Wfs.pdb
Static task: static1
Behavioral task: behavioral1
Sample: WFS.exe
Resource: win10v2004-20240802-en
General
Target: WFS.exe
Size: 944KB
MD5: 0027ebe13c0814fdb0389d2a9182aa5a
SHA1: af8decb4d93c8b6a9c38781158b5cdcaecb5ed90
SHA256: c5e2440dd76b81b83a4e25b1b007f5005c37467f20ce5241b15a66d9a4a27a73
SHA512: 413b4f6063a67e857e2e31df4ff3ca1ef6d3f0251005ffa6d47b72e2b6e3202b5952a7527df018889ec3cee3dbaca3e5e01da221ab3935a38c095428a058af48
SSDEEP: 12288:WQFj6bWNNV7JeCq+R+hDNqLMQbgNgouvc5WqmiuH3w+xt4vFe:GAVgsyabgH5WXGvFe
Malware Config
Signatures
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource WFS.exe
Files
WFS.exe.exe windows:10 windows x64 arch:x64
ff5a3013c7d02c2277b6519337642039
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
Imports
advapi32
TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
RegCloseKey
EventUnregister
EventRegister
EventSetInformation
EventWriteTransfer
RegQueryValueExW
RegOpenKeyExW
RegSetValueExW
RegEnumKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyW
LogonUserW
DuplicateToken
RegQueryValueW
ImpersonateLoggedOnUser
RevertToSelf
kernel32
MulDiv
InitOnceComplete
GetCurrentProcessId
CreateMutexExW
CreateSemaphoreExW
GetCommandLineW
VirtualQuery
GetSystemInfo
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
LoadLibraryExA
VirtualProtect
ResumeThread
WaitForMultipleObjects
RaiseException
CopyFileExW
GetFileAttributesExW
QueueUserWorkItem
FileTimeToLocalFileTime
MoveFileW
GetFileTime
WakeAllConditionVariable
GetModuleHandleA
CreateThread
InitOnceBeginInitialize
SetEvent
CreateEventW
LeaveCriticalSection
EnterCriticalSection
GetNumberFormatW
GetModuleFileNameW
ReadFile
WriteFile
GetDateFormatW
GetComputerNameW
MultiByteToWideChar
GetLocaleInfoW
CreateDirectoryW
GetVersion
GetSystemDirectoryW
GetVersionExW
CreateProcessW
GetFileType
CopyFileW
SystemTimeToFileTime
FileTimeToSystemTime
GetFileAttributesW
CreateFileW
FindClose
FindNextFileW
GetFullPathNameW
FindFirstFileW
HeapReAlloc
GetTempFileNameW
DeleteFileW
GetTempPathW
ExpandEnvironmentStringsW
GetTimeFormatW
GetUserPreferredUILanguages
EnumUILanguagesW
GetLocaleInfoEx
GetStringTypeExW
GetTickCount
GetSystemTimeAsFileTime
QueryPerformanceCounter
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
OutputDebugStringA
GetStartupInfoW
Sleep
InitializeCriticalSection
OpenSemaphoreW
WaitForSingleObject
LocalAlloc
DeleteCriticalSection
WaitForSingleObjectEx
ReleaseMutex
ReleaseSemaphore
CloseHandle
SetLastError
OutputDebugStringW
IsDebuggerPresent
GetModuleHandleW
DebugBreak
GetModuleFileNameA
GetModuleHandleExW
HeapFree
GetProcessHeap
HeapAlloc
GetCurrentThreadId
FormatMessageW
WideCharToMultiByte
GetProcAddress
LoadLibraryA
LocalFree
FreeLibrary
LoadLibraryW
SleepConditionVariableSRW
FlushFileBuffers
GetSystemTime
lstrlenA
lstrcmpW
GetLastError
HeapSetInformation
SetFileTime
gdi32
CreateFontIndirectW
DeleteObject
GetTextExtentPoint32W
GetViewportOrgEx
GetCurrentObject
GetObjectW
GetDeviceCaps
user32
GetDlgItem
GetCursorPos
InSendMessage
DrawMenuBar
InsertMenuW
GetWindowRect
IsIconic
GetLastActivePopup
IsWindowVisible
SetWindowPos
GetSubMenu
SetWindowLongPtrW
MessageBoxW
SetProcessDefaultLayout
GetDlgItemTextW
SetDlgItemTextW
LoadStringW
WinHelpW
ShowWindow
MsgWaitForMultipleObjects
GetMessageW
TranslateMessage
GetMenu
SetWindowLongW
DeleteMenu
GetSysColor
GetWindowLongW
LoadImageW
GetDC
ReleaseDC
ClientToScreen
CreateDialogParamW
SendDlgItemMessageW
PeekMessageW
GetWindowLongPtrW
GetMenuStringW
DestroyWindow
GetSystemMenu
EnableMenuItem
SetActiveWindow
ReleaseCapture
SetFocus
SetCapture
FindWindowW
UnregisterClassW
SetForegroundWindow
UpdateWindow
LoadIconW
DefWindowProcW
DialogBoxParamW
GetSystemMetrics
EndDialog
CheckDlgButton
IsDlgButtonChecked
CheckRadioButton
GetActiveWindow
GetMenuItemCount
DestroyMenu
SetMenu
DispatchMessageW
LoadMenuW
SetCursor
