94177ee648be242d0f97efb3717ca1f043e707d726e39ed380a537f7b7950324

Sharing

Copy URL

Twitter E-mail

General

Target

94177ee648be242d0f97efb3717ca1f043e707d726e39ed380a537f7b7950324
Size

765KB
MD5

fc664e00b1c8f50e24a50137cdc2bc01
SHA1

76ebb768f0e2a69a6946c99d9eab420b6875c4c3
SHA256

94177ee648be242d0f97efb3717ca1f043e707d726e39ed380a537f7b7950324
SHA512

3afcdfaf6bd12f9a69833dfb19b09c8c0f911343d216df61088e59eff8c71dfc6672d4814af2de5ebaafd1294a47a58d9368c13ead398adb020ebbe179edf918
SSDEEP

12288:S4hgOaj08hCM286FggLbrQXbR7jqkf1Hm7tJc0FS3jicGWVSI7dMua43Ek0cIHAm:S4laxm86LaRFdGJm0Q3WKVSwdr13Ek0y

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
94177ee648be242d0f97efb3717ca1f043e707d726e39ed380a537f7b7950324

Files

94177ee648be242d0f97efb3717ca1f043e707d726e39ed380a537f7b7950324
.exe windows:10 windows x64 arch:x64

abc6b16fb24ff75624e2f3bcd6d1e693

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

WmiApSrv.pdb

Imports

msvcrt

_wcsicmp
memmove_s
wcschr
strlen
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
memcpy_s
wcsrchr
_vsnwprintf
iswspace
atol
_onexit
__dllonexit
realloc
_lock
?terminate@@YAXXZ
memmove
??1type_info@@UEAA@XZ
_commode
wcsspn
_fmode
_wcmdln
__C_specific_handler
_initterm
__setusermatherr
_cexit
wcscoll
_exit
exit
iswdigit
wcspbrk
wcsstr
_wcsupr
_unlock
_wcslwr
_wcsrev
__set_app_type
__wgetmainargs
_amsg_exit
wcscspn
_XcptFilter
_CxxThrowException
__CxxFrameHandler3
_callnewh
?what@exception@@UEBAPEBDXZ
_wtol
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
free
memset
wcslen
malloc
memcpy
_wtoi

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-synch-l1-1-0

WaitForSingleObject
ReleaseSemaphore
EnterCriticalSection
ReleaseMutex
InitializeCriticalSection
CreateSemaphoreExW
ResetEvent
AcquireSRWLockExclusive
TryEnterCriticalSection
SetEvent
CreateEventW
LeaveCriticalSection
ReleaseSRWLockExclusive
OpenEventW
CreateMutexW
WaitForMultipleObjectsEx
DeleteCriticalSection

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumValueW
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegOpenCurrentUser
RegEnumKeyExW
RegDeleteKeyExW
RegDeleteValueW

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentProcess
GetExitCodeProcess
SwitchToThread
GetCurrentThreadId
GetStartupInfoW
GetCurrentProcessId

api-ms-win-security-base-l1-1-0

InitializeSecurityDescriptor
MakeAbsoluteSD

api-ms-win-core-errorhandling-l1-1-0

RaiseException
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-heap-l1-1-0

HeapSetInformation

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
ExpandEnvironmentStringsW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar
CompareStringW

api-ms-win-core-synch-l1-2-0

SleepConditionVariableSRW
WakeAllConditionVariable
Sleep

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
FreeLibrary
LoadStringW
LoadLibraryExW
GetModuleFileNameW
GetProcAddress

api-ms-win-core-memory-l1-1-0

UnmapViewOfFile
FlushViewOfFile
CreateFileMappingW
MapViewOfFile

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetVersionExA
GetSystemDirectoryW
GetSystemTimeAsFileTime
GetTickCount
GetVersionExW

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext

ntdll

NtQuerySecurityObject
RtlGetOwnerSecurityDescriptor
RtlEqualSid
RtlGetDaclSecurityDescriptor
RtlGetAce
NtQueryObject

wbemcomn

??0CStaticCritSec@@QEAA@XZ
?anyFailure@CStaticCritSec@@SAHXZ
??1CStaticCritSec@@QEAA@XZ

