SettingSyncHost[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

SettingSyncHost.exe
Size

482KB
MD5

97de53fb987dcac0a245d490b8c8500f
SHA1

c7007e61d81075f99fa3e448f2b24520d399216c
SHA256

06e6fe30f85cea70c9727c678fb9293ec58c5c651e9c0db323b46f35abf8d7cb
SHA512

943342dac99c75ce58b776f89ecdb720dd5c133c2bc34178c5668e347e30531ff53b6b9715313e69cd7b626c8224d1dc521419db46d9c0e886bf83d47839909f
SSDEEP

12288:U6vTjDyx76CGcTceTrAUcGkiwy36rQozaB:U6vTjDyx76CXTceTEfXiwysQow

Score

1^/10

Malware Config

Signatures

Files

SettingSyncHost.exe
.exe windows x86

b4eec7289c891fdb7b1c54dca7edffeb

Code Sign

33:00:00:02:32:41:fb:59:99:6d:cc:4d:ff:00:00:00:00:02:32
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:24

Not After

02/05/2020, 21:24

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

44:25:c8:ca:e4:12:85:4e:00:be:46:76:48:fd:eb:2b:3b:76:2c:c8:ee:18:a7:bf:2e:e8:8b:0d:93:ba:1c:27
Signer

Actual PE Digest

44:25:c8:ca:e4:12:85:4e:00:be:46:76:48:fd:eb:2b:3b:76:2c:c8:ee:18:a7:bf:2e:e8:8b:0d:93:ba:1c:27

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

__dllonexit
_onexit
__CxxFrameHandler3
?terminate@@YAXXZ
__p__fmode
_cexit
_exit
_controlfp
_except_handler4_common
memcpy
exit
__set_app_type
_unlock
memcmp
iswalnum
__wgetmainargs
wcschr
rand
srand
_amsg_exit
__p__commode
_XcptFilter
_ftol2
__setusermatherr
free
_callnewh
_get_errno
_set_errno
_lock
memmove
_purecall
wcsncpy_s
malloc
realloc
wcsstr
_wcmdln
memcpy_s
swscanf_s
_wcsicmp
_wcsnicmp
_wcstoui64
_vsnwprintf
memmove_s
_initterm
wcstok_s
time
memset

api-ms-win-core-libraryloader-l1-2-0

FreeLibraryAndExitThread
LoadResource
LockResource
SizeofResource
GetModuleHandleExW
GetModuleHandleA
LoadLibraryExW
FreeLibrary
GetModuleFileNameA
GetModuleFileNameW
GetProcAddress

api-ms-win-core-synch-l1-2-0

EnterCriticalSection
LeaveCriticalSection
OpenEventW
InitOnceExecuteOnce
CreateEventExW
InitializeSRWLock
CreateEventW
ResetEvent
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
InitOnceBeginInitialize
ReleaseSRWLockShared
Sleep
CreateSemaphoreExW
ReleaseSemaphore
InitOnceComplete
WaitForSingleObject
WaitForSingleObjectEx
InitializeCriticalSection
CreateMutexExW
SetEvent
DeleteCriticalSection
AcquireSRWLockShared
InitializeCriticalSectionEx
ReleaseMutex
OpenSemaphoreW

api-ms-win-core-heap-l1-2-0

HeapSetInformation
HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-errorhandling-l1-1-1

RaiseException
GetLastError
SetUnhandledExceptionFilter
SetLastError
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-2

GetStartupInfoW
GetCurrentProcessId
TlsGetValue
TerminateProcess
SetThreadPriority
ProcessIdToSessionId
GetCurrentProcess
TlsFree
TlsAlloc
OpenThreadToken
OpenProcessToken
SetPriorityClass
GetCurrentThread
TlsSetValue
CreateThread
CreateProcessW
GetCurrentThreadId

api-ms-win-core-localization-l1-2-1

GetGeoInfoW
GetUserGeoID
FormatMessageW

api-ms-win-core-debug-l1-1-1

OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-core-com-l1-1-1

CoTaskMemAlloc
CoUninitialize
CoTaskMemRealloc
CoRegisterClassObject
CoReleaseMarshalData
CoWaitForMultipleHandles
CoCreateGuid
StringFromIID
CoRevokeClassObject
CoResumeClassObjects
CoAddRefServerProcess
CoReleaseServerProcess
CoGetCallContext
CoInitializeEx
PropVariantClear
CoGetApartmentType
CoGetMalloc
RoGetAgileReference
CoGetInterfaceAndReleaseStream
CoSetProxyBlanket
StringFromGUID2
CoMarshalInterThreadInterfaceInStream
CoCreateFreeThreadedMarshaler
StringFromCLSID
CoDisableCallCancellation
CoEnableCallCancellation
CoTaskMemFree
CoCreateInstance
CoCancelCall
CLSIDFromString
CoFreeUnusedLibraries

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference
WindowsStringHasEmbeddedNull
WindowsDeleteString
WindowsIsStringEmpty
WindowsCreateString
WindowsGetStringRawBuffer

api-ms-win-shcore-thread-l1-1-0

SHCreateThreadRef
SHCreateThreadWithHandle
SHSetThreadRef

api-ms-win-core-threadpool-legacy-l1-1-0

CreateTimerQueueTimer
DeleteTimerQueueTimer

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolWait
CloseThreadpoolWait
CreateThreadpoolWait
CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CallbackMayRunLong
FreeLibraryWhenCallbackReturns
TrySubmitThreadpoolCallback
SetThreadpoolTimer

api-ms-win-core-sysinfo-l1-2-1

GetTickCount64
GetVersionExW
GetSystemDirectoryW
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-synch-l1-2-1

CreateSemaphoreW

api-ms-win-core-heap-l2-1-0

LocalReAlloc
LocalFree
LocalAlloc

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
CompareStringOrdinal
MultiByteToWideChar

api-ms-win-eventing-provider-l1-1-0

EventWrite
EventUnregister
EventSetInformation
EventRegister
EventWriteTransfer

api-ms-win-core-registry-l1-1-0

RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegDeleteTreeW
RegEnumValueW
RegCloseKey
RegSetValueExW
RegGetValueW
RegQueryValueExW
RegOpenCurrentUser
RegQueryInfoKeyW
RegDeleteValueW

api-ms-win-core-file-l1-2-1

CompareFileTime
GetTempPathW
FindFirstFileW
FindNextFileW
RemoveDirectoryW
DeleteFileW
GetFileAttributesExW
CreateDirectoryW
SetFileAttributesW
GetFileAttributesW
FindClose

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
UnregisterTraceGuids
RegisterTraceGuidsW
TraceMessage

ntdll

RtlGetSuiteMask
vDbgPrintEx
NtPowerInformation
ZwClose
AlpcGetMessageAttribute
AlpcInitializeMessageAttribute
TpWaitForAlpcCompletion
ZwAlpcConnectPort
RtlWaitOnAddress
ZwAlpcQueryInformation
TpReleaseAlpcCompletion
ZwAlpcSendWaitReceivePort
ZwAlpcDisconnectPort
TpAllocAlpcCompletion
RtlWakeAddressAll
ZwAlpcCancelMessage
RtlFreeHeap
RtlAllocateHeap
RtlInitUnicodeString
RtlPublishWnfStateData
RtlSubscribeWnfStateChangeNotification
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlFreeUnicodeString
RtlConvertSidToUnicodeString
NtQueryWnfStateData
EtwTraceMessage
EtwEventActivityIdControl
EtwEventWrite
NtSetInformationProcess
NtSetInformationThread
RtlNtStatusToDosError

api-ms-win-core-libraryloader-l1-2-2

FindResourceW

api-ms-win-shcore-stream-l1-1-0

SHCreateMemStream
IStream_Write
SHOpenRegStream2W
SHCreateStreamOnFileW
IStream_Reset

api-ms-win-shcore-obsolete-l1-1-0

SHStrDupW
CommandLineToArgvW

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo
RoOriginateErrorW
SetRestrictedErrorInfo
RoTransformError
RoOriginateError

