SettingSyncHost.exe

  • File Path: C:\Windows\SysWOW64\SettingSyncHost.exe
  • Description: Host Process for Setting Synchronization

Hashes

Type    Hash
MD5     80F1E4DC853D07994906F68CF156EE70
SHA1    C98AB79658ACDEC113B44B9757E53E275F35A991
SHA256  93F35856509E6332E6B1DDC883E960A103B14FF2C12B66CDFF2FED33F3C7659C
SHA384  53B29D9D49E7313315D36BA5E3D5D02A7110D775F90C019C4B85E8A636BB41D5999EC03946E842690868828BDE6DE456
SHA512  4C455EF80F32E31E7A30B6FE2C5781ECD917AA0AF2B56A9AAA6B60C065B7F4F928ACC5D4D538034981F1ED84096511CD928D45892509C3BA6483B0BCD71FBFC9
SSDEEP  24576:2vTLPZyX8XFy/1rRjJjpkmra8jADkpVx7yDZffo6Sjli:WTLPZyXawnkUdjDM9o68i
IMP     8872E42058372AAB0AB5AC752E0ADDD2
PESHA1  18A887262133D16CCB15CAC8DF711739D2EBE73C
PE256   E791994011860240EBAF0271D24F07ADC49C60D1413FF41BC6C116E84248E2C4

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\SettingSyncHost.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: SettingSyncHost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/93f35856509e6332e6b1ddc883e960a103b14ff2c12b66cdff2fed33f3c7659c/detection

Possible Misuse

The following table contains possible examples of SettingSyncHost.exe being misused. While SettingSyncHost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_using_settingsynchost_as_lolbin.yml | title: Using SettingSyncHost.exe as LOLBin | DRL 1.0
sigma | proc_creation_win_using_settingsynchost_as_lolbin.yml | description: Detects using SettingSyncHost.exe to run hijacked binary | DRL 1.0
sigma | proc_creation_win_using_settingsynchost_as_lolbin.yml | - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin | DRL 1.0
LOLBAS | SettingSyncHost.yml | Name: SettingSyncHost.exe |
LOLBAS | SettingSyncHost.yml | - Command: SettingSyncHost -LoadAndRunDiagScript anything |
LOLBAS | SettingSyncHost.yml | - Command: SettingSyncHost -LoadAndRunDiagScriptNoCab anything |
LOLBAS | SettingSyncHost.yml | - Path: C:\Windows\System32\SettingSyncHost.exe |
LOLBAS | SettingSyncHost.yml | - Path: C:\Windows\SysWOW64\SettingSyncHost.exe |
LOLBAS | SettingSyncHost.yml | - IOC: SettingSyncHost.exe should not be run on a normal workstation |
LOLBAS | SettingSyncHost.yml | - Link: https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/ |

MIT License. Copyright (c) 2020-2021 Strontic.