SettingSyncHost.exe

  • File Path: C:\Windows\SysWOW64\SettingSyncHost.exe
  • Description: Host Process for Setting Synchronization

Hashes

Type Hash
MD5 7A3B783ADC3F5C6746BCD2FA350CF235
SHA1 C688621818F5A4E8AC52DC198B1A9E1D6917B758
SHA256 293FB25450DF50173992D6D406DBD8BBD6B70E43C0B22383D0954B333AECD7D6
SHA384 E055FF9B7B800D1D1500311F694B8E9CD9C3087567B516D764E7A05A1C81EE1E981666A010FF7C7CB2622AE101D61FEA
SHA512 5238B899D148AD23333AF1A6FC180EEBB6ED5ED9D5F00F5A7918683EE2302DA093A04C29DFC3CDE52171D4AE8129F833B7E88373AEEB82EE32E331D007588E46
SSDEEP 24576:Hr3TSK6MEYsvCzhO+N8I1LEjjjktjlaOckmWZh/FZx:rTSK6MEABajctVh/FZx
IMP 8872E42058372AAB0AB5AC752E0ADDD2
PESHA1 C69B9210584312570114E150919093EFE41B1639
PE256 728E38F7B0CB1AAD5D1159EC71841FA89B88F538928157C763E43A40B88974F9

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\SettingSyncHost.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: SettingSyncHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1320 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1320
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/293fb25450df50173992d6d406dbd8bbd6b70e43c0b22383d0954b333aecd7d6/detection

Possible Misuse

The following table contains possible examples of SettingSyncHost.exe being misused. While SettingSyncHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_using_settingsynchost_as_lolbin.yml title: Using SettingSyncHost.exe as LOLBin DRL 1.0
sigma proc_creation_win_using_settingsynchost_as_lolbin.yml description: Detects using SettingSyncHost.exe to run hijacked binary DRL 1.0
sigma proc_creation_win_using_settingsynchost_as_lolbin.yml - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin DRL 1.0
LOLBAS SettingSyncHost.yml Name: SettingSyncHost.exe  
LOLBAS SettingSyncHost.yml - Command: SettingSyncHost -LoadAndRunDiagScript anything  
LOLBAS SettingSyncHost.yml - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything  
LOLBAS SettingSyncHost.yml - Path: C:\Windows\System32\SettingSyncHost.exe  
LOLBAS SettingSyncHost.yml - Path: C:\Windows\SysWOW64\SettingSyncHost.exe  
LOLBAS SettingSyncHost.yml - IOC: SettingSyncHost.exe should not be run on a normal workstation  
LOLBAS SettingSyncHost.yml - Link: https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/  

MIT License. Copyright (c) 2020-2021 Strontic.