wmp9.exe

First submission 2024-10-16 20:09:03

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
Mime type:	application/x-dosexec
File size:	12789.13 KB (13096072 bytes)
Compile time:	2001-08-18 03:42:57
MD5:	10529c0d8a84161a1f806fad4d58e40f
SHA1:	bebf458e7c473f4f7a80f04196570a3ddead1075
SHA256:	0118a308c8713dcc7b23cad9018e76ba08aa45f9bce7d7299a90006ec8d91502
Import Hash :	1494de9b53e05fc1f40cb92afbdd6ce4
Sections 3	.text .data .rsrc
Directories 4	import resource debug security

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	0/77 VT report date: 2024-10-13 13:18:38

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://www.neklatek.com/indirmeler/wmp9.exe	www.neklatek.com	2024-10-16 20:09:03

PE Sections 1 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x861a	34816	03418ebc42b91a08a6b42629c02703d9d905e7a2	43984be5cb414e4634db17caa4d1c30b
.data	0xa000	0x1be4	1024	8d38660485ad9cbae834e4aa747167ff99f25bae	730893b14fc930a187215e7fb53bc0a5
.rsrc	0xc000	0xc73000	13052416	271cb0988cbf2cef83a1c2af186f1a52b9aca9ae	1b7016823d5039624b9a915d2323bd6f

PE Resources 7

Name	Language	Sublanguage	Offset	Size	Data
AVI	LANG_TURKISH	SUBLANG_DEFAULT	0xc7e0	11802	PE Resource: AVI - Data RIFF.AVI LISThdrlavih8G\AN<H3XLISTstrlstrh8vidsRLE @B('strfh(<?vedtJUNKLISTv$movi00dc( ! " ! 00dc$## % %$# 00dc$$$$$$%%"& 00dcR$$ $ $ #))("" &&&00dc' & # # # # " " # $ $ $ % % % & & & 00dc\. , * ( ' ' ) * * + + + , , , - - - 77700dc$6 4 2 1 1 3 4 4 5 5 5 6 6 6 7 7 7 CC00dc&= < > ? @ @ A A A B B B C C C RRR00dc$L K M N O O P P P Q Q Q R R R ```00dc Z Y [ \ ] ] ] ^ ^ _ _ _ ` ` ` nn00dc$h" g i j j j k k k m m m n n n ~00dcv# v v v v v w w x x y } ~ ~ ~ 00dc{# { { { \| \| \| } } } ~ 00dc $ 00dc<# 00dcX" 00dc 00dc 00dcz 00dcr 00dcb 00dc8 00dc 00dc 00dc00dcidx100dc(00dc400dcR00dc` R00dc 00dcB\00dc $00dc&00dc$00dc, 00dcT$00dc00dc00dc 00dc<00dcX00dcn00dc00dcz00dcr00dcb00dc 800dc8"00dcL#00dcb$00dcl$
RT_ICON	LANG_TURKISH	SUBLANG_DEFAULT	0xf8e4	296
RT_DIALOG	LANG_TURKISH	SUBLANG_DEFAULT	0x10320	284
RT_STRING	LANG_TURKISH	SUBLANG_DEFAULT	0x11914	818	PE Resource: RT_STRING - Data vBu makinede ynetici ayr1cal1klar1n1z yok. Baz1 yklemeler ynetici taraf1ndan yap1lmazsa dzgn biimde tamamlanamaz.-'%s' klasr yok. Olu_turmak istiyor musunuz?jSisteminizde '%s' paketinin bir kopyas1 zaten al1_1yor. Ayn1 anda yaln1zca bir kopya al1_t1rabilirsiniz.<'%s' paketi al1_t1rd11n1z Windows srm ile uyumlu deil.@'%s' paketi sisteminizdeki %s dosyas1n1n srmyle uyumlu deil.
RT_RCDATA	LANG_ENGLISH	SUBLANG_ENGLISH_US	0xc7e390	394
RT_GROUP_ICON	LANG_TURKISH	SUBLANG_DEFAULT	0xc7e51c	34
RT_VERSION	LANG_TURKISH	SUBLANG_DEFAULT	0xc7e540	968	PE Resource: RT_VERSION - Data 4VS_VERSION_INFO( ( ?(StringFileInfo041F04B0LCompanyNameMicrosoft Corporation\|FileDescriptionWindows Media Component Setup Application: FileVersion9.00.00.2980RInternalNameWextract 0LegalCopyright(C) Microsoft Corporation. All rights reserved.ZOriginalFilenameWEXTRACT.EXE tProductNameWindows Media Component Setup Application> ProductVersion9.00.00.2980DVarFileInfo$Translation