api-ms-win-core-localization-l1-2-0

GetLocaleInfoW
GetSystemDefaultLangID
FormatMessageW

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-file-l1-1-0

DeleteFileW
CreateFileW
WriteFile
CreateDirectoryW

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-debug-l1-1-0

OutputDebugStringA

Exports

Exports

??0CHPtrArray@@QEAA@XZ
??0CHString@@QEAA@AEBV0@@Z
??0CHString@@QEAA@GH@Z
??0CHString@@QEAA@PEBD@Z
??0CHString@@QEAA@PEBE@Z
??0CHString@@QEAA@PEBG@Z
??0CHString@@QEAA@PEBGH@Z
??0CHString@@QEAA@XZ
??0CHStringArray@@QEAA@XZ
??0CRegistry@@QEAA@AEBV0@@Z
??0CRegistry@@QEAA@XZ
??0CRegistrySearch@@QEAA@AEBV0@@Z
??0CRegistrySearch@@QEAA@XZ
??1CHPtrArray@@QEAA@XZ
??1CHString@@QEAA@XZ
??1CHStringArray@@QEAA@XZ
??1CRegistry@@QEAA@XZ
??1CRegistrySearch@@QEAA@XZ
??4CHPtrArray@@QEAAAEAV0@AEBV0@@Z
??4CHString@@QEAAAEBV0@AEBV0@@Z
??4CHString@@QEAAAEBV0@D@Z
??4CHString@@QEAAAEBV0@G@Z
??4CHString@@QEAAAEBV0@PEAV0@@Z
??4CHString@@QEAAAEBV0@PEBD@Z
??4CHString@@QEAAAEBV0@PEBE@Z
??4CHString@@QEAAAEBV0@PEBG@Z
??4CHStringArray@@QEAAAEAV0@AEBV0@@Z
??4CRegistry@@QEAAAEAV0@AEBV0@@Z
??4CRegistrySearch@@QEAAAEAV0@AEBV0@@Z
??ACHPtrArray@@QEAAAEAPEAXH@Z
??ACHPtrArray@@QEBAPEAXH@Z
??ACHString@@QEBAGH@Z
??ACHStringArray@@QEAAAEAVCHString@@H@Z
??ACHStringArray@@QEBA?AVCHString@@H@Z
??BCHString@@QEBAPEBGXZ
??H@YA?AVCHString@@AEBV0@0@Z
??H@YA?AVCHString@@AEBV0@G@Z
??H@YA?AVCHString@@AEBV0@PEBG@Z
??H@YA?AVCHString@@GAEBV0@@Z
??H@YA?AVCHString@@PEBGAEBV0@@Z
??YCHString@@QEAAAEBV0@AEBV0@@Z
??YCHString@@QEAAAEBV0@D@Z
??YCHString@@QEAAAEBV0@G@Z
??YCHString@@QEAAAEBV0@PEBG@Z
?Add@CHPtrArray@@QEAAHPEAX@Z
?Add@CHStringArray@@QEAAHPEBG@Z
?AllocBeforeWrite@CHString@@IEAAXH@Z
?AllocBuffer@CHString@@IEAAXH@Z
?AllocCopy@CHString@@IEBAXAEAV1@HHH@Z
?AllocSysString@CHString@@QEBAPEAGXZ
?Append@CHPtrArray@@QEAAHAEBV1@@Z
?Append@CHStringArray@@QEAAHAEBV1@@Z
?AssignCopy@CHString@@IEAAXHPEBG@Z
?CheckAndAddToList@CRegistrySearch@@AEAAXPEAVCRegistry@@VCHString@@1AEAVCHPtrArray@@11H@Z
?Close@CRegistry@@QEAAXXZ
?CloseSubKey@CRegistry@@AEAAXXZ
?Collate@CHString@@QEBAHPEBG@Z
?Compare@CHString@@QEBAHPEBG@Z
?CompareNoCase@CHString@@QEBAHPEBG@Z
?ConcatCopy@CHString@@IEAAXHPEBGH0@Z
?ConcatInPlace@CHString@@IEAAXHPEBG@Z
?Copy@CHPtrArray@@QEAAXAEBV1@@Z
?Copy@CHStringArray@@QEAAXAEBV1@@Z
?CopyBeforeWrite@CHString@@IEAAXXZ
?CreateOpen@CRegistry@@QEAAJPEAUHKEY__@@PEBGPEAGKKPEAU_SECURITY_ATTRIBUTES@@PEAK@Z
?DeleteCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBG@Z
?DeleteCurrentKeyValue@CRegistry@@QEAAKPEBG@Z
?DeleteKey@CRegistry@@QEAAJPEAVCHString@@@Z
?DeleteValue@CRegistry@@QEAAJPEBG@Z
?ElementAt@CHPtrArray@@QEAAAEAPEAXH@Z
?ElementAt@CHStringArray@@QEAAAEAVCHString@@H@Z
?Empty@CHString@@QEAAXXZ
?EnumerateAndGetValues@CRegistry@@QEAAJAEAKAEAPEAGAEAPEAE@Z
?Find@CHString@@QEBAHG@Z
?Find@CHString@@QEBAHPEBG@Z
?FindOneOf@CHString@@QEBAHPEBG@Z
?Format@CHString@@QEAAXIZZ
?Format@CHString@@QEAAXPEBGZZ
?FormatMessageW@CHString@@QEAAXIZZ
?FormatMessageW@CHString@@QEAAXPEBGZZ
?FormatV@CHString@@QEAAXPEBGPEAD@Z
