WmiApSrv.pdb
Static task
static1
Behavioral task
behavioral1
Sample
755a681db4e8947d28d180bf4dfe08c964916dfe6866b05c9ed27f57f51c8ccc.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
755a681db4e8947d28d180bf4dfe08c964916dfe6866b05c9ed27f57f51c8ccc.exe
Resource
win10v2004-20240802-en
General
- Target: 755a681db4e8947d28d180bf4dfe08c964916dfe6866b05c9ed27f57f51c8ccc
- Size: 124KB
- MD5: 2ecc9754ca631c4dd0c3006ba183142e
- SHA1: 194270289ab0b4b2408ff579f0ce29f748f441a0
- SHA256: 755a681db4e8947d28d180bf4dfe08c964916dfe6866b05c9ed27f57f51c8ccc
- SHA512: 3c7abcb125a92c17c4e5063f6a43cf44ae9b31ebcb6892d423271cafa52e2bf14d1357fa89cd74d4f7d58ebe01cb291ba68f4456702eac27700698b130a4f4db
- SSDEEP: 3072:tH6Fp8EM+b0qcrIgVyRpNkY/5mutAxzP6TwQBV:sp8EMy0qccQyRpNktusPq/D
Malware Config
Signatures
- Unsigned PE (1 IoC): checks for missing Authenticode signature.
  resource: 755a681db4e8947d28d180bf4dfe08c964916dfe6866b05c9ed27f57f51c8ccc
Files
- 755a681db4e8947d28d180bf4dfe08c964916dfe6866b05c9ed27f57f51c8ccc.exe (windows:5 windows x86, arch:x86), imphash 99250b7f2f051041953ad2d17bd56c6f
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
PDB Paths
Imports
msvcrt
_wcsicmp
wcsrchr
_vsnwprintf
_CxxThrowException
_wtol
realloc
_wtoi
wcslen
wcscmp
_controlfp
_onexit
__dllonexit
??1type_info@@UAE@XZ
_except_handler3
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
wcscspn
wcsspn
iswdigit
wcschr
?terminate@@YAXXZ
vswprintf
memmove
_wcsrev
_wcslwr
_wcsupr
wcsstr
wcspbrk
mbstowcs
wcscoll
_acmdln
exit
_cexit
_XcptFilter
_exit
_c_exit
memset
free
memcpy
__CxxFrameHandler
??2@YAPAXI@Z
??3@YAXPAX@Z
malloc
advapi32
RegCreateKeyExA
RegSetValueExA
RegQueryValueExA
RegDeleteValueA
RegDeleteKeyA
RegEnumValueW
RegEnumKeyA
RegQueryInfoKeyW
RegOpenKeyW
RegQueryValueExW
RegEnumKeyW
RegEnumValueA
RegCloseKey
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegDeleteValueW
RegSetValueExW
RegCreateKeyExW
CloseServiceHandle
QueryServiceStatus
QueryServiceConfigW
OpenServiceW
OpenSCManagerW
ConvertStringSecurityDescriptorToSecurityDescriptorW
InitializeSecurityDescriptor
MakeAbsoluteSD
SetServiceStatus
RegisterServiceCtrlHandlerW
DeleteService
ControlService
StartServiceCtrlDispatcherW
ChangeServiceConfig2W
CreateServiceW
RegOpenCurrentUser
RegQueryInfoKeyA
RegOpenKeyExA
kernel32
lstrlenW
ReleaseSemaphore
WaitForSingleObject
SwitchToThread
GetLastError
GetCurrentProcess
InterlockedIncrement
InterlockedDecrement
InitializeCriticalSection
SetEvent
ResetEvent
EnterCriticalSection
TryEnterCriticalSection
LocalAlloc
lstrcmpiW
GetCommandLineW
CreateMutexW
CreateEventW
DeleteCriticalSection
ReleaseMutex
InterlockedCompareExchange
GetModuleHandleW
GetModuleFileNameW
Sleep
WaitForMultipleObjects
UnmapViewOfFile
