nsWscSvc[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

nsWscSvc.exe
Size

1.0MB
MD5

d24ad24072fb293979224e86a03f71d9
SHA1

da1e6f6e3e4df03075c5edcd858d9879d61ece4c
SHA256

6b1332ed243dc0d540a7997ded8180b0a2629335f37b804c908f514ef4ad0d87
SHA512

aa4e65e15f022c56d8860f0f63e73f13e252f0b8fac0a4526a7f1f6bca9cb20b22d11368f291a80394e1f8568e883a1874d9a855474e9fc4ab65d63e7b8b4d56
SSDEEP

12288:KJp4vnjMXKZiWbyKAhdOsXI6XMeyx7e0SVdyjhpcqPPaaKkU6mICIbm4:KJqvnjCCiqAPOS1yx79S0bRKhIja4

Score

1^/10

Malware Config

Signatures

Files

nsWscSvc.exe
.exe windows:6 windows x64 arch:x64

0e641365e918156365a8b2ad4e2a9290

Code Sign

ba:5f:e5:a4:aa:e3:4f:22:5f:dc:f4:92:5c:8f:d5:7d
Certificate

Issuer

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Not Before

24/03/2021, 00:00

Not After

11/03/2022, 23:59

Subject

CN=NortonLifeLock Inc.,OU=Norton Product Engineering - CM,O=NortonLifeLock Inc.,POSTALCODE=85281,STREET=60 E. Rio Salado Pkwy Suite 600,L=Tempe,ST=Arizona,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

Issuer

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Not Before

02/11/2018, 00:00

Not After

31/12/2030, 23:59

Subject

CN=Sectigo RSA Code Signing CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:44:b7:3f:fc:ef:5a:cf:a2:7a:00:00:00:00:00:44
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22/07/2015, 21:03

Not After

22/07/2025, 21:03

Subject

CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22/10/2013, 12:00

Not After

22/10/2028, 12:00

Subject

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0b:be:91:35:61:37:61:3e:57:68:3e:60:3e:c5:38:bd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Code Signing CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

17/05/2021, 00:00

Not After

21/05/2024, 23:59

Subject

CN=NortonLifeLock Inc.,OU=Norton Product Engineering - CM,O=NortonLifeLock Inc.,L=Tempe,ST=Arizona,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01/01/2021, 00:00

Not After

06/01/2031, 00:00

Subject

CN=DigiCert Timestamp 2021,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

18:46:46:5d:24:d0:5c:76:03:02:6f:b1:74:51:e8:59:e2:45:c7:1f:aa:4e:a5:7c:d9:95:64:de:ce:3a:43:d1
Signer

Actual PE Digest

18:46:46:5d:24:d0:5c:76:03:02:6f:b1:74:51:e8:59:e2:45:c7:1f:aa:4e:a5:7c:d9:95:64:de:ce:3a:43:d1

Digest Algorithm

sha256

PE Digest Matches

true

18:46:46:5d:24:d0:5c:76:03:02:6f:b1:74:51:e8:59:e2:45:c7:1f:aa:4e:a5:7c:d9:95:64:de:ce:3a:43:d1
Signer

Actual PE Digest

18:46:46:5d:24:d0:5c:76:03:02:6f:b1:74:51:e8:59:e2:45:c7:1f:aa:4e:a5:7c:d9:95:64:de:ce:3a:43:d1

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\bld_area\Norton_Internet_Security_22.22.2_14\VS141\Bin\x64\Release\nsWscSvc.pdb

