SettingSyncHost[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

SettingSyncHost.exe
Size

482KB
MD5

ed7f0da3b234138e1701c9dabb3c251b
SHA1

857b31c9b73ae93dd3f61d40ed8c44b138f2099a
SHA256

1c1b43cc9d81f71cd020f235b86cd36cbc8c39f78f63e6df1448862c7d964ad8
SHA512

d23e61aa6f581a498fb3d0e29720335460001d4ceae3f43460f5e9f535735f5387766ca0e1cb17730f544325fbb0a5d7777de9d777a2562b4333bdca3e43fa7d
SSDEEP

12288:zA3TRCd6m5UkQ7VZF/UclAG69lC2LWhuWDc+:U3TRu6m5UkQ7VZF/haH9lC2Gu6c+

Score

1^/10

Malware Config

Signatures

Files

SettingSyncHost.exe
.exe windows:10 windows x86 arch:x86

a00cf2d1948147f18cafeb4f02b59018

Code Sign

33:00:00:01:74:69:de:10:8b:37:65:a8:d7:00:00:00:00:01:74
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

11/08/2017, 20:23

Not After

11/08/2018, 20:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

fd:a8:6e:ae:37:16:e8:35:ef:52:a5:f5:df:da:b1:67:63:87:48:be:cd:46:b3:14:29:4d:83:9c:c8:46:9c:a8
Signer

Actual PE Digest

fd:a8:6e:ae:37:16:e8:35:ef:52:a5:f5:df:da:b1:67:63:87:48:be:cd:46:b3:14:29:4d:83:9c:c8:46:9c:a8

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

SettingSyncHost.pdb

Imports

msvcrt

__dllonexit
_unlock
_onexit
__CxxFrameHandler3
__p__fmode
_cexit
?terminate@@YAXXZ
_exit
_controlfp
_except_handler4_common
wcschr
_lock
__set_app_type
_ftol2
wcstok_s
memcpy
__wgetmainargs
_initterm
__setusermatherr
memmove
_amsg_exit
__p__commode
_XcptFilter
wcsncpy_s
malloc
free
wcsstr
_get_errno
_set_errno
exit
iswalnum
_purecall
_callnewh
swscanf_s
_wcsicmp
_wcsnicmp
_wcstoui64
memcpy_s
_wcmdln
memcmp
_vsnwprintf
realloc
memmove_s
rand
srand
time
memset

api-ms-win-core-libraryloader-l1-2-0

SizeofResource
LockResource
LoadResource
GetModuleHandleExW
FreeLibrary
GetModuleFileNameA
LoadLibraryExW
FreeLibraryAndExitThread
GetModuleHandleA
GetModuleFileNameW
GetProcAddress

api-ms-win-core-synch-l1-2-0

ReleaseSemaphore
LeaveCriticalSection
EnterCriticalSection
WaitForSingleObject
ReleaseMutex
WaitForSingleObjectEx
CreateSemaphoreExW
CreateMutexExW
InitOnceExecuteOnce
SetEvent
CreateEventExW
InitializeSRWLock
OpenEventW
OpenSemaphoreW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InitializeCriticalSection
Sleep
InitOnceBeginInitialize
InitOnceComplete
CreateEventW
DeleteCriticalSection
AcquireSRWLockShared
InitializeCriticalSectionEx
ReleaseSRWLockShared
ResetEvent

api-ms-win-core-heap-l1-2-0

HeapAlloc
HeapSetInformation
HeapFree
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-1

RaiseException
GetLastError
SetUnhandledExceptionFilter
SetLastError
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-2