?FreeExtra@CHPtrArray@@QEAAXXZ
?FreeExtra@CHString@@QEAAXXZ
?FreeExtra@CHStringArray@@QEAAXXZ
?FreeSearchList@CRegistrySearch@@QEAAHHAEAVCHPtrArray@@@Z
?GetAllocLength@CHString@@QEBAHXZ
?GetAt@CHPtrArray@@QEBAPEAXH@Z
?GetAt@CHString@@QEBAGH@Z
?GetAt@CHStringArray@@QEBA?AVCHString@@H@Z
?GetBuffer@CHString@@QEAAPEAGH@Z
?GetBufferSetLength@CHString@@QEAAPEAGH@Z
?GetClassNameW@CRegistry@@QEAAPEAGXZ
?GetCurrentBinaryKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGPEAEPEAK@Z
?GetCurrentBinaryKeyValue@CRegistry@@QEAAKPEBGAEAVCHString@@@Z
?GetCurrentBinaryKeyValue@CRegistry@@QEAAKPEBGPEAEPEAK@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAK@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHStringArray@@@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAK@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAVCHStringArray@@@Z
?GetCurrentRawKeyValue@CRegistry@@AEAAKPEAUHKEY__@@PEBGPEAXPEAK3@Z
?GetCurrentRawSubKeyValue@CRegistry@@AEAAKPEBGPEAXPEAK2@Z
?GetCurrentSubKeyCount@CRegistry@@QEAAKXZ
?GetCurrentSubKeyName@CRegistry@@QEAAKAEAVCHString@@@Z
?GetCurrentSubKeyPath@CRegistry@@QEAAKAEAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QEAAKPEBGAEAK@Z
?GetCurrentSubKeyValue@CRegistry@@QEAAKPEBGAEAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QEAAKPEBGPEAXPEAK@Z
?GetData@CHPtrArray@@QEAAPEAPEAXXZ
?GetData@CHPtrArray@@QEBAPEAPEBXXZ
?GetData@CHString@@IEBAPEAUCHStringData@@XZ
?GetData@CHStringArray@@QEAAPEAVCHString@@XZ
?GetData@CHStringArray@@QEBAPEBVCHString@@XZ
?GetLength@CHString@@QEBAHXZ
?GetLongestClassStringSize@CRegistry@@QEAAKXZ
?GetLongestSubKeySize@CRegistry@@QEAAKXZ
?GetLongestValueData@CRegistry@@QEAAKXZ
?GetLongestValueName@CRegistry@@QEAAKXZ
?GetSize@CHPtrArray@@QEBAHXZ
?GetSize@CHStringArray@@QEBAHXZ
?GetUpperBound@CHPtrArray@@QEBAHXZ
?GetUpperBound@CHStringArray@@QEBAHXZ
?GetValueCount@CRegistry@@QEAAKXZ
?GethKey@CRegistry@@QEAAPEAUHKEY__@@XZ
?Init@CHString@@IEAAXXZ
?InsertAt@CHPtrArray@@QEAAXHPEAV1@@Z
?InsertAt@CHPtrArray@@QEAAXHPEAXH@Z
?InsertAt@CHStringArray@@QEAAXHPEAV1@@Z
?InsertAt@CHStringArray@@QEAAXHPEBGH@Z
?IsEmpty@CHString@@QEBAHXZ
?Left@CHString@@QEBA?AV1@H@Z
?LoadStringW@CHString@@IEAAHIPEAGI@Z
?LoadStringW@CHString@@QEAAHI@Z
?LocateKeyByNameOrValueName@CRegistrySearch@@QEAAHPEAUHKEY__@@PEBG1PEAPEBGKAEAVCHString@@3@Z
?LockBuffer@CHString@@QEAAPEAGXZ
?MakeLower@CHString@@QEAAXXZ
?MakeReverse@CHString@@QEAAXXZ
?MakeUpper@CHString@@QEAAXXZ
?Mid@CHString@@QEBA?AV1@H@Z
?Mid@CHString@@QEBA?AV1@HH@Z
?NextSubKey@CRegistry@@QEAAKXZ
?Open@CRegistry@@QEAAJPEAUHKEY__@@PEBGK@Z
?OpenAndEnumerateSubKeys@CRegistry@@QEAAJPEAUHKEY__@@PEBGK@Z
?OpenCurrentUser@CRegistry@@QEAAKPEBGK@Z
?OpenLocalMachineKeyAndReadValue@CRegistry@@QEAAJPEBG0AEAVCHString@@@Z
?OpenSubKey@CRegistry@@AEAAKXZ
?PrepareToReOpen@CRegistry@@AEAAXXZ
?Release@CHString@@QEAAXXZ
?Release@CHString@@SAXPEAUCHStringData@@@Z
?ReleaseBuffer@CHString@@QEAAXH@Z
?RemoveAll@CHPtrArray@@QEAAXXZ
?RemoveAll@CHStringArray@@QEAAXXZ
