SettingSyncHost[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

SettingSyncHost.exe
Size

497KB
MD5

2ca2ff0a5f9bea459a686f895829e48a
SHA1

1b4aa3ec942d992ba298ed9960a0f80ee84371d7
SHA256

3c5cbbe394c57e73950ec4a584ce70b793594673c500401466d8c1e3dececc15
SHA512

760910a33cbb62d3cc1b4dd6573c01cb8db2edb1c761cd831705092409d52c9de7b06294de0a0a71add70af5b80de60656aaab839cef2fd5fbf7d14f3d06b2cb
SSDEEP

6144:3j5QOQ2OzalPTBh0W0GEKaopJ+S73RrREWd7gqIX4iVeec3m6EppPqSqJoljMLfW:39PTH09G+o7pXEi7ZqbVebEpFuLu

Score

1^/10

Malware Config

Signatures

Files

SettingSyncHost.exe
.exe windows:10 windows x86

a00cf2d1948147f18cafeb4f02b59018

Code Sign

33:00:00:00:bc:e1:20:fd:d2:7c:c8:ee:93:00:00:00:00:00:bc
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/08/2015, 17:15

Not After

18/11/2016, 17:15

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

70:11:7b:22:6d:1e:d0:d4:40:5b:c2:73:1e:0d:35:a8:fb:a1:61:8f:0f:7e:e5:30:39:06:eb:49:d3:de:6d:96
Signer

Actual PE Digest

70:11:7b:22:6d:1e:d0:d4:40:5b:c2:73:1e:0d:35:a8:fb:a1:61:8f:0f:7e:e5:30:39:06:eb:49:d3:de:6d:96

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

__dllonexit
_unlock
_onexit
__CxxFrameHandler3
__p__fmode
_cexit
?terminate@@YAXXZ
_exit
_controlfp
_except_handler4_common
wcschr
_lock
__set_app_type
_ftol2
wcstok_s
memcpy
__wgetmainargs
_initterm
__setusermatherr
memmove
_amsg_exit
__p__commode
_XcptFilter
wcsncpy_s
malloc
free
wcsstr
_get_errno
_set_errno
exit
iswalnum
_purecall
_callnewh
swscanf_s
_wcsicmp
_wcsnicmp
_wcstoui64
memcpy_s
_wcmdln
memcmp
_vsnwprintf
realloc
memmove_s
rand
srand
time
memset

api-ms-win-core-libraryloader-l1-2-0

SizeofResource
LockResource
LoadResource
GetModuleHandleExW
FreeLibrary
GetModuleFileNameA
LoadLibraryExW
FreeLibraryAndExitThread
GetModuleHandleA
GetModuleFileNameW
GetProcAddress

api-ms-win-core-synch-l1-2-0

ReleaseSemaphore
LeaveCriticalSection
EnterCriticalSection
WaitForSingleObject
ReleaseMutex
WaitForSingleObjectEx
CreateSemaphoreExW
CreateMutexExW
InitOnceExecuteOnce
SetEvent
CreateEventExW
InitializeSRWLock
OpenEventW
OpenSemaphoreW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InitializeCriticalSection
Sleep
InitOnceBeginInitialize
InitOnceComplete
CreateEventW
DeleteCriticalSection
AcquireSRWLockShared
InitializeCriticalSectionEx
ReleaseSRWLockShared
ResetEvent

api-ms-win-core-heap-l1-2-0

HeapAlloc
HeapSetInformation
HeapFree
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-1

RaiseException
GetLastError
SetUnhandledExceptionFilter
SetLastError
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-2

