wininit[.]7z | Triage

Sharing

Copy URL Twitter E-mail

General

Target

wininit.7z
Size

187KB
MD5

c0303069d3752774dbd0b1d733c937cd
SHA1

3260e5a3bb6319e713d16eb9600a83965a8df66b
SHA256

b2dfd994a2d2feb75d578b5b700fb77b88247bc3cdbe3d3b0af5e744e94a638c
SHA512

de891e4b56ba00f00c7796eef6eacaaf6d74a4b626da3f257f9741694c8d830de51c04d6e5cc16b94099b947f503c61d6baa8a324f257aa9c61c06a154221e21
SSDEEP

3072:Qfv/HgPeUcexQkIUQJz2f/6khsTfMqFfEYmTWzR+7VB76n73gVox+HmBtiazjUmg:mwPcVBJif/BsDdaYeM+R9673gZUianUx

Score

1^/10

Malware Config

Signatures

Files

wininit.7z
.7z

Password: Malware123!!
wininit.exe
.exe windows x64

Password: Malware123!!

0462ef3c39b80f3b31d7423866ed65eb

Code Sign

33:00:00:03:f5:63:96:7a:c8:12:4e:1d:25:00:00:00:00:03:f5
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

13/10/2022, 19:43

Not After

11/10/2023, 19:43

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

41:25:f1:d7:a1:b7:c0:ac:8a:90:3f:84:a0:84:f9:e1:d2:1e:9b:2d:12:19:31:04:b1:43:fe:cd:e1:60:f9:c3
Signer

Actual PE Digest

41:25:f1:d7:a1:b7:c0:ac:8a:90:3f:84:a0:84:f9:e1:d2:1e:9b:2d:12:19:31:04:b1:43:fe:cd:e1:60:f9:c3

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

07/02/2023, 20:40
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

api-ms-win-crt-string-l1-1-0

wcsncmp
wcscmp
memset
strncmp
wcsnlen

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e
_register_thread_local_exe_atexit_callback
_c_exit

api-ms-win-crt-private-l1-1-0

_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__purecall
_o__register_onexit_function
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
_o__ultow_s
_o__wcsicmp
_o__wcslwr
_o__wcsnicmp
_o__wcsupr
memmove
_o_exit
_o_free
_o_malloc
_o_strcpy_s
_o_terminate
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstoul
__CxxFrameHandler3
__current_exception
__current_exception_context
_CxxThrowException
_o__exit
wcsrchr
wcsstr
_o__errno
_o__crt_atexit
_o__configure_narrow_argv
_o__configthreadlocale
_o__cexit
_o__callnewh
_o___stdio_common_vswscanf
_o___stdio_common_vswprintf_s
_o___stdio_common_vswprintf
_o___stdio_common_vsnwprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
_o__get_narrow_winmain_command_line
__C_specific_handler
wcschr
memcmp
memcpy

