SessEnv[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

SessEnv.dll
Size

324KB
MD5

1f930052e73d489207634e97d4d1768c
SHA1

55fb6b5a4bece224a4b526c03f3f1ed8164e0f50
SHA256

e522bc76d74132357ef000064da06c160e19aaa4d05e533e4985fb623281f51b
SHA512

40ea7d5e747ab2515abf893ddd9e6343b88694f4d414327cfcba4ebd1287c5129610d19eba9bd972daa778be8fd14be1c2ccb01d7e06bcbe790be8f326c3d138
SSDEEP

6144:PhCgliQtAvz9Wj8AlhF4VewiMEuvoxIIC2jT5z4CmXZP3vcaTBW5xcBgcRp0fC9t:BAvz9K8a4VHeeICuT5z4CeP3vcaTBW5e

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
SessEnv.dll

Files

SessEnv.dll
.dll windows:10 windows x86 arch:x86

731c58aa1fdaaa863b06aa0822e5f986

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

SessEnv.pdb

Imports

msvcrt

wcschr
memcpy_s
memmove
_except_handler4_common
swprintf_s
_wcsicmp
??1type_info@@UAE@XZ
__CxxFrameHandler3
_CxxThrowException
_purecall
wcscat_s
wcscpy_s
_onexit
__dllonexit
_unlock
_lock
_initterm
_amsg_exit
_XcptFilter
free
_callnewh
_wcsnicmp
wcsrchr
wcsncmp
iswalpha
_vsnprintf
_vsnwprintf
memcmp
memcpy
malloc
_wtol
memset

ntdll

NtQueryInformationProcess
RtlLengthSid
NtDuplicateToken
RtlFreeHeap
RtlAllocateHeap
RtlNtStatusToDosError
WinSqmSetDWORD
WinSqmStartSession
WinSqmAddToStream
WinSqmEndSession
WinSqmIsOptedIn
RtlGetActiveConsoleId
EtwEventWriteFull
EtwEventRegister
EtwEventUnregister
RtlInsertElementGenericTable
RtlLookupElementGenericTable
RtlQueryEnvironmentVariable_U
RtlInitUnicodeStringEx
RtlInitializeGenericTable
RtlDeleteElementGenericTable
RtlEnumerateGenericTable
RtlAllocateAndInitializeSid
RtlAcquireResourceExclusive
RtlReleaseResource
RtlAcquireResourceShared
DbgPrint
RtlEqualSid
VerSetConditionMask
RtlFreeSid
RtlInitializeResource
RtlVerifyVersionInfo
RtlCaptureStackBackTrace
RtlDeleteResource
NtQuerySystemInformation

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
LoadLibraryExW
LoadStringW
FreeLibrary
GetModuleHandleExW
DisableThreadLibraryCalls

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage
GetTraceLoggerHandle
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel

api-ms-win-core-errorhandling-l1-1-1

UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
GetLastError

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-service-core-l1-1-1

SetServiceStatus
RegisterServiceCtrlHandlerExW

api-ms-win-core-synch-l1-2-0

InitializeCriticalSection
SetEvent
DeleteCriticalSection
WaitForMultipleObjectsEx
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
CreateEventW
WaitForSingleObject
EnterCriticalSection
ResetEvent
Sleep
InitOnceExecuteOnce

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-2

GetCurrentProcess
OpenProcess
GetCurrentThread
GetCurrentThreadId
ProcessIdToSessionId
CreateProcessAsUserW
OpenProcessToken
TerminateThread
GetCurrentProcessId
CreateThread
CreateProcessW
GetThreadId
OpenThreadToken
TerminateProcess

api-ms-win-core-sysinfo-l1-2-1

GetSystemTimeAsFileTime
GetLocalTime
GetSystemTime
GetComputerNameExW
GetTickCount
GetSystemDirectoryW

kernel32

SetVolumeMountPointW
MoveFileW
WTSGetActiveConsoleSessionId
CreateTimerQueue
DeleteTimerQueueTimer
GetComputerNameW
DeleteTimerQueueEx
CreateTimerQueueTimer
UnregisterWaitEx

sysntfy

SysNotifyStartServer
SysNotifyStopServer

api-ms-win-eventing-controller-l1-1-0

EnableTraceEx2
ControlTraceW
StartTraceW

api-ms-win-core-registry-l1-1-0

RegNotifyChangeKeyValue
RegQueryValueExW
RegCloseKey
RegDeleteTreeW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegQueryInfoKeyW
RegUnLoadKeyW
RegGetValueW
RegLoadKeyW
RegEnumValueW
RegDeleteValueW
RegEnumKeyExW
RegOpenCurrentUser

api-ms-win-core-com-l1-1-1

CoCreateInstance
StringFromCLSID
CoCreateInstanceEx
CoCreateGuid
CoTaskMemFree
CoInitializeEx
CoUninitialize
CoTaskMemAlloc
CoSetProxyBlanket

