winlogon[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

winlogon.exe
Size

185KB
MD5

53200c5739e3e309f04a139c53e29c2f
SHA1

8b7b69fb353dd20c8221656704488ddb69c16fea
SHA256

3ef8e012f5a5d9bac023c8c16f9e78bb3e164f2c8d55e9b2ab1b4dc46717e459
SHA512

d2cf6146216f7cdae1dd1356a6aecbff2063a170cd4d5215c6def9bfed627a61285b5c2aa55039b9090480c2be53602adb9ff7b9ed0af7c2051493c07ed6ca35
SSDEEP

3072:u1aByt4+N7XJy5P+F1nKLrroRBoyPPbXIZ+I9jSFsOwdawv:u1ai4+N7ZU2krk/3bX+0y

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
winlogon.exe

Files

winlogon.exe
.exe windows:6 windows x64

23ba8b8701af191ce67b247bf3a0358d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetConsoleWindow
VirtualAlloc
GetLastError
CreateThread
WaitForSingleObject
CloseHandle
ReleaseSRWLockExclusive
ReleaseMutex
ReleaseSRWLockShared
AddVectoredExceptionHandler
SetThreadStackGuarantee
AcquireSRWLockExclusive
GetCurrentProcess
GetCurrentThread
RtlCaptureContext
GetProcAddress
RtlLookupFunctionEntry
SetLastError
GetCurrentDirectoryW
GetEnvironmentVariableW
GetStdHandle
GetCurrentProcessId
TryAcquireSRWLockExclusive
QueryPerformanceCounter
HeapAlloc
GetProcessHeap
HeapFree
HeapReAlloc
AcquireSRWLockShared
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
GetModuleHandleA
CreateFileW
GetFileInformationByHandle
GetFileInformationByHandleEx
GetConsoleMode
GetModuleHandleW
FormatMessageW
GetFullPathNameW
MultiByteToWideChar
WriteConsoleW
TlsGetValue
TlsSetValue
GetSystemTimeAsFileTime
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
InitializeSListHead
GetCurrentThreadId
IsProcessorFeaturePresent

ntdll

NtWriteFile
NtReadFile
RtlNtStatusToDosError

user32

ShowWindow

vcruntime140

memmove
__C_specific_handler
__CxxFrameHandler3
memset
memcmp
memcpy
__current_exception_context
__current_exception

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e
_get_initial_narrow_environment
_exit
_initialize_narrow_environment
_configure_narrow_argv
__p___argc
__p___argv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
_set_app_type
_seh_filter_exe
exit
_initialize_onexit_table
_register_onexit_function
_crt_atexit
terminate

api-ms-win-crt-math-l1-1-0

__setusermatherr

api-ms-win-crt-stdio-l1-1-0

_set_fmode
__p__commode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

api-ms-win-crt-heap-l1-1-0

_set_new_mode
free

Sections

.text
Size: 137KB - Virtual size: 137KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 39KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 696B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

23ba8b8701af191ce67b247bf3a0358d

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ntdll

user32

vcruntime140

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-heap-l1-1-0

Sections

.text Size: 137KB - Virtual size: 137KB

.rdata Size: 39KB - Virtual size: 39KB

.data Size: 512B - Virtual size: 696B

.pdata Size: 5KB - Virtual size: 5KB

.reloc Size: 1KB - Virtual size: 1KB

.text
Size: 137KB - Virtual size: 137KB

.rdata
Size: 39KB - Virtual size: 39KB

.data
Size: 512B - Virtual size: 696B

.pdata
Size: 5KB - Virtual size: 5KB

.reloc
Size: 1KB - Virtual size: 1KB