consent[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

consent.exe
Size

221KB
MD5

8f81a5ddaa613ae681da25b86f727e6b
SHA1

ff187094a5800c91efaf73d27eeff19df34a7507
SHA256

8191fb83695f7b60b9d2d137b571ea6ffe34ed6dfae48866bfbdc934806d5229
SHA512

001b58fb7c8bca2fa2e178b3e0ddd49095e9428ccc6889c3b6b72a20d4da73392fb5cdc76fc844f55dcd91034f5fdab4ac0eb43c296b4f9ceaf7d0ffe63972e7
SSDEEP

3072:9Ieebwd/GHeNzXSP2+YUxIlMxmIlUB5iJErGqpzRR+C:xebwg+NDSP2+YUxIexzWrLpzt

Score

1^/10

Malware Config

Signatures

Files

consent.exe
.exe windows:10 windows x64 arch:x64

5d0c875dbd930a73d5a983016e384930

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c8:b0:65:a7:d2:b5:79:13:30:7e:50:72:e8:5c:09:59:e3:f0:0b:d8:c7:85:33:3e:f5:ff:dd:73:91:e6:5d:38
Signer

Actual PE Digest

c8:b0:65:a7:d2:b5:79:13:30:7e:50:72:e8:5c:09:59:e3:f0:0b:d8:c7:85:33:3e:f5:ff:dd:73:91:e6:5d:38

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

gdi32

CreateCompatibleDC
BitBlt
DeleteObject
SelectObject
CreateDIBSection
PatBlt
GetLayout
GetStockObject
DeleteDC
SetDCBrushColor
CreateCompatibleBitmap

user32

ShowWindow
GetThreadDesktop
SetThreadDesktop
GetShellWindow
UnregisterClassW
CreateWindowExW
FillRect
GetPropW
SetDisplayAutoRotationPreferences
GetDC
DestroyWindow
SendMessageTimeoutW
GetWindowRect
PostMessageW
DefWindowProcW
GetMessageW
GetWindowLongW
SendMessageW
EndPaint
LoadStringW
BeginPaint
DispatchMessageW
ReleaseDC
RegisterClassW
LoadIconW
CloseDesktop
PostThreadMessageW
ord2513
GetWindowBand
ord2574
GetAncestor
GetParent
DestroyIcon
OpenDesktopW
GetDesktopWindow
GetForegroundWindow
OpenInputDesktop
SetPropW
TranslateMessage
LoadCursorW
GetWindowDC
GetUserObjectInformationW
FlashWindowEx
SetWindowLongW
PostQuitMessage
GetSystemMetrics

msvcrt

memcmp
memcpy_s
__CxxFrameHandler3
??1type_info@@UEAA@XZ
memcpy
_onexit
__dllonexit
_unlock
_purecall
??1exception@@UEAA@XZ
__CxxFrameHandler4
_vsnwprintf
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBV0@@Z
_CxxThrowException
?terminate@@YAXXZ
_callnewh
malloc
_vsnprintf_s
wcsrchr
wcsncpy_s
_wtoi
_errno
_wtol
memmove_s
swscanf_s
wcschr
__C_specific_handler
_wcsicmp
free
_XcptFilter
memset
_amsg_exit
__getmainargs
__set_app_type
exit
_exit
_cexit
_ismbblead
__setusermatherr
_lock
_commode
_fmode
_acmdln
_initterm

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
FindResourceExW
GetModuleHandleExW
GetProcAddress
LockResource
GetModuleHandleA
LoadLibraryExW
LoadResource
GetModuleHandleW
GetModuleFileNameA

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
InitOnceComplete
Sleep

api-ms-win-core-synch-l1-1-0

CreateSemaphoreExW
ReleaseMutex
DeleteCriticalSection
WaitForSingleObjectEx
AcquireSRWLockShared
ReleaseSRWLockShared
OpenSemaphoreW
AcquireSRWLockExclusive
WaitForSingleObject
ReleaseSRWLockExclusive
InitializeCriticalSectionEx
LeaveCriticalSection
CreateMutexExW
EnterCriticalSection
ReleaseSemaphore
CreateEventW
SetEvent

api-ms-win-core-heap-l1-1-0

HeapSetInformation
GetProcessHeap
HeapAlloc
HeapFree

api-ms-win-core-errorhandling-l1-1-0

GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
RaiseException
SetLastError

api-ms-win-core-com-l1-1-0

CoTaskMemAlloc
CoCreateInstance
CoUninitialize
CoInitializeSecurity
CoTaskMemFree
StringFromGUID2
CoCancelCall
CoEnableCallCancellation
CoInitializeEx
CoDisableCallCancellation

