wininit[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

wininit.exe
Size

414KB
MD5

c8141f2dcd0c7b75ec4f21ee6c3f0284
SHA1

0530f7f1d2d32ca603d1407e948f4782579b8bd0
SHA256

21da0122ba7b723adad041969bded52eefa99b47571670599bc03b3d7e1e3788
SHA512

6d776bfabb4aba704955263c4bb416a7774dec7d57e69ec4e05dae0a286c552bd47bbcf8d2d468edc5cf4aa716325b9b58f16d3cad88b0e8a6f79f9df59eebc8
SSDEEP

12288:TCMfUwZ0YLeS48p+J5m/jyPQB9QxHEaXi:WMso07RyGPQfQxkaS

Score

1^/10

Malware Config

Signatures

Files

wininit.exe
.exe windows:10 windows x64 arch:x64

5dd14afab46b0c83ea7a6093d7355fa9

Code Sign

33:00:00:04:48:4a:ab:a9:ca:f4:ee:80:15:00:00:00:00:04:48
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/08/2023, 18:38

Not After

07/08/2024, 18:38

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:19:f2:aa:f0:d6:b1:cf:48:71:60:d8:75:9b:e6:87:8d:c5:4d:54:33:88:ad:08:4a:f3:0c:c8:7b:f9:11:50
Signer

Actual PE Digest

52:19:f2:aa:f0:d6:b1:cf:48:71:60:d8:75:9b:e6:87:8d:c5:4d:54:33:88:ad:08:4a:f3:0c:c8:7b:f9:11:50

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

wininit.pdb

Imports

api-ms-win-crt-string-l1-1-0

wcsnlen
wcscmp
memset
wcsncmp
strncmp

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e
_register_thread_local_exe_atexit_callback
_c_exit

api-ms-win-crt-private-l1-1-0

_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__purecall
_o__register_onexit_function
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
_o__ultow_s
_o__wcsicmp
_o__wcslwr
_o__wcsnicmp
_o__wcsupr
memmove
_o_exit
_o_free
_o_strcpy_s
_o_terminate
_o_toupper
_o_wcscat_s
_o_wcscpy_s
_o_wcstoul
wcsstr
_o__get_narrow_winmain_command_line
_o__exit
_o__errno
_o__crt_atexit
_o__configure_narrow_argv
_o__configthreadlocale
_o__cexit
_o___stdio_common_vswscanf
_o___stdio_common_vswprintf_s
_o___stdio_common_vswprintf
_o___stdio_common_vsnwprintf_s
_o___p__commode
__C_specific_handler
wcschr
wcsrchr
memcmp
memcpy