GetWindowContextHelpId
ScreenToClient
GetMessagePos
InvalidateRect
GetParent
DestroyIcon
IsWindow
DrawTextW
PostMessageW
PtInRect
SetRect
SendMessageW
LoadCursorW
GetClientRect
EnableWindow
GetFocus
RedrawWindow
CharNextW
PostThreadMessageW
mfc42u (imports by ordinal only)
msvcrt
memset
memcpy
__RTDynamicCast
_wsplitpath_s
__CxxFrameHandler3
??0exception@@QEAA@AEBV0@@Z
memcpy_s
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBQEBD@Z
memmove_s
??0exception@@QEAA@XZ
_vsnwprintf
srand
_errno
_callnewh
??0exception@@QEAA@AEBQEBDH@Z
realloc
_wcsupr
_wcsicoll
_itow
wcscat_s
wcscpy_s
_vscwprintf
wcsstr
rand
_onexit
_wtoi
wcsncmp
wcsspn
iswalpha
malloc
wcsrchr
_wcstoui64
_wcsnicmp
wcschr
_wcsnset
time
free
_wcsdup
_vsnprintf_s
swscanf
wcscmp
__dllonexit
_unlock
_lock
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
_commode
_fmode
_wcmdln
__C_specific_handler
_initterm
wcstok
_purecall
_wcsicmp
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
_CxxThrowException
ntdll
RtlInitUnicodeString
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
WinSqmIncrementDWORD
RtlEqualDomainName
shlwapi
StrTrimW
PathIsContentTypeW
PathIsUNCServerShareW
PathAppendW
StrChrW
SHSetValueW
SHGetValueW
PathRemoveFileSpecW
PathFileExistsW
ole32
OleInitialize
OleUninitialize
PropVariantClear
CoTaskMemFree
StgOpenStorageEx
FreePropVariantArray
OleRun
CoUninitialize
CoGetObject
CoCreateInstance
StringFromGUID2
CoInitializeEx
CoInitialize
shell32
CommandLineToArgvW
ShellAboutW
SHGetMalloc
SHBrowseForFolderW
ShellExecuteExW
SHGetPathFromIDListW
SHGetFolderPathAndSubDirW
ShellExecuteW
SHGetFolderPathW
SHSetLocalizedName
SHChangeNotify
SHGetSpecialFolderLocation
SHFileOperationW
ord165
SHGetFileInfoW
SHGetDesktopFolder
winspool.drv
DeletePrinter
ClosePrinter
OpenPrinterW
EnumPrintersW
AddPrinterConnectionW
DeletePrinterConnectionW
GetPrinterW
AddPrinterW
SetPrinterW
comctl32
PropertySheetW
CreatePropertySheetPageW
ImageList_Create
ImageList_LoadImageW
InitCommonControlsEx
ord17
ImageList_GetIcon
ImageList_Destroy
ImageList_ReplaceIcon
uxtheme
GetThemeSysFont
SetWindowTheme
crypt32
CryptProtectData
CryptUnprotectData
comdlg32
GetOpenFileNameW
GetSaveFileNameW
ChooseFontW
CommDlgExtendedError
oleaut32
SysAllocStringLen
VariantInit
SysFreeString
GetErrorInfo
VariantChangeType
VariantClear
SysStringLen
SysAllocString
gdiplus
GdipGetImagePixelFormat
GdipCreateBitmapFromScan0
GdipGetImageGraphicsContext
GdipImageSelectActiveFrame
GdipDrawImageRect
GdipSaveAdd
GdipSaveAddImage
GdipGetDpiY
GdipGetDpiX
GdipCreateSolidFill
GdipGetImageHorizontalResolution
GdipGetImageHeight
GdipGetImageWidth
GdipCreateBitmapFromFile
GdipDeleteBrush
GdipCloneBrush
GdipGetDC
GdipReleaseDC
GdipDeleteGraphics
GdipCreateFromHDC
GdipSaveImageToFile
GdipGetImageRawFormat
GdipGetImageEncoders
GdipGetImageEncodersSize
GdipSetPropertyItem
GdipDisposeImage
GdipFillRectangle
GdipGetImageVerticalResolution
GdipDrawImageRectRect
GdiplusShutdown
GdiplusStartup
GdipLoadImageFromFile
GdipFree
GdipAlloc
GdipCloneImage
GdipGetPropertyItemSize
GdipGetPropertyItem
GdipImageGetFrameDimensionsCount
GdipImageGetFrameDimensionsList
GdipImageGetFrameCount
winmm
PlaySoundW
ws2_32
GetNameInfoW
WSAStringToAddressW
WSACleanup
FreeAddrInfoW
WSAAddressToStringW
WSAGetLastError
WSAStartup
GetAddrInfoW
credui
CredUIParseUserNameW
atl
ord31
Sections
.text Size: 465KB - Virtual size: 464KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 178KB - Virtual size: 178KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 8KB - Virtual size: 11KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 17KB - Virtual size: 16KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 512B - Virtual size: 448B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 265KB - Virtual size: 265KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