winutils[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

winutils.exe
Size

110KB
MD5

6eeaad1a18291b4d97e3284c47fb7b46
SHA1

62583759a47fbebf5add62294949fbd08ea45a14
SHA256

117f442c78283de1acc8e8f05a84b50f24910aaaea4945226b6eb1389224d36a
SHA512

d99786e2989144d1183a203a5e7563105d6237fc06f779eaa65f56f9c10f2ea442412076084eddadf8755ff0f5cbe83bbf83b568b2e118f50c5cc7fbbab6ea8e
SSDEEP

3072:xWjA1KwsRBHUoISOJcWq9PnVsi9Skz2v1MFX:xyw+SSOJceA

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
winutils.exe

Files

winutils.exe
.exe windows:5 windows x64 arch:x64

013608ea8b9f408c7a818a9326acaf7f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetCurrentDirectoryW
QueryInformationJobObject
GetExitCodeProcess
GetProcessTimes
WaitForSingleObject
CreateJobObjectW
SetEnvironmentVariableW
SetInformationJobObject
CreateHardLinkW
FindNextFileW
FindFirstFileW
GetSystemInfo
GetSystemTimes
CreateSymbolicLinkW
DeviceIoControl
LocalFree
DeleteFileW
CloseHandle
DuplicateHandle
CreatePipe
OpenJobObjectW
FindClose
lstrlenW
GetFileAttributesW
GetSystemTimeAsFileTime
QueryPerformanceCounter
Sleep
EncodePointer
UnhandledExceptionFilter
RtlVirtualUnwind
GetFileInformationByHandle
RtlLookupFunctionEntry
RtlCaptureContext
DecodePointer
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
RemoveDirectoryW
CreateEventW
LocalAlloc
RegisterWaitForSingleObject
GetLastError
CreateFileW
GetModuleFileNameW
TerminateProcess
FormatMessageW
AssignProcessToJobObject
OpenProcess
CompareStringEx
SetEvent
SetHandleInformation
SetUnhandledExceptionFilter
ExitProcess
FileTimeToSystemTime
ResumeThread
TerminateJobObject
OutputDebugStringW
IsDebuggerPresent
CreateDirectoryW
GetCurrentProcess
MoveFileExW
CreateProcessW
CopyFileExW
UnregisterWait

advapi32

GetSecurityDescriptorDacl
AdjustTokenPrivileges
AddAccessDeniedAceEx
GetLengthSid
LsaNtStatusToWinError
IsValidSid
AllocateLocallyUniqueId
MakeAbsoluteSD
LsaClose
SetFileSecurityW
LookupAccountSidW
LookupPrivilegeValueW
SetNamedSecurityInfoW
SetSecurityDescriptorDacl
LookupAccountNameW
BuildSecurityDescriptorW
GetSecurityDescriptorControl
GetTokenInformation
OpenProcessToken
ConvertSecurityDescriptorToStringSecurityDescriptorW
AddAce
SetSecurityInfo
InitializeAcl
GetSecurityInfo
CreateProcessAsUserW
AddAccessAllowedAceEx
GetUserNameW
CreateWellKnownSid
ConvertSidToStringSidW
ReportEventW
RegisterServiceCtrlHandlerW
SetServiceStatus
GetNamedSecurityInfoW
GetAce
DeregisterEventSource
EqualSid
GetAclInformation
StartServiceCtrlDispatcherW
RegisterEventSourceW

msvcr100

_CxxThrowException
?_type_info_dtor_internal_method@type_info@@QEAAXXZ
_onexit
_lock
__dllonexit
_unlock
?terminate@@YAXXZ
__crt_debugger_hook
__set_app_type
_fmode
_commode
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
__winitenv
exit
_cexit
_exit
_XcptFilter
__C_specific_handler
__wgetmainargs
_amsg_exit
??2@YAPEAX_K@Z
memcpy_s
??3@YAXPEAX@Z
_wsplitpath_s
swprintf_s
iswctype
calloc
wcsspn
fclose
wcscat_s
_wfopen_s
wprintf
wcstol
_errno
fwprintf_s
malloc
free
wcschr
_vsnwprintf
__iob_func
wcsnlen
fwprintf
fprintf_s
__CxxFrameHandler3

rpcrt4

RpcServerRegisterIfEx
NdrServerCall2
RpcMgmtStopServerListening
RpcServerListen
RpcServerUseProtseqIfW
RpcFreeAuthorizationContext
RpcGetAuthorizationContextForClient

authz

AuthzAccessCheck
AuthzFreeResourceManager
AuthzFreeContext
AuthzInitializeContextFromToken
AuthzInitializeContextFromSid
AuthzInitializeResourceManager

psapi

GetProcessMemoryInfo
GetPerformanceInfo

powrprof

CallNtPowerInformation

pdh

PdhCloseQuery
PdhGetRawCounterArrayW
PdhAddCounterW
PdhOpenQueryW
PdhCollectQueryData

netapi32

NetApiBufferFree
NetUserGetLocalGroups

secur32

LsaFreeReturnBuffer
LsaLogonUser
LsaLookupAuthenticationPackage
LsaRegisterLogonProcess

userenv

UnloadUserProfile
LoadUserProfileW
DestroyEnvironmentBlock
CreateEnvironmentBlock

ole32

OleRun
CoInitialize
CoUninitialize
CoCreateInstance

oleaut32

GetErrorInfo
SysFreeString
SysStringByteLen
VariantChangeType
SysAllocString
SysStringLen
VariantInit
SysAllocStringByteLen
VariantCopy
VariantClear

Sections

.text
Size: 65KB - Virtual size: 65KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 832B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 454B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

013608ea8b9f408c7a818a9326acaf7f

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

advapi32

msvcr100

rpcrt4

authz

psapi

powrprof

pdh

netapi32

secur32

userenv

ole32

oleaut32

Sections

.text Size: 65KB - Virtual size: 65KB

.rdata Size: 12KB - Virtual size: 12KB

.data Size: 26KB - Virtual size: 28KB

.pdata Size: 3KB - Virtual size: 2KB

.rsrc Size: 1024B - Virtual size: 832B

.reloc Size: 512B - Virtual size: 454B

.text
Size: 65KB - Virtual size: 65KB

.rdata
Size: 12KB - Virtual size: 12KB

.data
Size: 26KB - Virtual size: 28KB

.pdata
Size: 3KB - Virtual size: 2KB

.rsrc
Size: 1024B - Virtual size: 832B

.reloc
Size: 512B - Virtual size: 454B