Meta infos 9

LegalCopyright:	(C) Microsoft Corporation. All rights reserved.
InternalName:	Wextract
FileVersion:	9.00.00.2980
CompanyName:	Microsoft Corporation
ProductVersion:	9.00.00.2980
FileDescription:	Windows Media Component Setup Application
Translation:	0x041f 0x04b0
OriginalFilename:	WEXTRACT.EXE
ProductName:	Windows Media Component Setup Application

Packers detected 2

Borland Delphi 3.0 (???)
Microsoft Visual C++ v6.0

Anti debug functions 1

GetLastError

File signature

MD5	SHA1	Block size	Virtual Address
8e4b9dcad1a66fdb67fea8b72b5aae3b	9e78c1a51fe8281ace34a33bf11469a0bbe730cc	6792	13089280

Strings analysis - File found

Temporary
IXP%03d.TMP
msdownld.tmp
TMP4351$.TMP
Object
wmp.ocx
Archive Java
wmpns.jar
Compressed
npdrmv2.zip
XML
control.xml
Text
eula.txt
Library
SHELL32.dll
wmpdxm.dll
wmpband.dll
wmp.dll
WMDMPS.dll
blackbox.dll
mpg4dmod.dll
migrate.dll
wmpcd.dll
wmpasf.dll
wmerror.dll
9xmigrat.dll
wmidx.dll
setupx.dll
dwintl.dll
WMVDMOD.DLL
npdrmv2.dll
WMADMOD.DLL
mpvis.DLL
msoobci.dll
wmpcore.dll
WMDMLOG.dll
WMNetMgr.dll
MEDIAPLAYERV2.DLL
MsPMSP.dll
WMASF.DLL
custsat.dll
WMSDMOE2.DLL
CDENGINE.DLL
wmpui.dll
rsl.dll
drmstor.dll
W95INF32.DLL
CDDATAPS.DLL
SETUPAPI.dll
NPWMSDrm.dll
LAPRXY.DLL
pidgen.dll
WMPNS.dll
GDI32.dll
drmv2clt.dll
MP43DMOD.DLL
ADVAPI32.dll
#S\KERNEL32.DLL
ISO9660.DLL
unicows.dll
KERNEL32.dll
WMADMOE.DLL
wmvcore.dll
COMCTL32.dll
qasf.dll
DRMClien.dll
msscp.dll
MsPMSNSv.dll
asferror.dll
JOLIET.DLL
WMVDMOE2.DLL
wmpshell.dll
MSWMDM.dll
msnetobj.dll
advpack.dll
USER32.dll
msdmo.dll
VERSION.dll
WMSPDMOD.DLL
WMSDMOD.DLL
W95INF16.DLL
MP4SDMOD.DLL
WMSPDMOE.DLL
CEWMDM.dll
wmploc.DLL

Strings analysis - Possible URLs found 5

https://www.verisign.com/rpa
https://www.verisign.com/rpa0
http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
http://www.microsoft.com/windows/windowsmedia
http://ocsp.verisign.com/ocsp/status0

Import functions

VERSION.dll 3 GDI32.dll 1 KERNEL32.dll 76 ADVAPI32.dll 14 USER32.dll 31 COMCTL32.dll 1

Function	Address	Souspicious	Anti Debug
GetFileVersionInfoA	0x1001200
VerQueryValueA	0x1001204
GetFileVersionInfoSizeA	0x1001208

