WsmSvc[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

WsmSvc.dll
Size

1.1MB
MD5

1b91cd34ea3a90ab6a4ef0550174f4cc
SHA1

4ec46bdc903dc6ed657792ef14da828796b91962
SHA256

5b6618615ebfba594c945ad35f5c68da8c6053892b6d12d626bb6120910d80dc
SHA512

cbb0830823c83cb19e537ef0aeae2c01f56cda7d5242a9be257fe3c8226b4451a6b604f8dde892ad755d2dc2303ece336a1b967c84f14df8b6a840e37224c82a
SSDEEP

24576:znVfSFmJQ8k0YwWAYLMEGLLRFmfR4AKaDMxhDyhBPNms13a0Eel6Qyp5D/73/kds:znVfSFeQN0Yz4JFaRRJMxhOhzY0Eel6T

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
WsmSvc.dll

Files

WsmSvc.dll
.dll windows:6 windows x86 arch:x86

caef7291475600ce987647b472857921

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

WsmSvc.pdb

Imports

msvcrt

_scprintf
isspace
strncmp
memmove
isdigit
_wtoi
_wtof
_ftol2
_ultow
wcsrchr
wcsstr
wcscspn
wcstoul
rand
srand
_itow
strchr
_ftol2_sse
_i64tow_s
_vsnprintf
wcspbrk
iswalnum
_wcsrev
_onexit
_lock
__dllonexit
_unlock
_amsg_exit
_initterm
free
malloc
_XcptFilter
??0exception@@QAE@XZ
_CxxThrowException
iswspace
tolower
iswxdigit
iswdigit
_wcsnicmp
wcsncmp
??0exception@@QAE@ABV0@@Z
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABQBD@Z
_strnicmp
_atoi64
_wtoi64
?terminate@@YAXXZ
??1type_info@@UAE@XZ
_except_handler4_common
ldiv
??1exception@@UAE@XZ
memmove_s
memcpy_s
memset
_scwprintf
_vsnwprintf
wcschr
_wcsicmp
__CxxFrameHandler3
_purecall
memcpy
time

ntdll

EtwLogTraceEvent
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
EtwEventActivityIdControl
EtwEventRegister
RtlInitString
NtAllocateLocallyUniqueId
RtlNtStatusToDosError
EtwEventWriteTransfer
EtwEventEnabled
EtwEventProviderEnabled
EtwEventWrite
EtwEventUnregister

kernel32

ReleaseSemaphore
SwitchToThread
OpenProcess
QueryInformationJobObject
OpenJobObjectW
CreateSemaphoreW
K32GetProcessMemoryInfo
LocalFree
LocalAlloc
FreeLibrary
GetProcAddress
LoadLibraryW
GetLastError
CloseHandle
DisableThreadLibraryCalls
SetEvent
SetLastError
UnregisterWait
CreateEventW
WaitForSingleObject
InterlockedIncrement
InterlockedDecrement
HeapSetInformation
HeapCreate
HeapDestroy
GetProcessHeap
HeapAlloc
HeapReAlloc
HeapSize
HeapFree
DelayLoadFailureHook
InterlockedCompareExchange
LoadLibraryExA
InterlockedExchange
Sleep
OutputDebugStringA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
OpenEventW
CreateJobObjectW
SetInformationJobObject
AssignProcessToJobObject
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
MultiByteToWideChar
GetSystemTime
SystemTimeToFileTime
GetCurrentThread
WideCharToMultiByte
RegCloseKey
FindNLSString
CompareStringW
GetVersionExW
GetUserDefaultUILanguage
LoadLibraryA
InterlockedPushEntrySList
LoadLibraryExW
GetSystemDirectoryW
RegQueryValueExW
RegOpenKeyExW
TzSpecificLocalTimeToSystemTime
GetTimeZoneInformation
GetComputerNameExW
GetLocaleInfoW
SetThreadUILanguage
EnumUILanguagesW
FormatMessageW
InterlockedPopEntrySList
ExpandEnvironmentStringsW
InitializeSListHead
InterlockedFlushSList
SetThreadPreferredUILanguages
WaitForMultipleObjects
DeleteTimerQueueTimer
CreateTimerQueueTimer
ResetEvent
UnregisterWaitEx
QueueUserWorkItem
RegNotifyChangeKeyValue
GetThreadLocale
RegDeleteValueW
RegSetValueExW
RegCreateKeyExW
GlobalFree
DebugBreak
GetTickCount64
DuplicateHandle
CreateThread
LocalFileTimeToFileTime
CloseThreadpoolIo
WaitForThreadpoolIoCallbacks
CreateThreadpoolIo
FileTimeToSystemTime
CancelThreadpoolIo
StartThreadpoolIo
GetCommandLineW
InterlockedCompareExchange64
RegEnumKeyExW
RegEnumValueW
CreateFileW
GetFullPathNameW
RegSetKeySecurity
RegisterWaitForSingleObject