Imports

kernel32

GetCurrentThread
GetCurrentProcess
GetSystemInfo
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
SetFilePointer
WriteFile
FlushFileBuffers
SetEndOfFile
DeleteFileW
CreateDirectoryW
FileTimeToSystemTime
GetTempPathW
TerminateProcess
CreateProcessW
VirtualAlloc
VirtualFree
CreateSemaphoreW
ReleaseSemaphore
DuplicateHandle
GetSystemTime
GetCurrentProcessId
ProcessIdToSessionId
VirtualQuery
OpenProcess
GetSystemTimeAsFileTime
GetLongPathNameW
GetSystemDirectoryW
lstrlenA
RtlCaptureContext
FindNextFileW
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
WaitForSingleObjectEx
GetStartupInfoW
QueryPerformanceCounter
InitializeSListHead
QueryDosDeviceW
ExpandEnvironmentStringsW
SetLastError
lstrcmpA
lstrcmpW
RtlUnwindEx
RtlPcToFileHeader
EncodePointer
TlsAlloc
TlsGetValue
GetModuleHandleW
TlsFree
GetFileAttributesExW
VirtualProtect
ExitProcess
GetModuleHandleExW
GetStdHandle
GetCommandLineA
GetCommandLineW
GetFileType
CompareStringW
LCMapStringW
FindFirstFileExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetStringTypeW
GetConsoleCP
GetConsoleMode
SetFilePointerEx
WriteConsoleW
lstrlenW
WaitForMultipleObjects
GetTickCount
WaitForMultipleObjectsEx
GetCurrentThreadId
WideCharToMultiByte
GetProcAddress
FindClose
FindFirstFileW
ResetEvent
SetEvent
CreateEventW
GetFileAttributesW
GetModuleFileNameW
CreateFileW
ReadFile
CloseHandle
GetFileSize
MultiByteToWideChar
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
OutputDebugStringW
IsDebuggerPresent
FindResourceExW
FindResourceW
LoadResource
LockResource
SizeofResource
VerifyVersionInfoW
VerSetConditionMask
CreateThread
WaitForSingleObject
FreeLibrary
LoadLibraryExW
TlsSetValue
LoadLibraryW
LoadLibraryExA
GetProcessTimes
GetProcessHeap
DeleteCriticalSection
HeapDestroy
HeapAlloc
RaiseException
HeapReAlloc
GetLastError
HeapSize
InitializeCriticalSectionAndSpinCount
LocalFree
HeapFree
ReadProcessMemory

user32

MsgWaitForMultipleObjectsEx
PeekMessageW
IsWindowUnicode
GetMessageA
GetMessageW
TranslateMessage
DispatchMessageA
DispatchMessageW
wsprintfW

advapi32

MakeSelfRelativeSD
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
GetAclInformation
AddAce
InitializeAcl
GetSidSubAuthorityCount
RegSetKeySecurity
IsValidSid
GetLengthSid
ConvertSidToStringSidW
CopySid
TraceMessage
ControlTraceW
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
GetSidSubAuthority
InitializeSid
GetSidLengthRequired
ConvertStringSecurityDescriptorToSecurityDescriptorW
AdjustTokenPrivileges
LookupPrivilegeValueW
FreeSid
EqualSid
GetTokenInformation
OpenProcessToken
OpenThreadToken
AllocateAndInitializeSid
RegEnumKeyExW
RegQueryInfoKeyW
RegEnumValueW
RegSetValueExW
RegDeleteValueW
RegCreateKeyExW
CloseServiceHandle
ChangeServiceConfig2W
OpenServiceW
OpenSCManagerW
RegisterServiceCtrlHandlerExW
SetServiceStatus
StartServiceCtrlDispatcherW
GetSecurityDescriptorLength
GetSecurityDescriptorControl
MakeAbsoluteSD
InitializeSecurityDescriptor
LookupAccountSidW
GetSecurityDescriptorSacl

rpcrt4

RpcBindingFromStringBindingW
RpcBindingSetAuthInfoW
RpcServerRegisterIfEx
RpcServerUseProtseqEpW
RpcServerUnregisterIf
NdrClientCall3
NdrServerCallAll
NdrServerCall2
RpcBindingSetAuthInfoExW
RpcBindingToStringBindingW
RpcStringBindingParseW
RpcRaiseException
RpcBindingInqAuthClientW
RpcStringFreeW
UuidCreate
RpcServerInqCallAttributesW
RpcStringBindingComposeW
RpcRevertToSelf
RpcImpersonateClient
RpcSmDestroyClientContext
RpcBindingFree

ole32

StringFromIID
CLSIDFromString
CoUninitialize
StringFromGUID2
CoCreateGuid
CoCreateInstance
CoTaskMemFree
CoInitializeEx

