SessEnv[.]dll | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

SessEnv.dll
Size

274KB
MD5

0b2e4cd938757b3b3bbb10c845bd6ee7
SHA1

b9bcc13143db21fcf58451b858e998c9c92d2381
SHA256

b3b1ffff5ec8facfc6eb990227eb4f072d6731e517a4a778ef8dc400be8f69cd
SHA512

d7331ad98c0a50a59358d42276d5557dbc6b9607ae00c1e3a8f53ff6c93c276f2eea37887621084b1a9897c11e44b8403ead8fb9b9bfa5256705424849761d73
SSDEEP

6144:8j8kVSUNuMawlRCiGF8GSxWpw4ROd4fLpFAfS3aAI51gqXAOAiqG4n2o6ARMJtU:MPArRCao1gqXAOAiqG42oZM

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
SessEnv.dll

Files

SessEnv.dll
.dll windows:6 windows x86 arch:x86

3cfaf9bce1e3bcba1f8de3798aea2e14

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

SessEnv.pdb

Imports

msvcrt

wcscat_s
wcscpy_s
wcschr
_wtol
??_V@YAXPAX@Z
memcpy_s
_vsnprintf
_wcsicmp
??1type_info@@UAE@XZ
__CxxFrameHandler3
_CxxThrowException
??2@YAPAXI@Z
_vsnwprintf
memcmp
memcpy
??_U@YAPAXI@Z
_except_handler4_common
_onexit
__dllonexit
_unlock
_lock
_initterm
malloc
free
_amsg_exit
_XcptFilter
_purecall
swprintf_s
??3@YAXPAX@Z
memmove
_wcsnicmp
wcsrchr
wcsncmp
iswalpha
memset

ntdll

RtlFreeHeap
RtlAllocateHeap
NtQueryInformationProcess
RtlNtStatusToDosError
WinSqmAddToStream
WinSqmEndSession
WinSqmSetDWORD
WinSqmStartSession
WinSqmIsOptedIn
EtwEventWriteFull
EtwEventRegister
EtwEventUnregister
RtlLookupElementGenericTable
RtlInsertElementGenericTable
RtlQueryEnvironmentVariable_U
RtlInitUnicodeStringEx
RtlInitializeGenericTable
RtlDeleteElementGenericTable
RtlEnumerateGenericTable
RtlAllocateAndInitializeSid
RtlAcquireResourceShared
RtlReleaseResource
RtlAcquireResourceExclusive
RtlCaptureStackBackTrace
RtlDeleteResource
RtlVerifyVersionInfo
RtlFreeSid
NtQuerySystemInformation
VerSetConditionMask
RtlInitializeResource

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
DisableThreadLibraryCalls
GetProcAddress
LoadStringW
GetModuleHandleExW
FreeLibrary

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableFlags
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceLoggerHandle
GetTraceEnableLevel
TraceMessage

api-ms-win-core-errorhandling-l1-1-1

UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
GetLastError

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-service-core-l1-1-1

RegisterServiceCtrlHandlerExW
SetServiceStatus

api-ms-win-core-synch-l1-2-0

WaitForSingleObject
CreateEventW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
ResetEvent
WaitForMultipleObjectsEx
Sleep
DeleteCriticalSection
SetEvent

api-ms-win-core-profile-l1-1-0

QueryPerformanceFrequency
QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-2

CreateThread
GetCurrentProcessId
GetCurrentThread
OpenThreadToken
OpenProcessToken
CreateProcessAsUserW
ProcessIdToSessionId
GetThreadId
OpenProcess
GetCurrentProcess
GetCurrentThreadId
TerminateThread
TerminateProcess

api-ms-win-core-sysinfo-l1-2-1

GetTickCount
GetSystemTimeAsFileTime
GetComputerNameExW
GetLocalTime
GetSystemDirectoryW
GetSystemTime

kernel32

MoveFileW
UnregisterWaitEx
SetVolumeMountPointW
WaitForMultipleObjects
WTSGetActiveConsoleSessionId
DeleteTimerQueueTimer
CreateTimerQueueTimer
DeleteTimerQueueEx
CreateTimerQueue
LoadLibraryW

sysntfy

SysNotifyStartServer
SysNotifyStopServer

api-ms-win-eventing-controller-l1-1-0

EnableTraceEx2
StartTraceW
ControlTraceW

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegOpenKeyExW
RegDeleteTreeW
RegEnumKeyExW
RegSetValueExW
RegEnumValueW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenCurrentUser
RegUnLoadKeyW
RegDeleteValueW
RegLoadKeyW
RegGetValueW
RegCreateKeyExW
RegNotifyChangeKeyValue