ntdll

RtlEnterCriticalSection
RtlLeaveCriticalSection
RtlAllocateAndInitializeSid
RtlInitializeCriticalSection
NtQueryInformationToken
NtPrivilegeObjectAuditAlarm
RtlSubscribeWnfStateChangeNotification
NtDeleteWnfStateName
NtCreateWnfStateName
NtPrivilegeCheck
NtOpenThreadToken
RtlCapabilityCheckForSingleSessionSku
RtlIsMultiSessionSku
RtlRemovePrivileges
NtOpenProcessToken
NtShutdownSystem
NtSetThreadExecutionState
CsrClientCallServer
EtwEventWriteStartScenario
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlDeregisterWaitEx
NtQueryInformationProcess
RtlDestroyEnvironment
RtlGetCurrentServiceSessionId
NtSetValueKey
NtCreateKey
RtlRegisterWait
NtClose
NtCreateUserProcess
NtAllocateLocallyUniqueId
RtlCreateProcessParametersEx
RtlDosPathNameToNtPathName_U_WithStatus
NtCreateEvent
NtQuerySystemEnvironmentValueEx
RtlInitUnicodeString
RtlUnhandledExceptionFilter
RtlAllocateHeap
RtlFreeHeap
EtwEventActivityIdControl
RtlPublishWnfStateData
RtlCreateSecurityDescriptor
RtlCreateAcl
RtlFreeSid
RtlGetActiveConsoleId
RtlSetDaclSecurityDescriptor
RtlLengthSid
NtAdjustPrivilegesToken
RtlAdjustPrivilege
RtlGetSystemBootStatus
RtlNtStatusToDosError
NtPowerInformation
RtlCompareUnicodeString
RtlInitUnicodeStringEx
EtwEventEnabled
EtwEventWrite
NtQuerySystemInformation
RtlQueryEnvironmentVariable_U
NtOpenEvent
RtlSetEnvironmentVariable
NtSetEvent
ZwQuerySystemInformation
RtlInitializeSid
RtlCreateEnvironment
RtlSubAuthoritySid
RtlAppendUnicodeToString
RtlFreeUnicodeString
RtlGetCurrentDirectory_U
RtlLengthRequiredSid
RtlAddAccessAllowedAce
ZwSetSystemInformation
NtCreateMutant
RtlUnlockBootStatusData
ZwClose
NtWaitForSingleObject
ZwDeviceIoControlFile
ZwCreateFile
ZwOpenFile
RtlAppendUnicodeStringToString
ZwReadFile
RtlIsStateSeparationEnabled
ZwSetInformationFile
ZwQueryInformationFile
RtlWriteRegistryValue
ZwUnloadDriver
ZwLoadDriver
ZwCreateKey
ZwDeleteKey
ZwOpenKey
EtwEventWriteTransfer
EtwEventUnregister
EtwEventRegister
EtwEventSetInformation
NtSetInformationProcess
RtlSetThreadIsCritical
RtlSetProcessIsCritical
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
RtlIsMultiUsersInSessionSku
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwTraceMessage
WinSqmIsOptedIn
WinSqmAddToStream
NtSystemDebugControl
RtlCaptureContext
RtlGUIDFromString
RtlStringFromGUID
ZwQueryAttributesFile
ZwWaitForSingleObject
ZwQueryKey
ZwReleaseMutant
ZwOpenMutant
ZwQuerySymbolicLinkObject
ZwQueryDirectoryObject
ZwOpenSymbolicLinkObject
ZwOpenDirectoryObject
RtlLengthSecurityDescriptor
RtlSetOwnerSecurityDescriptor
ZwLoadKey
RtlAddAccessAllowedAceEx
ZwDeleteValueKey
ZwSaveKey
ZwEnumerateKey
ZwQueryValueKey
ZwSetSecurityObject
ZwUnloadKey
ZwSetValueKey
LdrGetProcedureAddress
LdrGetDllHandle
ZwQueryInformationProcess
RtlInitAnsiString
ZwDeleteFile
ZwOpenProcess
ZwAllocateUuids
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
RtlImpersonateSelf
RtlLookupFunctionEntry
NtOpenSymbolicLinkObject
NtOpenKey
NtQuerySymbolicLinkObject
NtDeviceIoControlFile
NtOpenFile
NtQueryValueKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtTranslateFilePath
NtOpenDirectoryObject
NtQueryDirectoryObject
NtEnumerateBootEntries
RtlVirtualUnwind
NtReleaseMutant

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
LoadLibraryExW
LoadResource
LoadLibraryExA
GetModuleFileNameA
GetModuleHandleExW
GetModuleFileNameW
FindResourceExW
GetModuleHandleW
GetProcAddress
GetModuleHandleExA
LockResource

api-ms-win-core-synch-l1-1-0

ReleaseSRWLockExclusive
AcquireSRWLockExclusive
DeleteCriticalSection
ReleaseSRWLockShared
ResetEvent
InitializeCriticalSectionEx
WaitForMultipleObjectsEx
LeaveCriticalSection
InitializeCriticalSection
AcquireSRWLockShared
CreateEventExW
EnterCriticalSection
CreateSemaphoreExW
ReleaseSemaphore
SetEvent
CreateEventW
SleepEx
WaitForSingleObject
CreateMutexExW
OpenSemaphoreW
WaitForSingleObjectEx
ReleaseMutex

api-ms-win-core-heap-l1-1-0

HeapSetInformation
HeapFree
HeapDestroy
GetProcessHeap
HeapCreate
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
SetLastError
UnhandledExceptionFilter
GetLastError
SetErrorMode

api-ms-win-core-processthreads-l1-1-0

CreateProcessAsUserW
OpenProcessToken
GetCurrentThread
SetThreadPriority
CreateRemoteThread
GetCurrentProcess
SetPriorityClass
CreateThread
GetExitCodeProcess
CreateProcessW
DeleteProcThreadAttributeList
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
TerminateProcess
ResumeThread
GetCurrentThreadId
GetCurrentProcessId
GetStartupInfoW

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
OutputDebugStringW
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-synch-l1-2-0

WaitOnAddress
Sleep
InitOnceBeginInitialize
InitOnceComplete
WakeByAddressAll

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegGetValueW
RegCloseKey
RegDeleteValueW
RegQueryValueExA
RegDeleteTreeW
RegQueryValueExW
RegSetValueExW
RegEnumValueW
RegQueryInfoKeyW
RegCreateKeyExW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetWindowsDirectoryW
GetVersionExW
GetComputerNameExW
GetLocalTime
GetSystemTimeAsFileTime

api-ms-win-core-file-l1-1-0

FindClose
FindFirstFileW
FindNextVolumeW
FindVolumeClose
DeleteFileW
GetDriveTypeW
FindFirstVolumeW
ReadFile
GetFileAttributesW
CreateFileW
CreateDirectoryW
GetShortPathNameW

api-ms-win-core-processenvironment-l1-1-0

SetEnvironmentVariableW
ExpandEnvironmentStringsW

api-ms-win-security-base-l1-1-0

GetSecurityDescriptorControl
EqualSid
GetSecurityDescriptorOwner
ImpersonateLoggedOnUser
RevertToSelf
GetTokenInformation
CheckTokenMembership
GetSecurityDescriptorGroup
SetTokenInformation
DuplicateTokenEx
GetSecurityDescriptorDacl
SetFileSecurityW
SetKernelObjectSecurity
GetSecurityDescriptorSacl
CreateWellKnownSid