api-ms-win-core-debug-l1-1-1

OutputDebugStringA
DebugBreak
IsDebuggerPresent

api-ms-win-security-base-l1-2-0

GetTokenInformation
CheckTokenMembership
CopySid
CreateWellKnownSid
GetLengthSid
ImpersonateLoggedOnUser
FreeSid
AllocateAndInitializeSid
SetTokenInformation
SetFileSecurityW
EqualSid
GetAce
AdjustTokenPrivileges
GetAclInformation
GetSecurityDescriptorLength
SetSecurityDescriptorControl
InitializeSecurityDescriptor
IsValidSid
DeleteAce
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
RevertToSelf
SetSecurityDescriptorDacl
DuplicateTokenEx
MakeAbsoluteSD
DuplicateToken
GetFileSecurityW

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-heap-l1-2-0

GetProcessHeap
HeapReAlloc
HeapAlloc
HeapFree

api-ms-win-core-file-l1-2-1

FindFirstVolumeW
FindNextVolumeW
CreateDirectoryW
GetTempPathW
RemoveDirectoryW
SetFileAttributesW
FindNextFileW
CompareFileTime
SetFilePointer
FileTimeToLocalFileTime
CreateFileW
GetFileTime
GetFileAttributesW
ReadFile
DeleteFileW
WriteFile
GetVolumeNameForVolumeMountPointW
GetVolumePathNamesForVolumeNameW
FindClose
FindFirstFileW
DeleteVolumeMountPointW
GetFileSizeEx
FindVolumeClose

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-security-sddl-l1-1-0

ConvertStringSidToSidW
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToFileTime

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventWriteTransfer
EventSetInformation
EventUnregister
EventActivityIdControl

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW

api-ms-win-core-io-l1-1-1

DeviceIoControl

rpcrt4

I_RpcBindingInqLocalClientPID
NdrServerCall2
RpcServerInqDefaultPrincNameW
UuidToStringW
RpcServerRegisterAuthInfoW
RpcStringFreeW
RpcServerUseProtseqEpW
RpcServerRegisterIfEx
RpcBindingVectorFree
RpcEpRegisterW
RpcServerInqBindings
RpcServerUseProtseqExW
RpcBindingFree
RpcBindingInqAuthClientW
RpcBindingServerFromClient
UuidCreate
RpcServerUnregisterIfEx
RpcBindingToStringBindingW
RpcStringBindingParseW
RpcServerInqCallAttributesW
RpcGetAuthorizationContextForClient
RpcRevertToSelf
RpcImpersonateClient
RpcFreeAuthorizationContext

api-ms-win-core-file-l2-1-1

GetFileInformationByHandleEx
MoveFileWithProgressW
CreateSymbolicLinkW
CopyFileExW

api-ms-win-core-path-l1-1-0

PathCchCombine

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

samcli

NetLocalGroupDelMembers
NetLocalGroupAddMembers
NetUserGetInfo

api-ms-win-security-credentials-l1-1-0

CredUnprotectW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI
DelayLoadFailureHook

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

api-ms-win-core-shlwapi-obsolete-l1-2-0

StrToIntExW

api-ms-win-security-lsalookup-l1-1-1

LookupAccountSidLocalW

shell32

SHGetKnownFolderPath

api-ms-win-core-libraryloader-l1-2-2

LoadLibraryW

api-ms-win-core-localization-l1-2-1

FormatMessageW

api-ms-win-security-lsapolicy-l1-1-0

LsaFreeMemory

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Exports

Exports

ServiceMain
SvchostPushServiceGlobals

Sections

.text
Size: 291KB - Virtual size: 291KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 592B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

731c58aa1fdaaa863b06aa0822e5f986

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-service-core-l1-1-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-sysinfo-l1-2-1

kernel32

sysntfy

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-debug-l1-1-1

api-ms-win-security-base-l1-2-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-heap-l1-2-0

api-ms-win-core-file-l1-2-1

api-ms-win-core-string-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-io-l1-1-1

rpcrt4

api-ms-win-core-file-l2-1-1

api-ms-win-core-path-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-synch-l1-2-1

samcli

api-ms-win-security-credentials-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-2-0

api-ms-win-security-lsalookup-l1-1-1

shell32

api-ms-win-core-libraryloader-l1-2-2

api-ms-win-core-localization-l1-2-1

api-ms-win-security-lsapolicy-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Exports

Exports

Sections

.text Size: 291KB - Virtual size: 291KB

.data Size: 1024B - Virtual size: 13KB

.idata Size: 10KB - Virtual size: 10KB

.didat Size: 1024B - Virtual size: 592B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 18KB - Virtual size: 17KB

.text
Size: 291KB - Virtual size: 291KB

.data
Size: 1024B - Virtual size: 13KB

.idata
Size: 10KB - Virtual size: 10KB

.didat
Size: 1024B - Virtual size: 592B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 18KB - Virtual size: 17KB