?RemoveAt@CHPtrArray@@QEAAXHH@Z
?RemoveAt@CHStringArray@@QEAAXHH@Z
?ReverseFind@CHString@@QEBAHG@Z
?RewindSubKeys@CRegistry@@QEAAXXZ
?Right@CHString@@QEBA?AV1@H@Z
?SafeStrlen@CHString@@KAHPEBG@Z
?SearchAndBuildList@CRegistrySearch@@QEAAHVCHString@@AEAVCHPtrArray@@00HPEAUHKEY__@@@Z
?SetAt@CHPtrArray@@QEAAXHPEAX@Z
?SetAt@CHString@@QEAAXHG@Z
?SetAt@CHStringArray@@QEAAXHPEBG@Z
?SetAtGrow@CHPtrArray@@QEAAXHPEAX@Z
?SetAtGrow@CHStringArray@@QEAAXHPEBG@Z
?SetCHStringResourceHandle@@YAXPEAUHINSTANCE__@@@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAK@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHStringArray@@@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAK@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QEAAKPEBGAEAVCHStringArray@@@Z
?SetCurrentKeyValueExpand@CRegistry@@QEAAKPEAUHKEY__@@PEBGAEAVCHString@@@Z
?SetDefaultValues@CRegistry@@AEAAXXZ
?SetPlatformID@CRegistry@@CAHXZ
?SetSize@CHPtrArray@@QEAAXHH@Z
?SetSize@CHStringArray@@QEAAXHH@Z
?SpanExcluding@CHString@@QEBA?AV1@PEBG@Z
?SpanIncluding@CHString@@QEBA?AV1@PEBG@Z
?TrimLeft@CHString@@QEAAXXZ
?TrimRight@CHString@@QEAAXXZ
?UnlockBuffer@CHString@@QEAAXXZ
?myRegCreateKeyEx@CRegistry@@AEAAJPEAUHKEY__@@PEBGKPEAGKKQEAU_SECURITY_ATTRIBUTES@@PEAPEAU2@PEAK@Z
?myRegDeleteKey@CRegistry@@AEAAJPEAUHKEY__@@PEBG@Z
?myRegDeleteValue@CRegistry@@AEAAJPEAUHKEY__@@PEBG@Z
?myRegEnumKey@CRegistry@@AEAAJPEAUHKEY__@@KPEAGK@Z
?myRegEnumValue@CRegistry@@AEAAJPEAUHKEY__@@KPEAGPEAK22PEAE2@Z
?myRegOpenKeyEx@CRegistry@@AEAAJPEAUHKEY__@@PEBGKKPEAPEAU2@@Z
?myRegQueryInfoKey@CRegistry@@AEAAJPEAUHKEY__@@PEAGPEAK22222222PEAU_FILETIME@@@Z
?myRegQueryValueEx@CRegistry@@AEAAJPEAUHKEY__@@PEBGPEAK2PEAE2@Z
?myRegSetValueEx@CRegistry@@AEAAJPEAUHKEY__@@PEBGKKPEBEK@Z
?s_dwPlatform@CRegistry@@0KA
?s_fPlatformSet@CRegistry@@0HA

Sections

.text
Size: 111KB - Virtual size: 111KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 70KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 296B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 568KB - Virtual size: 572KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

abc6b16fb24ff75624e2f3bcd6d1e693

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-handle-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

ntdll

wbemcomn

api-ms-win-core-localization-l1-2-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-file-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-debug-l1-1-0

Exports

Exports

Sections

.text Size: 111KB - Virtual size: 111KB

.rdata Size: 70KB - Virtual size: 69KB

.data Size: 4KB - Virtual size: 5KB

.pdata Size: 8KB - Virtual size: 7KB

.didat Size: 512B - Virtual size: 296B

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 568KB - Virtual size: 572KB

.text
Size: 111KB - Virtual size: 111KB

.rdata
Size: 70KB - Virtual size: 69KB

.data
Size: 4KB - Virtual size: 5KB

.pdata
Size: 8KB - Virtual size: 7KB

.didat
Size: 512B - Virtual size: 296B

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 568KB - Virtual size: 572KB