MoUsoCoreWorker[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

MoUsoCoreWorker.exe
Size

3.2MB
MD5

306c399a68fad5db1e898c6693f46939
SHA1

838c7e1d8fb863a652c0e84566f86c5034394d38
SHA256

7cbf03f1f8e127e40be0a137af8179001989c43add4a178d7ce2ba4030b176ff
SHA512

6e964a1423e177e372f1e1b3d926a72cea9e1de94947a972a19f8567dadc95fa71c710d3b0a4c8c56ea59c9e7371a12baaf438638d7dbc25a95fd11facda894c
SSDEEP

49152:40wWNvYNNmRnScdu5AweP9yuFypOajC+JGcFFQnPxIuYp2bmqVzM0M:xdvVhyjC++G

Score

1^/10

Malware Config

Signatures

Files

MoUsoCoreWorker.exe
.exe windows x64

caca03e67627477c9a4068641c74b69f

Code Sign

33:00:00:03:8d:b0:bf:e1:b0:ca:33:b3:d4:00:00:00:00:03:8d
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

05/05/2022, 19:23

Not After

04/05/2023, 19:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

72:a1:68:d9:46:30:a2:ad:16:80:08:00:68:1e:30:f9:bf:f9:75:d4:1f:45:11:a5:e6:64:7d:da:2c:0d:33:9c
Signer

Actual PE Digest

72:a1:68:d9:46:30:a2:ad:16:80:08:00:68:1e:30:f9:bf:f9:75:d4:1f:45:11:a5:e6:64:7d:da:2c:0d:33:9c

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

07/02/2023, 20:40
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

api-ms-win-crt-runtime-l1-1-0

_invalid_parameter_noinfo_noreturn
_initialize_onexit_table
_register_onexit_function
_crt_atexit
_cexit
_seh_filter_exe
_set_app_type
_configure_wide_argv
_initialize_wide_environment
_get_wide_winmain_command_line
_initterm
_initterm_e
terminate
exit
_exit
_c_exit
_set_invalid_parameter_handler
abort
_register_thread_local_exe_atexit_callback
_beginthreadex
_set_errno
_errno
_invalid_parameter_noinfo

api-ms-win-crt-string-l1-1-0

isspace
wcsncmp
_wcsdup
isupper
islower
__strncnt
iswspace
strcspn
wcscmp
towlower
_wcsnicmp
wcsnlen
strncpy_s
strnlen
wcscat_s
wcscpy_s
wcsncpy_s
tolower
_wcsicmp
strcpy_s

api-ms-win-crt-stdio-l1-1-0

_get_stream_buffer_pointers
fwrite
fputwc
ungetwc
ungetc
fgetc
fgetwc
fgetpos
_fseeki64
fsetpos
fputc
setvbuf
_wfsopen
fseek
fflush
__stdio_common_vsprintf_s
__stdio_common_vswprintf_s
__stdio_common_vsprintf
__stdio_common_vsnprintf_s
__stdio_common_vsnwprintf_s
fread
__stdio_common_vswscanf
fclose
__stdio_common_vswprintf
_set_fmode
__p__commode

api-ms-win-crt-heap-l1-1-0

calloc
_recalloc
free
_set_new_mode
_callnewh
realloc
malloc

api-ms-win-crt-convert-l1-1-0

strtoull
mbstowcs_s
_ui64toa_s
wcstod
_ui64tow_s
_i64tow_s
_i64toa_s
wcstoul
_wtol
wcstol
strtol
strtof
wcstoull
_wcstod_l
wcstoll
strtod

api-ms-win-crt-locale-l1-1-0

___mb_cur_max_func
_free_locale
___lc_collate_cp_func
_create_locale
_unlock_locales
setlocale
_configthreadlocale
__pctype_func
localeconv
_lock_locales
___lc_codepage_func
___lc_locale_name_func

api-ms-win-crt-math-l1-1-0

__setusermatherr
ceilf
ldexp
frexp
pow
powf

api-ms-win-core-errorhandling-l1-1-0

RaiseException
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SetLastError

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-processthreads-l1-1-0

TlsGetValue
TlsSetValue
TlsFree
SwitchToThread
TerminateProcess
GetExitCodeThread
GetExitCodeProcess
TlsAlloc
OpenProcessToken
GetCurrentThread
GetCurrentProcess
GetStartupInfoW
CreateProcessAsUserW
OpenThreadToken
CreateThread
GetCurrentProcessId
GetCurrentThreadId
CreateProcessW

api-ms-win-core-localization-l1-2-0

FormatMessageA
LCMapStringEx
GetLocaleInfoEx
GetCPInfo
FormatMessageW

api-ms-win-core-com-l1-1-0

CoTaskMemFree
CoResumeClassObjects
CoCreateInstance
CoCreateGuid
CoRevokeClassObject
CoRegisterClassObject
CoReleaseServerProcess
CoCreateFreeThreadedMarshaler
CoRevertToSelf
CoGetApartmentType
CoGetObjectContext
CoImpersonateClient
CoTaskMemAlloc
StringFromGUID2
CoTaskMemRealloc
CoUninitialize
CoAddRefServerProcess
CoInitializeEx

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
GetModuleHandleW
LoadLibraryExW
GetModuleFileNameA
GetModuleHandleExW
FreeLibrary
LoadLibraryExA
SizeofResource
GetModuleFileNameW
LoadResource

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventActivityIdControl
EventRegister
EventWriteTransfer
EventUnregister

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-string-l2-1-0

CharUpperW
CharNextW

api-ms-win-core-registry-l2-1-0

RegDeleteKeyW

api-ms-win-core-registry-l1-1-0

RegCopyTreeW
RegCreateKeyExW
RegEnumValueW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
RegDeleteValueW
RegDeleteTreeW
RegGetValueW
RegEnumKeyExW
RegCloseKey
RegQueryInfoKeyW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

oleaut32

RegisterTypeLi
LoadTypeLi
SysStringLen
SysAllocString
SetErrorInfo
SysFreeString
GetErrorInfo
VarUI4FromStr
UnRegisterTypeLi
VariantClear
VariantInit
VariantTimeToSystemTime
SysAllocStringByteLen
SystemTimeToVariantTime
VarUI8FromDec
SysStringByteLen

api-ms-win-core-synch-l1-1-0

WaitForSingleObjectEx
ResetEvent
InitializeCriticalSectionAndSpinCount
AcquireSRWLockExclusive
WaitForSingleObject
InitializeSRWLock
AcquireSRWLockShared
ReleaseSRWLockShared
LeaveCriticalSection
CreateEventExW
TryEnterCriticalSection
CreateMutexExW
OpenSemaphoreW
OpenEventW
ReleaseSemaphore
CreateEventW
CreateMutexW
ReleaseMutex
CreateSemaphoreExW
InitializeCriticalSectionEx
ReleaseSRWLockExclusive
DeleteCriticalSection
SetEvent
EnterCriticalSection

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringEx
GetStringTypeW
WideCharToMultiByte

api-ms-win-core-libraryloader-l1-2-1

FindResourceW
LoadLibraryW

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
InitializeConditionVariable
Sleep
InitOnceComplete
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableSRW
SleepConditionVariableCS

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
ExpandEnvironmentStringsW

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
TrySubmitThreadpoolCallback
CreateThreadpoolTimer
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork
WaitForThreadpoolTimerCallbacks
FreeLibraryWhenCallbackReturns
CloseThreadpoolWait
WaitForThreadpoolWaitCallbacks
SetThreadpoolTimer
SetThreadpoolWait
CreateThreadpoolWait

