fsutil[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

fsutil.exe
Size

183KB
MD5

e760a27a84d19019162c58bf65d67140
SHA1

3c0f8d8ad7c0bfb2ef910ac29ec24f21fbef2100
SHA256

3762905d403535575b1cba85beaf5863ed16529012ff416e2ef0f1d6b4964bfb
SHA512

a7254c6c910e8b315a96cbe0fb7b5f6a8daaa1922a766067f326a289df64d125928c76655e34f55bf66fff468ca150fffec9a05f1bfa3899edcb3fc2cc9694ae
SSDEEP

3072:fUXp6ObpCF0IRkH6V+adIA166ltsV6NSYLobyImRHS4MHlYoPfQNNZ0wy2oQF4q4:iPbpCF0IRkH6V+adIA166ltsV6NSYLo9

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
fsutil.exe

Files

fsutil.exe
.exe windows x64

7c32a8ec1e76b16706721b7107567fc2

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_initterm
__wgetmainargs
_amsg_exit
_XcptFilter
wcstol
_fmode
wcstok_s
_wcstoui64
_commode
?terminate@@YAXXZ
wcstoul
iswctype
_errno
exit
_wcsdup
wcsncpy_s
memcpy_s
wcscpy_s
realloc
__set_app_type
_wtoi
wcsrchr
wcscat_s
isalpha
memset
isdigit
memmove
toupper
setlocale
calloc
_vsnwprintf
memcpy
_exit
wprintf
swprintf_s
_local_unwind
__C_specific_handler
malloc
free
wcschr
_wcsnicmp
_wcsicmp
towupper
_cexit
__setusermatherr
wcscmp

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
NtClose
RtlVerifyVersionInfo
VerSetConditionMask
NtQuerySystemInformation
RtlTimeToTimeFields
RtlStringFromGUID
RtlInitializeCriticalSection
NtEnumerateTransactionObject
RtlGetOwnerSecurityDescriptor
RtlAllocateHeap
NtQuerySecurityObject
RtlFreeUnicodeString
RtlConvertSidToUnicodeString
NtCreateFile
RtlVirtualUnwind
RtlDosPathNameToNtPathName_U
RtlSetCurrentTransaction
RtlGetCurrentTransaction
NtSetQuotaInformationFile
NtQueryQuotaInformationFile
RtlLengthSid
NtSetVolumeInformationFile
NtOpenFile
RtlInitUnicodeString
NtQueryVolumeInformationFile
NtQueryEaFile
NtQueryInformationFile
RtlNtStatusToDosError
NtSetInformationFile
RtlInitializeGenericTableAvl
RtlInsertElementGenericTableAvl
RtlLookupElementGenericTableAvl
RtlFreeHeap

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegEnumValueW
RegEnumKeyExW
RegSetValueExW

api-ms-win-core-file-l1-1-0

FindNextVolumeW
FindFirstVolumeW
SetFilePointerEx
GetDiskFreeSpaceExW
GetFinalPathNameByHandleW
GetFileSizeEx
SetEndOfFile
GetFileInformationByHandle
DeleteFileW
FindVolumeClose
GetLogicalDriveStringsW
GetDriveTypeW
GetFileType
FindClose
GetVolumeInformationW
CreateFileW
FindNextFileW
FindFirstFileW
QueryDosDeviceW
GetVolumePathNameW
WriteFile
CreateDirectoryW
GetFileAttributesW
GetFullPathNameW
GetTempFileNameW

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount
GetSystemDirectoryW
GetWindowsDirectoryW
GetVersionExW
GetSystemInfo
GetComputerNameExW

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
RaiseException
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
LoadLibraryExA
GetProcAddress
GetModuleFileNameA
GetModuleHandleW

api-ms-win-security-base-l1-1-0

AllocateAndInitializeSid
CheckTokenMembership
AdjustTokenPrivileges
FreeSid

api-ms-win-core-processthreads-l1-1-0

CreateProcessW
TerminateProcess
GetCurrentProcess
GetCurrentProcessId
OpenProcessToken
GetCurrentThreadId

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW
LookupAccountSidW
LookupPrivilegeValueW

api-ms-win-core-com-l1-1-0

CoTaskMemFree
IIDFromString
StringFromIID
StringFromGUID2

api-ms-win-core-localization-l1-2-0

SetThreadUILanguage
FormatMessageW
GetLocaleInfoEx

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-file-l2-1-0

CreateHardLinkW
GetFileInformationByHandleEx

api-ms-win-core-file-l2-1-1

OpenFileById

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-core-file-l1-2-2

FindNextFileNameW
FindFirstFileNameW

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapSetInformation
HeapFree
GetProcessHeap

api-ms-win-security-lsalookup-l1-1-0

LookupAccountSidLocalW
LookupAccountNameLocalW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetTimeFormatW

api-ms-win-core-console-l1-1-0

GetConsoleOutputCP
WriteConsoleW
GetConsoleMode
SetConsoleCtrlHandler

api-ms-win-core-synch-l1-1-0

AcquireSRWLockExclusive
WaitForSingleObject
ReleaseSRWLockExclusive

api-ms-win-core-processenvironment-l1-1-0

GetStdHandle
GetCurrentDirectoryW
ExpandEnvironmentStringsW

api-ms-win-core-file-l1-2-0

GetVolumePathNamesForVolumeNameW
GetVolumeNameForVolumeMountPointW
GetTempPathW

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-security-lsapolicy-l1-1-0

LsaFreeMemory
LsaLookupSids
LsaOpenPolicy

api-ms-win-core-localization-l2-1-0

GetNumberFormatEx

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventUnregister
EventSetInformation
EventProviderEnabled
EventRegister

api-ms-win-core-memory-l1-1-0

VirtualQuery
VirtualProtect

Sections

.text
Size: 137KB - Virtual size: 137KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 30KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 996B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7c32a8ec1e76b16706721b7107567fc2

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

ntdll

api-ms-win-core-registry-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-file-l2-1-1

api-ms-win-core-string-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-file-l1-2-2

api-ms-win-core-heap-l1-1-0

api-ms-win-security-lsalookup-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-lsapolicy-l1-1-0

api-ms-win-core-localization-l2-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-memory-l1-1-0

Sections

.text Size: 137KB - Virtual size: 137KB

.rdata Size: 30KB - Virtual size: 29KB

.data Size: 6KB - Virtual size: 8KB

.pdata Size: 4KB - Virtual size: 4KB

.didat Size: 512B - Virtual size: 120B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 1024B - Virtual size: 996B

.text
Size: 137KB - Virtual size: 137KB

.rdata
Size: 30KB - Virtual size: 29KB

.data
Size: 6KB - Virtual size: 8KB

.pdata
Size: 4KB - Virtual size: 4KB

.didat
Size: 512B - Virtual size: 120B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 996B