WmiApSrv[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

WmiApSrv.exe
Size

196KB
MD5

7520e2f79c7f6e0b804b91dfa7e357c2
SHA1

53366aa437b6c637ada2d88d1c754c298a1f7204
SHA256

fcaf4a9f4ad5c6ebc069daa27636f159a268cd1d53d26709eb819862e542913f
SHA512

2317b8e06f0b44abcd8fe07dbb53c2227c2f39f08d860e69ebf3331e0f64baf4d122b20fbea28ecb777269ffb37a1bc0fd8690a45104b7eaa1c0e01f95377719
SSDEEP

3072:bgVaRWROb4WduvIUt4Gn4Y2bhhrfDGjU+7XAt7HUZnRvdF2:bgWWMkWQvIUt4OCDQUrUnRvdF

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
WmiApSrv.exe

Files

WmiApSrv.exe
.exe windows x64

4334f3348ccc03846956880f91fec500

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_vsnwprintf
wcsrchr
_wtol
realloc
strlen
_wcsicmp
_wtoi
wcschr
wcsstr
wcspbrk
iswdigit
wcscoll
_wcsupr
atol
iswspace
_callnewh
_wcslwr
_wcsrev
wcscspn
free
memset
wcslen
_purecall
malloc
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBV0@@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
_onexit
__dllonexit
_CxxThrowException
_unlock
__CxxFrameHandler4
??1type_info@@UEAA@XZ
??_V@YAXPEAX@Z
memcpy
?terminate@@YAXXZ
??3@YAXPEAX@Z
_commode
wcsspn
_fmode
_wcmdln
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
_lock
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
memmove
__CxxFrameHandler3

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-synch-l1-1-0

CreateSemaphoreExW
WaitForMultipleObjectsEx
ReleaseSRWLockExclusive
EnterCriticalSection
CreateEventW
AcquireSRWLockExclusive
OpenEventW
CreateMutexW
DeleteCriticalSection
SetEvent
ReleaseMutex
ResetEvent
ReleaseSemaphore
WaitForSingleObject
InitializeCriticalSection
TryEnterCriticalSection
LeaveCriticalSection

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegQueryInfoKeyW
RegEnumValueW
RegCreateKeyExW
RegDeleteValueW
RegCloseKey
RegDeleteKeyExW
RegEnumKeyExW
RegOpenKeyExW
RegOpenCurrentUser
RegSetValueExW

api-ms-win-core-processthreads-l1-1-0

SwitchToThread
GetCurrentProcess
GetStartupInfoW
TerminateProcess
GetCurrentThreadId
GetExitCodeProcess
GetCurrentProcessId

api-ms-win-security-base-l1-1-0

InitializeSecurityDescriptor
MakeAbsoluteSD

api-ms-win-core-errorhandling-l1-1-0

SetLastError
RaiseException
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-heap-l1-1-0

HeapSetInformation

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
GetCommandLineW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte
CompareStringW

api-ms-win-core-synch-l1-2-0

Sleep
SleepConditionVariableSRW
WakeAllConditionVariable

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameW
FreeLibrary
LoadStringW
GetProcAddress
GetModuleHandleW
LoadLibraryExW

api-ms-win-core-memory-l1-1-0

CreateFileMappingW
FlushViewOfFile
UnmapViewOfFile
MapViewOfFile

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetVersionExW
GetSystemTimeAsFileTime
GetTickCount
GetVersionExA

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

ntdll

NtQuerySecurityObject
RtlGetOwnerSecurityDescriptor
RtlEqualSid
RtlGetDaclSecurityDescriptor
RtlGetAce
NtQueryObject

wbemcomn

??0CStaticCritSec@@QEAA@XZ
??1CStaticCritSec@@QEAA@XZ
?anyFailure@CStaticCritSec@@SAHXZ