ntdll

RtlSubscribeWnfStateChangeNotification
NtDeleteWnfStateName
NtCreateWnfStateName
NtOpenThreadToken
RtlCapabilityCheckForSingleSessionSku
RtlIsMultiSessionSku
RtlRemovePrivileges
NtOpenProcessToken
NtShutdownSystem
NtSetThreadExecutionState
CsrClientCallServer
RtlDeregisterWaitEx
RtlUnsubscribeWnfNotificationWaitForCompletion
NtQueryInformationProcess
RtlInitializeCriticalSection
RtlDestroyEnvironment
RtlGetCurrentServiceSessionId
NtSetValueKey
NtCreateKey
RtlRegisterWait
NtClose
NtCreateUserProcess
RtlCreateProcessParametersEx
NtAllocateLocallyUniqueId
RtlDosPathNameToNtPathName_U_WithStatus
NtCreateEvent
NtQuerySystemEnvironmentValueEx
RtlInitUnicodeString
RtlAllocateHeap
RtlUnhandledExceptionFilter
RtlFreeHeap
RtlGetSystemBootStatus
RtlNtStatusToDosError
RtlAllocateAndInitializeSid
EtwEventEnabled
RtlCreateSecurityDescriptor
RtlCreateAcl
NtPrivilegeCheck
RtlSetDaclSecurityDescriptor
RtlLengthSid
NtAdjustPrivilegesToken
NtPrivilegeObjectAuditAlarm
EtwEventWrite
NtQuerySystemInformation
RtlLeaveCriticalSection
RtlGetActiveConsoleId
RtlEnterCriticalSection
NtSetInformationProcess
RtlSetThreadIsCritical
RtlSetProcessIsCritical
NtOpenEvent
EtwEventWriteStartScenario
EtwEventActivityIdControl
ZwQuerySystemInformation
RtlAppendUnicodeToString
RtlFreeUnicodeString
RtlGetCurrentDirectory_U
ZwSetSystemInformation
RtlUnlockBootStatusData
ZwClose
ZwDeviceIoControlFile
ZwCreateFile
ZwOpenFile
RtlAppendUnicodeStringToString
RtlWriteRegistryValue
ZwUnloadDriver
ZwLoadDriver
ZwCreateKey
ZwDeleteKey
ZwOpenKey
RtlPublishWnfStateData
EtwEventWriteTransfer
EtwEventSetInformation
EtwEventRegister
NtPowerInformation
RtlCompareUnicodeString
RtlInitUnicodeStringEx
RtlQueryEnvironmentVariable_U
RtlSetEnvironmentVariable
RtlFreeSid
EtwEventUnregister
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
NtQueryInformationToken
EtwGetTraceEnableFlags
RtlCreateEnvironment
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwTraceMessage
RtlAdjustPrivilege
WinSqmIsOptedIn
WinSqmAddToStream
NtSystemDebugControl
RtlGUIDFromString
RtlStringFromGUID
ZwQueryAttributesFile
ZwWaitForSingleObject
ZwQueryKey
ZwReleaseMutant
ZwOpenMutant
ZwQuerySymbolicLinkObject
ZwQueryDirectoryObject
ZwOpenSymbolicLinkObject
ZwOpenDirectoryObject
RtlLengthSecurityDescriptor
RtlSetOwnerSecurityDescriptor
ZwLoadKey
RtlAddAccessAllowedAceEx
ZwDeleteValueKey
ZwEnumerateKey
ZwQueryValueKey
ZwSetSecurityObject
ZwUnloadKey
ZwSetValueKey
LdrGetProcedureAddress
LdrGetDllHandle
ZwQueryInformationProcess
RtlInitAnsiString
ZwQueryInformationFile
ZwOpenProcess
ZwAllocateUuids
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
RtlImpersonateSelf
RtlCaptureContext
NtOpenSymbolicLinkObject
NtOpenKey
NtQuerySymbolicLinkObject
NtDeviceIoControlFile
NtOpenFile
NtQueryValueKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtTranslateFilePath
NtOpenDirectoryObject
NtQueryDirectoryObject
NtEnumerateBootEntries
RtlLookupFunctionEntry
RtlVirtualUnwind
NtSetEvent

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-processthreads-l1-1-0

CreateProcessW
OpenProcessToken
GetCurrentProcessId
GetCurrentThread
CreateProcessAsUserW
UpdateProcThreadAttribute
CreateRemoteThread
InitializeProcThreadAttributeList
GetExitCodeProcess
ResumeThread
SetThreadPriority
GetStartupInfoW
TerminateProcess
CreateThread
GetCurrentProcess
SetPriorityClass
GetCurrentThreadId
DeleteProcThreadAttributeList

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapSetInformation
GetProcessHeap
HeapFree
HeapCreate
HeapDestroy

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA
LoadLibraryExA
FindResourceExW
FreeLibrary
GetModuleHandleW
GetProcAddress
GetModuleFileNameW
GetModuleHandleExW
LoadLibraryExW
LoadResource
LockResource

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW

api-ms-win-core-errorhandling-l1-1-0

SetErrorMode
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError
SetLastError

api-ms-win-core-synch-l1-1-0

EnterCriticalSection
InitializeCriticalSectionEx
WaitForSingleObjectEx
ReleaseMutex
WaitForMultipleObjectsEx
AcquireSRWLockExclusive
ReleaseSemaphore
DeleteCriticalSection
ReleaseSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
CreateSemaphoreExW
InitializeCriticalSection
WaitForSingleObject
OpenSemaphoreW
CreateEventW
SetEvent
ResetEvent
CreateMutexExW
LeaveCriticalSection
SleepEx

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
CloseThreadpoolTimer
SetThreadpoolTimer

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-registry-l1-1-0

RegEnumValueW
RegSetValueExW
RegDeleteTreeW
RegCloseKey
RegCreateKeyExW
RegGetValueW
RegDeleteValueW
RegOpenKeyExW
RegQueryValueExW
RegQueryValueExA
RegQueryInfoKeyW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetWindowsDirectoryW
GetComputerNameExW
GetLocalTime
GetVersionExW
GetSystemTimeAsFileTime

api-ms-win-core-file-l1-1-0

ReadFile
CreateDirectoryW
CreateFileW
GetDriveTypeW
DeleteFileW
FindNextVolumeW
FindClose
GetFileAttributesW
GetShortPathNameW
FindFirstFileW
FindFirstVolumeW
FindVolumeClose

