WmiPrvSE.exe

  • File Path: C:\Windows\system32\wbem\WmiPrvSE.exe
  • Description: WMI Provider Host

Hashes

Type Hash
MD5 06C66FF5CCDC2D22344A3EB761A4D38A
SHA1 67C25C8F28B5FA7F5BAA85BF1D2726AED48E9CF0
SHA256 B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15
SHA384 17849BDEBC360BDD488958A7A7B322ADE0B507DB1C0C15731243AC378426310FA81C196A480E28B873093B28E53471B3
SHA512 DF9E47A007CC831AB396C83806A3F92F837522759D11FBFC8B069EA513832252CB9C0DDD713AA09A2BA7762B57CFB18CDB13E74B166338EFAA616CD2BD13CDE9
SSDEEP 6144:n55U8ziMJNIlFZVLizDI38GbSgHneOx3sZTSvq4rjyzuJDeP:53+qelFLLiYsGbSgHnD6cvqicuB8
IMP CFECEDC01015A4FD1BAACAC9E592D88B
PESHA1 FF50ABF7CC185C0BDE3E41E96EC3656D00AAFE87
PE256 396DDF55D2A25F460AA96436859A9B82FFC581F1DE9DE425E6168F1D73D03AA5

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\user32.dll.mui File
(RW-) C:\Users\user File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\RPC Control\DSEC6F4 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\System32\advapi32.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\clbcatq.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\CRYPT32.dll
C:\Windows\System32\CRYPTSP.dll
C:\Windows\system32\dwmapi.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\MSASN1.dll
C:\Windows\System32\MSCTF.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\NCObjAPI.DLL
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\user32.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\system32\wbem\FastProx.dll
C:\Windows\system32\wbem\wbemprox.dll
C:\Windows\system32\wbem\wbemsvc.dll
C:\Windows\system32\wbem\WmiPrvSE.exe
C:\Windows\SYSTEM32\wbemcomn.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\WS2_32.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Wmiprvse.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15/detection/

Possible Misuse

The following table contains possible examples of WmiPrvSE.exe being misused. While WmiPrvSE.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_lsass_dump_generic.yml - '\wmiprvse.exe' DRL 1.0
sigma win_susp_wmi_login.yml ProcessName\|endswith: '\WmiPrvSE.exe' DRL 1.0
sigma win_wmiprvse_wbemcomn_dll_hijack.yml title: T1047 Wmiprvse Wbemcomn DLL Hijack DRL 1.0
sigma win_alert_lsass_access.yml - 'C:\Windows\System32\wbem\WmiPrvSE.exe' DRL 1.0
sigma win_defender_psexec_wmi_asr.yml - '\wmiprvse.exe' DRL 1.0
sigma file_event_win_susp_adsi_cache_usage.yml - 'C:\Windows\System32\wbem\WmiPrvSE.exe' DRL 1.0
sigma file_event_win_wmiprvse_wbemcomn_dll_hijack.yml title: Wmiprvse Wbemcomn DLL Hijack DRL 1.0
sigma image_load_wmiprvse_wbemcomn_dll_hijack.yml title: Wmiprvse Wbemcomn DLL Hijack DRL 1.0
sigma image_load_wmiprvse_wbemcomn_dll_hijack.yml Image\|endswith: '\wmiprvse.exe' DRL 1.0
sigma image_load_wmi_module_load.yml description: Detects non wmiprvse loading WMI modules DRL 1.0
sigma image_load_wmi_module_load.yml - '\WmiPrvSE.exe' DRL 1.0
sigma image_load_wmi_persistence_commandline_event_consumer.yml Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe' DRL 1.0
sigma pipe_created_alternate_powershell_hosts_pipe.yml - '\Windows\system32\wbem\wmiprvse.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml - 'C:\WINDOWS\system32\wbem\wmiprvse.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml # - '\wmiprvse.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml SourceImage: 'C:\Windows\sysWOW64\wbem\wmiprvse.exe' DRL 1.0
sigma proc_creation_win_apt_lazarus_activity_apr21.yml - 'C:\Windows\System32\wbem\wmiprvse.exe' DRL 1.0
sigma proc_creation_win_apt_ta505_dropper.yml description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents DRL 1.0
sigma proc_creation_win_apt_ta505_dropper.yml ParentImage\|endswith: '\wmiprvse.exe' DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # parent is wmiprvse.exe DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml - '\wmiprvse.exe' # wmiexec DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml title: Lolbins Process Creation with WmiPrvse DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml ParentImage\|endswith: \wbem\WmiPrvSE.exe DRL 1.0
sigma proc_creation_win_shell_spawn_susp_program.yml - '\wmiprvse.exe' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\wmiprvse.exe' DRL 1.0
sigma proc_creation_win_wmiprvse_spawning_process.yml title: Wmiprvse Spawning Process DRL 1.0
sigma proc_creation_win_wmiprvse_spawning_process.yml description: Detects wmiprvse spawning processes DRL 1.0
sigma proc_creation_win_wmiprvse_spawning_process.yml ParentImage\|endswith: '\WmiPrvSe.exe' DRL 1.0
sigma proc_creation_win_wmiprvse_spawning_process.yml - '\WmiPrvSE.exe' DRL 1.0
sigma proc_creation_win_wmi_spwns_powershell.yml - '\wmiprvse.exe' DRL 1.0
malware-ioc nukesped_lazarus .WmiPrvse.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc nukesped_lazarus .Wmiprvse.exe``{:.highlight .language-cmhg} © ESET 2014-2018
atomic-red-team T1546.003.md WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.</blockquote> MIT License. © 2018 Red Canary
signature-base crime_cn_campaign_njrat.yar $s4 = “WmiPrvSE.exe” fullword wide CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $a1 = “WmiPrvSE.exe” fullword wide CC BY-NC 4.0
signature-base crime_cn_campaign_njrat.yar $s2 = “Temporary Projects\WmiPrvSE\” ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s8 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s10 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s8 = “wmiprvse.exe” ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s5 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s3 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s6 = “wmiprvse.exe” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.