4f14f9665d64896fe1111b8b3b80e86cb6664ced20a0f42e2bac7823ee5fc4e0

Sharing

Copy URL

Twitter E-mail

General

Target

4f14f9665d64896fe1111b8b3b80e86cb6664ced20a0f42e2bac7823ee5fc4e0
Size

772KB
MD5

821a651125c6fb00d9b1fbefcb50255f
SHA1

c9e440adee0b0d643aa12853bcf6b55ae497ffdd
SHA256

4f14f9665d64896fe1111b8b3b80e86cb6664ced20a0f42e2bac7823ee5fc4e0
SHA512

8a0dae24c4eed39f32f4c7ec52e96fe3f34df379faea948b5d87b4e39d0144f537e3e688a86f559c9e26dba26ba42acdb727ae9e9c4cf09ef50c7daaceb729d1
SSDEEP

12288:yyoKo2HRplC3pRUBL8252uui8FbECP7BhdfswdJ0NXdU8ZWH7DEP1rCJ7U3o:yyocxOpRt2rR8FfBhRJUEbDk1ulUY

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
4f14f9665d64896fe1111b8b3b80e86cb6664ced20a0f42e2bac7823ee5fc4e0

Files

4f14f9665d64896fe1111b8b3b80e86cb6664ced20a0f42e2bac7823ee5fc4e0
.exe windows:10 windows x64 arch:x64

e91c5a3e92623e396d79a8a599cf25a9

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

WmiApSrv.pdb

Imports

msvcrt

wcsrchr
_wtol
realloc
strlen
_wcsicmp
_wtoi
wcschr
_vsnwprintf
exit
_exit
__wgetmainargs
_cexit
__setusermatherr
_initterm
__C_specific_handler
_wcmdln
_fmode
_amsg_exit
_XcptFilter
memmove
_CxxThrowException
?what@exception@@UEBAPEBDXZ
iswspace
atol
wcsspn
??1exception@@UEAA@XZ
wcscoll
iswdigit
wcspbrk
wcsstr
??0exception@@QEAA@AEBV0@@Z
_wcsupr
_wcslwr
??0exception@@QEAA@AEBQEBDH@Z
_wcsrev
wcscspn
_commode
??1type_info@@UEAA@XZ
_lock
_unlock
__CxxFrameHandler3
??0exception@@QEAA@AEBQEBD@Z
_purecall
__dllonexit
_onexit
_callnewh
free
__set_app_type
memset
wcslen
malloc
??_V@YAXPEAX@Z
memcpy
??3@YAXPEAX@Z
?terminate@@YAXXZ

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-synch-l1-1-0

OpenEventW
LeaveCriticalSection
WaitForSingleObject
ReleaseSemaphore
CreateEventW
DeleteCriticalSection
ReleaseMutex
TryEnterCriticalSection
CreateSemaphoreExW
EnterCriticalSection
CreateMutexW
SetEvent
AcquireSRWLockExclusive
ResetEvent
InitializeCriticalSection
ReleaseSRWLockExclusive
WaitForMultipleObjectsEx

api-ms-win-core-registry-l1-1-0

RegDeleteKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
RegOpenCurrentUser
RegEnumValueW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW

api-ms-win-core-processthreads-l1-1-0

SwitchToThread
GetCurrentThreadId
GetCurrentProcessId
GetStartupInfoW
GetCurrentProcess
TerminateProcess
GetExitCodeProcess

api-ms-win-security-base-l1-1-0

InitializeSecurityDescriptor
MakeAbsoluteSD

api-ms-win-core-errorhandling-l1-1-0

SetLastError
GetLastError
RaiseException
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-heap-l1-1-0

HeapSetInformation

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
GetCommandLineW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
CompareStringW
MultiByteToWideChar

api-ms-win-core-synch-l1-2-0

Sleep
SleepConditionVariableSRW
WakeAllConditionVariable

api-ms-win-core-libraryloader-l1-2-0

LoadStringW
GetModuleFileNameW
LoadLibraryExW
GetProcAddress
FreeLibrary
GetModuleHandleW

api-ms-win-core-memory-l1-1-0

FlushViewOfFile
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetVersionExW
GetSystemDirectoryW
GetVersionExA
GetTickCount