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-winrt-l1-1-0

RoRevokeActivationFactories
RoActivateInstance
RoRegisterActivationFactories
RoGetActivationFactory

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-string-l2-1-0

CharLowerBuffW

api-ms-win-core-path-l1-1-0

PathCchAppend
PathAllocCombine

api-ms-win-shcore-registry-l1-1-1

SHSetValueW
SHRegSetPathW
SHDeleteValueW
SHRegGetValueW
SHRegGetPathW
SHDeleteKeyW

api-ms-win-core-registry-l1-1-1

RegDeleteKeyValueW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathStripPathW

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-core-shlwapi-obsolete-l1-2-0

StrStrIW
StrToIntExW
QISearch

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW

api-ms-win-security-base-l1-2-0

GetTokenInformation
CreateWellKnownSid
GetSidSubAuthority
AdjustTokenPrivileges

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-security-provider-l1-1-0

GetNamedSecurityInfoW
SetNamedSecurityInfoW
SetEntriesInAclW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI
DelayLoadFailureHook

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-url-l1-1-0

UrlEscapeW

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime

api-ms-win-power-base-l1-1-0

PowerDeterminePlatformRoleEx

api-ms-win-core-version-l1-1-0

VerQueryValueW
GetFileVersionInfoExW
GetFileVersionInfoSizeExW

propsys

PropVariantToStringAlloc
PropVariantToUInt32
PSCreateMemoryPropertyStore

Sections

.text
Size: 428KB - Virtual size: 427KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 200B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

b4eec7289c891fdb7b1c54dca7edffeb

Code Sign

33:00:00:02:32:41:fb:59:99:6d:cc:4d:ff:00:00:00:00:02:32Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

44:25:c8:ca:e4:12:85:4e:00:be:46:76:48:fd:eb:2b:3b:76:2c:c8:ee:18:a7:bf:2e:e8:8b:0d:93:ba:1c:27Signer

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-heap-l1-2-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-localization-l1-2-1

api-ms-win-core-debug-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-shcore-thread-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-synch-l1-2-1

api-ms-win-core-heap-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-file-l1-2-1

api-ms-win-eventing-classicprovider-l1-1-0

ntdll

api-ms-win-core-libraryloader-l1-2-2

api-ms-win-shcore-stream-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-util-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-path-l1-1-0

api-ms-win-shcore-registry-l1-1-1

api-ms-win-core-registry-l1-1-1

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-2-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-security-base-l1-2-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-security-provider-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-url-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-power-base-l1-1-0

api-ms-win-core-version-l1-1-0

propsys

Sections

.text Size: 428KB - Virtual size: 427KB

.data Size: 1024B - Virtual size: 3KB

.idata Size: 11KB - Virtual size: 11KB

.didat Size: 512B - Virtual size: 200B

.rsrc Size: 9KB - Virtual size: 8KB

.reloc Size: 23KB - Virtual size: 22KB

33:00:00:02:32:41:fb:59:99:6d:cc:4d:ff:00:00:00:00:02:32
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

44:25:c8:ca:e4:12:85:4e:00:be:46:76:48:fd:eb:2b:3b:76:2c:c8:ee:18:a7:bf:2e:e8:8b:0d:93:ba:1c:27
Signer

.text
Size: 428KB - Virtual size: 427KB

.data
Size: 1024B - Virtual size: 3KB

.idata
Size: 11KB - Virtual size: 11KB

.didat
Size: 512B - Virtual size: 200B

.rsrc
Size: 9KB - Virtual size: 8KB

.reloc
Size: 23KB - Virtual size: 22KB