Function	Address	Souspicious	Anti Debug
GetDeviceCaps	0x1001044

Function	Address	Souspicious	Anti Debug
LocalFree	0x100104c
LocalAlloc	0x1001050
GetLastError	0x1001054
GetCurrentProcess	0x1001058
GetModuleFileNameA	0x100105c
lstrlenA	0x1001060
GetSystemDirectoryA	0x1001064
RemoveDirectoryA	0x1001068
FindClose	0x100106c
FindNextFileA	0x1001070
DeleteFileA	0x1001074
SetFileAttributesA	0x1001078
lstrcmpA	0x100107c
FindFirstFileA	0x1001080
lstrcatA	0x1001084
lstrcpyA	0x1001088
_lclose	0x100108c
_llseek	0x1001090
_lopen	0x1001094
WritePrivateProfileStringA	0x1001098
GetWindowsDirectoryA	0x100109c
CreateDirectoryA	0x10010a0
GetFileAttributesA	0x10010a4
ExpandEnvironmentStringsA	0x10010a8
IsDBCSLeadByte	0x10010ac
GetShortPathNameA	0x10010b0
GetPrivateProfileStringA	0x10010b4
GetPrivateProfileIntA	0x10010b8
lstrcmpiA	0x10010bc
GetProcAddress	0x10010c0
GlobalUnlock	0x10010c4
GlobalLock	0x10010c8
GlobalAlloc	0x10010cc
FreeResource	0x10010d0
CloseHandle	0x10010d4
LoadResource	0x10010d8
SizeofResource	0x10010dc
FindResourceA	0x10010e0
ReadFile	0x10010e4
WriteFile	0x10010e8
SetFilePointer	0x10010ec
SetFileTime	0x10010f0
LocalFileTimeToFileTime	0x10010f4
DosDateTimeToFileTime	0x10010f8
SetCurrentDirectoryA	0x10010fc
GetTempFileNameA	0x1001100
ExitProcess	0x1001104
CreateFileA	0x1001108
LoadLibraryExA	0x100110c
lstrcpynA	0x1001110
GetVolumeInformationA	0x1001114
FormatMessageA	0x1001118
GetCurrentDirectoryA	0x100111c
GetVersionExA	0x1001120
GetExitCodeProcess	0x1001124
WaitForSingleObject	0x1001128
CreateProcessA	0x100112c
GetTempPathA	0x1001130
GetSystemInfo	0x1001134
CreateMutexA	0x1001138
SetEvent	0x100113c
CreateEventA	0x1001140
CreateThread	0x1001144
ResetEvent	0x1001148
TerminateThread	0x100114c
GetDriveTypeA	0x1001150
GetModuleHandleA	0x1001154
GetStartupInfoA	0x1001158
GetCommandLineA	0x100115c
LockResource	0x1001160
LoadLibraryA	0x1001164
GetDiskFreeSpaceA	0x1001168
MulDiv	0x100116c
EnumResourceLanguagesA	0x1001170
FreeLibrary	0x1001174
GlobalFree	0x1001178

Function	Address	Souspicious	Anti Debug
FreeSid	0x1001000
AllocateAndInitializeSid	0x1001004
EqualSid	0x1001008
GetTokenInformation	0x100100c
OpenProcessToken	0x1001010
AdjustTokenPrivileges	0x1001014
LookupPrivilegeValueA	0x1001018
RegCloseKey	0x100101c
RegDeleteValueA	0x1001020
RegOpenKeyExA	0x1001024
RegSetValueExA	0x1001028
RegQueryValueExA	0x100102c
RegCreateKeyExA	0x1001030
RegQueryInfoKeyA	0x1001034

Function	Address	Souspicious	Anti Debug
ExitWindowsEx	0x1001180
wsprintfA	0x1001184
CharNextA	0x1001188
CharUpperA	0x100118c
CharPrevA	0x1001190
SetWindowLongA	0x1001194
GetWindowLongA	0x1001198
CallWindowProcA	0x100119c
DispatchMessageA	0x10011a0
MsgWaitForMultipleObjects	0x10011a4
PeekMessageA	0x10011a8
SendMessageA	0x10011ac
SetWindowPos	0x10011b0
ReleaseDC	0x10011b4
GetDC	0x10011b8
GetWindowRect	0x10011bc
SendDlgItemMessageA	0x10011c0
GetDlgItem	0x10011c4
SetForegroundWindow	0x10011c8
SetWindowTextA	0x10011cc
MessageBoxA	0x10011d0
DialogBoxIndirectParamA	0x10011d4
ShowWindow	0x10011d8
EnableWindow	0x10011dc
GetDlgItemTextA	0x10011e0
EndDialog	0x10011e4
GetDesktopWindow	0x10011e8
MessageBeep	0x10011ec
SetDlgItemTextA	0x10011f0
LoadStringA	0x10011f4
GetSystemMetrics	0x10011f8

Function	Address	Souspicious	Anti Debug
None	0x100103c