api-ms-win-core-localization-l1-2-0

GetSystemDefaultLangID
FormatMessageW
GetLocaleInfoW

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-file-l1-1-0

DeleteFileW
CreateFileW
WriteFile
CreateDirectoryW

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

??0CHPtrArray@@QEAA@XZ
??0CHString@@QEAA@AEBV0@@Z
??0CHString@@QEAA@GH@Z
??0CHString@@QEAA@PEBD@Z
??0CHString@@QEAA@PEBE@Z
??0CHString@@QEAA@PEBG@Z
??0CHString@@QEAA@PEBGH@Z
??0CHString@@QEAA@XZ
??0CHStringArray@@QEAA@XZ
??0CRegistry@@QEAA@AEBV0@@Z
??0CRegistry@@QEAA@XZ
??0CRegistrySearch@@QEAA@AEBV0@@Z
??0CRegistrySearch@@QEAA@XZ
??1CHPtrArray@@QEAA@XZ
??1CHString@@QEAA@XZ
??1CHStringArray@@QEAA@XZ
??1CRegistry@@QEAA@XZ
??1CRegistrySearch@@QEAA@XZ
??4CHPtrArray@@QEAAAEAV0@AEBV0@@Z
??4CHString@@QEAAAEBV0@AEBV0@@Z
??4CHString@@QEAAAEBV0@D@Z
??4CHString@@QEAAAEBV0@G@Z
??4CHString@@QEAAAEBV0@PEAV0@@Z
??4CHString@@QEAAAEBV0@PEBD@Z
??4CHString@@QEAAAEBV0@PEBE@Z
??4CHString@@QEAAAEBV0@PEBG@Z
??4CHStringArray@@QEAAAEAV0@AEBV0@@Z
??4CRegistry@@QEAAAEAV0@AEBV0@@Z
??4CRegistrySearch@@QEAAAEAV0@AEBV0@@Z
??ACHPtrArray@@QEAAAEAPEAXH@Z
??ACHPtrArray@@QEBAPEAXH@Z
??ACHString@@QEBAGH@Z
??ACHStringArray@@QEAAAEAVCHString@@H@Z
??ACHStringArray@@QEBA?AVCHString@@H@Z
??BCHString@@QEBAPEBGXZ
??H@YA?AVCHString@@AEBV0@0@Z
??H@YA?AVCHString@@AEBV0@G@Z
??H@YA?AVCHString@@AEBV0@PEBG@Z
??H@YA?AVCHString@@GAEBV0@@Z
??H@YA?AVCHString@@PEBGAEBV0@@Z
??YCHString@@QEAAAEBV0@AEBV0@@Z
??YCHString@@QEAAAEBV0@D@Z
??YCHString@@QEAAAEBV0@G@Z
??YCHString@@QEAAAEBV0@PEBG@Z
?Add@CHPtrArray@@QEAAHPEAX@Z
?Add@CHStringArray@@QEAAHPEBG@Z
?AllocBeforeWrite@CHString@@IEAAXH@Z
?AllocBuffer@CHString@@IEAAXH@Z
?AllocCopy@CHString@@IEBAXAEAV1@HHH@Z
?AllocSysString@CHString@@QEBAPEAGXZ
?Append@CHPtrArray@@QEAAHAEBV1@@Z
?Append@CHStringArray@@QEAAHAEBV1@@Z
?AssignCopy@CHString@@IEAAXHPEBG@Z
?CheckAndAddToList@CRegistrySearch@@AEAAXPEAVCRegistry@@VCHString@@1AEAVCHPtrArray@@11H@Z
?Close@CRegistry@@QEAAXXZ
?CloseSubKey@CRegistry@@AEAAXXZ
?Collate@CHString@@QEBAHPEBG@Z
?Compare@CHString@@QEBAHPEBG@Z
?CompareNoCase@CHString@@QEBAHPEBG@Z
?ConcatCopy@CHString@@IEAAXHPEBGH0@Z
?ConcatInPlace@CHString@@IEAAXHPEBG@Z
?Copy@CHPtrArray@@QEAAXAEBV1@@Z
?Copy@CHStringArray@@QEAAXAEBV1@@Z
?CopyBeforeWrite@CHString@@IEAAXXZ
?CreateOpen@CRegistry@@QEAAJPEAUHKEY__@@PEBGPEAGKKPEAU_SECURITY_ATTRIBUTES@@PEAK@Z
?DeleteCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBG@Z
?DeleteCurrentKeyValue@CRegistry@@QEAAKPEBG@Z
?DeleteKey@CRegistry@@QEAAJPEAVCHString@@@Z
?DeleteValue@CRegistry@@QEAAJPEBG@Z
?ElementAt@CHPtrArray@@QEAAAEAPEAXH@Z
?ElementAt@CHStringArray@@QEAAAEAVCHString@@H@Z
?Empty@CHString@@QEAAXXZ
?EnumerateAndGetValues@CRegistry@@QEAAJAEAKAEAPEAGAEAPEAE@Z
?Find@CHString@@QEBAHG@Z
?Find@CHString@@QEBAHPEBG@Z
?FindOneOf@CHString@@QEBAHPEBG@Z
?Format@CHString@@QEAAXIZZ
?Format@CHString@@QEAAXPEBGZZ
?FormatMessageW@CHString@@QEAAXIZZ
?FormatMessageW@CHString@@QEAAXPEBGZZ