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventRegister
EventUnregister
EventWriteTransfer

api-ms-win-core-heap-l2-1-0

GlobalFree
LocalAlloc
LocalFree

api-ms-win-core-processthreads-l1-1-0

GetStartupInfoW
ResumeThread
CreateThread
TerminateProcess
GetExitCodeThread
GetCurrentProcess
SetPriorityClass
GetCurrentThreadId
QueueUserAPC
TerminateThread
GetPriorityClass
GetCurrentProcessId

api-ms-win-core-localization-l1-2-0

SetProcessPreferredUILanguages
GetLocaleInfoW
GetUserPreferredUILanguages
FormatMessageW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-security-base-l1-1-0

MakeAbsoluteSD
RevertToSelf
GetSidSubAuthorityCount
GetTokenInformation
ImpersonateLoggedOnUser
InitializeSid
GetSidLengthRequired
GetSidSubAuthority

api-ms-win-core-registry-l1-1-0

RegOpenCurrentUser
RegCloseKey
RegGetValueW

sspicli

LsaLogonUser
LsaDeregisterLogonProcess
LsaRegisterLogonProcess
SeciAllocateAndSetCallFlags
LogonUserExExW
SeciAllocateAndSetIPAddress
LsaFreeReturnBuffer
SeciFreeCallContext
GetUserNameExW
LsaCallAuthenticationPackage
LsaLookupAuthenticationPackage

samcli

NetLocalGroupAddMembers
NetUserGetInfo
NetUserAdd

netutils

NetApiBufferFree

crypt32

CertFreeCertificateContext

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteString
WindowsCompareStringOrdinal
WindowsGetStringRawBuffer
WindowsCreateStringReference

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolTimer
CloseThreadpoolTimer
CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks

api-ms-win-core-file-l1-1-0

GetFileType
CreateFileW
GetDriveTypeW

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

userenv

LoadUserProfileW
UnloadUserProfile

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-memory-l1-1-0

CreateFileMappingW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-threadpool-legacy-l1-1-0

QueueUserWorkItem

wmsgapi

WmsgSendMessage

ntdll

EtwEventWrite
NtQueryVolumeInformationFile
EtwEventUnregister
NtWriteVirtualMemory
EtwSendNotification
EtwUnregisterTraceGuids
NtDuplicateObject
NtReadVirtualMemory
EtwGetTraceEnableFlags
NtOpenProcess
RtlAllocateHeap
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwEventRegister
RtlLengthSid
RtlNtStatusToDosError
RtlFreeHeap
RtlInitString
RtlAdjustPrivilege
NtClose
RtlLengthRequiredSid
NtQueryInformationToken
RtlSubAuthoritySid
NtDuplicateToken
RtlInitializeSid
NtAllocateLocallyUniqueId
RtlNtStatusToDosErrorNoTeb
EtwTraceMessage
EtwRegisterTraceGuidsW
RtlEqualSid

amsi

AmsiUninitialize
AmsiUacInitialize
AmsiUacScan

comctl32

ord345

msctfmonitor

UninitLocalMsCtfMonitor

msimg32

AlphaBlend

winsta

WinStationQueryInformationW

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 100KB - Virtual size: 99KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

consent
Size: 4KB - Virtual size: 98B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 52KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 228B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5d0c875dbd930a73d5a983016e384930

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

c8:b0:65:a7:d2:b5:79:13:30:7e:50:72:e8:5c:09:59:e3:f0:0b:d8:c7:85:33:3e:f5:ff:dd:73:91:e6:5d:38Signer

Headers

DLL Characteristics

File Characteristics

Imports

gdi32

user32

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-registry-l1-1-0

sspicli

samcli

netutils

crypt32

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-security-sddl-l1-1-0

userenv

api-ms-win-core-synch-l1-2-1

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-memory-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

wmsgapi

ntdll

amsi

comctl32

msctfmonitor

msimg32

winsta

wtsapi32

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 100KB - Virtual size: 99KB

.rdata Size: 32KB - Virtual size: 30KB

.data Size: 4KB - Virtual size: 3KB

.pdata Size: 8KB - Virtual size: 5KB

.didat Size: 4KB - Virtual size: 208B

consent Size: 4KB - Virtual size: 98B

.rsrc Size: 52KB - Virtual size: 49KB

.reloc Size: 4KB - Virtual size: 228B

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

c8:b0:65:a7:d2:b5:79:13:30:7e:50:72:e8:5c:09:59:e3:f0:0b:d8:c7:85:33:3e:f5:ff:dd:73:91:e6:5d:38
Signer

.text
Size: 100KB - Virtual size: 99KB

.rdata
Size: 32KB - Virtual size: 30KB

.data
Size: 4KB - Virtual size: 3KB

.pdata
Size: 8KB - Virtual size: 5KB

.didat
Size: 4KB - Virtual size: 208B

consent
Size: 4KB - Virtual size: 98B

.rsrc
Size: 52KB - Virtual size: 49KB

.reloc
Size: 4KB - Virtual size: 228B