logoff[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

logoff.exe
Size

20KB
MD5

65d886b9d0f1b75f6c7078d38d21ce0e
SHA1

7a7381d1f2ed4429861b0271db7020a2941c609e
SHA256

0069ef09c0fa4113dd6e4eb62361382f1745d8a5fb9c68d45e2f03378275bf44
SHA512

1d66d632b6a50a8c50201cd0a15960d93dea4b92a592367c19c1dd74d521ffe733c4ef67625b18165c6384b9f4f1106962879033eb4573febf69b56d6883ca22
SSDEEP

384:lkIqdNQ+ltuY9i0gb/qm9rPacXFqwe+Tf/nE8kKW37uWeC99gn:lkImNQ+nz+/NdqeknuCIn

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
logoff.exe

Files

logoff.exe
.exe windows:10 windows x86

e80d23254937881927e5d8bb93e768bd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

winsta

WinStationOpenServerW
LogonIdFromWinStationNameW
WinStationNameFromLogonIdW
WinStationFreeMemory
WinStationOpenServerExW
WinStationReset
WinStationGetAllSessionsW

user32

LoadStringW
ExitWindowsEx

kernel32

GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetModuleHandleA
TerminateProcess
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
GetConsoleOutputCP
SetThreadUILanguage
GetLastError
HeapSetInformation
SetLastError
GetStdHandle
MultiByteToWideChar
FormatMessageW
LoadLibraryW
WriteConsoleW
GetModuleHandleW
FreeLibrary
GetFileType
GetCommandLineW
LocalAlloc
LocalFree
VerSetConditionMask
VerifyVersionInfoW
FindFirstFileW
FindNextFileW
FindClose
GetFileAttributesW
GetCurrentProcessId
QueryPerformanceCounter
Sleep

msvcrt

wcscpy_s
wcscat_s
vswprintf_s
wcschr
free
vfwprintf
fwprintf
malloc
memmove
wcstol
_wcsnicmp
_wcsdup
_wcslwr
_XcptFilter
__p__commode
_amsg_exit
__getmainargs
__set_app_type
exit
_exit
_cexit
__p__fmode
__setusermatherr
_initterm
?terminate@@YAXXZ
_controlfp
_except_handler4_common
_ultoa
_wsetlocale
swprintf_s
fgetwc
wcstoul
setlocale
__iob_func
memcpy
iswctype
memset

Sections

.text
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 848B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e80d23254937881927e5d8bb93e768bd

Headers

DLL Characteristics

File Characteristics

Imports

winsta

user32

kernel32

msvcrt

Sections

.text Size: 12KB - Virtual size: 12KB

.data Size: 512B - Virtual size: 5KB

.idata Size: 2KB - Virtual size: 2KB

.rsrc Size: 2KB - Virtual size: 2KB

.reloc Size: 1024B - Virtual size: 848B

.text
Size: 12KB - Virtual size: 12KB

.data
Size: 512B - Virtual size: 5KB

.idata
Size: 2KB - Virtual size: 2KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 1024B - Virtual size: 848B