?FormatV@CHString@@QEAAXPEBGPEAD@Z
?FreeExtra@CHPtrArray@@QEAAXXZ
?FreeExtra@CHString@@QEAAXXZ
?FreeExtra@CHStringArray@@QEAAXXZ
?FreeSearchList@CRegistrySearch@@QEAAHHAEAVCHPtrArray@@@Z
?GetAllocLength@CHString@@QEBAHXZ
?GetAt@CHPtrArray@@QEBAPEAXH@Z
?GetAt@CHString@@QEBAGH@Z
?GetAt@CHStringArray@@QEBA?AVCHString@@H@Z
?GetBuffer@CHString@@QEAAPEAGH@Z
?GetBufferSetLength@CHString@@QEAAPEAGH@Z
?GetClassNameW@CRegistry@@QEAAPEAGXZ
?GetCurrentBinaryKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGPEAEPEAK@Z
?GetCurrentBinaryKeyValue@CRegistry@@QEAAKPEBGAEAVCHString@@@Z
?GetCurrentBinaryKeyValue@CRegistry@@QEAAKPEBGPEAEPEAK@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAK@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHStringArray@@@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAK@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAVCHStringArray@@@Z
?GetCurrentRawKeyValue@CRegistry@@AEAAKPEAUHKEY__@@PEBGPEAXPEAK3@Z
?GetCurrentRawSubKeyValue@CRegistry@@AEAAKPEBGPEAXPEAK2@Z
?GetCurrentSubKeyCount@CRegistry@@QEAAKXZ
?GetCurrentSubKeyName@CRegistry@@QEAAKAEAVCHString@@@Z
?GetCurrentSubKeyPath@CRegistry@@QEAAKAEAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QEAAKPEBGAEAK@Z
?GetCurrentSubKeyValue@CRegistry@@QEAAKPEBGAEAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QEAAKPEBGPEAXPEAK@Z
?GetData@CHPtrArray@@QEAAPEAPEAXXZ
?GetData@CHPtrArray@@QEBAPEAPEBXXZ
?GetData@CHString@@IEBAPEAUCHStringData@@XZ
?GetData@CHStringArray@@QEAAPEAVCHString@@XZ
?GetData@CHStringArray@@QEBAPEBVCHString@@XZ
?GetLength@CHString@@QEBAHXZ
?GetLongestClassStringSize@CRegistry@@QEAAKXZ
?GetLongestSubKeySize@CRegistry@@QEAAKXZ
?GetLongestValueData@CRegistry@@QEAAKXZ
?GetLongestValueName@CRegistry@@QEAAKXZ
?GetSize@CHPtrArray@@QEBAHXZ
?GetSize@CHStringArray@@QEBAHXZ
?GetUpperBound@CHPtrArray@@QEBAHXZ
?GetUpperBound@CHStringArray@@QEBAHXZ
?GetValueCount@CRegistry@@QEAAKXZ
?GethKey@CRegistry@@QEAAPEAUHKEY__@@XZ
?Init@CHString@@IEAAXXZ
?InsertAt@CHPtrArray@@QEAAXHPEAV1@@Z
?InsertAt@CHPtrArray@@QEAAXHPEAXH@Z
?InsertAt@CHStringArray@@QEAAXHPEAV1@@Z
?InsertAt@CHStringArray@@QEAAXHPEBGH@Z
?IsEmpty@CHString@@QEBAHXZ
?Left@CHString@@QEBA?AV1@H@Z
?LoadStringW@CHString@@IEAAHIPEAGI@Z
?LoadStringW@CHString@@QEAAHI@Z
?LocateKeyByNameOrValueName@CRegistrySearch@@QEAAHPEAUHKEY__@@PEBG1PEAPEBGKAEAVCHString@@3@Z
?LockBuffer@CHString@@QEAAPEAGXZ
?MakeLower@CHString@@QEAAXXZ
?MakeReverse@CHString@@QEAAXXZ
?MakeUpper@CHString@@QEAAXXZ
?Mid@CHString@@QEBA?AV1@H@Z
?Mid@CHString@@QEBA?AV1@HH@Z
?NextSubKey@CRegistry@@QEAAKXZ
?Open@CRegistry@@QEAAJPEAUHKEY__@@PEBGK@Z
?OpenAndEnumerateSubKeys@CRegistry@@QEAAJPEAUHKEY__@@PEBGK@Z
?OpenCurrentUser@CRegistry@@QEAAKPEBGK@Z
?OpenLocalMachineKeyAndReadValue@CRegistry@@QEAAJPEBG0AEAVCHString@@@Z
?OpenSubKey@CRegistry@@AEAAKXZ
?PrepareToReOpen@CRegistry@@AEAAXXZ
?Release@CHString@@QEAAXXZ
?Release@CHString@@SAXPEAUCHStringData@@@Z
?ReleaseBuffer@CHString@@QEAAXH@Z
