExW
CreateMutexW
AcquireSRWLockExclusive
OpenSemaphoreW
AcquireSRWLockShared
CreateEventW
ReleaseSRWLockShared
EnterCriticalSection
ReleaseMutex
InitializeCriticalSectionEx
WaitForSingleObject
WaitForSingleObjectEx
OpenMutexW
SetEvent
ReleaseSRWLockExclusive
CreateSemaphoreExW
ReleaseSemaphore
DeleteCriticalSection

api-ms-win-core-com-l1-1-0

CoCreateInstance
CoInitializeSecurity
CoUninitialize
CoInitializeEx
CoMarshalInterface

api-ms-win-core-memory-l1-1-0

OpenFileMappingW
UnmapViewOfFile
MapViewOfFile
ReadProcessMemory
CreateFileMappingW

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventRegister
EventWriteTransfer
EventProviderEnabled
EventUnregister

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
ExpandEnvironmentStringsW

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegGetValueW
RegCreateKeyExW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegCloseKey
RegEnumKeyExW

oleaut32

SysAllocString
SysFreeString

api-ms-win-security-base-l1-1-0

GetTokenInformation
GetSidSubAuthorityCount
GetSidSubAuthority
AllocateAndInitializeSid
SetKernelObjectSecurity
SetSecurityDescriptorDacl
CheckTokenMembership
FreeSid
InitializeSecurityDescriptor
GetKernelObjectSecurity
GetSecurityDescriptorDacl

api-ms-win-service-management-l1-1-0

OpenServiceW
CloseServiceHandle
OpenSCManagerW

api-ms-win-service-management-l2-1-0

QueryServiceStatusEx

api-ms-win-service-winsvc-l1-1-0

ControlService

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
SetThreadpoolTimer
CloseThreadpoolTimer

api-ms-win-security-provider-l1-1-0

SetEntriesInAclW

api-ms-win-core-toolhelp-l1-1-0

CreateToolhelp32Snapshot
Process32NextW
Process32FirstW

api-ms-win-shcore-obsolete-l1-1-0

CommandLineToArgvW

wer

WerReportAddDump
WerReportSubmit
WerpSetCallBack
WerpSetReportInformation
WerpGetReportInformation
WerpGetReportType
WerpGetReportSettings
WerpLoadReportFromBuffer
WerReportCloseHandle
WerpDestroyWerString
WerpCleanWer
WerStorePurge
WerpCloseStore
WerpCreateMachineStore
WerpSetExitListeners
WerpSubmitReportFromStore
WerpGetWerStringData
WerpEnumerateStoreNext
WerpEnumerateStoreStart
WerpOpenMachineQueue
WerpIsOnBattery
WerpIsTransportAvailable

api-ms-win-core-namespace-l1-1-0

OpenPrivateNamespaceW
ClosePrivateNamespace

Sections

.text
Size: 91KB - Virtual size: 91KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 1KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 79KB - Virtual size: 78KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
wermgr.exe.METADATA

Sharing

General

Malware Config

Signatures

Files

Password: cautionhandlewithcare

Password: cautionhandlewithcare

70d3a3403982f49546ec5a2fa7388b31

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

5e:98:14:a5:b3:75:68:0d:71:d1:ee:9c:e7:27:e3:c0:e4:23:38:13:c5:da:0b:fa:d1:37:6d:23:2c:a6:bf:a1Signer

Signature Validations

Verification

15/09/2022, 14:52 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-synch-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

ntdll

api-ms-win-core-windowserrorreporting-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-wow64-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-synch-l1-2-1

api-ms-win-core-file-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-registry-l1-1-0

oleaut32

api-ms-win-security-base-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-security-provider-l1-1-0

api-ms-win-core-toolhelp-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

wer

api-ms-win-core-namespace-l1-1-0

Sections

.text Size: 91KB - Virtual size: 91KB

.imrsiv Size: - Virtual size: 4B

.data Size: 1KB - Virtual size: 5KB

.idata Size: 9KB - Virtual size: 8KB

.didat Size: 512B - Virtual size: 32B

.rsrc Size: 79KB - Virtual size: 78KB

.reloc Size: 6KB - Virtual size: 5KB

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

5e:98:14:a5:b3:75:68:0d:71:d1:ee:9c:e7:27:e3:c0:e4:23:38:13:c5:da:0b:fa:d1:37:6d:23:2c:a6:bf:a1
Signer

15/09/2022, 14:52
Valid: false

.text
Size: 91KB - Virtual size: 91KB

.imrsiv
Size: - Virtual size: 4B

.data
Size: 1KB - Virtual size: 5KB

.idata
Size: 9KB - Virtual size: 8KB

.didat
Size: 512B - Virtual size: 32B

.rsrc
Size: 79KB - Virtual size: 78KB

.reloc
Size: 6KB - Virtual size: 5KB