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

ntdll

NtQuerySecurityObject
RtlGetOwnerSecurityDescriptor
RtlEqualSid
RtlGetDaclSecurityDescriptor
RtlGetAce
NtQueryObject

wbemcomn

?anyFailure@CStaticCritSec@@SAHXZ
??1CStaticCritSec@@QEAA@XZ
??0CStaticCritSec@@QEAA@XZ

api-ms-win-core-localization-l1-2-0

GetSystemDefaultLangID
FormatMessageW
GetLocaleInfoW

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-file-l1-1-0

CreateDirectoryW
WriteFile
CreateFileW
DeleteFileW

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

??0CHPtrArray@@QEAA@XZ
??0CHString@@QEAA@AEBV0@@Z
??0CHString@@QEAA@GH@Z
??0CHString@@QEAA@PEBD@Z
??0CHString@@QEAA@PEBE@Z
??0CHString@@QEAA@PEBG@Z
??0CHString@@QEAA@PEBGH@Z
??0CHString@@QEAA@XZ
??0CHStringArray@@QEAA@XZ
??0CRegistry@@QEAA@AEBV0@@Z
??0CRegistry@@QEAA@XZ
??0CRegistrySearch@@QEAA@AEBV0@@Z
??0CRegistrySearch@@QEAA@XZ
??1CHPtrArray@@QEAA@XZ
??1CHString@@QEAA@XZ
??1CHStringArray@@QEAA@XZ
??1CRegistry@@QEAA@XZ
??1CRegistrySearch@@QEAA@XZ
??4CHPtrArray@@QEAAAEAV0@AEBV0@@Z
??4CHString@@QEAAAEBV0@AEBV0@@Z
??4CHString@@QEAAAEBV0@D@Z
??4CHString@@QEAAAEBV0@G@Z
??4CHString@@QEAAAEBV0@PEAV0@@Z
??4CHString@@QEAAAEBV0@PEBD@Z
??4CHString@@QEAAAEBV0@PEBE@Z
??4CHString@@QEAAAEBV0@PEBG@Z
??4CHStringArray@@QEAAAEAV0@AEBV0@@Z
??4CRegistry@@QEAAAEAV0@AEBV0@@Z
??4CRegistrySearch@@QEAAAEAV0@AEBV0@@Z
??ACHPtrArray@@QEAAAEAPEAXH@Z
??ACHPtrArray@@QEBAPEAXH@Z
??ACHString@@QEBAGH@Z
??ACHStringArray@@QEAAAEAVCHString@@H@Z
??ACHStringArray@@QEBA?AVCHString@@H@Z
??BCHString@@QEBAPEBGXZ
??H@YA?AVCHString@@AEBV0@0@Z
??H@YA?AVCHString@@AEBV0@G@Z
??H@YA?AVCHString@@AEBV0@PEBG@Z
??H@YA?AVCHString@@GAEBV0@@Z
??H@YA?AVCHString@@PEBGAEBV0@@Z
??YCHString@@QEAAAEBV0@AEBV0@@Z
??YCHString@@QEAAAEBV0@D@Z
??YCHString@@QEAAAEBV0@G@Z
??YCHString@@QEAAAEBV0@PEBG@Z
?Add@CHPtrArray@@QEAAHPEAX@Z
?Add@CHStringArray@@QEAAHPEBG@Z
?AllocBeforeWrite@CHString@@IEAAXH@Z
?AllocBuffer@CHString@@IEAAXH@Z
?AllocCopy@CHString@@IEBAXAEAV1@HHH@Z
?AllocSysString@CHString@@QEBAPEAGXZ
?Append@CHPtrArray@@QEAAHAEBV1@@Z
?Append@CHStringArray@@QEAAHAEBV1@@Z
?AssignCopy@CHString@@IEAAXHPEBG@Z
?CheckAndAddToList@CRegistrySearch@@AEAAXPEAVCRegistry@@VCHString@@1AEAVCHPtrArray@@11H@Z
?Close@CRegistry@@QEAAXXZ
?CloseSubKey@CRegistry@@AEAAXXZ
?Collate@CHString@@QEBAHPEBG@Z
?Compare@CHString@@QEBAHPEBG@Z
?CompareNoCase@CHString@@QEBAHPEBG@Z
?ConcatCopy@CHString@@IEAAXHPEBGH0@Z
?ConcatInPlace@CHString@@IEAAXHPEBG@Z
?Copy@CHPtrArray@@QEAAXAEBV1@@Z
?Copy@CHStringArray@@QEAAXAEBV1@@Z
?CopyBeforeWrite@CHString@@IEAAXXZ
?CreateOpen@CRegistry@@QEAAJPEAUHKEY__@@PEBGPEAGKKPEAU_SECURITY_ATTRIBUTES@@PEAK@Z
?DeleteCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBG@Z
?DeleteCurrentKeyValue@CRegistry@@QEAAKPEBG@Z
?DeleteKey@CRegistry@@QEAAJPEAVCHString@@@Z
?DeleteValue@CRegistry@@QEAAJPEBG@Z
?ElementAt@CHPtrArray@@QEAAAEAPEAXH@Z
?ElementAt@CHStringArray@@QEAAAEAVCHString@@H@Z
?Empty@CHString@@QEAAXXZ
?EnumerateAndGetValues@CRegistry@@QEAAJAEAKAEAPEAGAEAPEAE@Z
?Find@CHString@@QEBAHG@Z
?Find@CHString@@QEBAHPEBG@Z
?FindOneOf@CHString@@QEBAHPEBG@Z
