Sysmon[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Sysmon.exe
Size

3.5MB
MD5

c2f59c783a26dd480bafcc9955a99f42
SHA1

e6951e1a5d57e5ed56e4ca179258cf269724efa7
SHA256

8c50ce44732912726e5ab0958e4199deee77f904cd746369f37b91e67a9826c6
SHA512

f71f78b9d6845971016b519d05a2eff5783f56b674ab20484e92de0ae1fe3eccb20c8d7cb842bdd6d6d0168896a6e73368b051c254a1cd51de403ad47d31bfdb
SSDEEP

49152:5FarAOQsMZqNYvL9XH/FP8WW2pcinUCGiZ21uYecaBBfE27rf+Sm:5F9sMzL9XHl7s8BBBK

Score

1^/10

Malware Config

Signatures

Files

Sysmon.exe
.exe windows:5 windows x86 arch:x86

31a1bc5b444d14e392e430b44e8bd285

Code Sign

33:00:00:01:51:9e:8d:8f:40:71:a3:0e:41:00:00:00:00:01:51
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-05-2019 21:37

Not After

02-05-2020 21:37

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08-07-2011 20:59

Not After

08-07-2026 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

79:10:ba:90:43:04:4c:63:d8:0b:68:f5:31:3d:cd:79:57:c0:e9:f6:dc:b1:44:cc:20:e4:b5:8c:7e:1c:38:42
Signer

Actual PE Digest

79:10:ba:90:43:04:4c:63:d8:0b:68:f5:31:3d:cd:79:57:c0:e9:f6:dc:b1:44:cc:20:e4:b5:8c:7e:1c:38:42

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\agent\_work\110\s\exe\Win32\Public_Release\Sysmon.pdb

Imports

tdh

TdhGetEventMapInformation
TdhGetEventInformation

userenv

ExpandEnvironmentStringsForUserW

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeExW
GetFileVersionInfoExW

netapi32

NetApiBufferFree
NetServerEnum

ws2_32

inet_ntoa
WSAStartup
gethostbyname
ntohs
getnameinfo
htons
gethostname

mpr

WNetCancelConnection2W
WNetAddConnection2W

wtsapi32

WTSEnumerateSessionsW
WTSFreeMemory
WTSQueryUserToken
WTSQuerySessionInformationW

ole32

StringFromGUID2
IIDFromString
CoCreateInstance
CoSetProxyBlanket
CoInitializeEx
CoUninitialize
CoInitializeSecurity

kernel32

RemoveDirectoryW
GetTempPathW
WaitForSingleObject
CreateFileW
GetFileAttributesW
GetSystemDirectoryW
GetVersion
CreateToolhelp32Snapshot
Sleep
Process32NextW
SetEvent
LockResource
DeleteFileW
Process32FirstW
GetSystemInfo
LoadResource
FindResourceW
GetComputerNameW
CreateProcessW
GetSystemTimeAsFileTime
GetTickCount
ConnectNamedPipe
GetExitCodeProcess
DeviceIoControl
ProcessIdToSessionId
ExitProcess
GetCurrentProcessId
CopyFileW
SetConsoleCtrlHandler
GetFileSizeEx
WaitForMultipleObjects
SetThreadPriority
UnmapViewOfFile
CreateEventW
GetCurrentThread
GetOverlappedResult
CreateFileMappingW
MapViewOfFile
QueryDosDeviceW
GetFullPathNameW
WriteFile
OpenProcess
GetCurrentProcess
Module32FirstW
K32EnumProcesses
GetWindowsDirectoryW
SystemTimeToFileTime
GetTempFileNameW
GetSystemTime
K32GetMappedFileNameW
QueryPerformanceFrequency
ResetEvent
DeleteCriticalSection
QueryPerformanceCounter
CreateThread
FindFirstFileW
FindNextFileW
FindClose
InitializeCriticalSectionAndSpinCount
RaiseException
DecodePointer
TerminateProcess
WideCharToMultiByte
FreeLibraryAndExitThread
ResumeThread
ExitThread
SetConsoleMode
ReadConsoleInputA
PeekConsoleInputA
GetNumberOfConsoleInputEvents
GetConsoleMode
GetModuleHandleExW
SetStdHandle
InterlockedFlushSList
InterlockedPushEntrySList
GetConsoleScreenBufferInfo
SizeofResource
CreateDirectoryW
InterlockedExchange
CloseHandle
InitializeSListHead
lstrlenW
InitializeCriticalSection
ExpandEnvironmentStringsW
InterlockedIncrement
GetLastError
FormatMessageW
LeaveCriticalSection
InterlockedDecrement
EnterCriticalSection
GetDateFormatW
FreeLibrary
GetTimeFormatW
FileTimeToSystemTime
MultiByteToWideChar
GetModuleHandleW
LocalFree
GetProcAddress
LocalAlloc
GetStdHandle
GetCommandLineW
LoadLibraryExW
GetVersionExW
SetLastError
GetFileType
GetModuleFileNameW
GetModuleFileNameA
GetCommandLineA
GetACP
HeapFree
HeapAlloc
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
GetConsoleCP
ReadFile
HeapReAlloc
FindFirstFileExA
GetStringTypeW
SwitchToThread
TlsAlloc
FindFirstFileExW
FindNextFileA
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
SetEnvironmentVariableW
TlsGetValue
TlsSetValue
TlsFree
GetProcessHeap
OutputDebugStringA
GetTimeZoneInformation
HeapSize
SetFilePointerEx
GetCurrentThreadId
GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
WaitForSingleObjectEx
GetLocaleInfoW
GetCPInfo
OutputDebugStringW
WriteConsoleW
ReadConsoleW
SetEndOfFile
EncodePointer
CompareStringW
GetLogicalDriveStringsW
RtlUnwind
LCMapStringW

