SystemSettingsAdminFlows[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

SystemSettingsAdminFlows.exe
Size

351KB
MD5

aa860708ae474e89ebcd0f42efdfa544
SHA1

34f6168251ce3ed625e9b8d26b0ce5dad7421dbe
SHA256

20a100ad633bd79474edcc3736eefc395d39f7d5904c46ddb96593316ce6b262
SHA512

06030dab80cac26b000c626897e7ba6b17e5e1d61e0862a2e1301993f5613cb9289f1a5a5cc1b340a9ef2517a488b02490f73e35841dde8864b0eee1364c0d05
SSDEEP

6144:4pcPg7nvy4zlrb83+lqneeORYjmOj1tZTUjtW:4K8vnR83+CWYjmO2jtW

Score

1^/10

Malware Config

Signatures

Files

SystemSettingsAdminFlows.exe
.exe windows:10 windows x64 arch:x64

ec1b3716ab3442432cf86829553e030b

Code Sign

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/03/2020, 18:30

Not After

03/03/2021, 18:30

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

88:0f:c9:99:65:a8:8a:3b:fc:74:e4:a8:3f:d1:25:26:38:f8:78:e7:ae:cd:70:75:54:d1:ff:68:c0:65:5e:df
Signer

Actual PE Digest

88:0f:c9:99:65:a8:8a:3b:fc:74:e4:a8:3f:d1:25:26:38:f8:78:e7:ae:cd:70:75:54:d1:ff:68:c0:65:5e:df

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_wcsicmp
??_V@YAXPEAX@Z
memmove
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
_vsnprintf_s
??0exception@@QEAA@AEBQEBDH@Z
malloc
abort
_get_current_locale
_wtol
?what@exception@@UEBAPEBDXZ
_callnewh
_XcptFilter
wcsncmp
free
__crtLCMapStringW
__crtCompareStringW
_wcsdup
_CxxThrowException
_wtoi
memset
memmove_s
_purecall
__CxxFrameHandler3
memcpy
_free_locale
??0exception@@QEAA@AEBQEBD@Z
_vsnwprintf
memcpy_s
??1exception@@UEAA@XZ
wcschr
??3@YAXPEAX@Z
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
_commode
_fmode
_wcmdln
__C_specific_handler
_initterm
__setusermatherr
_ismbblead
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
??1type_info@@UEAA@XZ
??1bad_cast@@UEAA@XZ
??0bad_cast@@QEAA@PEBD@Z
??0bad_cast@@QEAA@AEBV0@@Z
realloc
strchr
_errno
___lc_collate_cp_func
setlocale
__pctype_func
___lc_handle_func
___lc_codepage_func
calloc
memcmp
___mb_cur_max_func

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceExecuteOnce

api-ms-win-core-processthreads-l1-1-2

GetCurrentProcess
TerminateProcess
GetCurrentThread
OpenThreadToken
OpenProcessToken
GetStartupInfoW
GetCurrentProcessId
GetCurrentThreadId

api-ms-win-core-errorhandling-l1-1-1

SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-2-1

GetTickCount
GetComputerNameExW
GetSystemTimeAsFileTime

systemsettingsthresholdadminflowui

SetFindMyDevicePage_CreateInstance
ChangeKbLayoutPage_CreateInstance
RetailDemoConfirmPage_CreateInstance
DevicePortalAuthenticationPage_CreateInstance
SetGeolocationMasterPage_CreateInstance
LeaveDomainPage_CreateInstance
JoinDomainPage_CreateInstance
SetDateTimePage_CreateInstance
ManageExclusionPage_CreateInstance
UnblockSimPinPage_CreateInstance
RenamePCPage_CreateInstance
DisableUserPage_CreateInstance
EnableUserPage_CreateInstance
EditUserPage_CreateInstance
LockdownAppPage_CreateInstance
LockdownUserPage_CreateInstance
RemoveUserPage_CreateInstance
AddDomainUserPage_CreateInstance
DeviceDiscoveryUnpairAllDevicesPage_CreateInstance
DevicePortalSetAuthenticationPage_CreateInstance
UninitializeXamlRuntime
UninitializeXamlCustomResourceLoader
InitializeXamlCustomResourceLoader
DeviceEncryptionPage_CreateInstance
DeveloperModePage_CreateInstance
EnablePreviewBuildsPage_CreateInstance
SurfaceHubDeveloperModePage_CreateInstance
InitializeXamlRuntime

