WmiPrvSE[.]exe[.]7z

Resubmissions

24-04-2024 13:27

240424-qp27lsaf8x 3

24-04-2024 13:23

240424-qmsv6aaf32 3

Sharing

Copy URL

Twitter E-mail

General

Target

WmiPrvSE.exe.7z
Size

161KB
MD5

5a29c1c396d669df4db1779d32fa8515
SHA1

8fa6335a774ecb27dcc88dd0fae40e79eaf16c95
SHA256

143b0d14fab8a4f7e147d432f3a7db111651053fee963d8f64eccd58e606dd7c
SHA512

f936302b252046ab36839173e40c0697237e3673e788359e5c7f25fe0a05c1cf79b6273c2f23ebde25c7e2ac2ce820d69e6ca662b6d64da200454ffb3a11c18a
SSDEEP

3072:zQ1alQbCPhqr0QtCBLDowLyMOnQEJAiQqTFcPpZ8Qc+mPiMxlos:zQ2Qb3SBp+MOn7AwFWwL+Mv

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/WmiPrvSE.exe/WmiPrvSE.exe

Files

WmiPrvSE.exe.7z
.7z

Password: infected
WmiPrvSE.exe/WmiPrvSE.exe
.exe windows:10 windows x64 arch:x64

Password: infected

b71cb3ac5c352bec857c940cbc95f0f3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

WmiPrvSE.pdb

Imports

msvcrt

_cexit
_exit
_ismbblead
__set_app_type
memcmp
__setusermatherr
_initterm
_acmdln
__getmainargs
_onexit
__dllonexit
_amsg_exit
_fmode
_XcptFilter
??8type_info@@QEBAHAEBV0@@Z
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
__CxxFrameHandler3
_unlock
_lock
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
??0exception@@QEAA@AEBQEBD@Z
memmove
memcpy
_commode
_CxxThrowException
__C_specific_handler
_purecall
_itow
wcstok
_vsnwprintf
exit
memset

ntdll

RtlNtStatusToDosError
RtlAddAccessAllowedAce
RtlLengthSid
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwGetTraceEnableFlags
NtQuerySystemInformation
RtlCreateAcl
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
EtwTraceMessage

api-ms-win-core-synch-l1-1-0

SetEvent
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
CreateEventW
WaitForSingleObject
LeaveCriticalSection
WaitForMultipleObjectsEx

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-security-base-l1-1-0

MakeSelfRelativeSD
GetSecurityDescriptorLength
AddAce
MakeAbsoluteSD
CopySid
GetLengthSid
InitializeSecurityDescriptor
AccessCheck
MapGenericMask
AllocateAndInitializeSid
FreeSid
GetTokenInformation
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
InitializeAcl
SetSecurityDescriptorDacl
GetAclInformation
RevertToSelf
ImpersonateLoggedOnUser

api-ms-win-core-errorhandling-l1-1-0

GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
GetModuleHandleExW
GetProcAddress
GetModuleFileNameW
GetModuleHandleW

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentThread
TlsFree
CreateThread
OpenThreadToken
SetThreadToken
GetCurrentProcess
SwitchToThread
TlsAlloc
GetStartupInfoW
TerminateProcess
GetCurrentProcessId
OpenProcessToken

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW

api-ms-win-core-string-l1-1-0

CompareStringW
GetStringTypeExW

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree
HeapCreate
HeapDestroy
HeapSetInformation

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegSetValueExW
RegQueryValueExW
RegDeleteKeyExW
RegCreateKeyExW
RegOpenKeyExW

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventWrite
EventUnregister

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-memory-l1-1-0

MapViewOfFile
CreateFileMappingW
OpenFileMappingW
UnmapViewOfFile

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-localization-l1-2-0

LCMapStringW

api-ms-win-core-threadpool-legacy-l1-1-0

ChangeTimerQueueTimer

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

fastprox

?Release@CWbemCallSecurity@@UEAAKXZ
?QueryInterface@CWbemCallSecurity@@UEAAJAEBU_GUID@@PEAPEAX@Z
?SetThreadSecurity@CWbemCallSecurity@@UEAAJPEAU_IWmiThreadSecHandle@@@Z
?GetThreadSecurity@CWbemCallSecurity@@UEAAJW4tag_WMI_THREAD_SECURITY_ORIGIN@@PEAPEAU_IWmiThreadSecHandle@@@Z
?AddRef@CWbemCallSecurity@@UEAAKXZ
?New@CWbemCallSecurity@@SAPEAV1@XZ

ncobjapi

WmiCreateObjectWithFormat
WmiDestroyObject
WmiEventSourceDisconnect
WmiSetAndCommitObject
WmiEventSourceConnect

wbemcomn

BreakOnDbgAndRenterLoop
GetMemLogObject
?Write@CMemoryLog@@QEAAXJ@Z
_ThrowMemoryException_
?GetPreferredLanguages@CMUILocale@@SAJKPEAPEAGPEAK@Z
?_Free@CMUILocale@@SAHPEAX@Z
?SetPreferredLanguages@CMUILocale@@SAJKPEBGPEAK@Z
?PublishProviderStarted@CPublishWMIOperationEvent@@SAJPEAGJ0K0@Z
?Init@CPublishWMIOperationEvent@@SAJXZ

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 284KB - Virtual size: 284KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 111KB - Virtual size: 111KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 472B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 63KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

b71cb3ac5c352bec857c940cbc95f0f3

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-apiquery-l1-1-0

fastprox

ncobjapi

wbemcomn

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 284KB - Virtual size: 284KB

.rdata Size: 111KB - Virtual size: 111KB

.data Size: 7KB - Virtual size: 9KB

.pdata Size: 14KB - Virtual size: 13KB

.didat Size: 512B - Virtual size: 472B

.rsrc Size: 63KB - Virtual size: 62KB

.reloc Size: 3KB - Virtual size: 3KB

.text
Size: 284KB - Virtual size: 284KB

.rdata
Size: 111KB - Virtual size: 111KB

.data
Size: 7KB - Virtual size: 9KB

.pdata
Size: 14KB - Virtual size: 13KB

.didat
Size: 512B - Virtual size: 472B

.rsrc
Size: 63KB - Virtual size: 62KB

.reloc
Size: 3KB - Virtual size: 3KB