UtcSvc[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

UtcSvc.exe
Size

4.0MB
MD5

49511208e88985fd561263c06e838b23
SHA1

a04a2386f56065cbf7a37c9efca9332a33fba11d
SHA256

21b519a71ed770f476f83637824dfc0d15ddfb3b83887c6bc11d052e1b469e12
SHA512

ecf9eb8e6b22a08f7721ee958b528f7afc5085e6452de410967d0a8116fa41066062aacb398b1063afff5d9007f6e88c159890c45f7640b384e6724928216940
SSDEEP

49152:VQtT8Nq8lEnnZ0pHx++M+W6Bad7iT6mEisCMXdI2123gs7XjbA82qQjCsoxwqp5J:2N9KBakKdpazcUxtrB

Score

1^/10

Malware Config

Signatures

Files

UtcSvc.exe
.exe windows:5 windows x64

99c07706b3d6f7c107e31233afe3b79e

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21/12/2012, 00:00

Not After

30/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18/10/2012, 00:00

Not After

29/12/2020, 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

11:21:dc:38:37:99:85:1e:10:2b:df:a4:28:b9:66:78:75:8e
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

26/12/2012, 07:38

Not After

27/12/2015, 07:38

Subject

CN=SoftEther K.K.,OU=Research and Development,O=SoftEther K.K.,L=Tsukuba,ST=Ibaraki,C=JP

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

e8:ec:8f:00:c1:dd:ba:23:07:3d:e7:0f:fc:bf:b9:3d:af:12:fe:52
Signer

Actual PE Digest

e8:ec:8f:00:c1:dd:ba:23:07:3d:e7:0f:fc:bf:b9:3d:af:12:fe:52

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

QueryPerformanceCounter
GetDriveTypeA
CreateFileW
CreateDirectoryW
CreateDirectoryA
RemoveDirectoryW
RemoveDirectoryA
DeleteFileW
DeleteFileA
GetFileAttributesW
GetFileAttributesA
FreeResource
LockResource
SizeofResource
LoadResource
FindResourceA
LoadLibraryExA
LoadLibraryExW
SetFileAttributesA
SetFileAttributesW
GetComputerNameA
LocalFree
GetCurrentProcess
GetThreadLocale
SetConsoleScreenBufferSize
GetConsoleScreenBufferInfo
GetStdHandle
LoadLibraryW
GetShortPathNameA
GetShortPathNameW
TerminateProcess
OpenProcess
SetThreadAffinityMask
GetCurrentThread
SetEvent
lstrcmpiA
GetCurrentProcessId
SetThreadPriority
FindClose
FindNextFileA
FindNextFileW
FindFirstFileA
FindFirstFileW
GetTempPathW
GetTempPathA
GetSystemDirectoryA
SetUnhandledExceptionFilter
GetModuleFileNameW
GetModuleFileNameA
GetCommandLineW
GetCommandLineA
FlushFileBuffers
GetTimeZoneInformation
HeapFree
GetProcessHeap
RaiseException
GetDiskFreeSpaceExW
GetDiskFreeSpaceExA
FileTimeToSystemTime
GetCurrentDirectoryW
GetCurrentDirectoryA
GlobalMemoryStatus
SetPriorityClass
CreateProcessW
CreateProcessA
MoveFileW
MoveFileA
SetFilePointer
GetFileSize
GetFileInformationByHandle
SetFileTime
SystemTimeToFileTime
HeapCreate
InitializeCriticalSection
DeleteCriticalSection
HeapDestroy
HeapAlloc
QueryPerformanceFrequency
GetSystemTime
EnterCriticalSection
LeaveCriticalSection
ResetEvent
ReadConsoleA
ReadConsoleW
WriteConsoleA
WriteConsoleW
GetVersion
MultiByteToWideChar
GetFileType
GetTickCount
GetVersionExW
SetLastError
WideCharToMultiByte
FlushConsoleInputBuffer
SetErrorMode
ReleaseMutex
PulseEvent
GetComputerNameW
GetSystemDefaultLCID
GetUserDefaultLCID
GetExitCodeProcess
GetLocalTime
WaitForMultipleObjects
GetLastError
OpenEventA
CreateEventA
DeviceIoControl
GetVersionExA
TlsAlloc
GetCurrentThreadId
MulDiv
GetModuleHandleA
EnumResourceNamesA
LoadLibraryA
WaitForSingleObject
EscapeCommFunction
ReadFile
WriteFile
CreateFileA
BuildCommDCBA
GetConsoleOutputCP
SetEnvironmentVariableW
SetEnvironmentVariableA
CompareStringW
CompareStringA
GetLocaleInfoW
HeapSize
PeekNamedPipe
GetFullPathNameA
SetStdHandle
LCMapStringW
LCMapStringA
GetStringTypeW
GetStringTypeA
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetConsoleCP
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
RtlPcToFileHeader
InitializeCriticalSectionAndSpinCount
RtlVirtualUnwind
IsDebuggerPresent
HeapSetInformation
FlsAlloc
FlsFree
FlsSetValue
FlsGetValue
DecodePointer
EncodePointer
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetConsoleMode
SetConsoleMode
ReadConsoleInputA
SetConsoleCtrlHandler
FileTimeToLocalFileTime
RtlCaptureContext
UnhandledExceptionFilter
GetSystemTimeAsFileTime
CreateThread
ExitThread
RtlUnwindEx
RtlLookupFunctionEntry
ExitProcess
GetModuleHandleW
GetStartupInfoA
LocalAlloc
SetCommState
SetCommTimeouts
Sleep
OpenMutexA
CloseHandle
CreateMutexA
TlsSetValue
TlsGetValue
GetProcAddress
FreeLibrary
HeapReAlloc
SetEndOfFile

