fsutil[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

fsutil.exe
Size

195KB
MD5

d975e83244b3233afe578196e2728599
SHA1

0f468b40d6634fba2b5adfeb1c68c8ec00c04547
SHA256

cb89a8ccdb934d04d202bb9b800bc7340606a71888cff0192ec5a39733586b90
SHA512

9cf220d6c1af8b2f8dc08d7a44f153f3bb3cb882bd1ea08bb53a4200496f3bac6885b07c18b0a4e77717aa2d517ea4a6f3eb2fe123ae3318cc93268c788f0f42
SSDEEP

6144:13FfvgQGoYtzycRlnzb80UXm2xqLxclENy2ClIy9xqLDIZSyP9Jnw9dNhoE+DZkQ:HfvgQGosycPn5U22ILueNy2ClIy9xqL8

Score

1^/10

Malware Config

Signatures

Files

fsutil.exe
.exe windows:10 windows x86

396a19b2f5016a7923fb04bba9ffe1cd

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

75:32:df:4a:bb:d3:86:23:2d:9d:5e:a4:13:76:8d:83:86:65:c5:84:ce:c9:2b:0e:10:b2:01:03:76:81:f3:63
Signer

Actual PE Digest

75:32:df:4a:bb:d3:86:23:2d:9d:5e:a4:13:76:8d:83:86:65:c5:84:ce:c9:2b:0e:10:b2:01:03:76:81:f3:63

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

wcstol
calloc
wcschr
_errno
_XcptFilter
_pclose
_amsg_exit
fgetws
wcstok_s
_wcstoui64
__wgetmainargs
__set_app_type
_wpopen
iswctype
_wcsdup
wcsncpy_s
_exit
_cexit
__p__fmode
memcpy_s
__setusermatherr
wcscpy_s
realloc
_initterm
towupper
_wtoi
wcsrchr
wcscat_s
isalpha
isdigit
toupper
mbstowcs_s
wcstoul
_except_handler4_common
?terminate@@YAXXZ
_controlfp
setlocale
_vsnwprintf
wprintf
swprintf_s
malloc
_wcsicmp
free
memcpy
_local_unwind4
exit
_wcsnicmp
__p__commode
memset

ntdll

RtlInitializeBitMap
RtlSetBits
RtlSetBit
NtFlushBuffersFileEx
NtClose
RtlVerifyVersionInfo
VerSetConditionMask
RtlGetLastNtStatus
NtQuerySystemInformation
RtlTimeToTimeFields
RtlStringFromGUID
NtEnumerateTransactionObject
RtlGetOwnerSecurityDescriptor
RtlAllocateHeap
NtQuerySecurityObject
RtlConvertSidToUnicodeString
NtCreateFile
RtlFreeHeap
RtlDosPathNameToNtPathName_U
RtlSetCurrentTransaction
RtlNumberOfSetBits
NtSetQuotaInformationFile
NtQueryQuotaInformationFile
RtlInitializeCriticalSection
RtlLengthSid
NtSetVolumeInformationFile
NtOpenFile
RtlInitUnicodeString
NtQueryVolumeInformationFile
NtQueryEaFile
NtQueryInformationFile
NtSetInformationFile
RtlInitializeGenericTableAvl
RtlInsertElementGenericTableAvl
RtlLookupElementGenericTableAvl
RtlWriteRegistryValue
RtlDeleteRegistryValue
RtlFreeUnicodeString
RtlQueryRegistryValuesEx
RtlNtStatusToDosError
RtlGetVersion
RtlGetCurrentTransaction

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegCloseKey
RegOpenKeyExW
RegEnumValueW
RegEnumKeyExW
RegDeleteValueW
RegSetValueExW

api-ms-win-core-file-l1-1-0

GetTempFileNameW
FindNextFileW
ReadFile
WriteFile
QueryDosDeviceW
GetFullPathNameW
GetFileType
GetFileAttributesW
CreateDirectoryW
FindVolumeClose
CreateFileW
FindNextVolumeW
FindFirstVolumeW
GetFileInformationByHandle
FindFirstFileW
FindClose
GetDiskFreeSpaceExW
DeleteFileW
SetFilePointerEx
GetVolumePathNameW
GetDriveTypeW
GetLogicalDriveStringsW
GetFileSizeEx
GetFinalPathNameByHandleW
SetEndOfFile
GetVolumeInformationW

api-ms-win-core-sysinfo-l1-1-0

GetComputerNameExW
GetSystemDirectoryW
GetTickCount
GetWindowsDirectoryW
GetSystemTimeAsFileTime
GetVersionExW
GetSystemInfo

