vmwp[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

vmwp.exe
Size

3.9MB
MD5

3990fd3b61a8d33ca46e5f3a349691ee
SHA1

2d744b449d72416abd8d685449550713452fb121
SHA256

7b733801cf250dd72de1a6ad65faba340ff8be803fc501d23b987b32f62a7e98
SHA512

ba44dd0563005170394dc5a37ce0d656293776a7e968a6f42fb54112f95368bb19123ca3b484a54b7f6255d9db4dbfbb9934d74a821eb644817f1f6fcd7b2b5a
SSDEEP

49152:aEsk+FbHzrYfjAdBvmRX20AASPXu6iLtQ5yHB2/uNlAVzEprmIAFR:w8yjKY

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
vmwp.exe

Files

vmwp.exe
.exe windows x64

198f25291556f27ffc3fbaec55dcae66

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

RegCreateKeyExW
RegDeleteKeyW
SetSecurityDescriptorDacl
GetSecurityDescriptorLength
RegDeleteTreeW
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegOpenKeyExW
CheckTokenMembership
RegCloseKey
RegSetValueExW
GetSecurityDescriptorDacl
ConvertSecurityDescriptorToStringSecurityDescriptorW
GetNamedSecurityInfoW
SetNamedSecurityInfoW
CreateWellKnownSid
LookupAccountNameW
GetLengthSid
IsValidSid
GetSecurityDescriptorControl
CopySid
LookupAccountSidW
ConvertStringSidToSidW
ConvertSidToStringSidW
EqualSid
BuildTrusteeWithSidW
SetEntriesInAclW
EventActivityIdControl
PerfStopProvider
PerfStartProvider
PerfSetULongLongCounterValue
PerfIncrementULongCounterValue
PerfCreateInstance
PerfSetCounterSetInfo
PerfSetULongCounterValue
PerfSetCounterRefValue
PerfDeleteInstance
MakeSelfRelativeSD
MakeAbsoluteSD
GetTokenInformation
OpenThreadToken
OpenProcessToken
ImpersonateSelf
ImpersonateLoggedOnUser
RevertToSelf
SetThreadToken
GetTraceLoggerHandle
GetTraceEnableLevel
RegisterTraceGuidsW
UnregisterTraceGuids
TraceEvent
CryptAcquireContextW
CryptGenRandom
CryptReleaseContext
GetExplicitEntriesFromAclW
MapGenericMask

kernel32

GetCurrentProcess
SetPriorityClass
LocalFree
CloseHandle
GetCurrentThreadId
AcquireSRWLockShared
CreateThreadpoolTimer
InitializeSRWLock
RaiseFailFastException
GetLastError
ReleaseSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
CompareFileTime
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
RemoveDirectoryW
GetFullPathNameW
LoadLibraryExW
GetComputerNameExW
FreeLibrary
HeapFree
GetModuleHandleW
DeleteBoundaryDescriptor
CreatePrivateNamespaceW
OpenPrivateNamespaceW
AddSIDToBoundaryDescriptor
CreateBoundaryDescriptorW
ClosePrivateNamespace
SetFilePointer
GetFileSize
VirtualFree
VirtualAlloc
GetSystemTime
CancelIoEx
PeekNamedPipe
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeW
GetLocalTime
GetSystemFirmwareTable
OutputDebugStringW
QueueUserAPC
ReleaseSemaphore
CreateSemaphoreW
SetThreadPriority
SetThreadPriorityBoost
GetTickCount64
GetProcessHeap
GetPriorityClass
Sleep
HeapSetInformation
GetFileAttributesExW
GetLogicalDrives
GetDriveTypeW
SetFileCompletionNotificationModes
GetDiskFreeSpaceW
GetFileSizeEx
GetFileTime
CreateThread
DebugBreak
IsDebuggerPresent
WaitForThreadpoolWaitCallbacks
SetThreadpoolWait
CloseThreadpoolWait
CreateThreadpoolWait
ExitProcess
InitializeConditionVariable
GetNumaNodeProcessorMask
GetNumaHighestNodeNumber
WakeConditionVariable
WakeAllConditionVariable
GetThreadPreferredUILanguages
SystemTimeToFileTime
FileTimeToSystemTime
CancelThreadpoolIo
StartThreadpoolIo
CloseThreadpoolIo
CreateThreadpoolIo
TrySubmitThreadpoolCallback
SubmitThreadpoolWork
CloseThreadpoolWork
CreateThreadpoolWork
CloseThreadpool
SetThreadpoolThreadMaximum
CreateThreadpool
SetThreadAffinityMask
HeapAlloc
SetProcessAffinityMask
GetProcessAffinityMask
GetSystemInfo
SleepConditionVariableSRW
SleepConditionVariableCS
WaitForSingleObjectEx
WriteFile
GetVolumeNameForVolumeMountPointW
GetFileAttributesW
GetVolumePathNameW
GetOverlappedResult
LocalReAlloc
SetFilePointerEx
SetEndOfFile
UnlockFileEx
LockFileEx
ReadFile
LoadLibraryW
GetSystemDirectoryW
TlsGetValue
TlsSetValue
TlsFree
TlsAlloc
WaitForSingleObject
ResumeThread
OpenThread
GetProcAddress
K32GetModuleInformation
SizeofResource
LockResource
LoadResource
FindResourceW
MultiByteToWideChar
WideCharToMultiByte
QueryPerformanceFrequency
SetThreadPreferredUILanguages
GetStartupInfoW
OutputDebugStringA
SetUnhandledExceptionFilter
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetTickCount
UnhandledExceptionFilter
TerminateProcess
CreateFileW
DeleteFileW
DeviceIoControl
LocalSize
LocalAlloc
CompareStringW
RegQueryValueExW
SetLastError
FormatMessageW
GetModuleFileNameW
GetComputerNameW
SetEvent
InitializeSListHead
InterlockedPushEntrySList
InterlockedPopEntrySList
InterlockedFlushSList
WaitForMultipleObjects
DuplicateHandle
GetCurrentThread
CreateEventW
ResetEvent
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection

user32

GetIconInfo
LoadCursorW
UnregisterClassW
DestroyWindow
DispatchMessageW
PostThreadMessageW
TranslateMessage
KillTimer
GetMessageW
SetTimer
PeekMessageW
RegisterClassExW
DefWindowProcW
UnregisterDeviceNotification
RegisterDeviceNotificationW
PostMessageW
CreateWindowExW

msvcrt

_errno
_vscwprintf
vswprintf_s
_beginthreadex
memmove
_aligned_malloc
_aligned_free
wcstok_s
_wtoi64
_ultow_s
strncpy_s
rand_s
isprint
calloc
swscanf
realloc
wcsncpy_s
wcsstr
swprintf_s
sprintf_s
_wmakepath_s
__RTtypeid
pow
_vsnwprintf_s
?terminate@@YAXXZ
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
_commode
_fmode
_wcmdln
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_XcptFilter
_callnewh
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
_purecall
?name@type_info@@QEBAPEBDXZ
_wcsicmp
memmove_s
wcsncmp
_vsnwprintf
_resetstkoflw
wcscpy_s
_wcsnicmp
_wtoi
swscanf_s
memcpy_s
_CxxThrowException
__CxxFrameHandler3
free
wcsrchr
_finite
_isnan
wcschr
wcscat_s
iswalpha
towlower
malloc
__RTDynamicCast
floor
fmod
memcmp
memcpy
memset
_amsg_exit

dbghelp

ImageNtHeader

netapi32

NetGetJoinInformation
NetApiBufferFree

vmsif

VmsIfDriverOpen
VmsIfDriverClose
VmsIfPortFeatureStatusQuery
VmsIfPortFeatureStatusFree

vsconfig

VsCreateConfigurationManager

vmwpctrl

AllocateVirtualMachineGroupSid
IsVmWorkerProcessRunning
CreateVmWorkerProcessToken
CreateVmWorkerProcessMoniker
AllocateVirtualMachineSid

vmprox

SetVmErrInfo
GetVmErrInfo

ole32

GetRunningObjectTable
CoDisconnectObject
CoTaskMemAlloc
IIDFromString
StringFromGUID2
CoGetClassObject
CoCreateInstance
CoResumeClassObjects
CoRegisterClassObject
CoRevokeClassObject
CoInitializeEx
CoSuspendClassObjects
CoUninitialize
CoTaskMemFree
CoReleaseServerProcess
CoInitializeSecurity
CoAddRefServerProcess
StringFromCLSID
CoCreateGuid