lstrcmpW
FlushViewOfFile
MapViewOfFile
CreateFileMappingW
GetExitCodeProcess
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoA
CreateFileW
WriteFile
WideCharToMultiByte
GetSystemDefaultLCID
GetSystemDirectoryW
GetProcAddress
LeaveCriticalSection
CloseHandle
FormatMessageW
FormatMessageA
OpenEventW
SetLastError
OpenProcess
FreeLibrary
LoadLibraryW
ExpandEnvironmentStringsW
RaiseException
MultiByteToWideChar
GetVersionExA
CreateSemaphoreW
CreateDirectoryW
DeleteFileW
MoveFileExW
GetLocaleInfoW
lstrlenA
GetVersionExW
LocalFree
user32
CharNextW
LoadStringW
ntdll
NtQueryObject
RtlGetAce
RtlGetDaclSecurityDescriptor
RtlEqualSid
RtlGetOwnerSecurityDescriptor
NtQuerySecurityObject
iswspace
atol
oleaut32
SysFreeString
SysAllocString
VariantChangeType
SysStringLen
VariantClear
SafeArrayDestroy
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayGetLBound
SafeArrayGetUBound
SysAllocStringLen
ole32
CoInitializeEx
CoUninitialize
CoCreateInstance
CoInitializeSecurity
CoFreeUnusedLibraries
CoSetProxyBlanket
wbemcomn
?Enter@CStaticCritSec@@QAEXXZ
?Leave@CStaticCritSec@@QAEXXZ
?Throttle@@YGJKKKKK@Z
??1CStaticCritSec@@QAE@XZ
??0CStaticCritSec@@QAE@XZ
?anyFailure@CStaticCritSec@@SGHXZ
loadperf
LoadPerfCounterTextStringsW
UnloadPerfCounterTextStringsW
Exports
??0CHPtrArray@@QAE@XZ
??0CHString@@QAE@ABV0@@Z
??0CHString@@QAE@GH@Z
??0CHString@@QAE@PBD@Z
??0CHString@@QAE@PBE@Z
??0CHString@@QAE@PBG@Z
??0CHString@@QAE@PBGH@Z
??0CHString@@QAE@XZ
??0CHStringArray@@QAE@XZ
??0CRegistry@@QAE@ABV0@@Z
??0CRegistry@@QAE@XZ
??0CRegistrySearch@@QAE@ABV0@@Z
??0CRegistrySearch@@QAE@XZ
??1CHPtrArray@@QAE@XZ
??1CHString@@QAE@XZ
??1CHStringArray@@QAE@XZ
??1CRegistry@@QAE@XZ
??1CRegistrySearch@@QAE@XZ
??4CHPtrArray@@QAEAAV0@ABV0@@Z
??4CHString@@QAEABV0@ABV0@@Z
??4CHString@@QAEABV0@D@Z
??4CHString@@QAEABV0@G@Z
??4CHString@@QAEABV0@PAV0@@Z
??4CHString@@QAEABV0@PBD@Z
??4CHString@@QAEABV0@PBE@Z
??4CHString@@QAEABV0@PBG@Z
??4CHStringArray@@QAEAAV0@ABV0@@Z
??4CRegistry@@QAEAAV0@ABV0@@Z
??4CRegistrySearch@@QAEAAV0@ABV0@@Z
??ACHPtrArray@@QAEAAPAXH@Z
??ACHPtrArray@@QBEPAXH@Z
??ACHString@@QBEGH@Z
??ACHStringArray@@QAEAAVCHString@@H@Z
??ACHStringArray@@QBE?AVCHString@@H@Z
??BCHString@@QBEPBGXZ
??H@YG?AVCHString@@ABV0@0@Z
??H@YG?AVCHString@@ABV0@G@Z
??H@YG?AVCHString@@ABV0@PBG@Z
??H@YG?AVCHString@@GABV0@@Z
??H@YG?AVCHString@@PBGABV0@@Z
??YCHString@@QAEABV0@ABV0@@Z
??YCHString@@QAEABV0@D@Z
??YCHString@@QAEABV0@G@Z
??YCHString@@QAEABV0@PBG@Z
?Add@CHPtrArray@@QAEHPAX@Z
?Add@CHStringArray@@QAEHPBG@Z
?AllocBeforeWrite@CHString@@IAEXH@Z
?AllocBuffer@CHString@@IAEXH@Z
?AllocCopy@CHString@@IBEXAAV1@HHH@Z
?AllocSysString@CHString@@QBEPAGXZ
?Append@CHPtrArray@@QAEHABV1@@Z
?Append@CHStringArray@@QAEHABV1@@Z
