SettingSyncHost.exe

  • File Path: C:\Windows\system32\SettingSyncHost.exe
  • Description: Host Process for Setting Synchronization

Hashes

Type Hash
MD5 06393D54087A796B8C2FF4B63936AFC3
SHA1 BA333CA74945F6A694E52F27C5132CDE8384787D
SHA256 C6F310EE401EFFB174271BB44D3CA76704C186E76995498D14C5C9B8040BAD04
SHA384 662AB025C0EF2215EBBFD6BEDC26D38958FFB456CE9775D4B79AEB5C673A1528A4A5F18B0D89042F3B81450B3893D7AF
SHA512 8BAADA6B0A375848184852F9F3C3907794CBB116EC0BCFDAE5EA7E7FE907F1E3BC19C1B8B846C6DB29C4EF9733747BD0A23ACD4761B3C5F41293CE6CB813AC7C
SSDEEP 24576:Pdyu/PtZBrzXj92+tVAZRYC0H4fXJq4w0Tf9oM:AWZBvj9viZjo4fZq6Tf9o
IMP 340A6EC50943D4A1A0A0FF2FE4B8B939
PESHA1 00F9C6ED1A8C3763F6E7F052F67E9269F9C2A8C5
PE256 9A47BCE1F6D071D0AEC3F2FD06BD87CA5FEF6F8C26D757FAC23A689FBC9489A0

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\ntmarta.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\powrprof.dll
C:\Windows\System32\profapi.dll
C:\Windows\system32\PROPSYS.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\system32\SettingSyncHost.exe
C:\Windows\System32\shcore.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\system32\USERENV.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: SettingSyncHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1075 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1075
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/c6f310ee401effb174271bb44d3ca76704c186e76995498d14c5c9b8040bad04/detection/

Possible Misuse

The following table contains possible examples of SettingSyncHost.exe being misused. While SettingSyncHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_using_settingsynchost_as_lolbin.yml title: Using SettingSyncHost.exe as LOLBin DRL 1.0
sigma proc_creation_win_using_settingsynchost_as_lolbin.yml description: Detects using SettingSyncHost.exe to run hijacked binary DRL 1.0
sigma proc_creation_win_using_settingsynchost_as_lolbin.yml - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin DRL 1.0
LOLBAS SettingSyncHost.yml Name: SettingSyncHost.exe  
LOLBAS SettingSyncHost.yml - Command: SettingSyncHost -LoadAndRunDiagScript anything  
LOLBAS SettingSyncHost.yml - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything  
LOLBAS SettingSyncHost.yml - Path: C:\Windows\System32\SettingSyncHost.exe  
LOLBAS SettingSyncHost.yml - Path: C:\Windows\SysWOW64\SettingSyncHost.exe  
LOLBAS SettingSyncHost.yml - IOC: SettingSyncHost.exe should not be run on a normal workstation  
LOLBAS SettingSyncHost.yml - Link: https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/  

MIT License. Copyright (c) 2020-2021 Strontic.