winlogon[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

winlogon.exe
Size

880KB
MD5

41791cb9318cff31f32b01abf1a70762
SHA1

835c6e75da1b8881582f62617870c0821d696fd6
SHA256

bc549f3977eb7d2607ee663094ebdcc81855e3e149c389432b3ee08ff0fb8664
SHA512

d77d759e824b31750343316a0eb00242808750186acd9e6274730cc75e40aa9ae4ec509fc2f8492006fd72fd4c38a6413fbac7a0199b073a11e4139460bef1d2
SSDEEP

12288:huiwessDpr5vLNUw9vMNHMxlxRrCJPZiQyHsybwUD32VcfKpskK0nT:UsDprTUfNHOlxw/iQyMb2fKpbK0nT

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
winlogon.exe

Files

winlogon.exe
.exe windows:10 windows x64 arch:x64

d36ccd47e1e359036777e2b9aa784047

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

winlogon.pdb

Imports

msvcrt

iswspace
_vsnprintf_s
sprintf_s
_wcslwr_s
malloc
_callnewh
_XcptFilter
_wcsdup
__getmainargs
__set_app_type
exit
_exit
_cexit
free
__setusermatherr
wcsstr
_amsg_exit
_vsnwprintf
_initterm
_acmdln
_fmode
_commode
_lock
_unlock
__dllonexit
wcschr
_vscwprintf
memmove
memcpy
_onexit
wcstok
__CxxFrameHandler3
wcsrchr
memcmp
_local_unwind
_ismbblead
wcscpy_s
_CxxThrowException
?terminate@@YAXXZ
memset
??1type_info@@UEAA@XZ
_get_errno
_set_errno
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
__CxxFrameHandler4
_tolower
rand
_wcsicmp
_wtoi
_wcsnicmp
_ultow
__C_specific_handler
memmove_s
_purecall
memcpy_s
wcspbrk
wcscmp

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
GetProcAddress
GetModuleHandleExA
GetModuleFileNameW
GetModuleHandleW
LockResource
LoadStringW
FreeLibrary
FindResourceExW
LoadResource
LoadLibraryExW
GetModuleFileNameA

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceComplete
SleepConditionVariableSRW
InitOnceBeginInitialize
WakeAllConditionVariable
InitOnceExecuteOnce

api-ms-win-core-synch-l1-1-0

OpenSemaphoreW
WaitForSingleObjectEx
TryAcquireSRWLockExclusive
SetEvent
CreateMutexW
AcquireSRWLockExclusive
AcquireSRWLockShared
InitializeCriticalSection
OpenEventW
DeleteCriticalSection
ReleaseSemaphore
ReleaseSRWLockExclusive
CreateSemaphoreExW
CreateMutexExW
ReleaseMutex
LeaveCriticalSection
EnterCriticalSection
CreateEventW
WaitForSingleObject
InitializeCriticalSectionEx
TryEnterCriticalSection
ReleaseSRWLockShared
ResetEvent
SleepEx

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
HeapSize
GetProcessHeap
HeapSetInformation

api-ms-win-core-errorhandling-l1-1-0

SetLastError
UnhandledExceptionFilter
RaiseException
SetErrorMode
GetLastError
SetUnhandledExceptionFilter

api-ms-win-core-threadpool-l1-2-0

SubmitThreadpoolWork
SetThreadpoolTimer
CreateThreadpoolWork
CloseThreadpoolCleanupGroup
CreateThreadpoolTimer
SetThreadpoolThreadMaximum
WaitForThreadpoolTimerCallbacks
CloseThreadpoolCleanupGroupMembers
SetThreadpoolThreadMinimum
CloseThreadpoolWork
CreateThreadpool
CreateThreadpoolCleanupGroup
CloseThreadpoolTimer
TrySubmitThreadpoolCallback
CloseThreadpool

