Edit tour
Windows
Analysis Report
elevation_service.exe
Overview
General Information
| Sample Name: | elevation_service.exe |
| Analysis ID: | 1266893 |
| MD5: | 00b82a84331b50fd0c49af2664bb20f1 |
| SHA1: | eb4eb12c53c65a39e3503aec761f9999d1e9a5e1 |
| SHA256: | 0a3ef578ee9e034215f95495566844f15a283bf8a27c112ce4ed2d2949fa38cb |
| Infos: | |
 | |
Detection
| Score: | 2 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 40% |
Signatures
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Classification
Analysis Advice
| Initial sample is implementing a service and should be registered / started as service |
| Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior |
| Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--") |
- System is w10x64native
cmd.exe (PID: 11020 cmdline: cmd /c sc create wZR RZ binpath = "C:\User s\user\Des ktop\eleva tion_servi ce.exe" >> C:\servic ereg.log 2 >&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 11032 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68) 
sc.exe (PID: 11088 cmdline: sc create wZRRZ binp ath= "C:\U sers\user\ Desktop\el evation_se rvice.exe" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
- cmd.exe (PID: 10060 cmdline:
cmd /c sc start wZRR Z >> C:\se rvicestart .log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 10212 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68) - sc.exe (PID: 11236 cmdline:
sc start w ZRRZ MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
- elevation_service.exe (PID: 11220 cmdline:
C:\Users\u ser\Deskto p\elevatio n_service. exe MD5: 00B82A84331B50FD0C49AF2664BB20F1)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Boot Survival
- • Malware Analysis System Evasion
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Code function: | 6_2_00007FF6172A275E | |
| Source: | Code function: | 6_2_00007FF6172A1760 | |
| Source: | Code function: | 6_2_00007FF6172A3260 | |
| Source: | Code function: | 6_2_00007FF6172A3C60 | |
| Source: | Code function: | 6_2_00007FF6172A4090 | |
| Source: | Code function: | 6_2_00007FF6172A3EF0 | |
| Source: | Code function: | 6_2_00007FF6172A6120 | |
| Source: | Code function: | 6_2_00007FF6172A3B00 | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Classification label: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 6_2_00007FF6172A4B53 | |
| Source: | Code function: | 6_2_00007FF6172A4B53 | |
| Source: | Code function: | 6_2_00007FF6172A7F1C | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Process created: | ||
| Source: | Last function: | ||
| Source: | Last function: | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 6_2_00007FF617357084 | |
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 2 Command and Scripting Interpreter | 1 Windows Service | 1 Windows Service | 11 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 11 Process Injection | 1 DLL Side-Loading | LSASS Memory | 2 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 1 Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse | ||
| 0% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
⊘No contacted IP infos
| Joe Sandbox Version: | 38.0.0 Beryl |
| Analysis ID: | 1266893 |
| Start date and time: | 2023-07-05 05:02:36 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 6m 36s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301 |
| Number of analysed new started processes analysed: | 8 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | elevation_service.exe |
| Detection: | CLEAN |
| Classification: | clean2.winEXE@9/2@0/0 |
| EGA Information: | Failed |
| HDC Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): dllhost.exe - Excluded IPs from analysis (wh
itelisted): 20.190.159.23, 40. 126.31.71, 40.126.31.67, 20.19 0.159.64, 20.190.159.75, 20.19 0.159.71, 40.126.31.69, 20.190 .159.68 - Excluded domains from analysis
(whitelisted): client.wns.win dows.com, prdv4a.aadg.msidenti ty.com, login.live.com, www.tm .v4.a.prd.aadg.akadns.net, log in.msa.msidentity.com, www.tm. lg.prod.aadmsa.trafficmanager. net - Execution Graph export aborted
for target elevation_service. exe, PID 11220 because there a re no executed function - Not all processes where analyz
ed, report is missing behavior information
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 28 |
