fsutil[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

fsutil.exe
Size

145KB
MD5

1e7299471c2963f47624fd365b9b5e60
SHA1

b5ab72edd818ff7b82eb5239cac9bc0ad45ba9bb
SHA256

3b13a67dd25962bb50ab60aca722b0aec4810c9c23f2f8d6e3648ad6d694b194
SHA512

3e4b4f5d9f8af054556aaa03c651360434d7daa81e46cbe8053e6575807f540a76c1eabaa26c9d878466a9b4889efbdff2fbf9267afacfcb70974c7360781d93
SSDEEP

3072:cysAQ3C2HZ2byEfGCUuyHzy6lMg87j6jUr+87CXbRMuhrG:feZeyEeCUu11fpx7QRMuB

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
fsutil.exe

Files

fsutil.exe
.exe windows:10 windows x86 arch:x86

3afda70fa7e12943e4f800c706b88a82

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

fsutil.pdb

Imports

msvcrt

_wtoi
iswctype
wcsrchr
towupper
realloc
wcscpy_s
wcstoul
_wcstoui64
wcscat_s
wcstok_s
isalpha
memcpy_s
wcstol
isdigit
_except_handler4_common
setlocale
calloc
_vsnwprintf
wcsncpy_s
_wcsdup
_XcptFilter
__p__commode
_errno
wprintf
_initterm
swprintf_s
?terminate@@YAXXZ
toupper
exit
_controlfp
malloc
wcschr
memmove
__setusermatherr
__p__fmode
_amsg_exit
_cexit
_exit
memcpy
__set_app_type
free
_wcsnicmp
_local_unwind4
__wgetmainargs
_wcsicmp
memset

ntdll

RtlVerifyVersionInfo
VerSetConditionMask
NtQuerySystemInformation
RtlTimeToTimeFields
RtlStringFromGUID
RtlInitializeCriticalSection
NtEnumerateTransactionObject
RtlGetOwnerSecurityDescriptor
RtlAllocateHeap
NtQuerySecurityObject
RtlFreeUnicodeString
RtlConvertSidToUnicodeString
NtCreateFile
RtlFreeHeap
NtClose
RtlSetCurrentTransaction
RtlGetCurrentTransaction
NtSetQuotaInformationFile
NtQueryQuotaInformationFile
RtlLengthSid
NtSetVolumeInformationFile
NtOpenFile
RtlInitUnicodeString
NtQueryVolumeInformationFile
NtQueryInformationFile
RtlNtStatusToDosError
NtSetInformationFile
RtlInitializeGenericTableAvl
RtlInsertElementGenericTableAvl
RtlLookupElementGenericTableAvl
RtlDosPathNameToNtPathName_U

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegEnumKeyExW
RegOpenKeyExW
RegCloseKey
RegEnumValueW
RegQueryValueExW

api-ms-win-core-file-l1-1-0

FindNextFileW
GetTempFileNameW
WriteFile
GetFileType
GetFullPathNameW
GetFileInformationByHandle
GetFileAttributesW
CreateDirectoryW
GetDiskFreeSpaceExW
FindFirstVolumeW
FindNextVolumeW
FindVolumeClose
FindClose
GetDriveTypeW
GetLogicalDriveStringsW
GetFileSizeEx
GetFinalPathNameByHandleW
DeleteFileW
SetEndOfFile
SetFilePointerEx
CreateFileW
GetVolumeInformationW
FindFirstFileW
QueryDosDeviceW
GetVolumePathNameW

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetComputerNameExW
GetWindowsDirectoryW
GetSystemDirectoryW
GetVersionExW
GetSystemInfo
GetTickCount

api-ms-win-core-errorhandling-l1-1-0

RaiseException
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError
SetLastError

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExA
GetModuleFileNameA
GetProcAddress
GetModuleHandleW
FreeLibrary

api-ms-win-security-base-l1-1-0

AdjustTokenPrivileges
AllocateAndInitializeSid
FreeSid
CheckTokenMembership

api-ms-win-core-processthreads-l1-1-0

CreateProcessW
GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
OpenProcessToken
GetCurrentProcess

api-ms-win-security-lsalookup-l2-1-0

LookupAccountSidW
LookupAccountNameW
LookupPrivilegeValueW

api-ms-win-core-com-l1-1-0

CoTaskMemFree
IIDFromString
StringFromGUID2
StringFromIID

api-ms-win-core-localization-l1-2-0

GetLocaleInfoEx
SetThreadUILanguage
FormatMessageW

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-file-l2-1-0

CreateHardLinkW
GetFileInformationByHandleEx

api-ms-win-core-file-l2-1-1

OpenFileById

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-file-l1-2-2

FindNextFileNameW
FindFirstFileNameW

api-ms-win-core-heap-l1-1-0

HeapFree
HeapSetInformation
HeapAlloc
GetProcessHeap

api-ms-win-security-lsalookup-l1-1-0

LookupAccountSidLocalW
LookupAccountNameLocalW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetTimeFormatW

api-ms-win-core-console-l1-1-0

WriteConsoleW
GetConsoleMode
SetConsoleCtrlHandler
GetConsoleOutputCP

api-ms-win-core-synch-l1-1-0

ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WaitForSingleObject

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
GetStdHandle
GetCurrentDirectoryW

api-ms-win-core-file-l1-2-0

GetVolumePathNamesForVolumeNameW
GetTempPathW
GetVolumeNameForVolumeMountPointW

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-security-lsapolicy-l1-1-0

LsaLookupSids
LsaFreeMemory
LsaOpenPolicy

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-localization-l2-1-0

GetNumberFormatEx

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-eventing-provider-l1-1-0

EventProviderEnabled
EventSetInformation
EventUnregister
EventRegister
EventWriteTransfer

api-ms-win-core-memory-l1-1-0

VirtualProtect
VirtualQuery

Sections

.text
Size: 123KB - Virtual size: 123KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 60B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3afda70fa7e12943e4f800c706b88a82

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-registry-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-file-l2-1-1

api-ms-win-core-profile-l1-1-0

api-ms-win-core-file-l1-2-2

api-ms-win-core-heap-l1-1-0

api-ms-win-security-lsalookup-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-lsapolicy-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-localization-l2-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-memory-l1-1-0

Sections

.text Size: 123KB - Virtual size: 123KB

.data Size: 4KB - Virtual size: 5KB

.idata Size: 7KB - Virtual size: 7KB

.didat Size: 512B - Virtual size: 60B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 6KB - Virtual size: 5KB

.text
Size: 123KB - Virtual size: 123KB

.data
Size: 4KB - Virtual size: 5KB

.idata
Size: 7KB - Virtual size: 7KB

.didat
Size: 512B - Virtual size: 60B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 6KB - Virtual size: 5KB