oleaut32

SafeArrayGetElemsize
SafeArrayGetElement
SafeArrayPutElement
VarBstrCmp
VariantTimeToSystemTime
SystemTimeToVariantTime
SafeArrayRedim
SysStringLen
SysAllocStringLen
SysReAllocStringLen
SafeArrayPtrOfIndex
VariantInit
SysAllocString
SafeArrayGetVartype
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayUnaccessData
SafeArrayAccessData
VariantChangeTypeEx
VariantClear
SafeArrayDestroy
SafeArrayCreateVectorEx
SafeArrayCreate
SafeArrayGetDim
SysFreeString
VarCmp
SafeArrayCreateVector
VariantCopy
SafeArrayCopy

wevtapi

EvtSubscribe
EvtCreateRenderContext
EvtRender
EvtClose

shlwapi

PathRenameExtensionW
PathIsRelativeW
PathAppendW
PathFindExtensionW
PathStripToRootW
PathIsNetworkPathW
PathFindFileNameW
PathRemoveFileSpecW

setupapi

SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetailW
SetupDiEnumDeviceInfo
SetupDiGetClassDevsW
SetupDiSetDeviceRegistryPropertyW
SetupDiGetDeviceInstanceIdW

rpcrt4

UuidIsNil
UuidToStringW
RpcStringFreeW
UuidCreate
UuidFromStringW
UuidCompare

shell32

ord165
CommandLineToArgvW

crypt32

CertGetCertificateChain
CertDuplicateCertificateContext
CryptAcquireCertificatePrivateKey
CertFreeCertificateChain
CertEnumCertificatesInStore
CertCloseStore
CertFreeCertificateContext
CertFindCertificateInStore
CertVerifyCertificateChainPolicy
CertGetNameStringW
CertGetCertificateContextProperty
CertOpenStore
CertVerifySubjectCertificateContext
CertCompareCertificateName

framedynos

??4WBEMTimeSpan@@QEAAAEBV0@QEAG@Z
??4WBEMTime@@QEAAAEBV0@AEBU_SYSTEMTIME@@@Z
??0WBEMTimeSpan@@QEAA@AEBU_FILETIME@@@Z
?GetBSTR@WBEMTimeSpan@@QEBAPEAGXZ
?GetSYSTEMTIME@WBEMTime@@QEBAHPEAU_SYSTEMTIME@@@Z
?GetBSTR@WBEMTime@@QEBAPEAGXZ
??4WBEMTime@@QEAAAEBV0@QEAG@Z

ws2_32

select
sendto
WSASocketW
recvfrom
WSAEnumNetworkEvents
WSACreateEvent
setsockopt
WSACloseEvent
WSASend
WSAGetOverlappedResult
getsockname
ntohs
closesocket
WSARecvFrom
bind
WSAIoctl
WSARecv
WSAPoll
recv
ioctlsocket
WSADuplicateSocketW
getpeername
ntohl
WSACleanup
WSAStartup
htons
WSAEventSelect
WSAGetLastError
InetNtopW
shutdown

virtdisk

GetVirtualDiskOperationProgress
GetVirtualDiskInformation
OpenVirtualDisk

iphlpapi

GetAdaptersAddresses

winmm

timeGetTime

ntdll

RtlNumberOfSetBits
RtlInitializeBitMap
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlCaptureStackBackTrace
RtlGetCompressionWorkSpaceSize
RtlDecompressBufferEx
RtlCompressBuffer
RtlInitUnicodeStringEx
RtlDosPathNameToNtPathName_U_WithStatus
RtlIsDosDeviceName_U
RtlPcToFileHeader
RtlNtStatusToDosError
RtlFreeUnicodeString
NtCreateFile
RtlComputeCrc32
RtlSetAllBits
RtlClearAllBits
RtlSetBits
RtlClearBits
RtlTestBit
RtlClearBit
RtlFindSetBitsAndClear
RtlAreBitsClear
NtQueryInformationFile
NtFsControlFile
RtlDosPathNameToRelativeNtPathName_U_WithStatus
RtlFreeHeap
DbgPrint