GetCurrentThread
SetPriorityClass
GetCurrentThreadId
TerminateProcess
SetThreadPriority
GetCurrentProcess
TlsGetValue
TlsFree
TlsAlloc
GetStartupInfoW
OpenThreadToken
GetCurrentProcessId
OpenProcessToken
CreateProcessW
TlsSetValue
CreateThread
ProcessIdToSessionId

api-ms-win-core-localization-l1-2-1

GetGeoInfoW
GetUserGeoID
FormatMessageW

api-ms-win-core-debug-l1-1-1

OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-core-com-l1-1-1

RoGetAgileReference
CoUninitialize
CoTaskMemAlloc
CoResumeClassObjects
CoReleaseMarshalData
CoRegisterClassObject
CoCreateGuid
CoWaitForMultipleHandles
CoRevokeClassObject
StringFromIID
CoAddRefServerProcess
CoReleaseServerProcess
CoInitializeEx
CoGetCallContext
CoGetApartmentType
PropVariantClear
CoGetMalloc
CoGetInterfaceAndReleaseStream
CoTaskMemRealloc
StringFromCLSID
CoSetProxyBlanket
StringFromGUID2
CoDisableCallCancellation
CoEnableCallCancellation
CoTaskMemFree
CoCreateFreeThreadedMarshaler
CoCreateInstance
CoCancelCall
CLSIDFromString
CoFreeUnusedLibraries
CoMarshalInterThreadInterfaceInStream

api-ms-win-core-winrt-string-l1-1-0

WindowsIsStringEmpty
WindowsStringHasEmbeddedNull
WindowsCreateString
WindowsDeleteString
WindowsCreateStringReference
WindowsGetStringRawBuffer

api-ms-win-shcore-thread-l1-1-0

SHCreateThreadRef
SHSetThreadRef
SHCreateThreadWithHandle

api-ms-win-core-threadpool-legacy-l1-1-0

DeleteTimerQueueTimer
CreateTimerQueueTimer

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolWait
CloseThreadpoolWait
WaitForThreadpoolTimerCallbacks
TrySubmitThreadpoolCallback
CloseThreadpoolTimer
FreeLibraryWhenCallbackReturns
CreateThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolTimer
CallbackMayRunLong

api-ms-win-core-sysinfo-l1-2-1

GetSystemDirectoryW
GetTickCount
GetVersionExW
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount64

api-ms-win-core-synch-l1-2-1

CreateSemaphoreW

api-ms-win-core-heap-l2-1-0

LocalReAlloc
LocalFree
LocalAlloc

api-ms-win-core-string-l1-1-0

CompareStringOrdinal
MultiByteToWideChar
WideCharToMultiByte

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventRegister
EventSetInformation
EventWrite
EventWriteTransfer

api-ms-win-core-registry-l1-1-0

RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegDeleteTreeW
RegEnumValueW
RegGetValueW
RegQueryValueExW
RegOpenCurrentUser
RegQueryInfoKeyW
RegCloseKey
RegDeleteValueW

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableLevel
UnregisterTraceGuids
GetTraceEnableFlags
TraceMessage
GetTraceLoggerHandle
RegisterTraceGuidsW

ntdll

RtlGetSuiteMask
vDbgPrintEx
NtPowerInformation
ZwClose
AlpcGetMessageAttribute
AlpcInitializeMessageAttribute
TpWaitForAlpcCompletion
ZwAlpcConnectPort
RtlWaitOnAddress
ZwAlpcQueryInformation
TpReleaseAlpcCompletion
ZwAlpcSendWaitReceivePort
ZwAlpcDisconnectPort
TpAllocAlpcCompletion
RtlWakeAddressAll
ZwAlpcCancelMessage
RtlFreeHeap
RtlAllocateHeap
RtlInitUnicodeString
RtlPublishWnfStateData
RtlSubscribeWnfStateChangeNotification
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlFreeUnicodeString
RtlConvertSidToUnicodeString
NtQueryWnfStateData
EtwTraceMessage
EtwEventActivityIdControl
EtwEventWrite
NtSetInformationProcess
NtSetInformationThread
RtlNtStatusToDosError

api-ms-win-core-libraryloader-l1-2-2

FindResourceW

api-ms-win-shcore-stream-l1-1-0

IStream_Write
SHOpenRegStream2W
IStream_Reset
SHCreateStreamOnFileW
SHCreateMemStream

api-ms-win-core-file-l1-2-1

DeleteFileW
GetTempPathW
FindFirstFileW
FindNextFileW
RemoveDirectoryW
GetFileAttributesExW
SetFileAttributesW
CreateDirectoryW
CompareFileTime
GetFileAttributesW
FindClose

api-ms-win-shcore-obsolete-l1-1-0

CommandLineToArgvW
SHStrDupW

api-ms-win-core-winrt-error-l1-1-1

RoOriginateError
RoGetMatchingRestrictedErrorInfo
RoTransformError
RoOriginateErrorW
SetRestrictedErrorInfo