oleaut32

SysFreeString
SysAllocStringLen
SysAllocString
VariantInit
VariantClear
VarCmp
SysStringLen
GetErrorInfo

ole32

CoTaskMemFree
CoDisconnectObject
CoUninitialize
CoFreeUnusedLibrariesEx
CoInitializeEx
CoCreateInstance
CoSetProxyBlanket
CoRevokeClassObject
CoTaskMemAlloc

rpcrt4

UuidCreate
UuidFromStringW

api-ms-win-security-base-l1-1-0

CreateWellKnownSid
ImpersonateLoggedOnUser
ImpersonateSelf
RevertToSelf
IsWellKnownSid
EqualSid
GetTokenInformation
GetSecurityDescriptorDacl
GetAce
MapGenericMask
AdjustTokenPrivileges
AllocateAndInitializeSid
FreeSid
CopySid
GetLengthSid
GetKernelObjectSecurity
MakeSelfRelativeSD
SetSecurityDescriptorSacl
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
MakeAbsoluteSD
IsValidSid
CheckTokenMembership
SetKernelObjectSecurity
DuplicateTokenEx
AccessCheckAndAuditAlarmW
AddAccessAllowedAceEx
GetSecurityDescriptorLength
InitializeAcl
GetSecurityDescriptorSacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
GetSecurityDescriptorOwner
GetSecurityDescriptorGroup

