Windows Analysis Report
wsmprovhost.exe

Overview

General Information

Sample name: wsmprovhost.exe
Analysis ID: 1544359
MD5: f71da90302d91734921fdefeb312dc47
SHA1: dd7e12465bbe667554f977503ea44bfffc59cbd7
SHA256: 2330ad427ec48dfe1abe51747d900a334bac7b8599388387ad7c64234964ab58

Detection

Score: 21
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Sigma detected: System File Execution Location Anomaly
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

Source: wsmprovhost.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wsmprovhost.pdb source: wsmprovhost.exe
Source: Binary string: wsmprovhost.pdbGCTL source: wsmprovhost.exe
Source: classification engine Classification label: sus21.winEXE@1/0@0/0
Source: wsmprovhost.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\wsmprovhost.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\wsmprovhost.exe Section loaded: wsmsvc.dll
Source: C:\Users\user\Desktop\wsmprovhost.exe Section loaded: miutils.dll
Source: C:\Users\user\Desktop\wsmprovhost.exe Section loaded: dsrole.dll
Source: C:\Users\user\Desktop\wsmprovhost.exe Section loaded: pcwum.dll
Source: C:\Users\user\Desktop\wsmprovhost.exe Section loaded: mi.dll
Source: C:\Users\user\Desktop\wsmprovhost.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\wsmprovhost.exe Section loaded: kernel.appcore.dll
Source: wsmprovhost.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: wsmprovhost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wsmprovhost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wsmprovhost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wsmprovhost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wsmprovhost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wsmprovhost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: wsmprovhost.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wsmprovhost.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wsmprovhost.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wsmprovhost.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wsmprovhost.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: wsmprovhost.exe Static PE information: section name: .didat
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos