Edit tour

Windows Analysis Report
esrv.exe

Overview

General Information

Sample name:	esrv.exe
Analysis ID:	1383215
MD5:	fafb7bacc95631d54e911f32990448a2
SHA1:	ce791c30cac0abb3fbf2d9575154b1518241293e
SHA256:	d5c478b28391ced98a8a9b76d6b450502e5914f9e47e59b641cd71cd8dcff3c0
Infos:

Detection

Score:	36
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Contain functionality to detect virtual machines

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Analysis Advice

Sample may be VM or Sandbox-aware, try analysis on a native machine

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

esrv.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\esrv.exe" -install MD5: FAFB7BACC95631D54E911F32990448A2)

conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

esrv.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\esrv.exe" /install MD5: FAFB7BACC95631D54E911F32990448A2)

conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

esrv.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\esrv.exe" /load MD5: FAFB7BACC95631D54E911F32990448A2)

conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Cryptography
• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Desktop\esrv.exe

Code function: 0_2_00007FF774699DC0 memset,memset,mbstowcs_s,WinVerifyTrust,memset,GetLastError,GetCurrentThreadId,CryptQueryObject,memset,GetLastError,GetCurrentThreadId,CryptMsgGetParam,memset,GetLastError,GetCurrentThreadId,LocalAlloc,memset,GetLastError,GetCurrentThreadId,CryptMsgGetParam,memset,GetLastError,GetCurrentThreadId,CryptMsgGetParam,memset,GetLastError,GetCurrentThreadId,LocalAlloc,memset,GetLastError,GetCurrentThreadId,CryptMsgGetParam,memset,GetLastError,GetCurrentThreadId,lstrcmpA,CryptDecodeObject,memset,GetLastError,GetCurrentThreadId,LocalAlloc,memset,GetLastError,GetCurrentThreadId,CryptDecodeObject,memset,GetLastError,GetCurrentThreadId,wcsnlen,LocalAlloc,memset,GetLastError,GetCurrentThreadId,wcsnlen,LocalAlloc,memset,GetLastError,GetCurrentThreadId,wcsnlen,LocalAlloc,memset,GetLastError,GetCurrentThreadId,wcsnlen,LocalAlloc,memset,GetLastError,GetCurrentThreadId,wcsnlen,LocalAlloc,memset,GetLastError,GetCurrentThreadId,CertCloseStore,CryptMsgClose,memset,GetLastError,GetCurrentThreadId,memset,GetLastError,GetCurrentThreadId,memset,GetLastError,GetCurrentThreadId,memset,GetLastError,GetCurrentThreadId,CertCloseStore,CryptMsgClose,

Source: esrv.exe

Static PE information: certificate valid

Source: esrv.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\esrv\esrv.pdb source: esrv.exe
Source:	Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\esrv\esrv.pdbLL*LGCTL source: esrv.exe

Source: C:\Users\user\Desktop\esrv.exe

Code function: 0_2_00007FF77468F320 memset,memset,mbstowcs_s,QueryPerformanceFrequency,QueryPerformanceCounter,GetDiskFreeSpaceExW,memset,memset,FindFirstFileW,wcsnlen,wcsncmp,wcsncmp,QueryPerformanceCounter,FindNextFileW,GetLastError,FindClose,FindClose,

Source: esrv.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: esrv.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: esrv.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: esrv.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: esrv.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: esrv.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: esrv.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: esrv.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: esrv.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: esrv.exe	String found in binary or memory: http://ocsp.sectigo.com0#
Source: esrv.exe	String found in binary or memory: https://sectigo.com/CPS0

Source: C:\Users\user\Desktop\esrv.exe

Code function: 0_2_00007FF77468FEF0 GetCurrentProcess,GetCurrentProcess,NtQueryInformationProcess,OpenProcess,OpenProcessToken,GetTokenInformation,GetLastError,GlobalAlloc,GetTokenInformation,GlobalFree,GetTokenInformation,GetLastError,GlobalAlloc,GetTokenInformation,ConvertSidToStringSidW,wcstombs_s,GlobalFree,CloseHandle,wcsstr,wcsnlen,wcsstr,LocalFree,CloseHandle,CloseHandle,GlobalFree,LocalFree,CloseHandle,

Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF774618150
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF774614530
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF774699DC0
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF7746289A0
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF77468FEF0
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF77468D6D0
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF77462A2D0
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF77465DEB0
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF7746176A0
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF77469BB90
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF77468F320
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF774613F20
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF77462EF20
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF7746573F0
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF7746783F0
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF774615BA0
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF77462AC80
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF774629C60
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF774659020
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF774675D00
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF774616CD0
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF7746798D0
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF774612CC0
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF77461ECA0
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF77462D0A0

Source: C:\Users\user\Desktop\esrv.exe	Code function: String function: 00007FF7746110A0 appears 31 times
Source: C:\Users\user\Desktop\esrv.exe	Code function: String function: 00007FF774628660 appears 114 times

Source: C:\Users\user\Desktop\esrv.exe	Section loaded: libcrypto-3-x64.dll
Source: C:\Users\user\Desktop\esrv.exe	Section loaded: libcrypto-3-x64.dll
Source: C:\Users\user\Desktop\esrv.exe	Section loaded: libcrypto-3-x64.dll