user32

GetSysColorBrush
UnregisterClassW
MessageBoxW
InflateRect
SendMessageW
EndDialog
SetWindowTextW
DialogBoxIndirectParamW
LoadCursorW
SetCursor
GetDlgItem

gdi32

EndDoc
GetDeviceCaps
SetMapMode
StartDocW
EndPage
StartPage

comdlg32

PrintDlgW

advapi32

CreateServiceW
RegQueryValueExW
RegOpenKeyW
RegCreateKeyW
RegOpenKeyExW
RegSetValueExW
ConvertSidToStringSidW
GetSecurityDescriptorLength
LookupAccountSidW
DeregisterEventSource
GetSidSubAuthorityCount
GetSidSubAuthority
CopySid
GetLengthSid
RegisterEventSourceW
ReportEventW
RegNotifyChangeKeyValue
RegisterServiceCtrlHandlerExW
SetSecurityDescriptorDacl
RegDeleteKeyW
SetServiceStatus
ChangeServiceConfig2W
SetEntriesInAclW
RegCreateKeyExW
InitializeSecurityDescriptor
StartServiceCtrlDispatcherW
QueryServiceConfigW
RegDeleteValueW
LookupPrivilegeValueW
AdjustTokenPrivileges
RevertToSelf
EnableTraceEx2
QueryServiceStatus
EqualSid
CloseServiceHandle
OpenSCManagerW
AllocateAndInitializeSid
DeleteService
ControlService
ImpersonateLoggedOnUser
LogonUserW
OpenProcessToken
FreeSid
StartServiceW
RegConnectRegistryW
OpenServiceW
GetTokenInformation
StartTraceW
ProcessTrace
CloseTrace
ControlTraceW
OpenTraceW
RegCloseKey

oleaut32

VariantChangeType
VariantClear
SysStringByteLen
SysAllocStringByteLen
SafeArrayUnaccessData
SysAllocStringLen
SysFreeString
SysAllocString
CreateErrorInfo
SafeArrayGetLBound
SafeArrayGetElement
SafeArrayGetUBound
VariantInit
SafeArrayAccessData
SafeArrayDestroy
SysStringLen
GetErrorInfo
SetErrorInfo
VarBstrCmp

crypt32

CertDuplicateCertificateContext
CryptFindOIDInfo
CertGetCertificateChain
CertGetNameStringW
CryptDecodeObject

secur32

LsaGetLogonSessionData
LsaFreeReturnBuffer

Sections

.text
Size: 713KB - Virtual size: 713KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 289KB - Virtual size: 289KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2.4MB - Virtual size: 2.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 36KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

31a1bc5b444d14e392e430b44e8bd285

Code Sign

33:00:00:01:51:9e:8d:8f:40:71:a3:0e:41:00:00:00:00:01:51Certificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

79:10:ba:90:43:04:4c:63:d8:0b:68:f5:31:3d:cd:79:57:c0:e9:f6:dc:b1:44:cc:20:e4:b5:8c:7e:1c:38:42Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

tdh

userenv

version

netapi32

ws2_32

mpr

wtsapi32

ole32

kernel32

user32

gdi32

comdlg32

advapi32

oleaut32

crypt32

secur32

Sections

.text Size: 713KB - Virtual size: 713KB

.rdata Size: 289KB - Virtual size: 289KB

.data Size: 11KB - Virtual size: 19KB

.rsrc Size: 2.4MB - Virtual size: 2.4MB

.reloc Size: 36KB - Virtual size: 35KB

33:00:00:01:51:9e:8d:8f:40:71:a3:0e:41:00:00:00:00:01:51
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

79:10:ba:90:43:04:4c:63:d8:0b:68:f5:31:3d:cd:79:57:c0:e9:f6:dc:b1:44:cc:20:e4:b5:8c:7e:1c:38:42
Signer

.text
Size: 713KB - Virtual size: 713KB

.rdata
Size: 289KB - Virtual size: 289KB

.data
Size: 11KB - Virtual size: 19KB

.rsrc
Size: 2.4MB - Virtual size: 2.4MB

.reloc
Size: 36KB - Virtual size: 35KB