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GetSystemDirectoryW
GetSystemTimeAsFileTime
GetSystemInfo
GetLocalTime
GetVersionExW
GlobalMemoryStatusEx

api-ms-win-core-timezone-l1-1-0

TzSpecificLocalTimeToSystemTime
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
SystemTimeToFileTime

api-ms-win-core-datetime-l1-1-1

GetTimeFormatEx
GetDateFormatEx

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlPcToFileHeader
RtlUnwindEx

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead
InterlockedPushEntrySList

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
OpenProcess

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-file-l1-1-0

FileTimeToLocalFileTime
CreateFileW
SetFileAttributesW
FindNextFileW
SetFilePointer
GetDiskFreeSpaceExW
SetFileInformationByHandle
GetFileAttributesExW
DeleteFileW
FindFirstFileW
FindFirstFileExW
ReadFile
SetFileTime
FindClose
WriteFile
GetFileAttributesW
GetFullPathNameW
GetFileInformationByHandle
CreateDirectoryW

api-ms-win-core-file-l1-2-2

AreFileApisANSI

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-file-l2-1-0

CreateSymbolicLinkW
GetFileInformationByHandleEx
MoveFileExW
CreateHardLinkW

api-ms-win-core-file-l2-1-2

CopyFileW

ntdll

RtlPublishWnfStateData
RtlSubscribeWnfStateChangeNotification
NtQueryWnfStateData
RtlGetDeviceFamilyInfoEnum
RtlUnsubscribeWnfNotificationWaitForCompletion

api-ms-win-crt-time-l1-1-0

_W_Gettnames
_gmtime64_s
_Getdays
_Getmonths
_W_Getdays
_W_Getmonths
_Wcsftime
_Gettnames
wcsftime
_mkgmtime64
_Strftime
_mktime64
_localtime64_s

api-ms-win-crt-filesystem-l1-1-0

_wsplitpath_s
_lock_file
_unlock_file

api-ms-win-core-memory-l1-1-0

VirtualProtect
VirtualQuery

api-ms-win-core-featurestaging-l1-1-0

GetFeatureEnabledState
UnsubscribeFeatureStateChangeNotification
RecordFeatureUsage
SubscribeFeatureStateChangeNotification

api-ms-win-core-featurestaging-l1-1-1

GetFeatureVariant

api-ms-win-security-base-l1-1-0

GetTokenInformation
AllocateAndInitializeSid
AdjustTokenPrivileges
ImpersonateLoggedOnUser
RevertToSelf
CheckTokenMembership
DuplicateTokenEx
FreeSid

rpcrt4

UuidCreate
I_RpcBindingInqLocalClientPID
RpcImpersonateClient
RpcRevertToSelf

api-ms-win-eventing-controller-l1-1-0

ControlTraceW
QueryAllTracesW
EnableTraceEx2
StartTraceW

api-ms-win-eventing-legacy-l1-1-0

FlushTraceW
QueryTraceW

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

userenv

DeriveAppContainerSidFromAppContainerName
DestroyEnvironmentBlock
CreateEnvironmentBlock

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateString
WindowsCreateStringReference
WindowsDeleteString
WindowsGetStringRawBuffer

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoActivateInstance

api-ms-win-core-sysinfo-l1-2-0

VerSetConditionMask
GetSystemTimePreciseAsFileTime
GetProductInfo

winsqlite3

sqlite3_open16
sqlite3_column_int
sqlite3_initialize
sqlite3_exec
sqlite3_busy_timeout
sqlite3_bind_text16
sqlite3_shutdown
sqlite3_prepare16_v2
sqlite3_errmsg
sqlite3_bind_int
sqlite3_column_text16
sqlite3_extended_errcode
sqlite3_step
sqlite3_bind_blob
sqlite3_column_bytes
sqlite3_column_blob
sqlite3_finalize
sqlite3_close_v2

