SessEnv[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

SessEnv.dll
Size

427KB
MD5

37e6301f2b137811e80b24ca03d8adc4
SHA1

91bdc93fea367b603af170e8ac48cf6a189dd17f
SHA256

cd064c718a46d6f248c4ca976c58f89293ac401a8459e1f5cf5cb752bbe994b2
SHA512

44200c205aef9b911a1ab89634c1fbc794a2a801a50b1ef7d0cc3441a75512c4ee48c2e208a5c91cefea0b86d78c40743b4f74664bc52a64c657b8cd51535e1d
SSDEEP

6144:dlc4F38QnzxL8c9yqQIFDENX2h3WWwLHKPF4+7VXmB00ZjElUpxri+psdXalBo1E:FNN9pPxwMVmBaUPrHpsdXacPCU1L

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
SessEnv.dll

Files

SessEnv.dll
.dll windows:10 windows x86 arch:x86

e55ff25f1540978d01da304ff4e43d2c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

SessEnv.pdb

Imports

msvcrt

swprintf_s
_wcsicmp
_purecall
__CxxFrameHandler3
toupper
?terminate@@YAXXZ
wcschr
_CxxThrowException
wcscpy_s
_wcsnicmp
wcsrchr
wcsncmp
iswalpha
memmove_s
_vsnprintf
_vsnwprintf
wcscat_s
??1type_info@@UAE@XZ
memcpy_s
memcmp
memcpy
memmove
_except_handler4_common
_onexit
__dllonexit
_unlock
_lock
_initterm
_amsg_exit
_XcptFilter
free
_callnewh
malloc
_wtol
memset

ntdll

NtQueryInformationProcess
NtDuplicateToken
RtlFreeHeap
RtlAllocateHeap
RtlNtStatusToDosError
WinSqmSetDWORD
WinSqmStartSession
WinSqmAddToStream
WinSqmEndSession
WinSqmIsOptedIn
RtlGetActiveConsoleId
EtwEventWriteFull
EtwEventRegister
EtwEventUnregister
RtlUnsubscribeWnfStateChangeNotification
RtlSubscribeWnfStateChangeNotification
NtQueryWnfStateData
RtlInsertElementGenericTable
RtlLookupElementGenericTable
RtlQueryEnvironmentVariable_U
RtlInitUnicodeStringEx
RtlInitializeGenericTable
RtlDeleteElementGenericTable
RtlEnumerateGenericTable
RtlAllocateAndInitializeSid
RtlAcquireResourceExclusive
RtlReleaseResource
RtlAcquireResourceShared
DbgPrint
RtlEqualSid
VerSetConditionMask
RtlFreeSid
RtlInitializeResource
RtlVerifyVersionInfo
RtlCaptureStackBackTrace
RtlDeleteResource
NtQuerySystemInformation
RtlLengthSid

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA
LoadStringW
LoadLibraryExW
FreeLibrary
DisableThreadLibraryCalls
GetProcAddress
GetModuleHandleExW
GetModuleHandleW
GetModuleFileNameW

api-ms-win-core-errorhandling-l1-1-0

SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-service-core-l1-1-0

RegisterServiceCtrlHandlerExW
SetServiceStatus

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionAndSpinCount
CreateSemaphoreExW
AcquireSRWLockShared
SetEvent
WaitForMultipleObjectsEx
ReleaseSemaphore
WaitForSingleObject
ReleaseSRWLockExclusive
CreateMutexExW
InitializeCriticalSectionEx
AcquireSRWLockExclusive
OpenSemaphoreW
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
DeleteCriticalSection
WaitForSingleObjectEx
ReleaseSRWLockShared
CreateEventW
ReleaseMutex
ResetEvent

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegNotifyChangeKeyValue
RegQueryValueExW
RegDeleteTreeW
RegLoadKeyW
RegQueryInfoKeyW
RegUnLoadKeyW
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegEnumValueW
RegDeleteValueW
RegEnumKeyExW
RegOpenCurrentUser
RegGetValueW

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventProviderEnabled
EventUnregister
EventSetInformation
EventRegister
EventActivityIdControl

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-core-processthreads-l1-1-0

GetCurrentThread
OpenThreadToken
CreateProcessAsUserW
CreateThread
GetCurrentProcessId
ProcessIdToSessionId
GetCurrentThreadId
CreateProcessW
GetCurrentProcess
TerminateProcess
GetThreadId
OpenProcessToken
TerminateThread

api-ms-win-core-sysinfo-l1-1-0

GetVersionExW
GetSystemTime
GetLocalTime
GetComputerNameExW
GetSystemTimeAsFileTime
GetTickCount
GetSystemDirectoryW

kernel32

WTSGetActiveConsoleSessionId
CreateTimerQueue
SetVolumeMountPointW
MoveFileW
CreateTimerQueueTimer
DeleteTimerQueueEx
UnregisterWaitEx
GetComputerNameW
VerifyVersionInfoW
DeleteTimerQueueTimer

sysntfy

SysNotifyStartServer
SysNotifyStopServer

dismapi

DismInitialize
DismOpenSession
DismEnableFeature
DismShutdown
DismDisableFeature

api-ms-win-eventing-controller-l1-1-0

ControlTraceW
StartTraceW
EnableTraceEx2

api-ms-win-core-com-l1-1-0

CoUninitialize
CoTaskMemAlloc
CoTaskMemFree
StringFromCLSID
CoCreateInstanceEx
CoCreateGuid
CoInitializeEx
CoWaitForMultipleHandles
CoCreateInstance
CoSetProxyBlanket