gdi32

CreateCompatibleDC
GetDIBits
DeleteDC

vid

VidGetHvPartitionId
VidRegisterCpuidHandler
VidDeletePartition
VidGetPartitionFriendlyName
VidSetPartitionFriendlyName
VidSetPartitionProperty
VidSetRelativeWeight
VidSetCpuReserve
VidSetCpuCap
VidGetSystemTopology
VidCloseStatisticsHandle
VidOpenStatisticsHandle
VidRegisterLegacyFpErrorHandler
VidCreateTimer
VidSetAbsoluteTimer
VidCancelTimer
VidCreatePartitionEx
VidSetHvMemoryPolicy
VidUnregisterHandler
VidTranslateGvaToGpa
VidGetVirtualProcessorState
VidSavePartitionState
VidInjectSyntheticMachineCheckEvent
VidStartVirtualProcessor
VidStopVirtualProcessor
VidGetVirtualProcessorRunningStatus
VidGetHvRuntimeForAllVps
VidSetVirtualProcessorState
VidMarkPagePoisoned
VidCreateMemoryBlock
VidSetMemoryBlockNotificationQueue
VidDmWorkingSetModify
VidDmSlpSetup
VidCreateMemoryBlockGpaRange
VidDestroyMemoryBlock
VidDmMemoryBlockQueryTopology
VidWriteMemoryBlockPageRange
VidReadMemoryBlockPageRange
VidMapMemoryBlockPageRange
VidHandleMessageAndGetNextMessage
VidTrimPartitionMemory
VidMessageSlotMap
VidMessageSlotHandleAndGetNext
VidSetVirtualProcessorStateCached
VidRestorePartitionState
VidDestroyGpaRange
VidUnmapMemoryBlockPageRangeBulk
VidSetMemoryBlockClientNotifications
VidReservePages
VidReleasePages
VidDmBalloon
VidDmSlpDisable
VidDmHotAdd
VidDmUnBalloon
VidDmSlpQuery
VidDmHotAddUndo
VidSetupMessageQueue
VidCreateMmioGpaRange
VidRegisterIoPortHandler
VidRegisterMsrHandler
VidRegisterApicEoiHandler
VidRegisterTripleFaultHandler
VidDeleteTimer
VidRegisterExceptionHandler
VidGetRootReferenceTime
VidGetHvMemoryBalance
VidMapHvLocalStatsPage
VidUnmapHvLocalStatsPage
VidMapHvGlobalStatsPage
VidUnmapHvGlobalStatsPage
VidStatsUnMapPartition
VidStatsMapPartition
VidClearVirtualProcessorInterrupt
VidGetPartitionProperty
VidAssertVirtualProcessorInterrupt

secur32

GetComputerObjectNameW

vmbuspipe

VmbusPipeServerConnectPipe
VmbusPipeServerOfferChannel

userenv

ExpandEnvironmentStringsForUserW

mpr

WNetGetUniversalNameW

authz

AuthzFreeContext
AuthzInitializeContextFromToken
AuthzFreeResourceManager
AuthzInitializeResourceManager
AuthzAccessCheck

Exports

Exports

Microsoft_WDF_UMDF_Version

Sections

.text
Size: 2.4MB - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 113KB - Virtual size: 151KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 91KB - Virtual size: 90KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 36KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

198f25291556f27ffc3fbaec55dcae66

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

user32

msvcrt

dbghelp

netapi32

vmsif

vsconfig

vmwpctrl

vmprox

ole32

oleaut32

wevtapi

shlwapi

setupapi

rpcrt4

shell32

crypt32

framedynos

ws2_32

virtdisk

iphlpapi

winmm

ntdll

gdi32

vid

secur32

vmbuspipe

userenv

mpr

authz

Exports

Exports

Sections

.text Size: 2.4MB - Virtual size: 2.4MB

.data Size: 113KB - Virtual size: 151KB

.pdata Size: 91KB - Virtual size: 90KB

.idata Size: 21KB - Virtual size: 21KB

.rsrc Size: 1.2MB - Virtual size: 1.2MB

.reloc Size: 36KB - Virtual size: 36KB

.text
Size: 2.4MB - Virtual size: 2.4MB

.data
Size: 113KB - Virtual size: 151KB

.pdata
Size: 91KB - Virtual size: 90KB

.idata
Size: 21KB - Virtual size: 21KB

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

.reloc
Size: 36KB - Virtual size: 36KB