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-winrt-l1-1-0

RoRegisterActivationFactories
RoActivateInstance
RoRevokeActivationFactories
RoGetActivationFactory

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-string-l2-1-0

CharLowerBuffW

api-ms-win-core-path-l1-1-0

PathAllocCombine
PathCchAppend

api-ms-win-shcore-registry-l1-1-1

SHSetValueW
SHDeleteKeyW
SHDeleteValueW
SHRegGetPathW
SHRegGetValueW
SHRegSetPathW

api-ms-win-core-registry-l1-1-1

RegDeleteKeyValueW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathStripPathW

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

api-ms-win-core-shlwapi-obsolete-l1-2-0

StrToIntExW
QISearch
StrStrIW

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW

api-ms-win-security-base-l1-2-0

AdjustTokenPrivileges
GetTokenInformation
GetSidSubAuthority
CreateWellKnownSid

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-security-provider-l1-1-0

SetEntriesInAclW
GetNamedSecurityInfoW
SetNamedSecurityInfoW

api-ms-win-core-delayload-l1-1-1

DelayLoadFailureHook
ResolveDelayLoadedAPI

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-url-l1-1-0

UrlEscapeW

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime

api-ms-win-power-base-l1-1-0

PowerDeterminePlatformRoleEx

api-ms-win-core-version-l1-1-0

VerQueryValueW
GetFileVersionInfoSizeExW
GetFileVersionInfoExW

propsys

PropVariantToStringAlloc
PropVariantToUInt32
PSCreateMemoryPropertyStore

Sections

.text
Size: 428KB - Virtual size: 427KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 200B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a00cf2d1948147f18cafeb4f02b59018

Code Sign

33:00:00:01:74:69:de:10:8b:37:65:a8:d7:00:00:00:00:01:74Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

fd:a8:6e:ae:37:16:e8:35:ef:52:a5:f5:df:da:b1:67:63:87:48:be:cd:46:b3:14:29:4d:83:9c:c8:46:9c:a8Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-heap-l1-2-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-localization-l1-2-1

api-ms-win-core-debug-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-shcore-thread-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-synch-l1-2-1

api-ms-win-core-heap-l2-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

ntdll

api-ms-win-core-libraryloader-l1-2-2

api-ms-win-shcore-stream-l1-1-0

api-ms-win-core-file-l1-2-1

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-util-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-path-l1-1-0

api-ms-win-shcore-registry-l1-1-1

api-ms-win-core-registry-l1-1-1

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-2-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-security-base-l1-2-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-security-provider-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-url-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-power-base-l1-1-0

api-ms-win-core-version-l1-1-0

propsys

Sections

.text Size: 428KB - Virtual size: 427KB

.data Size: 1024B - Virtual size: 3KB

.idata Size: 11KB - Virtual size: 11KB

.didat Size: 512B - Virtual size: 200B

.rsrc Size: 9KB - Virtual size: 8KB

.reloc Size: 23KB - Virtual size: 22KB

33:00:00:01:74:69:de:10:8b:37:65:a8:d7:00:00:00:00:01:74
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

fd:a8:6e:ae:37:16:e8:35:ef:52:a5:f5:df:da:b1:67:63:87:48:be:cd:46:b3:14:29:4d:83:9c:c8:46:9c:a8
Signer

.text
Size: 428KB - Virtual size: 427KB

.data
Size: 1024B - Virtual size: 3KB

.idata
Size: 11KB - Virtual size: 11KB

.didat
Size: 512B - Virtual size: 200B

.rsrc
Size: 9KB - Virtual size: 8KB

.reloc
Size: 23KB - Virtual size: 22KB