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW
OutputDebugStringA
DebugBreak

api-ms-win-security-base-l1-1-0

DeleteAce
GetSecurityDescriptorControl
CopySid
CreateWellKnownSid
GetLengthSid
DuplicateTokenEx
DuplicateToken
AllocateAndInitializeSid
MakeAbsoluteSD
GetTokenInformation
InitializeSecurityDescriptor
SetSecurityDescriptorControl
GetSecurityDescriptorLength
ImpersonateLoggedOnUser
RevertToSelf
SetTokenInformation
EqualSid
GetAce
GetAclInformation
GetSecurityDescriptorDacl
SetSecurityDescriptorDacl
IsValidSid
SetFileSecurityW
AdjustTokenPrivileges
GetFileSecurityW
CheckTokenMembership
FreeSid

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
ConvertStringSidToSidW

rpcrt4

RpcEpRegisterW
RpcServerInqBindings
RpcServerUseProtseqExW
RpcBindingFree
UuidCreate
RpcBindingServerFromClient
RpcStringFreeW
UuidToStringW
RpcRevertToSelf
RpcImpersonateClient
RpcFreeAuthorizationContext
RpcGetAuthorizationContextForClient
RpcServerInqCallAttributesW
RpcStringBindingParseW
RpcBindingToStringBindingW
I_RpcBindingInqLocalClientPID
RpcServerUnregisterIfEx
RpcBindingVectorFree
RpcServerRegisterIfEx
RpcServerUseProtseqEpW
RpcServerRegisterAuthInfoW
RpcServerInqDefaultPrincNameW
RpcBindingInqAuthClientW
NdrServerCall2

api-ms-win-core-heap-l1-1-0

HeapReAlloc
GetProcessHeap
HeapAlloc
HeapFree

api-ms-win-core-file-l1-1-0

RemoveDirectoryW
GetFileAttributesW
FindClose
FindNextFileW
DeleteFileW
FindFirstFileW
CompareFileTime
SetFileAttributesW
FindFirstVolumeW
FindNextVolumeW
SetFilePointer
FileTimeToLocalFileTime
CreateDirectoryW
CreateFileW
GetFileSizeEx
GetFileTime
FindVolumeClose
WriteFile
DeleteVolumeMountPointW
ReadFile

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-shutdown-l1-1-0

InitiateSystemShutdownExW

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-file-l2-1-0

CopyFileExW
MoveFileWithProgressW
GetFileInformationByHandleEx
CreateSymbolicLinkW

api-ms-win-core-path-l1-1-0

PathCchCombine

api-ms-win-core-processthreads-l1-1-1

OpenProcess
GetProcessMitigationPolicy

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

samcli

NetLocalGroupDelMembers
NetLocalGroupAddMembers
NetUserGetInfo

api-ms-win-core-file-l1-2-0

GetVolumePathNamesForVolumeNameW
GetTempPathW
GetVolumeNameForVolumeMountPointW

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-security-credentials-l1-1-0

CredUnprotectW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrToIntExW

api-ms-win-security-lsalookup-l1-1-0

LookupAccountSidLocalW

shell32

SHGetKnownFolderPath

scecli

SceSetupSystemByInfName

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
SetThreadpoolTimer

api-ms-win-security-lsapolicy-l1-1-0

LsaFreeMemory

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

ServiceMain
SvchostPushServiceGlobals

Sections

.text
Size: 388KB - Virtual size: 387KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 592B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

e55ff25f1540978d01da304ff4e43d2c

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-service-core-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

kernel32

sysntfy

dismapi

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-sddl-l1-1-0

rpcrt4

api-ms-win-core-heap-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-shutdown-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-path-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-psapi-l1-1-0

samcli

api-ms-win-core-file-l1-2-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-security-credentials-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-security-lsalookup-l1-1-0

shell32

scecli

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-localization-l1-2-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-security-lsapolicy-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 388KB - Virtual size: 387KB

.data Size: 1KB - Virtual size: 14KB

.idata Size: 12KB - Virtual size: 11KB

.didat Size: 1024B - Virtual size: 592B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 22KB - Virtual size: 22KB

.text
Size: 388KB - Virtual size: 387KB

.data
Size: 1KB - Virtual size: 14KB

.idata
Size: 12KB - Virtual size: 11KB

.didat
Size: 1024B - Virtual size: 592B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 22KB - Virtual size: 22KB