fsutil[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

fsutil.exe
Size

159KB
MD5

23c2ca347887944cd1a7f01771be2930
SHA1

e448af73e5c2c14fa49b18e1451f55721dba84e3
SHA256

663176115ad56014efc43b792aead9658c3d1045cc64fe794c3ef9d4105a8f3a
SHA512

d7c7983377818dda4f15dcad04fb299c06dc890df65475db5aaac969e154a2e02b99dc16af827b5f56a6e5f84de507d830302d9b89f6a664825279c5882746ea
SSDEEP

3072:3yzEmlKs8fkxze+/UIL4kcJmJmwoDwsnkW8/0pTnSaIHWsEI:z8xzr/fL4tmcRm0pTnSzf

Score

1^/10

Malware Config

Signatures

Files

fsutil.exe
.exe windows:10 windows x86 arch:x86

bef7e40d6897927d6071f7c5df1078f0

Code Sign

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/07/2018, 20:45

Not After

26/07/2019, 20:45

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f9:c8:97:f3:18:87:ce:fc:e2:24:21:be:f6:6d:2c:1c:44:db:24:81:f1:11:b8:2b:8e:69:57:fa:6c:e6:24:67
Signer

Actual PE Digest

f9:c8:97:f3:18:87:ce:fc:e2:24:21:be:f6:6d:2c:1c:44:db:24:81:f1:11:b8:2b:8e:69:57:fa:6c:e6:24:67

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

fsutil.pdb

Imports

msvcrt

wcstol
wcstok_s
_wcstoui64
?terminate@@YAXXZ
wcstoul
iswctype
_controlfp
_errno
exit
_wcsdup
wcsncpy_s
memcpy_s
wcscpy_s
_XcptFilter
towupper
_wtoi
wcsrchr
__wgetmainargs
memmove
__set_app_type
memcpy
_local_unwind4
_wcsicmp
wcscat_s
wcschr
isalpha
isdigit
toupper
setlocale
calloc
_initterm
_except_handler4_common
_vsnwprintf
_amsg_exit
__p__commode
wprintf
__setusermatherr
swprintf_s
malloc
__p__fmode
realloc
free
_wcsnicmp
_cexit
_exit
memset

ntdll

NtClose
RtlVerifyVersionInfo
VerSetConditionMask
NtQuerySystemInformation
RtlTimeToTimeFields
RtlStringFromGUID
RtlInitializeCriticalSection
NtEnumerateTransactionObject
RtlGetOwnerSecurityDescriptor
RtlAllocateHeap
NtQuerySecurityObject
RtlFreeUnicodeString
RtlConvertSidToUnicodeString
NtCreateFile
NtFlushBuffersFileEx
RtlDosPathNameToNtPathName_U
RtlSetCurrentTransaction
RtlGetCurrentTransaction
NtSetQuotaInformationFile
NtQueryQuotaInformationFile
RtlLengthSid
NtSetVolumeInformationFile
NtOpenFile
RtlInitUnicodeString
NtQueryVolumeInformationFile
NtQueryInformationFile
RtlNtStatusToDosError
NtSetInformationFile
RtlInitializeGenericTableAvl
RtlInsertElementGenericTableAvl
RtlLookupElementGenericTableAvl
RtlFreeHeap

api-ms-win-core-registry-l1-1-0

RegEnumKeyExW
RegCloseKey
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
RegEnumValueW

api-ms-win-core-file-l1-1-0

GetDiskFreeSpaceExW
GetFileSizeEx
DeleteFileW
SetEndOfFile
GetFileInformationByHandle
GetDriveTypeW
SetFilePointerEx
FindFirstVolumeW
GetVolumeInformationW
GetFileType
FindNextVolumeW
GetTempFileNameW
FindVolumeClose
FindNextFileW
FindFirstFileW
FindClose
CreateFileW
WriteFile
GetVolumePathNameW
QueryDosDeviceW
GetFullPathNameW
GetFinalPathNameByHandleW
GetFileAttributesW
CreateDirectoryW
GetLogicalDriveStringsW

api-ms-win-core-sysinfo-l1-1-0

GetSystemInfo
GetSystemDirectoryW
GetWindowsDirectoryW
GetVersionExW
GetTickCount
GetComputerNameExW
GetSystemTimeAsFileTime

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError
RaiseException
SetLastError

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA
LoadLibraryExA
FreeLibrary
GetProcAddress
GetModuleHandleW

api-ms-win-security-base-l1-1-0

FreeSid
CheckTokenMembership
AllocateAndInitializeSid
AdjustTokenPrivileges

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentThreadId
CreateProcessW
GetCurrentProcess
OpenProcessToken
GetCurrentProcessId

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW
LookupPrivilegeValueW
LookupAccountSidW

api-ms-win-core-com-l1-1-0

StringFromIID
CoTaskMemFree
StringFromGUID2
IIDFromString

api-ms-win-core-localization-l1-2-0

GetLocaleInfoEx
SetThreadUILanguage
FormatMessageW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-file-l2-1-0

CreateHardLinkW
GetFileInformationByHandleEx

api-ms-win-core-file-l2-1-1

OpenFileById

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-core-file-l1-2-2

FindFirstFileNameW
FindNextFileNameW

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree
HeapSetInformation

api-ms-win-security-lsalookup-l1-1-0

LookupAccountSidLocalW
LookupAccountNameLocalW

api-ms-win-core-timezone-l1-1-0

SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetTimeFormatW

api-ms-win-core-console-l1-1-0

WriteConsoleW
SetConsoleCtrlHandler
GetConsoleOutputCP
GetConsoleMode

api-ms-win-core-synch-l1-1-0

WaitForSingleObject
AcquireSRWLockExclusive
ReleaseSRWLockExclusive

api-ms-win-core-processenvironment-l1-1-0

GetStdHandle
GetCurrentDirectoryW
ExpandEnvironmentStringsW

api-ms-win-core-file-l1-2-0

GetVolumePathNamesForVolumeNameW
GetVolumeNameForVolumeMountPointW
GetTempPathW

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-security-lsapolicy-l1-1-0

LsaOpenPolicy
LsaLookupSids
LsaFreeMemory

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-localization-l2-1-0

GetNumberFormatEx

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventRegister
EventSetInformation
EventUnregister
EventProviderEnabled

api-ms-win-core-memory-l1-1-0

VirtualProtect
VirtualQuery

Sections

.text
Size: 129KB - Virtual size: 129KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 60B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

bef7e40d6897927d6071f7c5df1078f0

Code Sign

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

f9:c8:97:f3:18:87:ce:fc:e2:24:21:be:f6:6d:2c:1c:44:db:24:81:f1:11:b8:2b:8e:69:57:fa:6c:e6:24:67Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-registry-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-file-l2-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-file-l1-2-2

api-ms-win-core-heap-l1-1-0

api-ms-win-security-lsalookup-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-lsapolicy-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-localization-l2-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-memory-l1-1-0

Sections

.text Size: 129KB - Virtual size: 129KB

.data Size: 4KB - Virtual size: 5KB

.idata Size: 7KB - Virtual size: 7KB

.didat Size: 512B - Virtual size: 60B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 6KB - Virtual size: 6KB

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

f9:c8:97:f3:18:87:ce:fc:e2:24:21:be:f6:6d:2c:1c:44:db:24:81:f1:11:b8:2b:8e:69:57:fa:6c:e6:24:67
Signer

.text
Size: 129KB - Virtual size: 129KB

.data
Size: 4KB - Virtual size: 5KB

.idata
Size: 7KB - Virtual size: 7KB

.didat
Size: 512B - Virtual size: 60B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 6KB - Virtual size: 6KB