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
OpenProcessToken
ResumeThread
CreateProcessAsUserW
CreateThread
GetProcessId
TerminateProcess
GetStartupInfoW
GetCurrentThread
CreateRemoteThread
SetThreadToken
GetCurrentProcess
InitializeProcThreadAttributeList
CreateProcessW
SetPriorityClass
SetThreadPriority
GetExitCodeProcess
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
GetCurrentThreadId

api-ms-win-core-localization-l1-2-0

GetThreadUILanguage
FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-registry-l1-1-0

RegFlushKey
RegGetValueA
RegDeleteValueW
RegNotifyChangeKeyValue
RegGetValueW
RegQueryValueExW
RegCloseKey
RegEnumKeyExW
RegSetKeySecurity
RegSetValueExW
RegEnumValueW
RegQueryInfoKeyW
RegDeleteKeyExW
RegDeleteTreeW
RegCreateKeyExW
RegOpenKeyExW

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
OpenProcess

api-ms-win-eventing-controller-l1-1-0

EnableTraceEx2
ControlTraceW
StartTraceW

api-ms-win-core-heap-l2-1-0

LocalReAlloc
LocalFree
LocalAlloc

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-memory-l1-1-0

VirtualFree
VirtualAlloc

api-ms-win-core-memory-l1-1-1

SetProcessWorkingSetSizeEx
VirtualUnlock
GetProcessWorkingSetSizeEx
VirtualLock

api-ms-win-core-processenvironment-l1-1-0

SetEnvironmentVariableW
SearchPathW
GetCommandLineW
ExpandEnvironmentStringsW

api-ms-win-core-sysinfo-l1-1-0

GetSystemTime
GetTickCount
GetVersionExW
GetLocalTime
GetSystemTimeAsFileTime
GetTickCount64
GetSystemWindowsDirectoryW

api-ms-win-security-base-l1-1-0

ImpersonateLoggedOnUser
RevertToSelf
GetTokenInformation
GetLengthSid
AllocateLocallyUniqueId
CopySid
FreeSid
CreateRestrictedToken
AdjustTokenPrivileges
SetTokenInformation
EqualSid
IsValidSid
GetSidIdentifierAuthority
DuplicateToken
DuplicateTokenEx
CheckTokenMembership
CreateWellKnownSid
GetSecurityDescriptorDacl

rpcrt4

RpcMgmtIsServerListening
RpcStringFreeW
RpcBindingCopy
RpcAsyncCancelCall
Ndr64AsyncClientCall
RpcBindingSetAuthInfoExW
RpcBindingFromStringBindingW
RpcAsyncInitializeHandle
NdrClientCall3
RpcServerInqCallAttributesW
RpcServerTestCancel
RpcServerUseProtseqEpW
NdrServerCall2
Ndr64AsyncServerCallAll
NdrServerCallAll
NdrAsyncServerCall
RpcRaiseException
RpcServerInqBindings
RpcEpRegisterW
RpcEpUnregister
RpcServerListen
RpcServerRegisterIfEx
RpcServerUnregisterIf
RpcServerUseProtseqW
I_RpcBindingIsClientLocal
RpcBindingVectorFree
RpcServerUnsubscribeForNotification
RpcServerSubscribeForNotification
RpcStringBindingComposeW
RpcBindingUnbind
RpcBindingFree
I_RpcExceptionFilter
RpcBindingBind
UuidFromStringW
RpcBindingCreateW
RpcRevertToSelf
RpcImpersonateClient
I_RpcBindingInqLocalClientPID
UuidCreate
UuidToStringW
RpcAsyncAbortCall
I_RpcMapWin32Status
RpcAsyncCompleteCall

api-ms-win-core-com-l1-1-0

CoUninitialize
CoInitializeEx
CoGetMalloc
CoTaskMemRealloc
CoTaskMemFree
CoCreateInstance
CoTaskMemAlloc