GetCurrentThread
SetPriorityClass
GetCurrentThreadId
TerminateProcess
SetThreadPriority
GetCurrentProcess
TlsGetValue
TlsFree
TlsAlloc
GetStartupInfoW
OpenThreadToken
GetCurrentProcessId
OpenProcessToken
CreateProcessW
TlsSetValue
CreateThread
ProcessIdToSessionId

api-ms-win-core-localization-l1-2-1

GetGeoInfoW
GetUserGeoID
FormatMessageW

api-ms-win-core-debug-l1-1-1

OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-core-com-l1-1-1

RoGetAgileReference
CoUninitialize
CoTaskMemAlloc
CoResumeClassObjects
CoReleaseMarshalData
CoRegisterClassObject
CoCreateGuid
CoWaitForMultipleHandles
CoRevokeClassObject
StringFromIID
CoAddRefServerProcess
CoReleaseServerProcess
CoInitializeEx
CoGetCallContext
CoGetApartmentType
PropVariantClear
CoGetMalloc
CoGetInterfaceAndReleaseStream
CoTaskMemRealloc
StringFromCLSID
CoSetProxyBlanket
StringFromGUID2
CoDisableCallCancellation
CoEnableCallCancellation
CoTaskMemFree
CoCreateFreeThreadedMarshaler
CoCreateInstance
CoCancelCall
CLSIDFromString
CoFreeUnusedLibraries
CoMarshalInterThreadInterfaceInStream

api-ms-win-core-winrt-string-l1-1-0

WindowsIsStringEmpty
WindowsStringHasEmbeddedNull
WindowsCreateString
WindowsDeleteString
WindowsCreateStringReference
WindowsGetStringRawBuffer

api-ms-win-shcore-thread-l1-1-0

SHCreateThreadRef
SHSetThreadRef
SHCreateThreadWithHandle

api-ms-win-core-threadpool-legacy-l1-1-0

DeleteTimerQueueTimer
CreateTimerQueueTimer

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolWait
CloseThreadpoolWait
WaitForThreadpoolTimerCallbacks
TrySubmitThreadpoolCallback
CloseThreadpoolTimer
FreeLibraryWhenCallbackReturns
CreateThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolTimer
CallbackMayRunLong

api-ms-win-core-sysinfo-l1-2-1

GetSystemDirectoryW
GetTickCount
GetVersionExW
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount64

api-ms-win-core-synch-l1-2-1

CreateSemaphoreW

api-ms-win-core-heap-l2-1-0

LocalReAlloc
LocalFree
LocalAlloc

api-ms-win-core-string-l1-1-0

CompareStringOrdinal
MultiByteToWideChar
WideCharToMultiByte

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventRegister
EventSetInformation
EventWrite
EventWriteTransfer

api-ms-win-core-registry-l1-1-0

RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegDeleteTreeW
RegEnumValueW
RegGetValueW
RegQueryValueExW
RegOpenCurrentUser
RegQueryInfoKeyW
RegCloseKey
RegDeleteValueW

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableLevel
UnregisterTraceGuids
GetTraceEnableFlags
TraceMessage
GetTraceLoggerHandle
RegisterTraceGuidsW

ntdll

RtlGetSuiteMask
vDbgPrintEx
NtPowerInformation
ZwClose
AlpcGetMessageAttribute
AlpcInitializeMessageAttribute
TpWaitForAlpcCompletion
ZwAlpcConnectPort
RtlWaitOnAddress
ZwAlpcQueryInformation
TpReleaseAlpcCompletion
ZwAlpcSendWaitReceivePort
ZwAlpcDisconnectPort
TpAllocAlpcCompletion
RtlWakeAddressAll
ZwAlpcCancelMessage
RtlFreeHeap
RtlAllocateHeap
RtlInitUnicodeString
RtlPublishWnfStateData
RtlSubscribeWnfStateChangeNotification
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlFreeUnicodeString
RtlConvertSidToUnicodeString
NtQueryWnfStateData
EtwTraceMessage
EtwEventActivityIdControl
EtwEventWrite
NtSetInformationProcess
NtSetInformationThread
RtlNtStatusToDosError

api-ms-win-core-libraryloader-l1-2-2

FindResourceW

api-ms-win-shcore-stream-l1-1-0

IStream_Write
SHOpenRegStream2W
IStream_Reset
SHCreateStreamOnFileW
SHCreateMemStream

api-ms-win-core-file-l1-2-1

DeleteFileW
GetTempPathW
FindFirstFileW
FindNextFileW
RemoveDirectoryW
GetFileAttributesExW
SetFileAttributesW
CreateDirectoryW
CompareFileTime
GetFileAttributesW
FindClose

api-ms-win-shcore-obsolete-l1-1-0

CommandLineToArgvW
SHStrDupW

api-ms-win-core-winrt-error-l1-1-1

RoOriginateError
RoGetMatchingRestrictedErrorInfo
RoTransformError
RoOriginateErrorW
SetRestrictedErrorInfo