| Entropy (8bit): | 3.678439190827718 |
| Encrypted: | false |
| SSDEEP: | 3:4A4AnXjzSv:4HAnXjg |
| MD5: | A8F4D690C5BDE96AD275C7D4ABE0E3D3 |
| SHA1: | 7C62C96EFD2CA4F3C3EBF0B24C9B5B4C04A4570A |
| SHA-256: | 596CCC911C1772735AAC6A6B756A76D3D55BCECD006B980CF147090B2243FA7B |
| SHA-512: | A875EBE3C5CDF222FF9D08576F4D996AF827A1C86B3E758CE23F6B33530D512A82CE8E39E519837512080C6212A0A19B3385809BE5F5001C4E488DD79550B852 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Windows\SysWOW64\cmd.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 410 |
| Entropy (8bit): | 3.4446506181384065 |
| Encrypted: | false |
| SSDEEP: | 6:lg3D/8FQTgVKBRjrvnsn8qLLFmLaZnsHgm66//Vh//mIefq:lgAuTgV0HvGZLQqOVxmIcq |
| MD5: | BD64D2D159C17334BC9F394099E3533D |
| SHA1: | 7B79545731CE49037959254E6DEFCBBB70E2980E |
| SHA-256: | 08E1366334EA20862F3123AEA10A75BEC11FAD4EBADB1CFB12724CA66E3D0CA2 |
| SHA-512: | C5C25616204F7CD31F565F61A0E2C9D57A9A2EB92C66FB77CE63224028E57561B79E33070BC1F9324BA3BF1851C628EE2F2730D1D2798A8A894B326E7FEE67CF |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 6.516571851319777 |
| TrID: |
|
| File name: | elevation_service.exe |
| File size: | 1'722'136 bytes |
| MD5: | 00b82a84331b50fd0c49af2664bb20f1 |
| SHA1: | eb4eb12c53c65a39e3503aec761f9999d1e9a5e1 |
| SHA256: | 0a3ef578ee9e034215f95495566844f15a283bf8a27c112ce4ed2d2949fa38cb |
| SHA512: | 65d242b068835db40fed569cd3648525291d3dce39a596dd1a669f405da045d489553e9f41dee1f5a030c1329d4c1780749ac77e9790f3a6eb1d73f7519416c7 |
| SSDEEP: | 49152:WbKaD0LfC4uq8zk5ZVXIt511WhcjCI7gTg8:KHrD6Gt5Vj8 |
| TLSH: | 1D857B13F28941E8D06EC1B4874AA132E962BC591B35B6DF0690B36A2F77EE45F3D710 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....m.c.........."..........T......pp.........@....................................L.....`........................................ |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x1400b7070 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x140000000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
| DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x63976DEC [Mon Dec 12 18:07:40 2022 UTC] |
| TLS Callbacks: | 0x4005fdc0, 0x1, 0x40068850, 0x1, 0x400b59c0, 0x1, 0x4005edc0, 0x1 |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 2 |
| File Version Major: | 5 |
| File Version Minor: | 2 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 2 |
| Import Hash: | 803a08f42b07f48508203cc8414cb6f2 |
| Signature Valid: | true |
| Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
| Signature Validation Error: | The operation completed successfully |
| Error Number: | 0 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | DC429A22AA63D23DB8E84F53D05D1D48 |
| Thumbprint SHA-1: | 2673EA6CC23BEFFDA49AC715B121544098A1284C |
| Thumbprint SHA-256: | 7D3D117664F121E592EF897973EF9C159150E3D736326E9CD2755F71E0FEBC0C |
| Serial: | 0E4418E2DEDE36DD2974C3443AFB5CE5 |
| Instruction |
|---|
| dec eax |
| sub esp, 28h |
| call 00007F888CD857D0h |
| dec eax |
| add esp, 28h |
| jmp 00007F888CD8563Fh |
| int3 |
| int3 |
| dec eax |
| mov dword ptr [esp+20h], ebx |
| push ebp |
| dec eax |
| mov ebp, esp |
| dec eax |
| sub esp, 20h |
| dec eax |
| mov eax, dword ptr [000CAF90h] |
| dec eax |
| mov ebx, 2DDFA232h |
| cdq |
| sub eax, dword ptr [eax] |
| add byte ptr [eax+3Bh], cl |
| ret |
| jne 00007F888CD85836h |
| dec eax |
| and dword ptr [ebp+18h], 00000000h |
| dec eax |
| lea ecx, dword ptr [ebp+18h] |
| call dword ptr [000BDB02h] |
| dec eax |
| mov eax, dword ptr [ebp+18h] |
| dec eax |
| mov dword ptr [ebp+10h], eax |
| call dword ptr [000BDA0Ch] |
| mov eax, eax |
| dec eax |
| xor dword ptr [ebp+10h], eax |
| call dword ptr [000BD9F0h] |
| mov eax, eax |
| dec eax |
| lea ecx, dword ptr [ebp+20h] |
| dec eax |
| xor dword ptr [ebp+10h], eax |
| call dword ptr [000BDC18h] |
| mov eax, dword ptr [ebp+20h] |
| dec eax |
| lea ecx, dword ptr [ebp+10h] |
| dec eax |
| shl eax, 20h |
| dec eax |
| xor eax, dword ptr [ebp+20h] |
| dec eax |
| xor eax, dword ptr [ebp+10h] |
| dec eax |
| xor eax, ecx |
| dec eax |