api-ms-win-core-string-l1-1-0

CompareStringW
WideCharToMultiByte
CompareStringOrdinal

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW
RegDeleteKeyValueW

api-ms-win-power-base-l1-1-0

PowerDeterminePlatformRoleEx

api-ms-win-core-file-l1-1-0

CompareFileTime
GetShortPathNameW
CreateFileW
GetFileAttributesW

api-ms-win-core-timezone-l1-1-0

SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime

api-ms-win-core-datetime-l1-1-0

GetTimeFormatW
GetDateFormatW

api-ms-win-power-setting-l1-1-0

PowerSettingUnregisterNotification
PowerSettingRegisterNotification

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-shutdown-l1-1-1

InitiateShutdownW

api-ms-win-service-management-l1-1-0

OpenServiceW
CloseServiceHandle
StartServiceW
OpenSCManagerW

api-ms-win-service-management-l2-1-0

QueryServiceConfigW
NotifyServiceStatusChangeW
QueryServiceStatusEx

api-ms-win-core-rtlsupport-l1-1-0

RtlCompareMemory
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

api-ms-win-eventing-classicprovider-l1-1-0

UnregisterTraceGuids
GetTraceLoggerHandle
GetTraceEnableFlags
GetTraceEnableLevel
RegisterTraceGuidsW

api-ms-win-security-credentials-l1-1-0

CredFree
CredUnmarshalCredentialW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW
LookupAccountSidW

api-ms-win-core-version-l1-1-0

GetFileVersionInfoSizeExW
VerQueryValueW
GetFileVersionInfoExW

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer

api-ms-win-service-winsvc-l1-1-0

QueryServiceStatus

api-ms-win-core-job-l2-1-0

TerminateJobObject
AssignProcessToJobObject
QueryInformationJobObject
CreateJobObjectW
SetInformationJobObject

api-ms-win-security-lsapolicy-l1-1-0

LsaQueryInformationPolicy
LsaStorePrivateData
LsaClose
LsaFreeMemory
LsaOpenPolicy

api-ms-win-core-appcompat-l1-1-0

BaseInitAppcompatCacheSupport

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-security-credentials-l2-1-0

CredReadByTokenHandle

api-ms-win-base-bootconfig-l1-1-0

NotifyBootConfigStatus

api-ms-win-eventlog-legacy-l1-1-0

RegisterEventSourceW
GetEventLogInformation
DeregisterEventSource
ReportEventW

api-ms-win-core-threadpool-legacy-l1-1-0

QueueUserWorkItem
CreateTimerQueueTimer
DeleteTimerQueueTimer
UnregisterWaitEx

api-ms-win-core-kernel32-legacy-l1-1-0

UnregisterWait
RegisterWaitForSingleObject
GetComputerNameW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathIsRelativeW

api-ms-win-core-registry-l2-1-0

RegOpenKeyW
RegCreateKeyW

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

kernelbase

CreateProcessInternalW
AppContainerDeriveSidFromMoniker

ntdll

WinSqmIsOptedIn
NtCreateEvent
RtlAddAce
RtlSetDaclSecurityDescriptor
RtlGetDaclSecurityDescriptor
NtAdjustPrivilegesToken
NtDuplicateToken
RtlUnhandledExceptionFilter
NtQueryInformationProcess
NtSetInformationThread
NtDeviceIoControlFile
WinSqmEndSession
RtlInitializeResource
RtlAcquireResourceExclusive
RtlReleaseResource
RtlDeleteResource
NtGetCachedSigningLevel
WinSqmSetString
NtOpenEvent
NtSetEvent
RtlGetCurrentServiceSessionId
NtDeleteWnfStateName
NtCreateWnfStateName
RtlQueryResourcePolicy
__isascii
isupper
wcstok_s
_vsnprintf
RtlGetNtProductType
RtlSetSystemBootStatus
RtlRemovePrivileges
RtlpVerifyAndCommitUILanguageSettings
NtSetInformationProcess
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
NtShutdownSystem
RtlCompareUnicodeString
RtlCreateEnvironment
TpReleaseTimer
TpWaitForTimer
TpAllocTimer
TpSetTimer
NtOpenThreadToken
NtOpenFile
RtlAppendUnicodeToString
NtOpenDirectoryObject
RtlFreeSid
NtSetSecurityObject
RtlSetSaclSecurityDescriptor
RtlAddMandatoryAce
RtlCreateAcl
RtlCreateSecurityDescriptor
RtlAllocateAndInitializeSid
RtlDestroyEnvironment
RtlCopySid
RtlNtStatusToDosErrorNoTeb
RtlSetEnvironmentVariable
RtlQueryEnvironmentVariable_U
RtlExpandEnvironmentStrings_U
RtlInitUnicodeStringEx
RtlGetAce
NtSetIRTimer
NtCreateIRTimer
NtSetInformationToken
NtCreateToken
RtlSubscribeWnfStateChangeNotification
RtlQueryWnfStateData
TpAllocWait
WinSqmSetDWORD
TpPostWork
TpAllocWork
RtlUnsubscribeWnfNotificationWaitForCompletion
TpReleaseWork
TpWaitForWork
TpReleaseWait
TpWaitForWait
TpSetWait
NtFilterToken
NtInitiatePowerAction
RtlAdjustPrivilege
RtlPublishWnfStateData
RtlLengthSid
EtwEventWriteStartScenario
EtwEventWriteEndScenario
RtlInitUnicodeString
NtAllocateLocallyUniqueId
RtlDeregisterWait
RtlRegisterWait
RtlTimeToSecondsSince1980
WinSqmAddToStream
TpSimpleTryPost
RtlEqualSid
EtwEventEnabled
EtwEventWrite
RtlCopyLuid
NtPowerInformation
EtwEventActivityIdControl
RtlGetActiveConsoleId
RtlInitString
NtQuerySystemInformation
NtSystemDebugControl
NtQueryInformationToken
NtOpenProcessToken
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlInitializeCriticalSection
RtlDeleteCriticalSection
RtlFreeUnicodeString
RtlNtStatusToDosError
RtlDuplicateUnicodeString
NtClose
RtlOpenCurrentUser
EtwTraceMessage
EtwEventRegister
EtwEventUnregister
EtwEventWriteTransfer
EtwEventSetInformation
WinSqmStartSession

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteString
WindowsCreateStringReference
WindowsGetStringRawBuffer

api-ms-win-core-winrt-l1-1-0

RoActivateInstance

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 640KB - Virtual size: 638KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 160KB - Virtual size: 156KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d36ccd47e1e359036777e2b9aa784047

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-memory-l1-1-1

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-security-base-l1-1-0

rpcrt4

api-ms-win-core-com-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-registry-l1-1-1

api-ms-win-power-base-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-power-setting-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-shutdown-l1-1-1

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-security-credentials-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-core-job-l2-1-0

api-ms-win-security-lsapolicy-l1-1-0

api-ms-win-core-appcompat-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-security-credentials-l2-1-0

api-ms-win-base-bootconfig-l1-1-0

api-ms-win-eventlog-legacy-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-stateseparation-helpers-l1-1-0

kernelbase

ntdll

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 640KB - Virtual size: 638KB

.rdata Size: 160KB - Virtual size: 156KB

.data Size: 20KB - Virtual size: 26KB

.pdata Size: 28KB - Virtual size: 27KB

.didat Size: 4KB - Virtual size: 1KB

.rsrc Size: 20KB - Virtual size: 19KB

.text
Size: 640KB - Virtual size: 638KB

.rdata
Size: 160KB - Virtual size: 156KB

.data
Size: 20KB - Virtual size: 26KB

.pdata
Size: 28KB - Virtual size: 27KB

.didat
Size: 4KB - Virtual size: 1KB

.rsrc
Size: 20KB - Virtual size: 19KB

.reloc
Size: 4KB - Virtual size: 3KB