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-winrt-l1-1-0

RoRegisterActivationFactories
RoActivateInstance
RoRevokeActivationFactories
RoGetActivationFactory

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-string-l2-1-0

CharLowerBuffW

api-ms-win-core-path-l1-1-0

PathAllocCombine
PathCchAppend

api-ms-win-shcore-registry-l1-1-1

SHSetValueW
SHDeleteKeyW
SHDeleteValueW
SHRegGetPathW
SHRegGetValueW
SHRegSetPathW

api-ms-win-core-registry-l1-1-1

RegDeleteKeyValueW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathStripPathW

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

api-ms-win-core-shlwapi-obsolete-l1-2-0

StrToIntExW
QISearch
StrStrIW

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW

api-ms-win-security-base-l1-2-0

AdjustTokenPrivileges
GetTokenInformation
GetSidSubAuthority
CreateWellKnownSid

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-security-provider-l1-1-0

SetEntriesInAclW
GetNamedSecurityInfoW
SetNamedSecurityInfoW

api-ms-win-core-delayload-l1-1-1

DelayLoadFailureHook
ResolveDelayLoadedAPI

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-url-l1-1-0

UrlEscapeW

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime

api-ms-win-power-base-l1-1-0

PowerDeterminePlatformRoleEx

api-ms-win-core-version-l1-1-0

VerQueryValueW
GetFileVersionInfoSizeExW
GetFileVersionInfoExW

propsys

PropVariantToStringAlloc
PropVariantToUInt32
PSCreateMemoryPropertyStore

Sections

.text
Size: 443KB - Virtual size: 442KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 200B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a00cf2d1948147f18cafeb4f02b59018

Code Sign

33:00:00:00:bc:e1:20:fd:d2:7c:c8:ee:93:00:00:00:00:00:bcCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

70:11:7b:22:6d:1e:d0:d4:40:5b:c2:73:1e:0d:35:a8:fb:a1:61:8f:0f:7e:e5:30:39:06:eb:49:d3:de:6d:96Signer

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-heap-l1-2-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-localization-l1-2-1

api-ms-win-core-debug-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-shcore-thread-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-synch-l1-2-1

api-ms-win-core-heap-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

ntdll

api-ms-win-core-libraryloader-l1-2-2

api-ms-win-shcore-stream-l1-1-0

api-ms-win-core-file-l1-2-1

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-util-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-path-l1-1-0

api-ms-win-shcore-registry-l1-1-1

api-ms-win-core-registry-l1-1-1

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-2-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-security-base-l1-2-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-security-provider-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-url-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-power-base-l1-1-0

api-ms-win-core-version-l1-1-0

propsys

Sections

.text Size: 443KB - Virtual size: 442KB

.data Size: 1024B - Virtual size: 2KB

.idata Size: 11KB - Virtual size: 11KB

.didat Size: 512B - Virtual size: 200B

.rsrc Size: 9KB - Virtual size: 8KB

.reloc Size: 23KB - Virtual size: 23KB

33:00:00:00:bc:e1:20:fd:d2:7c:c8:ee:93:00:00:00:00:00:bc
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

70:11:7b:22:6d:1e:d0:d4:40:5b:c2:73:1e:0d:35:a8:fb:a1:61:8f:0f:7e:e5:30:39:06:eb:49:d3:de:6d:96
Signer

.text
Size: 443KB - Virtual size: 442KB

.data
Size: 1024B - Virtual size: 2KB

.idata
Size: 11KB - Virtual size: 11KB

.didat
Size: 512B - Virtual size: 200B

.rsrc
Size: 9KB - Virtual size: 8KB

.reloc
Size: 23KB - Virtual size: 23KB