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
SetThreadpoolTimer

rpcrt4

RpcServerRegisterIfEx
RpcServerUseProtseqEpW
RpcRevertToSelf
RpcServerInqBindings
RpcServerListen
RpcBindingToStringBindingW
RpcStringBindingParseW
RpcServerInqCallAttributesW
RpcStringFreeW
RpcServerRegisterIf3
RpcServerUnregisterIf
NdrServerCallAll
NdrServerCall2
RpcBindingFromStringBindingW
RpcStringBindingComposeW
I_RpcExceptionFilter
RpcBindingSetAuthInfoExW
RpcMgmtIsServerListening
NdrClientCall3
RpcBindingCreateW
RpcAsyncInitializeHandle
Ndr64AsyncServerCallAll
RpcBindingBind
NdrAsyncServerCall
RpcAsyncCompleteCall
RpcServerTestCancel
I_RpcBindingIsClientLocal
RpcAsyncAbortCall
Ndr64AsyncClientCall
RpcBindingUnbind
RpcBindingFree
RpcBindingServerFromClient
RpcExceptionFilter
RpcEpUnregister
RpcBindingVectorFree
RpcAsyncCancelCall
RpcBindingCopy
RpcServerUseProtseqW
RpcEpRegisterW
UuidFromStringW
RpcServerInqDefaultPrincNameW
RpcServerRegisterAuthInfoW
RpcImpersonateClient

api-ms-win-core-datetime-l1-1-1

GetTimeFormatEx
GetDateFormatEx

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc
LocalReAlloc

api-ms-win-core-string-l1-1-0

CompareStringOrdinal

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
IsProcessorFeaturePresent
OpenProcess

api-ms-win-core-version-l1-1-0

VerQueryValueW
GetFileVersionInfoSizeExW
GetFileVersionInfoExW

api-ms-win-core-psapi-l1-1-0

K32GetModuleFileNameExW

api-ms-win-eventing-controller-l1-1-0

StartTraceW
ControlTraceW
EnableTraceEx2

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-threadpool-legacy-l1-1-0

CreateTimerQueueTimer
DeleteTimerQueueTimer
QueueUserWorkItem

api-ms-win-core-kernel32-legacy-l1-1-0

WTSGetActiveConsoleSessionId

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

profapi

ord102
ord101
ord104

kernelbase

WTSGetServiceSessionId

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-core-apiquery-l2-1-0

IsApiSetImplemented

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-core-file-l1-2-4

GetTempPath2W

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-rtlsupport-l1-1-0

RtlCompareMemory

Sections

.text
Size: 376KB - Virtual size: 374KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 112KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 672B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: Malware123!!

Password: Malware123!!

0462ef3c39b80f3b31d7423866ed65eb

Code Sign

33:00:00:03:f5:63:96:7a:c8:12:4e:1d:25:00:00:00:00:03:f5Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

41:25:f1:d7:a1:b7:c0:ac:8a:90:3f:84:a0:84:f9:e1:d2:1e:9b:2d:12:19:31:04:b1:43:fe:cd:e1:60:f9:c3Signer

Signature Validations

Verification

07/02/2023, 20:40 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-threadpool-l1-2-0

rpcrt4

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-version-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

profapi

kernelbase

api-ms-win-stateseparation-helpers-l1-1-0

api-ms-win-core-apiquery-l2-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-file-l1-2-4

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

Sections

.text Size: 376KB - Virtual size: 374KB

.rdata Size: 112KB - Virtual size: 108KB

.data Size: 4KB - Virtual size: 6KB

.pdata Size: 12KB - Virtual size: 10KB

.didat Size: 4KB - Virtual size: 672B

.rsrc Size: 12KB - Virtual size: 8KB

.reloc Size: 4KB - Virtual size: 1KB

33:00:00:03:f5:63:96:7a:c8:12:4e:1d:25:00:00:00:00:03:f5
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

41:25:f1:d7:a1:b7:c0:ac:8a:90:3f:84:a0:84:f9:e1:d2:1e:9b:2d:12:19:31:04:b1:43:fe:cd:e1:60:f9:c3
Signer

07/02/2023, 20:40
Valid: false

.text
Size: 376KB - Virtual size: 374KB

.rdata
Size: 112KB - Virtual size: 108KB

.data
Size: 4KB - Virtual size: 6KB

.pdata
Size: 12KB - Virtual size: 10KB

.didat
Size: 4KB - Virtual size: 672B

.rsrc
Size: 12KB - Virtual size: 8KB

.reloc
Size: 4KB - Virtual size: 1KB