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetLastError
RaiseException
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-processtopology-obsolete-l1-1-0

GetActiveProcessorCount

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
GetModuleHandleExA
GetModuleHandleW
GetProcAddress
LoadLibraryExA

api-ms-win-core-sysinfo-l1-2-6

GetDeveloperDriveEnablementState

fltlib

FilterFindClose
FilterVolumeInstanceFindNext
FilterVolumeInstanceFindFirst

api-ms-win-security-base-l1-1-0

AdjustTokenPrivileges
FreeSid
CheckTokenMembership
AllocateAndInitializeSid

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
CreateProcessW
GetCurrentThreadId
GetCurrentProcess
TerminateProcess
OpenProcessToken

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW
LookupAccountNameW
LookupAccountSidW

api-ms-win-core-com-l1-1-0

StringFromGUID2
IIDFromString
StringFromIID
CoTaskMemFree

api-ms-win-core-localization-l1-2-0

SetThreadUILanguage
GetLocaleInfoEx
FormatMessageW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-file-l2-1-0

GetFileInformationByHandleEx
CreateHardLinkW

api-ms-win-core-file-l2-1-1

OpenFileById

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-core-file-l1-2-2

FindNextFileNameW
FindFirstFileNameW

api-ms-win-core-heap-l1-1-0

HeapFree
HeapSetInformation
GetProcessHeap
HeapAlloc

api-ms-win-core-synch-l1-1-0

WaitForSingleObject
ReleaseSRWLockExclusive
AcquireSRWLockExclusive

api-ms-win-security-lsalookup-l1-1-0

LookupAccountSidLocalW
LookupAccountNameLocalW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime

api-ms-win-core-datetime-l1-1-0

GetTimeFormatW
GetDateFormatW

api-ms-win-core-console-l1-1-0

WriteConsoleW
GetConsoleMode
GetConsoleOutputCP
SetConsoleCtrlHandler

api-ms-win-core-processenvironment-l1-1-0

GetCurrentDirectoryW
GetEnvironmentVariableW
ExpandEnvironmentStringsW
GetStdHandle

api-ms-win-core-file-l1-2-0

GetVolumePathNamesForVolumeNameW
GetVolumeNameForVolumeMountPointW

api-ms-win-core-file-l1-2-4

GetTempPath2W

api-ms-win-core-namedpipe-l1-1-0

CreatePipe

api-ms-win-core-kernel32-legacy-l1-1-0

MoveFileW

api-ms-win-security-lsapolicy-l1-1-0

LsaOpenPolicy
LsaFreeMemory
LsaLookupSids

api-ms-win-core-localization-l2-1-0

GetNumberFormatEx

fmifs

ClearPerMachineFileSystemState
CreatePerMachineFileSystemStateKey

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-memory-l1-1-0

VirtualQuery
VirtualProtect

Sections

.text
Size: 159KB - Virtual size: 159KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 60B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

396a19b2f5016a7923fb04bba9ffe1cd

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

75:32:df:4a:bb:d3:86:23:2d:9d:5e:a4:13:76:8d:83:86:65:c5:84:ce:c9:2b:0e:10:b2:01:03:76:81:f3:63Signer

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

ntdll

api-ms-win-core-registry-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processtopology-obsolete-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-sysinfo-l1-2-6

fltlib

api-ms-win-security-base-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-file-l2-1-1

api-ms-win-core-string-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-file-l1-2-2

api-ms-win-core-heap-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-security-lsalookup-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-file-l1-2-4

api-ms-win-core-namedpipe-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-security-lsapolicy-l1-1-0

api-ms-win-core-localization-l2-1-0

fmifs

api-ms-win-core-apiquery-l1-1-0

api-ms-win-core-memory-l1-1-0

Sections

.text Size: 159KB - Virtual size: 159KB

.data Size: 6KB - Virtual size: 7KB

.idata Size: 8KB - Virtual size: 8KB

.didat Size: 512B - Virtual size: 60B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 8KB - Virtual size: 7KB

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

75:32:df:4a:bb:d3:86:23:2d:9d:5e:a4:13:76:8d:83:86:65:c5:84:ce:c9:2b:0e:10:b2:01:03:76:81:f3:63
Signer

.text
Size: 159KB - Virtual size: 159KB

.data
Size: 6KB - Virtual size: 7KB

.idata
Size: 8KB - Virtual size: 8KB

.didat
Size: 512B - Virtual size: 60B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 8KB - Virtual size: 7KB