gdi32

DeleteDC
CreateFontA
GetDeviceCaps
GetTextMetricsA
GetTextExtentPoint32A
SetBkMode
SetBkColor
SetTextColor
SelectObject
CreateDIBSection
BitBlt
GdiFlush
DeleteObject
GetObjectA
CreateCompatibleDC
GetStockObject

comdlg32

GetSaveFileNameA
GetSaveFileNameW
GetOpenFileNameA
GetOpenFileNameW

shell32

SHChangeNotify
SHGetSpecialFolderLocation
Shell_NotifyIconA
ShellExecuteA
SHGetPathFromIDListA
SHBrowseForFolderA
Shell_NotifyIconW
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetMalloc
ShellExecuteExA
ShellExecuteExW
ShellExecuteW

ole32

CoUninitialize
CoInitialize
PropVariantClear
CoCreateInstance

oleaut32

SysFreeString
SysAllocString

ws2_32

WSAIoctl
shutdown
listen
accept
send
getpeername
htonl
bind
htons
setsockopt
connect
recvfrom
ntohs
socket
closesocket
WSAEventSelect
WSACleanup
WSAStartup
WSAGetLastError
gethostname
WSASetLastError
inet_ntoa
getsockopt
sendto
getsockname
getservbyname
inet_addr
gethostbyname
gethostbyaddr
getservbyport
ioctlsocket
recv

winmm

timeGetTime
PlaySoundA

comctl32

ImageList_ReplaceIcon
CreatePropertySheetPageW
InitCommonControlsEx
CreateStatusWindowW
ImageList_Destroy
ImageList_Create
ImageList_SetBkColor
PropertySheetW

iphlpapi

GetIpStatistics

version

GetFileVersionInfoSizeW
GetFileVersionInfoSizeA
GetFileVersionInfoA
GetFileVersionInfoW
VerQueryValueA

netapi32

Netbios

shlwapi

SHStrDupW

urlmon

CreateURLMoniker

Sections

.text
Size: 3.1MB - Virtual size: 3.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 468KB - Virtual size: 467KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 195KB - Virtual size: 227KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 117KB - Virtual size: 116KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

99c07706b3d6f7c107e31233afe3b79e

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3bCertificate

Extended Key Usages

Key Usages

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

Key Usages

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50Certificate

Extended Key Usages

Key Usages

11:21:dc:38:37:99:85:1e:10:2b:df:a4:28:b9:66:78:75:8eCertificate

Extended Key Usages

Key Usages

e8:ec:8f:00:c1:dd:ba:23:07:3d:e7:0f:fc:bf:b9:3d:af:12:fe:52Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

gdi32

comdlg32

shell32

ole32

oleaut32

ws2_32

winmm

comctl32

iphlpapi

version

netapi32

shlwapi

urlmon

Sections

.text Size: 3.1MB - Virtual size: 3.1MB

.rdata Size: 468KB - Virtual size: 467KB

.data Size: 195KB - Virtual size: 227KB

.pdata Size: 117KB - Virtual size: 116KB

.rsrc Size: 62KB - Virtual size: 62KB

.reloc Size: 31KB - Virtual size: 31KB

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

11:21:dc:38:37:99:85:1e:10:2b:df:a4:28:b9:66:78:75:8e
Certificate

e8:ec:8f:00:c1:dd:ba:23:07:3d:e7:0f:fc:bf:b9:3d:af:12:fe:52
Signer

.text
Size: 3.1MB - Virtual size: 3.1MB

.rdata
Size: 468KB - Virtual size: 467KB

.data
Size: 195KB - Virtual size: 227KB

.pdata
Size: 117KB - Virtual size: 116KB

.rsrc
Size: 62KB - Virtual size: 62KB

.reloc
Size: 31KB - Virtual size: 31KB