SessEnv[.]dll | Triage

Sharing

Copy URL Twitter E-mail

General

Target

SessEnv.dll
Size

435KB
MD5

bb97120e48aec5058ab68d5c801b5b70
SHA1

dc10c0c38fa07a935af62e19b41e35fc287ebeb9
SHA256

a80c98027c3a8b082bfd623061eb5cbe0b643a924bcd3f2d8045d310205c8225
SHA512

ae297e6dd50355652e37f2fdad37cccf3ac2291ad76cd11fd38e4d90b5f3b8b51b7822d86b4dcb97cded4a95457b6a721c8af563321f218e01d05f6ba8321f00
SSDEEP

12288:ik52hKaoMtQT/cPuPxbRa1jyXqU7FuUUx:158bQT/cP+VktU7FuUU

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
SessEnv.dll

Files

SessEnv.dll
.dll windows:10 windows x86 arch:x86

5e43e8dcdb36b70babe9b73fc5a7d281

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

SessEnv.pdb

Imports

msvcrt

swprintf_s
_initterm
_unlock
_callnewh
??0exception@@QAE@ABQBD@Z
malloc
??0exception@@QAE@ABQBDH@Z
__dllonexit
free
memmove_s
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
_CxxThrowException
memcpy
memmove
wcscpy_s
_onexit
?terminate@@YAXXZ
??1type_info@@UAE@XZ
??_V@YAXPAX@Z
_wcsicmp
memcpy_s
_wtol
_except_handler4_common
memcmp
__CxxFrameHandler3
_lock
wcschr
_vsnprintf
wcscat_s
_vsnwprintf
_amsg_exit
toupper
_XcptFilter
_purecall
_wcsnicmp
wcsncmp
wcsrchr
iswalpha
??3@YAXPAX@Z
memset

ntdll

NtDuplicateToken
NtQueryInformationProcess
RtlLengthSid
RtlAllocateHeap
RtlNtStatusToDosError
WinSqmSetDWORD
WinSqmStartSession
WinSqmAddToStream
WinSqmEndSession
WinSqmIsOptedIn
RtlGetActiveConsoleId
EtwEventWriteFull
EtwEventRegister
EtwEventUnregister
RtlUnsubscribeWnfStateChangeNotification
RtlSubscribeWnfStateChangeNotification
NtQueryWnfStateData
RtlInsertElementGenericTable
RtlLookupElementGenericTable
RtlQueryEnvironmentVariable_U
RtlInitUnicodeStringEx
RtlInitializeGenericTable
RtlDeleteElementGenericTable
RtlEnumerateGenericTable
RtlAllocateAndInitializeSid
RtlAcquireResourceExclusive
RtlReleaseResource
RtlAcquireResourceShared
DbgPrint
RtlEqualSid
VerSetConditionMask
RtlFreeSid
RtlInitializeResource
RtlVerifyVersionInfo
RtlCaptureStackBackTrace
RtlDeleteResource
NtQuerySystemInformation
RtlFreeHeap

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
LoadStringW
LoadLibraryExW
GetProcAddress
GetModuleHandleW
DisableThreadLibraryCalls
GetModuleFileNameW
GetModuleHandleExW
GetModuleFileNameA

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
GetLastError
UnhandledExceptionFilter
SetLastError

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

api-ms-win-service-core-l1-1-0

RegisterServiceCtrlHandlerExW
SetServiceStatus

api-ms-win-core-synch-l1-1-0

EnterCriticalSection
OpenSemaphoreW
AcquireSRWLockShared
WaitForSingleObject
InitializeCriticalSectionAndSpinCount
InitializeCriticalSectionEx
WaitForSingleObjectEx
ResetEvent
WaitForMultipleObjectsEx
LeaveCriticalSection
InitializeCriticalSection
CreateMutexExW
CreateEventW
SetEvent
ReleaseSRWLockExclusive
DeleteCriticalSection
AcquireSRWLockExclusive
CreateSemaphoreExW
ReleaseMutex
ReleaseSemaphore
ReleaseSRWLockShared

api-ms-win-core-registry-l1-1-0

RegOpenCurrentUser
RegQueryValueExW
RegNotifyChangeKeyValue
RegQueryInfoKeyW
RegGetValueW
RegDeleteValueW
RegEnumValueW
RegOpenKeyExW
RegDeleteTreeW
RegCloseKey
RegSetValueExW
RegLoadKeyW
RegCreateKeyExW
RegEnumKeyExW
RegUnLoadKeyW

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventActivityIdControl
EventSetInformation
EventProviderEnabled
EventRegister
EventWriteTransfer

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceExecuteOnce

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-core-processthreads-l1-1-0

ProcessIdToSessionId
GetCurrentThreadId
OpenThreadToken
CreateProcessW
CreateThread
OpenProcessToken
GetThreadId
TerminateThread
TerminateProcess
GetCurrentThread
GetCurrentProcessId
GetCurrentProcess
CreateProcessAsUserW

api-ms-win-core-sysinfo-l1-1-0

GetComputerNameExW
GetSystemDirectoryW
GetLocalTime
GetVersionExW
GetTickCount
GetSystemTimeAsFileTime
GetSystemTime