| mov ecx, FFFFFFFFh |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x173f48 | 0x5a | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x173fa2 | 0xf0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1b5000 | 0x1710 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1a0000 | 0xb124 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1a1e00 | 0x2918 | .pdata |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1b7000 | 0x1954 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x172e64 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x172d48 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x14d210 | 0x138 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x174838 | 0x7a0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x14bfd6 | 0x14c000 | False | 0.5062395578407379 | data | 6.5637417626753285 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x14d000 | 0x34468 | 0x34600 | False | 0.4221919749403341 | data | 5.6179107276024185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x182000 | 0x1d714 | 0xfa00 | False | 0.034015625 | data | 1.4621814463254232 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x1a0000 | 0xb124 | 0xb200 | False | 0.5072638693820225 | data | 5.995875272028912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .00cfg | 0x1ac000 | 0x28 | 0x200 | False | 0.0625 | data | 0.4339803984665279 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .gxfg | 0x1ad000 | 0x2970 | 0x2a00 | False | 0.42587425595238093 | data | 5.198183877306727 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .retplne | 0x1b0000 | 0x6c | 0x200 | False | 0.08984375 | data | 0.9850533023094143 | |
| .tls | 0x1b1000 | 0x1c1 | 0x200 | False | 0.04296875 | data | 0.1364637916558982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .voltbl | 0x1b2000 | 0x46 | 0x200 | False | 0.158203125 | data | 1.1423295645151728 | |
| _RDATA | 0x1b3000 | 0xf4 | 0x200 | False | 0.298828125 | data | 2.4312939888528167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| malloc_h | 0x1b4000 | 0xea | 0x200 | False | 0.4375 | data | 3.6541214822331987 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x1b5000 | 0x1710 | 0x1800 | False | 0.3981119791666667 | data | 4.462261152320793 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x1b7000 | 0x1954 | 0x1a00 | False | 0.3523137019230769 | data | 5.420124655622583 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| TYPELIB | 0x1b5100 | 0xdb4 | data | English | United States | 0.3831242873432155 |
| RT_VERSION | 0x1b5eb8 | 0x480 | data | English | United States | 0.4401041666666667 |
| RT_MANIFEST | 0x1b6338 | 0x3d2 | XML 1.0 document, ASCII text, with very long lines (864) | English | United States | 0.5398773006134969 |
| DLL | Import |
|---|---|
| ADVAPI32.dll | AddAce, CopySid, CreateProcessAsUserW, EventRegister, EventUnregister, EventWrite, GetAclInformation, GetLengthSid, GetSecurityDescriptorControl, GetSecurityDescriptorDacl, GetSecurityDescriptorGroup, GetSecurityDescriptorOwner, GetSecurityDescriptorSacl, GetSidLengthRequired, GetSidSubAuthority, InitializeAcl, InitializeSecurityDescriptor, InitializeSid, IsValidSid, MakeAbsoluteSD, RegCloseKey, RegOpenKeyExW, RegQueryValueExW, RegisterServiceCtrlHandlerW, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetServiceStatus, StartServiceCtrlDispatcherW, SystemFunction036 |
| OLEAUT32.dll | SysAllocStringByteLen, SysStringByteLen |
| USER32.dll | AllowSetForegroundWindow, GetActiveWindow, UnregisterClassW |
| KERNEL32.dll | AcquireSRWLockExclusive, AcquireSRWLockShared, AssignProcessToJobObject, CloseHandle, CompareStringW, CreateDirectoryW, CreateEventW, CreateFileA, CreateFileMappingW, CreateFileW, CreateProcessW, CreateThread, DecodePointer, DeleteCriticalSection, DeleteFileW, DeleteProcThreadAttributeList, DuplicateHandle, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FindNextFileW, FlsAlloc, FlsFree, FlsGetValue, FlsSetValue, FlushFileBuffers, FormatMessageA, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDateFormatW, GetDriveTypeW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileSizeEx, GetFileType, GetFullPathNameW, GetLastError, GetLocalTime, GetLocaleInfoW, GetLogicalProcessorInformation, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetNativeSystemInfo, GetOEMCP, GetProcAddress, GetProcessHeap, GetProcessId, GetProductInfo, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempPathW, GetThreadId, GetThreadPriority, GetTickCount, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, GetVersionExW, GetWindowsDirectoryW, HeapAlloc, HeapDestroy, HeapFree, HeapReAlloc, HeapSetInformation, HeapSize, InitOnceExecuteOnce, InitializeConditionVariable, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeProcThreadAttributeList, InitializeSListHead, InitializeSRWLock, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, IsWow64Process, LCMapStringW, LeaveCriticalSection, LoadLibraryExA, LoadLibraryExW, LocalFree, MapViewOfFile, MoveFileExW, MultiByteToWideChar, OpenProcess, OutputDebugStringA, OutputDebugStringW, QueryFullProcessImageNameA, QueryPerformanceCounter, QueryPerformanceFrequency, QueryThreadCycleTime, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, ReleaseSRWLockShared, RemoveDirectoryW, ResetEvent, RtlCaptureContext, RtlCaptureStackBackTrace, RtlLookupFunctionEntry, RtlPcToFileHeader, RtlUnwind, RtlUnwindEx, RtlVirtualUnwind, SetEndOfFile, SetEnvironmentVariableW, SetEvent, SetFileAttributesW, SetFilePointer, SetFilePointerEx, SetFileTime, SetHandleInformation, SetLastError, SetStdHandle, SetThreadPriority, SetUnhandledExceptionFilter, Sleep, SleepConditionVariableSRW, SwitchToThread, SystemTimeToFileTime, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, TzSpecificLocalTimeToSystemTime, UnhandledExceptionFilter, UnmapViewOfFile, UnregisterWaitEx, UpdateProcThreadAttribute, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile, lstrcmpiW, lstrlenA |
| ole32.dll | CoAddRefServerProcess, CoImpersonateClient, CoInitializeEx, CoInitializeSecurity, CoRegisterClassObject, CoRegisterInitializeSpy, CoReleaseServerProcess, CoResumeClassObjects, CoRevertToSelf, CoRevokeClassObject, CoRevokeInitializeSpy, CoTaskMemFree, CoUninitialize, IIDFromString |
| CRYPT32.dll | CryptProtectData, CryptUnprotectData |
| RPCRT4.dll | I_RpcOpenClientProcess |
| SHELL32.dll | CommandLineToArgvW, SHGetFolderPathW, SHGetKnownFolderPath, ShellExecuteExW |
| USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock |
| SHLWAPI.dll | PathMatchSpecW |
| WINMM.dll | timeGetTime |
| Name | Ordinal | Address |
|---|---|---|
| GetHandleVerifier | 1 | 0x14004c830 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 05:07:15 |
| Start date: | 05/07/2023 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x9a0000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 1 |
| Start time: | 05:07:15 |
| Start date: | 05/07/2023 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff652920000 |
| File size: | 875'008 bytes |
| MD5 hash: | 81CA40085FC75BABD2C91D18AA9FFA68 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 2 |
| Start time: | 05:07:15 |
| Start date: | 05/07/2023 |
| Path: | C:\Windows\SysWOW64\sc.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x520000 |
| File size: | 61'440 bytes |
| MD5 hash: | D9D7684B8431A0D10D0E76FE9F5FFEC8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 3 |
| Start time: | 05:07:16 |
| Start date: | 05/07/2023 |
| Path: | C:\Windows\SysWOW64\cmd.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x9a0000 |
| File size: | 236'544 bytes |
| MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 4 |
| Start time: | 05:07:16 |
| Start date: | 05/07/2023 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff652920000 |
| File size: | 875'008 bytes |
| MD5 hash: | 81CA40085FC75BABD2C91D18AA9FFA68 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Target ID: | 5 |
| Start time: | 05:07:16 |
| Start date: | 05/07/2023 |
| Path: | C:\Windows\SysWOW64\sc.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x520000 |
| File size: | 61'440 bytes |
| MD5 hash: | D9D7684B8431A0D10D0E76FE9F5FFEC8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Target ID: | 6 |
| Start time: | 05:07:16 |
| Start date: | 05/07/2023 |
| Path: | C:\Users\user\Desktop\elevation_service.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6172a0000 |
| File size: | 1'722'136 bytes |
| MD5 hash: | 00B82A84331B50FD0C49AF2664BB20F1 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
Download Yara Rule
| C-Code - Quality: 100% |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| C-Code - Quality: 79% |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