gdi32

GetDeviceCaps

kernel32

CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
GetProcAddress
LocalFree
HeapFree
GetProcessHeap
CloseHandle
FreeLibrary
FormatMessageW
GetModuleHandleExW
GetModuleFileNameA
LoadLibraryExW
GetLastError
OutputDebugStringW
SetEvent
ResetEvent
ReleaseSemaphore
ReleaseMutex
WaitForSingleObjectEx
AcquireSRWLockExclusive
AcquireSRWLockShared
InitializeCriticalSectionEx
DeleteCriticalSection
HeapAlloc
WaitForSingleObject
OpenSemaphoreW
WaitForMultipleObjectsEx
GetProductInfo
CreateEventW
TlsGetValue
OpenProcess
CreateEventExW
CreateThreadpoolWork
SubmitThreadpoolWork
WaitForThreadpoolWorkCallbacks
CloseThreadpoolWork
TlsAlloc
TlsFree
DecodePointer
ReleaseSRWLockExclusive
TlsSetValue
SetLastError
ReleaseSRWLockShared
CreateSemaphoreExW
CreateMutexExW
EncodePointer
InitOnceBeginInitialize
InitOnceComplete
RaiseException
ResolveLocaleName
EnterCriticalSection
LeaveCriticalSection
InitializeSRWLock
CompareStringOrdinal
CreateThreadpoolTimer
SetThreadpoolTimer
RegOpenKeyExW
RegSetValueExW
RegCloseKey
RegCreateKeyExW
RegGetValueW

newdev

DiUninstallDevice

ntdll

NtQueryInformationToken
NtGetMUIRegistryInfo

ole32

CoCreateFreeThreadedMarshaler
CoGetMalloc
CoTaskMemRealloc
CoTaskMemAlloc
CoResumeClassObjects
CoRegisterClassObject
CoRevokeClassObject
CoAddRefServerProcess
CoReleaseServerProcess
CreateClassMoniker
GetRunningObjectTable
CoUninitialize
CoInitializeEx
CoWaitForMultipleHandles
CoGetApartmentType
CoCreateInstance
CoTaskMemFree
CoSetProxyBlanket
CoInitialize

setupapi

SetupDiOpenDeviceInfoW
SetupDiCreateDeviceInfoList
SetupDiDestroyDeviceInfoList

shell32

CommandLineToArgvW
ShellExecuteExW
SHGetSpecialFolderPathW

shlwapi

StrChrW
ord16
SHStrDupW

dui70

?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z
UnInitProcessPriv
InitProcessPriv
InitThread
StartMessagePump
UnInitThread
?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ
?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z
?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z
?Destroy@Element@DirectUI@@QEAAJ_N@Z

user32

LoadStringW
InflateRect
AllowSetForegroundWindow
EnableMouseInPointer
GetWindow
GetPropW
SetWindowPos
PostMessageW
GetWindowRect
DestroyWindow
GetWindowLongPtrW
DefWindowProcW
GetWindowThreadProcessId
DispatchMessageW
LoadCursorW
SetCursor
TranslateMessage
PostQuitMessage
MsgWaitForMultipleObjectsEx
PeekMessageW
GetDC
ReleaseDC
ord2544

shcore

ord188
ord123
ord244
ord241
SHSetValueW

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventSetInformation
EventActivityIdControl
EventUnregister
EventRegister
EventWrite

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableLevel
RegisterTraceGuidsW
GetTraceEnableFlags
UnregisterTraceGuids
TraceMessage
GetTraceLoggerHandle

api-ms-win-core-winrt-string-l1-1-0

WindowsIsStringEmpty
WindowsStringHasEmbeddedNull
WindowsDeleteString
WindowsCreateStringReference
WindowsGetStringRawBuffer
WindowsCreateString