?AssignCopy@CHString@@IAEXHPBG@Z
?CheckAndAddToList@CRegistrySearch@@AAEXPAVCRegistry@@VCHString@@1AAVCHPtrArray@@11H@Z
?Close@CRegistry@@QAEXXZ
?CloseSubKey@CRegistry@@AAEXXZ
?Collate@CHString@@QBEHPBG@Z
?Compare@CHString@@QBEHPBG@Z
?CompareNoCase@CHString@@QBEHPBG@Z
?ConcatCopy@CHString@@IAEXHPBGH0@Z
?ConcatInPlace@CHString@@IAEXHPBG@Z
?Copy@CHPtrArray@@QAEXABV1@@Z
?Copy@CHStringArray@@QAEXABV1@@Z
?CopyBeforeWrite@CHString@@IAEXXZ
?CreateOpen@CRegistry@@QAEJPAUHKEY__@@PBGPAGKKPAU_SECURITY_ATTRIBUTES@@PAK@Z
?DeleteCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBG@Z
?DeleteCurrentKeyValue@CRegistry@@QAEKPBG@Z
?DeleteKey@CRegistry@@QAEJPAVCHString@@@Z
?DeleteValue@CRegistry@@QAEJPBG@Z
?ElementAt@CHPtrArray@@QAEAAPAXH@Z
?ElementAt@CHStringArray@@QAEAAVCHString@@H@Z
?Empty@CHString@@QAEXXZ
?EnumerateAndGetValues@CRegistry@@QAEJAAKAAPAGAAPAE@Z
?Find@CHString@@QBEHG@Z
?Find@CHString@@QBEHPBG@Z
?FindOneOf@CHString@@QBEHPBG@Z
?Format@CHString@@QAAXIZZ
?Format@CHString@@QAAXPBGZZ
?FormatMessageW@CHString@@QAAXIZZ
?FormatMessageW@CHString@@QAAXPBGZZ
?FormatV@CHString@@QAEXPBGPAD@Z
?FreeExtra@CHPtrArray@@QAEXXZ
?FreeExtra@CHString@@QAEXXZ
?FreeExtra@CHStringArray@@QAEXXZ
?FreeSearchList@CRegistrySearch@@QAEHHAAVCHPtrArray@@@Z
?GetAllocLength@CHString@@QBEHXZ
?GetAt@CHPtrArray@@QBEPAXH@Z
?GetAt@CHString@@QBEGH@Z
?GetAt@CHStringArray@@QBE?AVCHString@@H@Z
?GetBuffer@CHString@@QAEPAGH@Z
?GetBufferSetLength@CHString@@QAEPAGH@Z
?GetClassNameW@CRegistry@@QAEPAGXZ
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGPAEPAK@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGPAEPAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z
?GetCurrentRawKeyValue@CRegistry@@AAEKPAUHKEY__@@PBGPAXPAK3@Z
?GetCurrentRawSubKeyValue@CRegistry@@AAEKPBGPAXPAK2@Z
?GetCurrentSubKeyCount@CRegistry@@QAEKXZ
?GetCurrentSubKeyName@CRegistry@@QAEKAAVCHString@@@Z
?GetCurrentSubKeyPath@CRegistry@@QAEKAAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAK@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGPAXPAK@Z
?GetData@CHPtrArray@@QAEPAPAXXZ
?GetData@CHPtrArray@@QBEPAPBXXZ
?GetData@CHString@@IBEPAUCHStringData@@XZ
?GetData@CHStringArray@@QAEPAVCHString@@XZ
?GetData@CHStringArray@@QBEPBVCHString@@XZ
?GetLength@CHString@@QBEHXZ
?GetLongestClassStringSize@CRegistry@@QAEKXZ
?GetLongestSubKeySize@CRegistry@@QAEKXZ
?GetLongestValueData@CRegistry@@QAEKXZ
?GetLongestValueName@CRegistry@@QAEKXZ
?GetSize@CHPtrArray@@QBEHXZ
?GetSize@CHStringArray@@QBEHXZ
?GetUpperBound@CHPtrArray@@QBEHXZ
?GetUpperBound@CHStringArray@@QBEHXZ
?GetValueCount@CRegistry@@QAEKXZ
?GethKey@CRegistry@@QAEPAUHKEY__@@XZ
?Init@CHString@@IAEXXZ
?InsertAt@CHPtrArray@@QAEXHPAV1@@Z
?InsertAt@CHPtrArray@@QAEXHPAXH@Z
?InsertAt@CHStringArray@@QAEXHPAV1@@Z
