winlogon[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

winlogon.exe
Size

892KB
MD5

3682a2354c4a5efa6d73ec70f94206e3
SHA1

55294df641586bcf91389f919c48b4281e106486
SHA256

28b2296a1d8900e13da12f0fe37ac13748cf67750f1cb1ef3a586a6c46ea0685
SHA512

38649c8416ef7c03b9fd0ed84bdc37a93f39805f1f1ddaa6ce0884c268b3996fc78309dce215a1477efcb48207d077d597a63756cb034a106055ef9b05050555
SSDEEP

12288:Q/zeFHmGqdpNDQl9UIVCjnWAxdAZy/Yqk9k2m5shXpZi8JXOD9xXc:3HmGKw2I7AwcAqk9HhOD9x

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
winlogon.exe

Files

winlogon.exe
.exe windows:10 windows x64 arch:x64

78356cc73f260babfc61a7495fa7eb8f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

winlogon.pdb

Imports

msvcrt

sprintf_s
_vsnprintf_s
iswspace
wcsrchr
_amsg_exit
__getmainargs
_vsnwprintf
wcstok
free
_onexit
__dllonexit
malloc
_CxxThrowException
_local_unwind
memcmp
__CxxFrameHandler3
?terminate@@YAXXZ
memcpy
memset
memmove
rand
_vscwprintf
wcschr
__set_app_type
_XcptFilter
_unlock
exit
_lock
_exit
_cexit
_commode
_ismbblead
_fmode
_acmdln
_initterm
__setusermatherr
wcsstr
_wcsdup
_wcslwr_s
_callnewh
??1type_info@@UEAA@XZ
_get_errno
_set_errno
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
__CxxFrameHandler4
_tolower
wcscpy_s
_wcsicmp
_wtoi
_wcsnicmp
_ultow
__C_specific_handler
memmove_s
_purecall
memcpy_s
wcspbrk
wcscmp

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExA
GetModuleFileNameA
LoadStringW
LoadLibraryExW
FreeLibrary
GetModuleFileNameW
FindResourceExW
GetProcAddress
LoadResource
GetModuleHandleExW
GetModuleHandleW
LockResource

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
SleepConditionVariableSRW
InitOnceComplete
WakeAllConditionVariable
InitOnceBeginInitialize
Sleep

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
InitializeCriticalSectionEx
ReleaseSemaphore
CreateMutexExW
InitializeCriticalSection
EnterCriticalSection
DeleteCriticalSection
SleepEx
ReleaseSRWLockShared
ResetEvent
CreateEventW
CreateSemaphoreExW
OpenSemaphoreW
WaitForSingleObjectEx
OpenEventW
AcquireSRWLockExclusive
SetEvent
TryEnterCriticalSection
WaitForSingleObject
CreateMutexW
ReleaseMutex
ReleaseSRWLockExclusive
AcquireSRWLockShared
TryAcquireSRWLockExclusive

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapFree
HeapSize
HeapSetInformation

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetErrorMode
SetLastError
GetLastError
SetUnhandledExceptionFilter
RaiseException

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolCleanupGroup
CreateThreadpoolWork
CloseThreadpoolCleanupGroup
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
SetThreadpoolTimer
CreateThreadpoolTimer
TrySubmitThreadpoolCallback
CloseThreadpoolCleanupGroupMembers
CloseThreadpool
SubmitThreadpoolWork
CreateThreadpool
SetThreadpoolThreadMaximum
SetThreadpoolThreadMinimum
CloseThreadpoolWork

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentThreadId
TerminateProcess
DeleteProcThreadAttributeList
UpdateProcThreadAttribute
GetStartupInfoW
InitializeProcThreadAttributeList
OpenProcessToken
GetCurrentProcessId
GetCurrentThread
SetThreadToken
CreateThread
CreateProcessAsUserW
CreateProcessW
GetExitCodeProcess
SetPriorityClass
SetThreadPriority
CreateRemoteThread
GetProcessId
ResumeThread

api-ms-win-core-localization-l1-2-0

GetThreadUILanguage
FormatMessageW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-core-registry-l1-1-0

RegGetValueW
RegCreateKeyExW
RegFlushKey
RegNotifyChangeKeyValue
RegDeleteTreeW
RegSetKeySecurity
RegQueryValueExW
RegSetValueExW
RegQueryInfoKeyW
RegEnumValueW
RegDeleteValueW
RegDeleteKeyExW
RegEnumKeyExW
RegCloseKey
RegOpenKeyExW
RegGetValueA

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
OpenProcess

api-ms-win-eventing-controller-l1-1-0

ControlTraceW
EnableTraceEx2
StartTraceW

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc
LocalReAlloc

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-string-l1-1-0

CompareStringOrdinal
WideCharToMultiByte
CompareStringW

api-ms-win-core-memory-l1-1-0

VirtualFree
VirtualAlloc

api-ms-win-core-memory-l1-1-1

GetProcessWorkingSetSizeEx
VirtualLock
VirtualUnlock
SetProcessWorkingSetSizeEx

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
SetEnvironmentVariableW
SearchPathW
ExpandEnvironmentStringsW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GetLocalTime
GetVersionExW
GetSystemWindowsDirectoryW
GetSystemTimeAsFileTime
GetSystemTime
GetTickCount

api-ms-win-security-base-l1-1-0

EqualSid
DuplicateToken
CheckTokenMembership
GetSecurityDescriptorDacl
FreeSid
AdjustTokenPrivileges
IsValidSid
CreateWellKnownSid
AllocateLocallyUniqueId
GetSidIdentifierAuthority
CopySid
GetLengthSid
ImpersonateLoggedOnUser
RevertToSelf
SetTokenInformation
GetTokenInformation
DuplicateTokenEx
CreateRestrictedToken

rpcrt4

RpcMgmtIsServerListening
RpcStringFreeW
RpcBindingCopy
RpcAsyncCancelCall
Ndr64AsyncClientCall
RpcBindingSetAuthInfoExW
RpcBindingFromStringBindingW
RpcAsyncInitializeHandle
RpcBindingFree
RpcServerInqCallAttributesW
RpcServerTestCancel
RpcServerUseProtseqEpW
NdrServerCall2
Ndr64AsyncServerCallAll
NdrServerCallAll
NdrAsyncServerCall
RpcRaiseException
RpcServerInqBindings
RpcEpRegisterW
RpcEpUnregister
RpcServerListen
RpcServerRegisterIfEx
RpcServerUnregisterIf
RpcServerUseProtseqW
I_RpcBindingIsClientLocal
RpcBindingVectorFree
RpcServerUnsubscribeForNotification
RpcServerSubscribeForNotification
NdrClientCall3
RpcBindingUnbind
RpcStringBindingComposeW
I_RpcExceptionFilter
RpcBindingBind
UuidFromStringW
RpcBindingCreateW
RpcRevertToSelf
RpcImpersonateClient
I_RpcBindingInqLocalClientPID
UuidCreate
UuidToStringW
RpcAsyncAbortCall
I_RpcMapWin32Status
RpcAsyncCompleteCall

api-ms-win-core-com-l1-1-0

CoTaskMemRealloc
CoCreateInstance
CoTaskMemFree
CoGetMalloc
CoUninitialize
CoInitializeEx
StringFromGUID2
CoCreateGuid
CoTaskMemAlloc

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW
RegDeleteKeyValueW

api-ms-win-power-base-l1-1-0

PowerDeterminePlatformRoleEx

api-ms-win-core-file-l1-1-0

GetShortPathNameW
CreateFileW
CompareFileTime
GetFileAttributesW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime

api-ms-win-core-datetime-l1-1-0

GetTimeFormatW
GetDateFormatW

api-ms-win-power-setting-l1-1-0

PowerSettingRegisterNotification
PowerSettingUnregisterNotification

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-shutdown-l1-1-1

InitiateShutdownW

api-ms-win-service-management-l1-1-0

StartServiceW
OpenServiceW
OpenSCManagerW
CloseServiceHandle

api-ms-win-service-management-l2-1-0

QueryServiceConfigW
QueryServiceStatusEx
NotifyServiceStatusChangeW

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCompareMemory
RtlCaptureContext
RtlLookupFunctionEntry

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableFlags
GetTraceEnableLevel
RegisterTraceGuidsW
GetTraceLoggerHandle
UnregisterTraceGuids

api-ms-win-security-credentials-l1-1-0

CredFree
CredUnmarshalCredentialW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW
LookupAccountSidW

api-ms-win-core-version-l1-1-0

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer

api-ms-win-service-winsvc-l1-1-0

QueryServiceStatus

api-ms-win-core-job-l2-1-0

SetInformationJobObject
AssignProcessToJobObject
TerminateJobObject
QueryInformationJobObject
CreateJobObjectW

api-ms-win-security-lsapolicy-l1-1-0

LsaOpenPolicy
LsaFreeMemory
LsaClose
LsaStorePrivateData
LsaQueryInformationPolicy

api-ms-win-core-appcompat-l1-1-0

BaseInitAppcompatCacheSupport

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-security-credentials-l2-1-0

