userinit[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

userinit.exe
Size

57KB
MD5

47bbdbe152a597f4a840c5269ed961e8
SHA1

f2460307d8f0c264df4f101b5adaf6927d4116cf
SHA256

03c963391d522a764136008a878369c07fcdf05083274a8a9f27348a14e13d55
SHA512

e2bf584b2ca225ad44d0e243c454ff0bd8044936e4ed623f622428c9f2bbe3330122e51241452159a55b83c792a971c2c896091fb3506541ff1fc1cef166d6c6
SSDEEP

1536:Hpcgu/OWzSnyz/ZjRSANUcHgHZuxxhinQ7:HqgEObnyTZblHg5tQ7

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
userinit.exe

Files

userinit.exe
.exe windows:10 windows x64 arch:x64

f7ce4577c1c3eaeb2841c3e21921d9aa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

userinit.pdb

Imports

ntdll

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlGetActiveConsoleId

api-ms-win-core-file-l1-1-0

GetFileAttributesExW
CompareFileTime

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentVariableW
SetEnvironmentVariableW
SearchPathW
ExpandEnvironmentStringsW

api-ms-win-core-registry-l1-1-0

RegQueryInfoKeyW
RegCloseKey
RegGetValueW
RegQueryValueExW
RegOpenKeyExW
RegEnumValueW

api-ms-win-core-heap-l1-1-0

HeapSetInformation
HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
GetLastError
SetLastError
SetUnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

GetStartupInfoW
GetCurrentProcessId
GetCurrentThreadId
CreateProcessW
CreateThread
SetThreadPriority
TerminateProcess
GetCurrentProcess
GetCurrentThread

api-ms-win-eventing-classicprovider-l1-1-0

RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
UnregisterTraceGuids
TraceMessage
GetTraceLoggerHandle

api-ms-win-core-synch-l1-1-0

ReleaseMutex
WaitForSingleObjectEx
ReleaseSemaphore
CreateMutexExW
WaitForSingleObject
OpenSemaphoreW
OpenEventW
CreateSemaphoreExW

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetSystemDirectoryW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameW
GetModuleHandleExW
GetProcAddress
LoadStringW
GetModuleHandleW
FreeLibrary
LoadLibraryExW
GetModuleFileNameA

api-ms-win-core-com-l1-1-0

CoTaskMemFree
CoTaskMemAlloc

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW

api-ms-win-crt-runtime-l1-1-0

_c_exit
_register_thread_local_exe_atexit_callback
_initterm
_initterm_e

api-ms-win-crt-private-l1-1-0

_o___p__commode
_o___std_exception_copy
_o___std_exception_destroy
_o___stdio_common_vsnprintf_s
_o___stdio_common_vswprintf
_o__cexit
_o__configthreadlocale
_o__configure_narrow_argv
_o__crt_atexit
_o__errno
_o__exit
_o__get_narrow_winmain_command_line
_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
memcpy
memmove
_o__register_onexit_function
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
_o__wcsicmp
_o__wtoi
_o_exit
_o_free
_o_terminate
__C_specific_handler
wcsrchr
memcmp
_CxxThrowException
__CxxFrameHandler4

api-ms-win-crt-string-l1-1-0

memset

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Sections

.text
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 200B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 160B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f7ce4577c1c3eaeb2841c3e21921d9aa

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntdll

api-ms-win-core-file-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Sections

.text Size: 36KB - Virtual size: 35KB

.rdata Size: 14KB - Virtual size: 14KB

.data Size: 512B - Virtual size: 2KB

.pdata Size: 2KB - Virtual size: 1KB

.didat Size: 512B - Virtual size: 200B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 160B

.text
Size: 36KB - Virtual size: 35KB

.rdata
Size: 14KB - Virtual size: 14KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 2KB - Virtual size: 1KB

.didat
Size: 512B - Virtual size: 200B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 160B