?InsertAt@CHStringArray@@QAEXHPBGH@Z
?IsEmpty@CHString@@QBEHXZ
?Left@CHString@@QBE?AV1@H@Z
?LoadStringW@CHString@@IAEHIPAGI@Z
?LoadStringW@CHString@@QAEHI@Z
?LocateKeyByNameOrValueName@CRegistrySearch@@QAEHPAUHKEY__@@PBG1PAPBGKAAVCHString@@3@Z
?LockBuffer@CHString@@QAEPAGXZ
?MakeLower@CHString@@QAEXXZ
?MakeReverse@CHString@@QAEXXZ
?MakeUpper@CHString@@QAEXXZ
?Mid@CHString@@QBE?AV1@H@Z
?Mid@CHString@@QBE?AV1@HH@Z
?NextSubKey@CRegistry@@QAEKXZ
?Open@CRegistry@@QAEJPAUHKEY__@@PBGK@Z
?OpenAndEnumerateSubKeys@CRegistry@@QAEJPAUHKEY__@@PBGK@Z
?OpenCurrentUser@CRegistry@@QAEKPBGK@Z
?OpenLocalMachineKeyAndReadValue@CRegistry@@QAEJPBG0AAVCHString@@@Z
?OpenSubKey@CRegistry@@AAEKXZ
?PrepareToReOpen@CRegistry@@AAEXXZ
?Release@CHString@@IAEXXZ
?Release@CHString@@KGXPAUCHStringData@@@Z
?ReleaseBuffer@CHString@@QAEXH@Z
?RemoveAll@CHPtrArray@@QAEXXZ
?RemoveAll@CHStringArray@@QAEXXZ
?RemoveAt@CHPtrArray@@QAEXHH@Z
?RemoveAt@CHStringArray@@QAEXHH@Z
?ReverseFind@CHString@@QBEHG@Z
?RewindSubKeys@CRegistry@@QAEXXZ
?Right@CHString@@QBE?AV1@H@Z
?SafeStrlen@CHString@@KGHPBG@Z
?SearchAndBuildList@CRegistrySearch@@QAEHVCHString@@AAVCHPtrArray@@00HPAUHKEY__@@@Z
?SetAt@CHPtrArray@@QAEXHPAX@Z
?SetAt@CHString@@QAEXHG@Z
?SetAt@CHStringArray@@QAEXHPBG@Z
?SetAtGrow@CHPtrArray@@QAEXHPAX@Z
?SetAtGrow@CHStringArray@@QAEXHPBG@Z
?SetCHStringResourceHandle@@YGXPAUHINSTANCE__@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z
?SetCurrentKeyValueExpand@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?SetDefaultValues@CRegistry@@AAEXXZ
?SetPlatformID@CRegistry@@CGHXZ
?SetSize@CHPtrArray@@QAEXHH@Z
?SetSize@CHStringArray@@QAEXHH@Z
?SpanExcluding@CHString@@QBE?AV1@PBG@Z
?SpanIncluding@CHString@@QBE?AV1@PBG@Z
?TrimLeft@CHString@@QAEXXZ
?TrimRight@CHString@@QAEXXZ
?UnlockBuffer@CHString@@QAEXXZ
?myRegCreateKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKPAGKKPAU_SECURITY_ATTRIBUTES@@PAPAU2@PAK@Z
?myRegDeleteKey@CRegistry@@AAEJPAUHKEY__@@PBG@Z
?myRegDeleteValue@CRegistry@@AAEJPAUHKEY__@@PBG@Z
?myRegEnumKey@CRegistry@@AAEJPAUHKEY__@@KPAGK@Z
?myRegEnumValue@CRegistry@@AAEJPAUHKEY__@@KPAGPAK22PAE2@Z
?myRegOpenKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPAPAU2@@Z
?myRegQueryInfoKey@CRegistry@@AAEJPAUHKEY__@@PAGPAK22222222PAU_FILETIME@@@Z
?myRegQueryValueEx@CRegistry@@AAEJPAUHKEY__@@PBGPAK2PAE2@Z
?myRegSetValueEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPBEK@Z
?s_dwPlatform@CRegistry@@0KA
?s_fPlatformSet@CRegistry@@0HA
Sections
.text Size: 117KB - Virtual size: 116KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.data Size: 4KB - Virtual size: 6KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 1KB - Virtual size: 33KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE