WmiPrvSE[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

WmiPrvSE.exe
Size

485KB
MD5

60ff40cfd7fb8fe41ee4fe9ae5fe1c51
SHA1

3ea7cc066317ac45f963c2227c4c7c50aa16eb7c
SHA256

2198a7b58bccb758036b969ddae6cc2ece07565e2659a7c541a313a0492231a3
SHA512

991e38e2b480ffc58ec5ade9dcc8747a57b29fbc9b12397a8010e73143c4dfb420e5248a0c3acf0832812c0e804080ed5a83952b9c05419d93763372ece775c3
SSDEEP

12288:ahBzXzR4mnIu0CWQjONc3XmvzjnyBEIl/t8:qumnGDjnyBll/

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
WmiPrvSE.exe

Files

WmiPrvSE.exe
.exe windows x64

b71cb3ac5c352bec857c940cbc95f0f3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_cexit
_exit
_ismbblead
__set_app_type
memcmp
__setusermatherr
_initterm
_acmdln
__getmainargs
_onexit
__dllonexit
_amsg_exit
_fmode
_XcptFilter
??8type_info@@QEBAHAEBV0@@Z
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
__CxxFrameHandler3
_unlock
_lock
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
??0exception@@QEAA@AEBQEBD@Z
memmove
memcpy
_commode
_CxxThrowException
__C_specific_handler
_purecall
_itow
wcstok
_vsnwprintf
exit
memset

ntdll

RtlNtStatusToDosError
RtlAddAccessAllowedAce
RtlLengthSid
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwGetTraceEnableFlags
NtQuerySystemInformation
RtlCreateAcl
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
EtwTraceMessage

api-ms-win-core-synch-l1-1-0

SetEvent
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
CreateEventW
WaitForSingleObject
LeaveCriticalSection
WaitForMultipleObjectsEx

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-security-base-l1-1-0

MakeSelfRelativeSD
GetSecurityDescriptorLength
AddAce
MakeAbsoluteSD
CopySid
GetLengthSid
InitializeSecurityDescriptor
AccessCheck
MapGenericMask
AllocateAndInitializeSid
FreeSid
GetTokenInformation
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
InitializeAcl
SetSecurityDescriptorDacl
GetAclInformation
RevertToSelf
ImpersonateLoggedOnUser

api-ms-win-core-errorhandling-l1-1-0

GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
GetModuleHandleExW
GetProcAddress
GetModuleFileNameW
GetModuleHandleW

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentThread
TlsFree
CreateThread
OpenThreadToken
SetThreadToken
GetCurrentProcess
SwitchToThread
TlsAlloc
GetStartupInfoW
TerminateProcess
GetCurrentProcessId
OpenProcessToken

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW

api-ms-win-core-string-l1-1-0

CompareStringW
GetStringTypeExW

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree
HeapCreate
HeapDestroy
HeapSetInformation

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegSetValueExW
RegQueryValueExW
RegDeleteKeyExW
RegCreateKeyExW
RegOpenKeyExW

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventWrite
EventUnregister

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-memory-l1-1-0

MapViewOfFile
CreateFileMappingW
OpenFileMappingW
UnmapViewOfFile

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-localization-l1-2-0

LCMapStringW

api-ms-win-core-threadpool-legacy-l1-1-0

ChangeTimerQueueTimer

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

fastprox

?Release@CWbemCallSecurity@@UEAAKXZ
?QueryInterface@CWbemCallSecurity@@UEAAJAEBU_GUID@@PEAPEAX@Z
?SetThreadSecurity@CWbemCallSecurity@@UEAAJPEAU_IWmiThreadSecHandle@@@Z
?GetThreadSecurity@CWbemCallSecurity@@UEAAJW4tag_WMI_THREAD_SECURITY_ORIGIN@@PEAPEAU_IWmiThreadSecHandle@@@Z
?AddRef@CWbemCallSecurity@@UEAAKXZ
?New@CWbemCallSecurity@@SAPEAV1@XZ

ncobjapi

WmiCreateObjectWithFormat
WmiDestroyObject
WmiEventSourceDisconnect
WmiSetAndCommitObject
WmiEventSourceConnect

wbemcomn

BreakOnDbgAndRenterLoop
GetMemLogObject
?Write@CMemoryLog@@QEAAXJ@Z
_ThrowMemoryException_
?GetPreferredLanguages@CMUILocale@@SAJKPEAPEAGPEAK@Z
?_Free@CMUILocale@@SAHPEAX@Z
?SetPreferredLanguages@CMUILocale@@SAJKPEBGPEAK@Z
?PublishProviderStarted@CPublishWMIOperationEvent@@SAJPEAGJ0K0@Z
?Init@CPublishWMIOperationEvent@@SAJXZ

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 284KB - Virtual size: 284KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 111KB - Virtual size: 111KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 472B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 63KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b71cb3ac5c352bec857c940cbc95f0f3

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

ntdll

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-apiquery-l1-1-0

fastprox

ncobjapi

wbemcomn

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 284KB - Virtual size: 284KB

.rdata Size: 111KB - Virtual size: 111KB

.data Size: 7KB - Virtual size: 9KB

.pdata Size: 14KB - Virtual size: 13KB

.didat Size: 512B - Virtual size: 472B

.rsrc Size: 63KB - Virtual size: 62KB

.reloc Size: 3KB - Virtual size: 3KB

.text
Size: 284KB - Virtual size: 284KB

.rdata
Size: 111KB - Virtual size: 111KB

.data
Size: 7KB - Virtual size: 9KB

.pdata
Size: 14KB - Virtual size: 13KB

.didat
Size: 512B - Virtual size: 472B

.rsrc
Size: 63KB - Virtual size: 62KB

.reloc
Size: 3KB - Virtual size: 3KB