WmiPrvSE[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

WmiPrvSE.exe
Size

504KB
MD5

7528ccabaccd5c1748e63e192097472a
SHA1

91180ed89976d16353404ac982a422a707f2ae37
SHA256

196cabed59111b6c4bbf78c84a56846d96cbbc4f06935a4fd4e6432ef0ae4083
SHA512

dce2184c48515127905b0d70fa2c20ef27eddfa5e97a1224a36a62f4dd61b45073bc3079671a7126f593108e684fafc5a5f4fbd53d6ee020c3e74dd930bafad3
SSDEEP

12288:1J79n30h0YraF+5rU0TeHTiWe2qRgiDQp2UUMcR1XTrvAfzZyvw2Th2PFKCpuKki:1J79n30h0Y2F+5rU0qHTk2ZiDQcccRZn

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
WmiPrvSE.exe

Files

WmiPrvSE.exe
.exe windows:10 windows x64 arch:x64

144c0dfa3875d7237b37631c52d608cb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

WmiPrvSE.pdb

Imports

msvcrt

_commode
?terminate@@YAXXZ
??1type_info@@UEAA@XZ
_acmdln
__setusermatherr
wcstok
_ismbblead
_cexit
_initterm
_exit
exit
__set_app_type
_lock
__getmainargs
_unlock
_amsg_exit
_XcptFilter
??8type_info@@QEBAHAEBV0@@Z
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
__dllonexit
_onexit
memcmp
??0exception@@QEAA@AEBQEBD@Z
memmove
memcpy
__CxxFrameHandler4
__CxxFrameHandler3
_CxxThrowException
__C_specific_handler
_purecall
_itow
_vsnwprintf
_fmode
_ui64tow
memset

ntdll

RtlNtStatusToDosError
RtlAddAccessAllowedAce
RtlLengthSid
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwGetTraceEnableFlags
NtQuerySystemInformation
RtlCreateAcl
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
EtwTraceMessage

api-ms-win-core-synch-l1-1-0

EnterCriticalSection
CreateEventW
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
WaitForSingleObject
WaitForMultipleObjectsEx
SetEvent
DeleteCriticalSection

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-security-base-l1-1-0

ImpersonateLoggedOnUser
GetAclInformation
GetTokenInformation
SetSecurityDescriptorDacl
RevertToSelf
SetSecurityDescriptorGroup
MapGenericMask
AccessCheck
MakeAbsoluteSD
SetSecurityDescriptorOwner
FreeSid
GetLengthSid
InitializeSecurityDescriptor
GetSecurityDescriptorLength
MakeSelfRelativeSD
AllocateAndInitializeSid
InitializeAcl
CopySid
AddAce

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
GetLastError
SetUnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
FreeLibrary
GetModuleHandleExW
GetModuleHandleW
GetModuleFileNameW

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-processthreads-l1-1-0

TlsAlloc
TlsFree
SetThreadToken
OpenThreadToken
TerminateProcess
GetCurrentProcessId
GetCurrentThread
CreateThread
GetCurrentProcess
GetCurrentThreadId
SwitchToThread
GetStartupInfoW
OpenProcessToken

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW

api-ms-win-core-string-l1-1-0

GetStringTypeExW
CompareStringW

api-ms-win-core-heap-l1-1-0

HeapDestroy
HeapCreate
HeapFree
GetProcessHeap
HeapSetInformation
HeapAlloc

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegDeleteKeyExW
RegCreateKeyExW
RegSetValueExW

api-ms-win-eventing-provider-l1-1-0

EventWrite
EventRegister
EventUnregister

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-memory-l1-1-0

MapViewOfFile
OpenFileMappingW
CreateFileMappingW
UnmapViewOfFile

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-localization-l1-2-0

LCMapStringW

api-ms-win-core-threadpool-legacy-l1-1-0

ChangeTimerQueueTimer

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

fastprox

?AddRef@CWbemCallSecurity@@UEAAKXZ
?QueryInterface@CWbemCallSecurity@@UEAAJAEBU_GUID@@PEAPEAX@Z
?SetThreadSecurity@CWbemCallSecurity@@UEAAJPEAU_IWmiThreadSecHandle@@@Z
?GetThreadSecurity@CWbemCallSecurity@@UEAAJW4tag_WMI_THREAD_SECURITY_ORIGIN@@PEAPEAU_IWmiThreadSecHandle@@@Z
?New@CWbemCallSecurity@@SAPEAV1@XZ
?Release@CWbemCallSecurity@@UEAAKXZ

ncobjapi

WmiCreateObjectWithFormat
WmiDestroyObject
WmiEventSourceDisconnect
WmiSetAndCommitObject
WmiEventSourceConnect

wbemcomn

BreakOnDbgAndRenterLoop
GetMemLogObject
?Write@CMemoryLog@@QEAAXJ@Z
_ThrowMemoryException_
?GetPreferredLanguages@CMUILocale@@SAJKPEAPEAGPEAK@Z
?_Free@CMUILocale@@SAHPEAX@Z
?SetPreferredLanguages@CMUILocale@@SAJKPEBGPEAK@Z
?PublishProviderStarted@CPublishWMIOperationEvent@@SAJPEAGJ0K0@Z
?Init@CPublishWMIOperationEvent@@SAJXZ

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 312KB - Virtual size: 309KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 92KB - Virtual size: 90KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 472B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 64KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

144c0dfa3875d7237b37631c52d608cb

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-apiquery-l1-1-0

fastprox

ncobjapi

wbemcomn

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 312KB - Virtual size: 309KB

.rdata Size: 92KB - Virtual size: 90KB

.data Size: 8KB - Virtual size: 9KB

.pdata Size: 16KB - Virtual size: 13KB

.didat Size: 4KB - Virtual size: 472B

.rsrc Size: 64KB - Virtual size: 62KB

.reloc Size: 4KB - Virtual size: 3KB

.text
Size: 312KB - Virtual size: 309KB

.rdata
Size: 92KB - Virtual size: 90KB

.data
Size: 8KB - Virtual size: 9KB

.pdata
Size: 16KB - Virtual size: 13KB

.didat
Size: 4KB - Virtual size: 472B

.rsrc
Size: 64KB - Virtual size: 62KB

.reloc
Size: 4KB - Virtual size: 3KB