oleaut32

SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayCreateVector
SafeArrayLock
SafeArrayPtrOfIndex
SafeArrayUnlock
SafeArrayCreate
SysStringByteLen
SysAllocStringByteLen
VariantCopyInd
SysFreeString
SysStringLen
SysAllocString
VariantInit
VariantClear

shlwapi

PathAddBackslashW
SHDeleteKeyW
PathAppendW
PathIsUNCServerW
PathRemoveFileSpecW
SHDeleteEmptyKeyW

crypt32

CertGetNameStringW
CertNameToStrW
CryptQueryObject
CryptMsgGetParam
CertFindCertificateInStore
CertFreeCertificateContext
CertCloseStore
CryptMsgClose
CertGetEnhancedKeyUsage

wintrust

CryptCATAdminCalcHashFromFileHandle
CryptCATAdminReleaseContext
CryptCATAdminAcquireContext
CryptCATAdminReleaseCatalogContext
CryptCATCatalogInfoFromContext
CryptCATAdminEnumCatalogFromHash
WintrustGetRegPolicyFlags
WinVerifyTrust

Sections

.text
Size: 638KB - Virtual size: 638KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 182KB - Virtual size: 182KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 30KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 147KB - Virtual size: 146KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

0e641365e918156365a8b2ad4e2a9290

Code Sign

ba:5f:e5:a4:aa:e3:4f:22:5f:dc:f4:92:5c:8f:d5:7dCertificate

Extended Key Usages

Key Usages

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6aCertificate

Extended Key Usages

Key Usages

33:00:00:00:44:b7:3f:fc:ef:5a:cf:a2:7a:00:00:00:00:00:44Certificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08Certificate

Extended Key Usages

Key Usages

0b:be:91:35:61:37:61:3e:57:68:3e:60:3e:c5:38:bdCertificate

Extended Key Usages

Key Usages

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:ddCertificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

18:46:46:5d:24:d0:5c:76:03:02:6f:b1:74:51:e8:59:e2:45:c7:1f:aa:4e:a5:7c:d9:95:64:de:ce:3a:43:d1Signer

18:46:46:5d:24:d0:5c:76:03:02:6f:b1:74:51:e8:59:e2:45:c7:1f:aa:4e:a5:7c:d9:95:64:de:ce:3a:43:d1Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

user32

advapi32

rpcrt4

ole32

oleaut32

shlwapi

crypt32

wintrust

Sections

.text Size: 638KB - Virtual size: 638KB

.rdata Size: 182KB - Virtual size: 182KB

.data Size: 5KB - Virtual size: 20KB

.pdata Size: 30KB - Virtual size: 30KB

.rsrc Size: 147KB - Virtual size: 146KB

.reloc Size: 5KB - Virtual size: 5KB

ba:5f:e5:a4:aa:e3:4f:22:5f:dc:f4:92:5c:8f:d5:7d
Certificate

1d:a2:48:30:6f:9b:26:18:d0:82:e0:96:7d:33:d3:6a
Certificate

33:00:00:00:44:b7:3f:fc:ef:5a:cf:a2:7a:00:00:00:00:00:44
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
Certificate

0b:be:91:35:61:37:61:3e:57:68:3e:60:3e:c5:38:bd
Certificate

0d:42:4a:e0:be:3a:88:ff:60:40:21:ce:14:00:f0:dd
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

18:46:46:5d:24:d0:5c:76:03:02:6f:b1:74:51:e8:59:e2:45:c7:1f:aa:4e:a5:7c:d9:95:64:de:ce:3a:43:d1
Signer

18:46:46:5d:24:d0:5c:76:03:02:6f:b1:74:51:e8:59:e2:45:c7:1f:aa:4e:a5:7c:d9:95:64:de:ce:3a:43:d1
Signer

.text
Size: 638KB - Virtual size: 638KB

.rdata
Size: 182KB - Virtual size: 182KB

.data
Size: 5KB - Virtual size: 20KB

.pdata
Size: 30KB - Virtual size: 30KB

.rsrc
Size: 147KB - Virtual size: 146KB

.reloc
Size: 5KB - Virtual size: 5KB