?RemoveAll@CHPtrArray@@QEAAXXZ
?RemoveAll@CHStringArray@@QEAAXXZ
?RemoveAt@CHPtrArray@@QEAAXHH@Z
?RemoveAt@CHStringArray@@QEAAXHH@Z
?ReverseFind@CHString@@QEBAHG@Z
?RewindSubKeys@CRegistry@@QEAAXXZ
?Right@CHString@@QEBA?AV1@H@Z
?SafeStrlen@CHString@@KAHPEBG@Z
?SearchAndBuildList@CRegistrySearch@@QEAAHVCHString@@AEAVCHPtrArray@@00HPEAUHKEY__@@@Z
?SetAt@CHPtrArray@@QEAAXHPEAX@Z
?SetAt@CHString@@QEAAXHG@Z
?SetAt@CHStringArray@@QEAAXHPEBG@Z
?SetAtGrow@CHPtrArray@@QEAAXHPEAX@Z
?SetAtGrow@CHStringArray@@QEAAXHPEBG@Z
?SetCHStringResourceHandle@@YAXPEAUHINSTANCE__@@@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAK@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHStringArray@@@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAK@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAVCHStringArray@@@Z
?SetCurrentKeyValueExpand@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHString@@@Z
?SetDefaultValues@CRegistry@@AEAAXXZ
?SetPlatformID@CRegistry@@CAHXZ
?SetSize@CHPtrArray@@QEAAXHH@Z
?SetSize@CHStringArray@@QEAAXHH@Z
?SpanExcluding@CHString@@QEBA?AV1@PEBG@Z
?SpanIncluding@CHString@@QEBA?AV1@PEBG@Z
?TrimLeft@CHString@@QEAAXXZ
?TrimRight@CHString@@QEAAXXZ
?UnlockBuffer@CHString@@QEAAXXZ
?myRegCreateKeyEx@CRegistry@@AEAAJPEAUHKEY__@@PEBGKPEAGKKQEAU_SECURITY_ATTRIBUTES@@PEAPEAU2@PEAK@Z
?myRegDeleteKey@CRegistry@@AEAAJPEAUHKEY__@@PEBG@Z
?myRegDeleteValue@CRegistry@@AEAAJPEAUHKEY__@@PEBG@Z
?myRegEnumKey@CRegistry@@AEAAJPEAUHKEY__@@KPEAGK@Z
?myRegEnumValue@CRegistry@@AEAAJPEAUHKEY__@@KPEAGPEAK22PEAE2@Z
?myRegOpenKeyEx@CRegistry@@AEAAJPEAUHKEY__@@PEBGKKPEAPEAU2@@Z
?myRegQueryInfoKey@CRegistry@@AEAAJPEAUHKEY__@@PEAGPEAK22222222PEAU_FILETIME@@@Z
?myRegQueryValueEx@CRegistry@@AEAAJPEAUHKEY__@@PEBGPEAK2PEAE2@Z
?myRegSetValueEx@CRegistry@@AEAAJPEAUHKEY__@@PEBGKKPEBEK@Z
?s_dwPlatform@CRegistry@@0KA
?s_fPlatformSet@CRegistry@@0HA

Sections

.text
Size: 112KB - Virtual size: 111KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 56KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 296B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

4334f3348ccc03846956880f91fec500

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-handle-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

ntdll

wbemcomn

api-ms-win-core-localization-l1-2-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-file-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 112KB - Virtual size: 111KB

.rdata Size: 56KB - Virtual size: 52KB

.data Size: 4KB - Virtual size: 6KB

.pdata Size: 8KB - Virtual size: 7KB

.didat Size: 4KB - Virtual size: 296B

.rsrc Size: 4KB - Virtual size: 2KB

.reloc Size: 4KB - Virtual size: 1008B

.text
Size: 112KB - Virtual size: 111KB

.rdata
Size: 56KB - Virtual size: 52KB

.data
Size: 4KB - Virtual size: 6KB

.pdata
Size: 8KB - Virtual size: 7KB

.didat
Size: 4KB - Virtual size: 296B

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 1008B