CredReadByTokenHandle

api-ms-win-base-bootconfig-l1-1-0

NotifyBootConfigStatus

api-ms-win-eventlog-legacy-l1-1-0

GetEventLogInformation
DeregisterEventSource
RegisterEventSourceW
ReportEventW

api-ms-win-core-threadpool-legacy-l1-1-0

DeleteTimerQueueTimer
CreateTimerQueueTimer
QueueUserWorkItem
UnregisterWaitEx

api-ms-win-core-kernel32-legacy-l1-1-0

RegisterWaitForSingleObject
GetComputerNameW
UnregisterWait

api-ms-win-core-shlwapi-legacy-l1-1-0

PathIsRelativeW

api-ms-win-core-registry-l2-1-0

RegOpenKeyW
RegCreateKeyW

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

kernelbase

CreateProcessInternalW
AppContainerDeriveSidFromMoniker

ntdll

WinSqmEndSession
WinSqmIsOptedIn
NtCreateEvent
RtlAddAce
RtlSetDaclSecurityDescriptor
RtlGetDaclSecurityDescriptor
NtAdjustPrivilegesToken
NtDuplicateToken
RtlUnhandledExceptionFilter
NtQueryInformationProcess
NtSetInformationThread
NtDeviceIoControlFile
WinSqmStartSession
RtlInitializeResource
RtlAcquireResourceExclusive
RtlReleaseResource
RtlDeleteResource
NtGetCachedSigningLevel
WinSqmSetString
NtOpenEvent
NtSetEvent
RtlGetCurrentServiceSessionId
NtDeleteWnfStateName
NtCreateWnfStateName
RtlQueryResourcePolicy
__isascii
isupper
wcstok_s
_vsnprintf
RtlSetSystemBootStatus
RtlRemovePrivileges
RtlpVerifyAndCommitUILanguageSettings
NtSetInformationProcess
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
NtShutdownSystem
RtlCompareUnicodeString
RtlCreateEnvironment
TpReleaseTimer
TpWaitForTimer
TpAllocTimer
TpSetTimer
NtOpenThreadToken
NtOpenFile
RtlAppendUnicodeToString
NtOpenDirectoryObject
RtlFreeSid
NtSetSecurityObject
RtlSetSaclSecurityDescriptor
RtlAddMandatoryAce
RtlCreateAcl
RtlCreateSecurityDescriptor
RtlAllocateAndInitializeSid
RtlDestroyEnvironment
RtlCopySid
RtlNtStatusToDosErrorNoTeb
RtlSetEnvironmentVariable
RtlQueryEnvironmentVariable_U
RtlExpandEnvironmentStrings_U
RtlInitUnicodeStringEx
RtlGetAce
NtSetIRTimer
NtCreateIRTimer
NtSetInformationToken
NtCreateToken
RtlSubscribeWnfStateChangeNotification
RtlQueryWnfStateData
TpAllocWait
WinSqmSetDWORD
TpPostWork
TpAllocWork
RtlUnsubscribeWnfNotificationWaitForCompletion
TpReleaseWork
TpWaitForWork
TpReleaseWait
TpWaitForWait
TpSetWait
NtFilterToken
NtInitiatePowerAction
RtlAdjustPrivilege
RtlPublishWnfStateData
RtlLengthSid
EtwEventWriteStartScenario
EtwEventWriteEndScenario
RtlInitUnicodeString
NtAllocateLocallyUniqueId
RtlDeregisterWait
RtlRegisterWait
RtlTimeToSecondsSince1980
WinSqmAddToStream
TpSimpleTryPost
RtlEqualSid
EtwEventEnabled
EtwEventWrite
RtlCopyLuid
NtPowerInformation
EtwEventActivityIdControl
RtlGetActiveConsoleId
RtlInitString
NtQuerySystemInformation
NtSystemDebugControl
NtQueryInformationToken
NtOpenProcessToken
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlInitializeCriticalSection
RtlDeleteCriticalSection
RtlFreeUnicodeString
RtlNtStatusToDosError
RtlDuplicateUnicodeString
NtClose
RtlOpenCurrentUser
EtwTraceMessage
EtwEventRegister
EtwEventUnregister
EtwEventWriteTransfer
EtwEventSetInformation
RtlGetNtProductType

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteString
WindowsGetStringRawBuffer
WindowsCreateStringReference

api-ms-win-core-winrt-l1-1-0

RoActivateInstance

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 652KB - Virtual size: 651KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 160KB - Virtual size: 158KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

78356cc73f260babfc61a7495fa7eb8f

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-memory-l1-1-1

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-security-base-l1-1-0

rpcrt4

api-ms-win-core-com-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-registry-l1-1-1

api-ms-win-power-base-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-power-setting-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-shutdown-l1-1-1

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-security-credentials-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-core-job-l2-1-0

api-ms-win-security-lsapolicy-l1-1-0

api-ms-win-core-appcompat-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-security-credentials-l2-1-0

api-ms-win-base-bootconfig-l1-1-0

api-ms-win-eventlog-legacy-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-stateseparation-helpers-l1-1-0

kernelbase

ntdll

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 652KB - Virtual size: 651KB

.rdata Size: 160KB - Virtual size: 158KB

.data Size: 20KB - Virtual size: 26KB

.pdata Size: 28KB - Virtual size: 27KB

.didat Size: 4KB - Virtual size: 1KB

.rsrc Size: 20KB - Virtual size: 19KB

.text
Size: 652KB - Virtual size: 651KB

.rdata
Size: 160KB - Virtual size: 158KB

.data
Size: 20KB - Virtual size: 26KB

.pdata
Size: 28KB - Virtual size: 27KB

.didat
Size: 4KB - Virtual size: 1KB

.rsrc
Size: 20KB - Virtual size: 19KB

.reloc
Size: 4KB - Virtual size: 3KB