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoRegisterActivationFactories
RoRevokeActivationFactories
RoInitialize
RoUninitialize
RoActivateInstance

crypt32

CryptUnprotectData

api-ms-win-core-winrt-error-l1-1-1

RoOriginateErrorW
RoOriginateError

oleaut32

SysFreeString
VariantInit
VariantClear
SysAllocString

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-service-management-l1-1-0

OpenServiceW
OpenSCManagerW
StartServiceW
CloseServiceHandle

api-ms-win-service-management-l2-1-0

QueryServiceConfigW
ChangeServiceConfigW

api-ms-win-core-delayload-l1-1-1

DelayLoadFailureHook
ResolveDelayLoadedAPI

api-ms-win-core-rtlsupport-l1-2-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-libraryloader-l1-2-2

LoadLibraryW

wkscli

NetGetJoinInformation

logoncli

DsGetDcNameW

netutils

NetApiBufferFree

api-ms-win-service-winsvc-l1-2-0

QueryServiceStatus
ControlService

api-ms-win-security-base-l1-2-0

GetTokenInformation
CreateWellKnownSid
CheckTokenMembership
DuplicateToken

api-ms-win-core-heap-l2-1-0

LocalAlloc

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW

api-ms-win-security-lsapolicy-l1-1-0

LsaClose
LsaFreeMemory
LsaLookupSids
LsaOpenPolicy

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

api-ms-win-appmodel-unlock-l1-1-0

SetIsSideloadingEnabled
SetIsDeveloperModeEnabled
IsSideloadingPolicyApplied
IsDeveloperModePolicyApplied

bcp47langs

Bcp47GetMuiForm

Sections

.text
Size: 187KB - Virtual size: 187KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 80KB - Virtual size: 80KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ec1b3716ab3442432cf86829553e030b

Code Sign

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

88:0f:c9:99:65:a8:8a:3b:fc:74:e4:a8:3f:d1:25:26:38:f8:78:e7:ae:cd:70:75:54:d1:ff:68:c0:65:5e:dfSigner

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-synch-l1-2-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-2-1

systemsettingsthresholdadminflowui

gdi32

kernel32

newdev

ntdll

ole32

setupapi

shell32

shlwapi

dui70

user32

shcore

api-ms-win-eventing-provider-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

crypt32

api-ms-win-core-winrt-error-l1-1-1

oleaut32

api-ms-win-core-registry-l1-1-1

api-ms-win-service-management-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-rtlsupport-l1-2-0

api-ms-win-core-libraryloader-l1-2-2

wkscli

logoncli

netutils

api-ms-win-service-winsvc-l1-2-0

api-ms-win-security-base-l1-2-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-security-lsapolicy-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-appmodel-unlock-l1-1-0

bcp47langs

Sections

.text Size: 187KB - Virtual size: 187KB

.imrsiv Size: - Virtual size: 4B

.rdata Size: 80KB - Virtual size: 80KB

.data Size: 6KB - Virtual size: 9KB

.pdata Size: 10KB - Virtual size: 9KB

.didat Size: 512B - Virtual size: 72B

.rsrc Size: 52KB - Virtual size: 52KB

.reloc Size: 2KB - Virtual size: 1KB

33:00:00:02:66:bd:15:80:ef:a7:5c:d6:d3:00:00:00:00:02:66
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

88:0f:c9:99:65:a8:8a:3b:fc:74:e4:a8:3f:d1:25:26:38:f8:78:e7:ae:cd:70:75:54:d1:ff:68:c0:65:5e:df
Signer

.text
Size: 187KB - Virtual size: 187KB

.imrsiv
Size: - Virtual size: 4B

.rdata
Size: 80KB - Virtual size: 80KB

.data
Size: 6KB - Virtual size: 9KB

.pdata
Size: 10KB - Virtual size: 9KB

.didat
Size: 512B - Virtual size: 72B

.rsrc
Size: 52KB - Virtual size: 52KB

.reloc
Size: 2KB - Virtual size: 1KB