?Format@CHString@@QEAAXIZZ
?Format@CHString@@QEAAXPEBGZZ
?FormatMessageW@CHString@@QEAAXIZZ
?FormatMessageW@CHString@@QEAAXPEBGZZ
?FormatV@CHString@@QEAAXPEBGPEAD@Z
?FreeExtra@CHPtrArray@@QEAAXXZ
?FreeExtra@CHString@@QEAAXXZ
?FreeExtra@CHStringArray@@QEAAXXZ
?FreeSearchList@CRegistrySearch@@QEAAHHAEAVCHPtrArray@@@Z
?GetAllocLength@CHString@@QEBAHXZ
?GetAt@CHPtrArray@@QEBAPEAXH@Z
?GetAt@CHString@@QEBAGH@Z
?GetAt@CHStringArray@@QEBA?AVCHString@@H@Z
?GetBuffer@CHString@@QEAAPEAGH@Z
?GetBufferSetLength@CHString@@QEAAPEAGH@Z
?GetClassNameW@CRegistry@@QEAAPEAGXZ
?GetCurrentBinaryKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGPEAEPEAK@Z
?GetCurrentBinaryKeyValue@CRegistry@@QEAAKPEBGAEAVCHString@@@Z
?GetCurrentBinaryKeyValue@CRegistry@@QEAAKPEBGPEAEPEAK@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAK@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHStringArray@@@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAK@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAVCHStringArray@@@Z
?GetCurrentRawKeyValue@CRegistry@@AEAAKPEAUHKEY__@@PEBGPEAXPEAK3@Z
?GetCurrentRawSubKeyValue@CRegistry@@AEAAKPEBGPEAXPEAK2@Z
?GetCurrentSubKeyCount@CRegistry@@QEAAKXZ
?GetCurrentSubKeyName@CRegistry@@QEAAKAEAVCHString@@@Z
?GetCurrentSubKeyPath@CRegistry@@QEAAKAEAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QEAAKPEBGAEAK@Z
?GetCurrentSubKeyValue@CRegistry@@QEAAKPEBGAEAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QEAAKPEBGPEAXPEAK@Z
?GetData@CHPtrArray@@QEAAPEAPEAXXZ
?GetData@CHPtrArray@@QEBAPEAPEBXXZ
?GetData@CHString@@IEBAPEAUCHStringData@@XZ
?GetData@CHStringArray@@QEAAPEAVCHString@@XZ
?GetData@CHStringArray@@QEBAPEBVCHString@@XZ
?GetLength@CHString@@QEBAHXZ
?GetLongestClassStringSize@CRegistry@@QEAAKXZ
?GetLongestSubKeySize@CRegistry@@QEAAKXZ
?GetLongestValueData@CRegistry@@QEAAKXZ
?GetLongestValueName@CRegistry@@QEAAKXZ
?GetSize@CHPtrArray@@QEBAHXZ
?GetSize@CHStringArray@@QEBAHXZ
?GetUpperBound@CHPtrArray@@QEBAHXZ
?GetUpperBound@CHStringArray@@QEBAHXZ
?GetValueCount@CRegistry@@QEAAKXZ
?GethKey@CRegistry@@QEAAPEAUHKEY__@@XZ
?Init@CHString@@IEAAXXZ
?InsertAt@CHPtrArray@@QEAAXHPEAV1@@Z
?InsertAt@CHPtrArray@@QEAAXHPEAXH@Z
?InsertAt@CHStringArray@@QEAAXHPEAV1@@Z
?InsertAt@CHStringArray@@QEAAXHPEBGH@Z
?IsEmpty@CHString@@QEBAHXZ
?Left@CHString@@QEBA?AV1@H@Z
?LoadStringW@CHString@@IEAAHIPEAGI@Z
?LoadStringW@CHString@@QEAAHI@Z
?LocateKeyByNameOrValueName@CRegistrySearch@@QEAAHPEAUHKEY__@@PEBG1PEAPEBGKAEAVCHString@@3@Z
?LockBuffer@CHString@@QEAAPEAGXZ
?MakeLower@CHString@@QEAAXXZ
?MakeReverse@CHString@@QEAAXXZ
?MakeUpper@CHString@@QEAAXXZ
?Mid@CHString@@QEBA?AV1@H@Z
?Mid@CHString@@QEBA?AV1@HH@Z
?NextSubKey@CRegistry@@QEAAKXZ
?Open@CRegistry@@QEAAJPEAUHKEY__@@PEBGK@Z
?OpenAndEnumerateSubKeys@CRegistry@@QEAAJPEAUHKEY__@@PEBGK@Z
?OpenCurrentUser@CRegistry@@QEAAKPEBGK@Z
?OpenLocalMachineKeyAndReadValue@CRegistry@@QEAAJPEBG0AEAVCHString@@@Z
?OpenSubKey@CRegistry@@AEAAKXZ
?PrepareToReOpen@CRegistry@@AEAAXXZ
?Release@CHString@@QEAAXXZ
?Release@CHString@@SAXPEAUCHStringData@@@Z
?ReleaseBuffer@CHString@@QEAAXH@Z