Exports

Exports

??0CWSManEnumerator@@QAE@XZ
??1CWSManEnumerator@@UAE@XZ
?AddEvent@CWSManEnumerator@@QAEKPAUWSMAN_OBJECT@@0@Z
?AddObject@CWSManEnumerator@@QAEKPAUWSMAN_OBJECT@@0@Z
?Alloc@WSManMemory@@SGPAXIABVCallSite@TestSystem@@W4Mode@3@@Z
?AllocBstr@WSManMemory@@SGPAGPBGHABVCallSite@TestSystem@@@Z
?AllocBstrLen@WSManMemory@@SGPAGPBGIHABVCallSite@TestSystem@@@Z
?Close@CWSManEnumerator@@QAEKXZ
?Free@WSManMemory@@SGXPAXABVCallSite@TestSystem@@@Z
?FreeBstr@WSManMemory@@SGXPAGHABVCallSite@TestSystem@@@Z
?Freeze@CWSManEnumerator@@QAEXXZ
?GetHeap@WSManMemory@@SGPAXXZ
?GetNext@CWSManEnumerator@@QAEKPAPAUWSMAN_OBJECT@@H@Z
?GetTotalObjectByteSize@CWSManEnumerator@@QAEHPAK@Z
?Initialize@CWSManEnumerator@@QAEKKKKK@Z
?Initialize@CWSManEnumerator@@QAEKPAX@Z
?ReAlloc@WSManMemory@@SGPAXPAXIABVCallSite@TestSystem@@W4Mode@3@@Z
CreateProvHost
EnumServiceUserResources
FwGetParsedDocument
FwGetRootElement
FwIsXmlEscapedProperly
FwXmlCloseParser
FwXmlCompareAttributeName
FwXmlCompareAttributeNameEx
FwXmlCompareElementName
FwXmlCompareElementNameEx
FwXmlCompareElementNameLen
FwXmlCompareElementNameSpace
FwXmlCompareName
FwXmlCreateXmlFromElement
FwXmlDecodeXmlEscapes
FwXmlEncodeXmlEscapes
FwXmlFindAttribute
FwXmlFindAttributeEx
FwXmlFindChildElement
FwXmlFindChildElementEx
FwXmlGetAttribute
FwXmlGetAttributeNameEx
FwXmlGetAttributeNamespacePrefix
FwXmlGetAttributeValue
FwXmlGetAttributeValueDWord
FwXmlGetBooleanValue
FwXmlGetBuffer
FwXmlGetChild
FwXmlGetElementName
FwXmlGetElementNameEx
FwXmlGetElementNamespacePrefix
FwXmlGetElementNamespaceUrl
FwXmlGetEntryNameEx
FwXmlGetNamespaceForPrefix
FwXmlGetNormalizedString
FwXmlGetReferenceXmlFromElement
FwXmlGetSimpleContent
FwXmlGetSimpleContentEx
FwXmlGetSimpleContentEx2
FwXmlHasText
FwXmlIsEmpty
FwXmlIsMustUnderstand
FwXmlIsNull
FwXmlIsSimpleContent
FwXmlIsSimpleContentOrEmpty
FwXmlIsTrueValue
FwXmlNumAttributes
FwXmlNumChildren
FwXmlNumChildrenWithName
FwXmlNumConsecutiveChildrenWithName
FwXmlParsePrefixedXML
FwXmlParseText
FwXmlParserCreate
FwXmlUpdatePrefixes
GetServiceSecurity
RegisterModule
ServiceMain
SetServiceSecurity
StartSoapProcessor
StopSoapProcessor
SubscriptionsProvEndEnumerate
SubscriptionsProvEnumerate
SubscriptionsProvPullEnumerate
SvchostPushServiceGlobals
WSManAckEvents
WSManAddSubscriptionManagerInternal
WSManCloseCommand
WSManCloseEnumerationHandle
WSManCloseEnumeratorHandle
WSManCloseObjectHandle
WSManCloseOperation
WSManClosePublisherHandle
WSManCloseSession
WSManCloseSessionHandle
WSManCloseShell
WSManCloseSubscriptionHandle
WSManConstructError
WSManCreateEnumeratorInternal
WSManCreateInternal
WSManCreateInternalEx
WSManCreatePullSubscription
WSManCreatePushSubscription
WSManCreateSession
WSManCreateSessionInternal
WSManCreateShell
WSManDecodeObject
WSManDeinitialize
WSManDeleteInternal
WSManDeleteInternalEx
WSManDeliverEndSubscriptionNotification
WSManDeliverEvent
WSManEncodeObject
WSManEncodeObjectEx
WSManEncodeObjectInternal
WSManEnumerateInternal
WSManEnumerateInternalEx
WSManEnumeratorAddEvent
WSManEnumeratorAddObject
WSManEnumeratorBatchPolicyViolated
WSManEnumeratorNextObject
WSManEnumeratorObjectCount
WSManGetErrorMessage
WSManGetInternal
WSManGetInternalEx
WSManGetSessionOptionAsDword
WSManGetSessionOptionAsString
WSManIdentifyInternal
WSManInitialize
WSManInvokeInternal
WSManInvokeInternalEx
WSManPluginAuthzOperationComplete
WSManPluginAuthzQueryQuotaComplete
WSManPluginAuthzUserComplete
WSManPluginFreeRequestDetails
WSManPluginGetOperationParameters
WSManPluginObjectAndBookmarkResult
WSManPluginObjectAndEprResult
WSManPluginObjectResult
WSManPluginOperationComplete
WSManPluginReceiveResult
WSManPluginReportContext
WSManPluginShutdown
WSManPluginStartup
WSManProvCreate
WSManProvDelete
WSManProvEndEnumerate
WSManProvEnumerate
WSManProvGet
WSManProvInvoke
WSManProvPullEnumerate
WSManProvPut
WSManPull
WSManPullEvents
WSManPutInternal
WSManPutInternalEx
WSManReceiveShellOutput
WSManRemoveSubscriptionManagerInternal
WSManRunShellCommand
WSManSendShellInput
WSManSetSessionOption
WSManShellProvEndEnumerate
WSManShellProvPullEnumerate
WSManSignalShell

Sections

.text
Size: 1.0MB - Virtual size: 1.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 73KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

caef7291475600ce987647b472857921

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

kernel32

oleaut32

ole32

rpcrt4

api-ms-win-security-base-l1-1-0

Exports

Exports

Sections

.text Size: 1.0MB - Virtual size: 1.0MB

.data Size: 11KB - Virtual size: 13KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 73KB - Virtual size: 73KB

.text
Size: 1.0MB - Virtual size: 1.0MB

.data
Size: 11KB - Virtual size: 13KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 73KB - Virtual size: 73KB