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx
CreateTimerQueueTimer
DeleteTimerQueueEx
CreateTimerQueue
DeleteTimerQueueTimer

sysntfy

SysNotifyStopServer
SysNotifyStartServer

dismapi

DismDisableFeature
DismOpenSession
DismInitialize
DismShutdown
DismEnableFeature

api-ms-win-eventing-controller-l1-1-0

StartTraceW
ControlTraceW
EnableTraceEx2

api-ms-win-core-com-l1-1-0

CoInitializeEx
CoTaskMemFree
CoWaitForMultipleHandles
CoTaskMemAlloc
StringFromCLSID
CoCreateGuid
CoUninitialize
CoSetProxyBlanket
CoCreateInstance
CoCreateInstanceEx

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringA
DebugBreak
OutputDebugStringW

api-ms-win-security-base-l1-1-0

GetAce
DuplicateTokenEx
GetLengthSid
EqualSid
GetFileSecurityW
SetFileSecurityW
CheckTokenMembership
GetSecurityDescriptorDacl
CreateWellKnownSid
DuplicateToken
SetSecurityDescriptorDacl
FreeSid
SetTokenInformation
CopySid
GetTokenInformation
RevertToSelf
GetSecurityDescriptorLength
SetSecurityDescriptorControl
InitializeSecurityDescriptor
IsValidSid
DeleteAce
GetSecurityDescriptorControl
AllocateAndInitializeSid
GetAclInformation
MakeAbsoluteSD
AdjustTokenPrivileges
ImpersonateLoggedOnUser

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-security-sddl-l1-1-0

ConvertStringSidToSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

rpcrt4

I_RpcBindingInqLocalClientPID
UuidCreate
RpcGetAuthorizationContextForClient
RpcServerInqCallAttributesW
NdrServerCall2
UuidToStringW
RpcStringFreeW
RpcBindingVectorFree
RpcServerInqDefaultPrincNameW
RpcStringBindingParseW
RpcEpRegisterW
RpcServerInqBindings
RpcServerUseProtseqExW
RpcBindingFree
RpcBindingInqAuthClientW
RpcBindingServerFromClient
RpcFreeAuthorizationContext
RpcServerUseProtseqEpW
RpcServerRegisterIfEx
RpcServerUnregisterIfEx
RpcBindingToStringBindingW
RpcServerRegisterAuthInfoW
RpcRevertToSelf
RpcImpersonateClient

api-ms-win-core-heap-l1-1-0

HeapFree
HeapReAlloc
GetProcessHeap
HeapAlloc

api-ms-win-core-file-l1-1-0

GetFileTime
GetFileAttributesW
FindNextFileW
RemoveDirectoryW
FindClose
DeleteVolumeMountPointW
CreateDirectoryW
FindFirstFileW
FindVolumeClose
CreateFileW
SetFileAttributesW
FindNextVolumeW
DeleteFileW
WriteFile
CompareFileTime
SetFilePointer
ReadFile
FileTimeToLocalFileTime
FindFirstVolumeW
GetFileSizeEx

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-shutdown-l1-1-0

InitiateSystemShutdownExW

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
CreateThreadpoolTimer

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToFileTime

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-file-l2-1-0

CreateSymbolicLinkW
CopyFileExW
GetFileInformationByHandleEx
MoveFileWithProgressW

api-ms-win-core-path-l1-1-0

PathCchCombine

api-ms-win-core-processthreads-l1-1-1

OpenProcess
GetProcessMitigationPolicy

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

samcli

NetLocalGroupDelMembers
NetLocalGroupAddMembers
NetUserGetInfo

api-ms-win-core-file-l1-2-0

GetVolumeNameForVolumeMountPointW
GetVolumePathNamesForVolumeNameW
GetTempPathW

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-security-credentials-l1-1-0

CredUnprotectW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrToIntExW

api-ms-win-security-lsalookup-l1-1-0

LookupAccountSidLocalW

api-ms-win-core-kernel32-legacy-l1-1-0

GetComputerNameW
WTSGetActiveConsoleSessionId
MoveFileW

api-ms-win-core-kernel32-legacy-l1-1-1

SetVolumeMountPointW
VerifyVersionInfoW

api-ms-win-core-registry-l2-1-0

RegEnumKeyW
RegDeleteKeyW

api-ms-win-security-provider-l1-1-0

SetEntriesInAclW

scecli

SceSetupSystemByInfName

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-security-lsapolicy-l1-1-0

LsaFreeMemory

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-eventlog-legacy-l1-1-0

ReportEventW
DeregisterEventSource
RegisterEventSourceW

Exports

Exports

ServiceMain
SvchostPushServiceGlobals

Sections

.text
Size: 394KB - Virtual size: 393KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 552B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

5e43e8dcdb36b70babe9b73fc5a7d281

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-service-core-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

sysntfy

dismapi

api-ms-win-eventing-controller-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-sddl-l1-1-0

rpcrt4

api-ms-win-core-heap-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-shutdown-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-path-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-psapi-l1-1-0

samcli

api-ms-win-core-file-l1-2-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-security-credentials-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-security-lsalookup-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-registry-l2-1-0

api-ms-win-security-provider-l1-1-0

scecli

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-security-lsapolicy-l1-1-0

api-ms-win-core-apiquery-l1-1-0

api-ms-win-eventlog-legacy-l1-1-0

Exports

Exports

Sections

.text Size: 394KB - Virtual size: 393KB

.data Size: 1KB - Virtual size: 14KB

.idata Size: 12KB - Virtual size: 12KB

.didat Size: 1024B - Virtual size: 552B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 23KB - Virtual size: 23KB

.text
Size: 394KB - Virtual size: 393KB

.data
Size: 1KB - Virtual size: 14KB

.idata
Size: 12KB - Virtual size: 12KB

.didat
Size: 1024B - Virtual size: 552B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 23KB - Virtual size: 23KB