?RemoveAll@CHPtrArray@@QEAAXXZ
?RemoveAll@CHStringArray@@QEAAXXZ
?RemoveAt@CHPtrArray@@QEAAXHH@Z
?RemoveAt@CHStringArray@@QEAAXHH@Z
?ReverseFind@CHString@@QEBAHG@Z
?RewindSubKeys@CRegistry@@QEAAXXZ
?Right@CHString@@QEBA?AV1@H@Z
?SafeStrlen@CHString@@KAHPEBG@Z
?SearchAndBuildList@CRegistrySearch@@QEAAHVCHString@@AEAVCHPtrArray@@00HPEAUHKEY__@@@Z
?SetAt@CHPtrArray@@QEAAXHPEAX@Z
?SetAt@CHString@@QEAAXHG@Z
?SetAt@CHStringArray@@QEAAXHPEBG@Z
?SetAtGrow@CHPtrArray@@QEAAXHPEAX@Z
?SetAtGrow@CHStringArray@@QEAAXHPEBG@Z
?SetCHStringResourceHandle@@YAXPEAUHINSTANCE__@@@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAK@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHStringArray@@@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAK@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAVCHStringArray@@@Z
?SetCurrentKeyValueExpand@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHString@@@Z
?SetDefaultValues@CRegistry@@AEAAXXZ
?SetPlatformID@CRegistry@@CAHXZ
?SetSize@CHPtrArray@@QEAAXHH@Z
?SetSize@CHStringArray@@QEAAXHH@Z
?SpanExcluding@CHString@@QEBA?AV1@PEBG@Z
?SpanIncluding@CHString@@QEBA?AV1@PEBG@Z
?TrimLeft@CHString@@QEAAXXZ
?TrimRight@CHString@@QEAAXXZ
?UnlockBuffer@CHString@@QEAAXXZ
?myRegCreateKeyEx@CRegistry@@AEAAJPEAUHKEY__@@PEBGKPEAGKKQEAU_SECURITY_ATTRIBUTES@@PEAPEAU2@PEAK@Z
?myRegDeleteKey@CRegistry@@AEAAJPEAUHKEY__@@PEBG@Z
?myRegDeleteValue@CRegistry@@AEAAJPEAUHKEY__@@PEBG@Z
?myRegEnumKey@CRegistry@@AEAAJPEAUHKEY__@@KPEAGK@Z
?myRegEnumValue@CRegistry@@AEAAJPEAUHKEY__@@KPEAGPEAK22PEAE2@Z
?myRegOpenKeyEx@CRegistry@@AEAAJPEAUHKEY__@@PEBGKKPEAPEAU2@@Z
?myRegQueryInfoKey@CRegistry@@AEAAJPEAUHKEY__@@PEAGPEAK22222222PEAU_FILETIME@@@Z
?myRegQueryValueEx@CRegistry@@AEAAJPEAUHKEY__@@PEBGPEAK2PEAE2@Z
?myRegSetValueEx@CRegistry@@AEAAJPEAUHKEY__@@PEBGKKPEBEK@Z
?s_dwPlatform@CRegistry@@0KA
?s_fPlatformSet@CRegistry@@0HA

Sections

.text
Size: 119KB - Virtual size: 119KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 68KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 296B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 568KB - Virtual size: 572KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

e91c5a3e92623e396d79a8a599cf25a9

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-handle-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

ntdll

wbemcomn

api-ms-win-core-localization-l1-2-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-file-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Exports

Exports

Sections

.text Size: 119KB - Virtual size: 119KB

.rdata Size: 68KB - Virtual size: 68KB

.data Size: 4KB - Virtual size: 5KB

.pdata Size: 8KB - Virtual size: 7KB

.didat Size: 512B - Virtual size: 296B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 568KB - Virtual size: 572KB

.text
Size: 119KB - Virtual size: 119KB

.rdata
Size: 68KB - Virtual size: 68KB

.data
Size: 4KB - Virtual size: 5KB

.pdata
Size: 8KB - Virtual size: 7KB

.didat
Size: 512B - Virtual size: 296B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 568KB - Virtual size: 572KB