wofutil

WofSetFileDataLocation

api-ms-win-crt-utility-l1-1-0

rand_s
rand

crypt32

CertVerifyCertificateChainPolicy

api-ms-win-core-path-l1-1-0

PathCchCanonicalize

bcrypt

BCryptFinishHash
BCryptGetProperty
BCryptHashData
BCryptDestroyHash
BCryptCreateHash
BCryptOpenAlgorithmProvider
BCryptCloseAlgorithmProvider

api-ms-win-core-kernel32-legacy-l1-1-1

PowerSetRequest
VerifyVersionInfoW
PowerClearRequest
PowerCreateRequest

api-ms-win-core-apiquery-l2-1-0

IsApiSetImplemented

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-sysinfo-l1-2-1

GetPhysicallyInstalledSystemMemory

api-ms-win-core-processtopology-obsolete-l1-1-0

GetActiveProcessorCount

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW

api-ms-win-core-shutdown-l1-1-1

InitiateShutdownW

api-ms-win-oobe-notification-l1-1-0

OOBEComplete

api-ms-win-power-setting-l1-1-0

PowerGetActiveScheme
PowerSettingRegisterNotification
PowerSettingUnregisterNotification
PowerReadACValue

api-ms-win-power-base-l1-1-0

CallNtPowerInformation

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindFileNameW

api-ms-win-core-kernel32-legacy-l1-1-0

DosDateTimeToFileTime
FileTimeToDosDateTime

cabinet

ord20
ord13
ord11
ord10
ord14
ord22
ord12
ord23

iphlpapi

GetNetworkConnectivityHint

api-ms-win-service-management-l1-1-0

CloseServiceHandle
OpenServiceW
OpenSCManagerW

api-ms-win-service-management-l2-1-0

QueryServiceStatusEx

wintrust

CryptCATAdminEnumCatalogFromHash
CryptCATAdminReleaseContext
WinVerifyTrust
WTHelperGetProvSignerFromChain
CryptCATCatalogInfoFromContext
CryptCATAdminAcquireContext
CryptCATAdminReleaseCatalogContext
CryptCATAdminCalcHashFromFileHandle
WTHelperProvDataFromStateData

Sections

.text
Size: 2.2MB - Virtual size: 2.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 843KB - Virtual size: 842KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 79KB - Virtual size: 87KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 89KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 128B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

_RDATA
Size: 512B - Virtual size: 384B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

caca03e67627477c9a4068641c74b69f

Code Sign

33:00:00:03:8d:b0:bf:e1:b0:ca:33:b3:d4:00:00:00:00:03:8dCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

72:a1:68:d9:46:30:a2:ad:16:80:08:00:68:1e:30:f9:bf:f9:75:d4:1f:45:11:a5:e6:64:7d:da:2c:0d:33:9cSigner

Signature Validations

Verification

07/02/2023, 20:40 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

oleaut32

api-ms-win-core-synch-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-synch-l1-2-1

api-ms-win-core-handle-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-file-l1-2-2

api-ms-win-core-io-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-file-l2-1-2

ntdll

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-featurestaging-l1-1-0

api-ms-win-core-featurestaging-l1-1-1

api-ms-win-security-base-l1-1-0

rpcrt4

api-ms-win-eventing-controller-l1-1-0

api-ms-win-eventing-legacy-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

userenv

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

winsqlite3

wofutil

33:00:00:03:8d:b0:bf:e1:b0:ca:33:b3:d4:00:00:00:00:03:8d
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

72:a1:68:d9:46:30:a2:ad:16:80:08:00:68:1e:30:f9:bf:f9:75:d4:1f:45:11:a5:e6:64:7d:da:2c:0d:33:9c
Signer

07/02/2023, 20:40
Valid: false

.text
Size: 2.2MB - Virtual size: 2.2MB

.rdata
Size: 843KB - Virtual size: 842KB

.data
Size: 79KB - Virtual size: 87KB

.pdata
Size: 89KB - Virtual size: 89KB

.didat
Size: 512B - Virtual size: 128B

_RDATA
Size: 512B - Virtual size: 384B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 19KB - Virtual size: 19KB