consent[.]exe | Triage

Resubmissions

02/01/2024, 12:35

240102-psc68ahge4 1

Sharing

Copy URL Twitter E-mail

General

Target

consent.exe
Size

153KB
MD5

9bf568cac95dc11234078ba936b1ddff
SHA1

46776a2d63ff16e07ec79f666378f28f6fc770b6
SHA256

cc48981c30bee846dc04538a7f45d505c37f39f2384483d97e8d52b9d0e52c7d
SHA512

abc3d1401fcdbfbd543c08cbc11f14224ebe1b7639b335c0937cd02708431ca26cbda269c187ca59f0f12a9e1d59e33acb80edd5398262d311d14a557af5f1fc
SSDEEP

3072:47T6RLHPKTPfX+VMz28fJHBPtPBis7tOx8zyYF:YMHPEP2VMzDBh/iotOKz3

Score

1^/10

Malware Config

Signatures

Files

consent.exe
.exe windows:10 windows x64 arch:x64

522d83761201075834f05037f5307949

Code Sign

33:00:00:01:c3:13:a0:85:c3:56:e2:99:d7:00:00:00:00:01:c3
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/07/2018, 20:45

Not After

26/07/2019, 20:45

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:8f:fa:44:84:0d:73:df:06:f7:64:2e:24:71:23:47:65:49:4c:6a:e3:1f:e3:2f:6d:d4:4e:ba:80:1a:a3:5f
Signer

Actual PE Digest

05:8f:fa:44:84:0d:73:df:06:f7:64:2e:24:71:23:47:65:49:4c:6a:e3:1f:e3:2f:6d:d4:4e:ba:80:1a:a3:5f

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

gdi32

SelectObject
CreateDIBSection
BitBlt
CreateCompatibleDC
DeleteObject
PatBlt
GetLayout
GetStockObject
DeleteDC
SetDCBrushColor
CreateCompatibleBitmap

user32

ShowWindow
GetThreadDesktop
SetThreadDesktop
GetShellWindow
UnregisterClassW
CreateWindowExW
FillRect
GetPropW
SetDisplayAutoRotationPreferences
GetDC
DestroyWindow
SendMessageTimeoutW
GetWindowRect
PostMessageW
DefWindowProcW
GetMessageW
GetWindowLongW
SendMessageW
LoadStringW
DispatchMessageW
RegisterClassW
GetForegroundWindow
GetParent
OpenInputDesktop
CloseDesktop
ord2513
GetWindowBand
ord2574
SetPropW
TranslateMessage
LoadCursorW
OpenDesktopW
GetDesktopWindow
GetWindowDC
GetUserObjectInformationW
FlashWindowEx
SetWindowLongW
PostQuitMessage
ReleaseDC
BeginPaint
EndPaint
GetSystemMetrics
DestroyIcon
LoadIconW
GetAncestor

msvcrt

_CxxThrowException
__CxxFrameHandler3
_vsnwprintf
memcpy
__dllonexit
memcpy_s
_purecall
??1exception@@UEAA@XZ
_onexit
?terminate@@YAXXZ
??0exception@@QEAA@XZ
??1type_info@@UEAA@XZ
memset
_callnewh
malloc
??0exception@@QEAA@AEBV0@@Z
_vsnprintf_s
_wtoi
_errno
_wtol
swscanf_s
wcschr
wcsrchr
__C_specific_handler
_wcsicmp
free
wcscmp
_XcptFilter
_amsg_exit
__getmainargs
__set_app_type
exit
_unlock
_lock
_commode
_fmode
_acmdln
_initterm
__setusermatherr
_ismbblead
_cexit
_exit

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
FindResourceExW
GetModuleFileNameA
LoadResource
LockResource
FreeLibrary
GetProcAddress
GetModuleHandleExW
LoadLibraryExW

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceBeginInitialize
InitOnceComplete

api-ms-win-core-synch-l1-1-0

OpenSemaphoreW
ReleaseSemaphore
CreateSemaphoreExW
CreateEventW
WaitForSingleObjectEx
SetEvent
CreateMutexExW
ReleaseMutex
WaitForSingleObject

api-ms-win-core-heap-l1-1-0

HeapSetInformation
HeapAlloc
GetProcessHeap
HeapFree

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
GetLastError
UnhandledExceptionFilter
RaiseException
SetLastError

api-ms-win-core-com-l1-1-0

CoCreateInstance
CoEnableCallCancellation
StringFromGUID2
CoInitializeSecurity
CoCancelCall
CoTaskMemFree
CoUninitialize
CoDisableCallCancellation
CoTaskMemAlloc
CoInitializeEx