api-ms-win-core-com-l1-1-1

CoCreateGuid
CoUninitialize
CoCreateInstance
StringFromCLSID
CoTaskMemFree
CoSetProxyBlanket
CoCreateInstanceEx
CoInitializeEx

api-ms-win-core-debug-l1-1-1

OutputDebugStringA

api-ms-win-security-base-l1-2-0

RevertToSelf
GetLengthSid
CheckTokenMembership
SetFileSecurityW
GetTokenInformation
GetAclInformation
AdjustTokenPrivileges
CopySid
AllocateAndInitializeSid
MakeAbsoluteSD
EqualSid
SetTokenInformation
SetSecurityDescriptorDacl
GetAce
GetSecurityDescriptorDacl
DuplicateTokenEx
CreateWellKnownSid
SetSecurityDescriptorControl
DeleteAce
GetSecurityDescriptorControl
InitializeSecurityDescriptor
GetSecurityDescriptorLength
IsValidSid
GetFileSecurityW

api-ms-win-core-heap-l1-2-0

HeapReAlloc
HeapAlloc
GetProcessHeap
HeapFree

api-ms-win-core-file-l1-2-1

CompareFileTime
GetTempPathW
FileTimeToLocalFileTime
FindClose
RemoveDirectoryW
GetFileTime
GetFileAttributesW
GetFileSizeEx
ReadFile
FindFirstVolumeW
FindNextVolumeW
FindVolumeClose
SetFileAttributesW
DeleteVolumeMountPointW
FindNextFileW
FindFirstFileW
CreateFileW
DeleteFileW
CreateDirectoryW
SetFilePointer
WriteFile
GetVolumeNameForVolumeMountPointW
GetVolumePathNamesForVolumeNameW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
ConvertStringSidToSidW

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime

api-ms-win-core-processenvironment-l1-2-0

ExpandEnvironmentStringsW

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolWork
WaitForThreadpoolWorkCallbacks
CallbackMayRunLong
CreateThreadpoolWork
SubmitThreadpoolWork

api-ms-win-core-io-l1-1-1

DeviceIoControl

rpcrt4

RpcServerInqDefaultPrincNameW
I_RpcBindingInqLocalClientPID
RpcStringFreeW
RpcServerUseProtseqEpW
UuidCreate
NdrServerCall2
RpcServerRegisterAuthInfoW
RpcServerRegisterIfEx
RpcServerUnregisterIfEx
RpcBindingToStringBindingW
RpcStringBindingParseW
RpcServerInqCallAttributesW
RpcGetAuthorizationContextForClient
RpcFreeAuthorizationContext
RpcImpersonateClient
RpcRevertToSelf
UuidToStringW

api-ms-win-core-file-l2-1-1

CreateSymbolicLinkW
MoveFileWithProgressW
CopyFileExW
GetFileInformationByHandleEx

api-ms-win-core-path-l1-1-0

PathCchCombine

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-security-credentials-l1-1-0

CredUnprotectW

api-ms-win-core-heap-obsolete-l1-1-0

LocalAlloc
LocalFree
LocalSize

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrToIntExW

api-ms-win-security-lsalookup-l1-1-1

LookupAccountSidLocalW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI
DelayLoadFailureHook

shell32

SHGetKnownFolderPath

api-ms-win-core-localization-l1-2-1

FormatMessageW

Exports

Exports

ServiceMain
SvchostPushServiceGlobals

Sections

.text
Size: 235KB - Virtual size: 234KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

3cfaf9bce1e3bcba1f8de3798aea2e14

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-handle-l1-1-0

api-ms-win-service-core-l1-1-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-sysinfo-l1-2-1

kernel32

sysntfy

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-debug-l1-1-1

api-ms-win-security-base-l1-2-0

api-ms-win-core-heap-l1-2-0

api-ms-win-core-file-l1-2-1

api-ms-win-core-string-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-io-l1-1-1

rpcrt4

api-ms-win-core-file-l2-1-1

api-ms-win-core-path-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-security-credentials-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-security-lsalookup-l1-1-1

api-ms-win-core-delayload-l1-1-1

shell32

api-ms-win-core-localization-l1-2-1

Exports

Exports

Sections

.text Size: 235KB - Virtual size: 234KB

.data Size: 12KB - Virtual size: 12KB

.idata Size: 9KB - Virtual size: 9KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 14KB - Virtual size: 14KB

.text
Size: 235KB - Virtual size: 234KB

.data
Size: 12KB - Virtual size: 12KB

.idata
Size: 9KB - Virtual size: 9KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 14KB - Virtual size: 14KB