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
SetEnvironmentVariableW

api-ms-win-security-base-l1-1-0

CheckTokenMembership
ImpersonateLoggedOnUser
RevertToSelf
GetSecurityDescriptorControl
GetSecurityDescriptorOwner
GetTokenInformation
EqualSid
GetSecurityDescriptorGroup
SetTokenInformation
SetFileSecurityW
SetKernelObjectSecurity
GetSecurityDescriptorSacl
DuplicateTokenEx
GetSecurityDescriptorDacl
CreateWellKnownSid

rpcrt4

RpcServerRegisterAuthInfoW
RpcServerUseProtseqW
UuidFromStringW
RpcBindingVectorFree
RpcEpRegisterW
RpcServerInqBindings
RpcServerInqDefaultPrincNameW
RpcServerUnregisterIf
I_RpcExceptionFilter
NdrClientCall3
RpcServerRegisterIf3
RpcBindingSetAuthInfoExW
RpcExceptionFilter
NdrServerCallAll
Ndr64AsyncServerCallAll
NdrAsyncServerCall
RpcServerTestCancel
NdrServerCall2
I_RpcBindingIsClientLocal
RpcAsyncAbortCall
RpcBindingFromStringBindingW
RpcImpersonateClient
RpcStringBindingComposeW
RpcRevertToSelf
RpcServerUseProtseqEpW
RpcServerRegisterIfEx
RpcServerListen
RpcBindingToStringBindingW
RpcStringBindingParseW
RpcEpUnregister
Ndr64AsyncClientCall
RpcBindingUnbind
RpcBindingServerFromClient
RpcServerInqCallAttributesW
RpcAsyncCancelCall
RpcBindingFree
RpcBindingCopy
RpcAsyncCompleteCall
RpcStringFreeW
RpcBindingBind
RpcAsyncInitializeHandle
RpcBindingCreateW
RpcMgmtIsServerListening

api-ms-win-core-heap-l2-1-0

LocalReAlloc
LocalFree
LocalAlloc

api-ms-win-core-datetime-l1-1-1

GetTimeFormatEx
GetDateFormatEx

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime

api-ms-win-core-string-l1-1-0

CompareStringOrdinal

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
OpenProcess
IsProcessorFeaturePresent

api-ms-win-core-version-l1-1-0

VerQueryValueW
GetFileVersionInfoSizeExW
GetFileVersionInfoExW

api-ms-win-core-psapi-l1-1-0

K32GetModuleFileNameExW

api-ms-win-eventing-controller-l1-1-0

StartTraceW
ControlTraceW
EnableTraceEx2

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-threadpool-legacy-l1-1-0

QueueUserWorkItem
DeleteTimerQueueTimer
CreateTimerQueueTimer

api-ms-win-core-kernel32-legacy-l1-1-0

WTSGetActiveConsoleSessionId

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

profapi

ord102
ord101
ord104

kernelbase

WTSGetServiceSessionId

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventWriteTransfer
EventSetInformation
EventProviderEnabled
EventUnregister

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-rtlsupport-l1-1-0

RtlCompareMemory

Sections

.text
Size: 289KB - Virtual size: 288KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 90KB - Virtual size: 90KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5dd14afab46b0c83ea7a6093d7355fa9

Code Sign

33:00:00:04:48:4a:ab:a9:ca:f4:ee:80:15:00:00:00:00:04:48Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

52:19:f2:aa:f0:d6:b1:cf:48:71:60:d8:75:9b:e6:87:8d:c5:4d:54:33:88:ad:08:4a:f3:0c:c8:7b:f9:11:50Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

ntdll

api-ms-win-core-localization-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-security-base-l1-1-0

rpcrt4

api-ms-win-core-heap-l2-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-version-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

profapi

kernelbase

api-ms-win-stateseparation-helpers-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

Sections

.text Size: 289KB - Virtual size: 288KB

.rdata Size: 90KB - Virtual size: 90KB

.data Size: 2KB - Virtual size: 6KB

.pdata Size: 9KB - Virtual size: 8KB

.didat Size: 512B - Virtual size: 488B

.rsrc Size: 8KB - Virtual size: 7KB

.reloc Size: 1KB - Virtual size: 1KB

33:00:00:04:48:4a:ab:a9:ca:f4:ee:80:15:00:00:00:00:04:48
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

52:19:f2:aa:f0:d6:b1:cf:48:71:60:d8:75:9b:e6:87:8d:c5:4d:54:33:88:ad:08:4a:f3:0c:c8:7b:f9:11:50
Signer

.text
Size: 289KB - Virtual size: 288KB

.rdata
Size: 90KB - Virtual size: 90KB

.data
Size: 2KB - Virtual size: 6KB

.pdata
Size: 9KB - Virtual size: 8KB

.didat
Size: 512B - Virtual size: 488B

.rsrc
Size: 8KB - Virtual size: 7KB

.reloc
Size: 1KB - Virtual size: 1KB