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventRegister
EventWriteTransfer
EventUnregister

api-ms-win-core-heap-l2-1-0

GlobalFree
LocalFree
LocalAlloc

api-ms-win-core-processthreads-l1-1-0

SetPriorityClass
TerminateThread
CreateThread
TerminateProcess
GetCurrentProcess
GetStartupInfoW
GetCurrentThreadId
GetCurrentProcessId
GetExitCodeThread
QueueUserAPC
ResumeThread

api-ms-win-core-localization-l1-2-0

GetLocaleInfoW
FormatMessageW
GetUserPreferredUILanguages
SetProcessPreferredUILanguages

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-security-base-l1-1-0

RevertToSelf
MakeAbsoluteSD
ImpersonateLoggedOnUser
GetSidLengthRequired
InitializeSid
GetSidSubAuthority
GetTokenInformation
GetSidSubAuthorityCount

api-ms-win-core-registry-l1-1-0

RegGetValueW
RegOpenCurrentUser
RegCloseKey

sspicli

SeciFreeCallContext
SeciAllocateAndSetCallFlags
LsaLookupAuthenticationPackage
LsaCallAuthenticationPackage
GetUserNameExW
LsaRegisterLogonProcess
LsaDeregisterLogonProcess
SeciAllocateAndSetIPAddress
LsaFreeReturnBuffer
LsaLogonUser

crypt32

CertFreeCertificateContext

api-ms-win-core-winrt-string-l1-1-0

WindowsCompareStringOrdinal
WindowsCreateStringReference
WindowsGetStringRawBuffer
WindowsDeleteString

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

api-ms-win-core-file-l1-1-0

CreateFileW
GetFileType
GetDriveTypeW

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

userenv

LoadUserProfileW
UnloadUserProfile

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-memory-l1-1-0

CreateFileMappingW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-threadpool-legacy-l1-1-0

QueueUserWorkItem

wmsgapi

WmsgSendMessage

ntdll

EtwEventRegister
EtwEventWrite
NtQueryVolumeInformationFile
NtWriteVirtualMemory
EtwSendNotification
RtlFreeHeap
EtwUnregisterTraceGuids
NtDuplicateObject
NtReadVirtualMemory
EtwGetTraceEnableFlags
NtOpenProcess
RtlAllocateHeap
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwEventUnregister
RtlLengthSid
RtlNtStatusToDosError
RtlEqualSid
RtlInitString
RtlAdjustPrivilege
NtClose
RtlLengthRequiredSid
NtQueryInformationToken
RtlSubAuthoritySid
NtDuplicateToken
RtlInitializeSid
NtAllocateLocallyUniqueId
RtlNtStatusToDosErrorNoTeb
EtwTraceMessage
EtwRegisterTraceGuidsW

amsi

AmsiUacScan
AmsiUninitialize
AmsiUacInitialize

comctl32

ord345

msctfmonitor

UninitLocalMsCtfMonitor
InitLocalMsCtfMonitor

msimg32

AlphaBlend

winsta

WinStationQueryInformationW

wtsapi32

WTSQuerySessionInformationW
WTSFreeMemory

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 64KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

consent
Size: 512B - Virtual size: 98B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

522d83761201075834f05037f5307949

Code Sign

33:00:00:01:c3:13:a0:85:c3:56:e2:99:d7:00:00:00:00:01:c3Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

05:8f:fa:44:84:0d:73:df:06:f7:64:2e:24:71:23:47:65:49:4c:6a:e3:1f:e3:2f:6d:d4:4e:ba:80:1a:a3:5fSigner

Headers

DLL Characteristics

File Characteristics

Imports

gdi32

user32

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-registry-l1-1-0

sspicli

crypt32

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-security-sddl-l1-1-0

userenv

api-ms-win-core-synch-l1-2-1

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-memory-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

wmsgapi

ntdll

amsi

comctl32

msctfmonitor

msimg32

winsta

wtsapi32

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

Sections

.text Size: 64KB - Virtual size: 63KB

.rdata Size: 25KB - Virtual size: 24KB

.data Size: 512B - Virtual size: 2KB

.pdata Size: 3KB - Virtual size: 3KB

.didat Size: 512B - Virtual size: 208B

consent Size: 512B - Virtual size: 98B

.rsrc Size: 49KB - Virtual size: 49KB

.reloc Size: 512B - Virtual size: 180B

33:00:00:01:c3:13:a0:85:c3:56:e2:99:d7:00:00:00:00:01:c3
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

05:8f:fa:44:84:0d:73:df:06:f7:64:2e:24:71:23:47:65:49:4c:6a:e3:1f:e3:2f:6d:d4:4e:ba:80:1a:a3:5f
Signer

.text
Size: 64KB - Virtual size: 63KB

.rdata
Size: 25KB - Virtual size: 24KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 3KB - Virtual size: 3KB

.didat
Size: 512B - Virtual size: 208B

consent
Size: 512B - Virtual size: 98B

.rsrc
Size: 49KB - Virtual size: 49KB

.reloc
Size: 512B - Virtual size: 180B