Source: classification engine

Classification label: sus36.evad.winEXE@6/0@0/0

Source: C:\Users\user\Desktop\esrv.exe

Code function: 0_2_00007FF774613F20 memset,memset,malloc,GetTcpTable2,free,malloc,memset,GetTcpTable2,GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,free,CloseHandle,OpenProcess,K32GetProcessImageFileNameW,wcsnlen,wcsnlen,wcsnlen,wcsncmp,wcsnlen,wcsnlen,wcsncmp,wcsnlen,realloc,CloseHandle,Process32NextW,#15,free,CloseHandle,

Source: C:\Users\user\Desktop\esrv.exe

Code function: 0_2_00007FF7746887E0 #2,#2,CoInitializeEx,CoCreateInstance,#6,#6,CoUninitialize,

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03

Source: esrv.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\esrv.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: esrv.exe	String found in binary or memory: esrv --start --daq --channels "1 2 5-10 18-15 50" --default_suffixes "decimals = 2"...
Source: esrv.exe	String found in binary or memory: --START_OPTIONS_FILE
Source: esrv.exe	String found in binary or memory: --HELP
Source: esrv.exe	String found in binary or memory: --HELP
Source: esrv.exe	String found in binary or memory: Usage: esrv --start --daq --device <dev_name> [--device_options <options>]
Source: esrv.exe	String found in binary or memory: --START
Source: esrv.exe	String found in binary or memory: --STOP
Source: esrv.exe	String found in binary or memory: Usage: esrv --pause [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --reset [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: --ADDRESS
Source: esrv.exe	String found in binary or memory: Usage: esrv --stop [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --stop [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --restart [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: sc start USER_ESRV_SVC_QUEENCREEK --start --run_as_users --unregister_port %u
Source: esrv.exe	String found in binary or memory: Usage: esrv --flush [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --resume [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --synch [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Context-sensitive help is available for each command, i.e., "esrv --start --help"
Source: esrv.exe	String found in binary or memory: Context-sensitive help is available for each command, i.e., "esrv --start --help"
Source: esrv.exe	String found in binary or memory: Context-sensitive help is available for each command, i.e., "esrv --start --help"
Source: esrv.exe	String found in binary or memory: --flush \| --ranges \| --version \| --device_control \| --status \| --help ]
Source: esrv.exe	String found in binary or memory: --flush \| --ranges \| --version \| --device_control \| --status \| --help ]
Source: esrv.exe	String found in binary or memory: Usage: esrv [ --start \| --restart \| --stop \| --pause \| --resume \| --reset \| --synch \|
Source: esrv.exe	String found in binary or memory: Usage: esrv [ --start \| --restart \| --stop \| --pause \| --resume \| --reset \| --synch \|
Source: esrv.exe	String found in binary or memory: --START_OPTIONS_HANDLE
Source: esrv.exe	String found in binary or memory: Usage: esrv --status [option] [--address <address>] [--port <port>]
Source: esrv.exe	String found in binary or memory: Or esrv --start --library <lib_name> [--device_options <options>] [--interface_options <options>] [channel] [--diagnostic] [--pause <t>]
Source: esrv.exe	String found in binary or memory: Usage: esrv --start --device <dev_name> [--device_options <options>] [--interface_options <options>] [channel] [--diagnostic] [--pause <t>]
Source: esrv.exe	String found in binary or memory: Usage: esrv --device_control <command> [--address <address>]
Source: esrv.exe	String found in binary or memory: Usage: esrv --restart [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --device_control <command> [--address <address>]
Source: esrv.exe	String found in binary or memory: Usage: esrv --stop [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --stop [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Context-sensitive help is available for each command, i.e., "esrv --start --help"
Source: esrv.exe	String found in binary or memory: Context-sensitive help is available for each command, i.e., "esrv --start --help"
Source: esrv.exe	String found in binary or memory: Context-sensitive help is available for each command, i.e., "esrv --start --help"
Source: esrv.exe	String found in binary or memory: --flush \| --ranges \| --version \| --device_control \| --status \| --help ]
Source: esrv.exe	String found in binary or memory: --flush \| --ranges \| --version \| --device_control \| --status \| --help ]
Source: esrv.exe	String found in binary or memory: Usage: esrv [ --start \| --restart \| --stop \| --pause \| --resume \| --reset \| --synch \|
Source: esrv.exe	String found in binary or memory: Usage: esrv [ --start \| --restart \| --stop \| --pause \| --resume \| --reset \| --synch \|
Source: esrv.exe	String found in binary or memory: Usage: esrv --start --daq --device <dev_name> [--device_options <options>]
Source: esrv.exe	String found in binary or memory: esrv --start --daq --channels "1 2 5-10 18-15 50" --default_suffixes "decimals = 2"...
Source: esrv.exe	String found in binary or memory: Usage: esrv --flush [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --start --device <dev_name> [--device_options <options>] [--interface_options <options>] [channel] [--diagnostic] [--pause <t>]
Source: esrv.exe	String found in binary or memory: Or esrv --start --library <lib_name> [--device_options <options>] [--interface_options <options>] [channel] [--diagnostic] [--pause <t>]
Source: esrv.exe	String found in binary or memory: Usage: esrv --status [option] [--address <address>] [--port <port>]
Source: esrv.exe	String found in binary or memory: Usage: esrv --synch [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --resume [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --reset [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --pause [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: --STOP
Source: esrv.exe	String found in binary or memory: --ADDRESS
Source: esrv.exe	String found in binary or memory: --INSTALL
Source: esrv.exe	String found in binary or memory: --INSTALL_DIR
Source: esrv.exe	String found in binary or memory: --INSTALL_OPTIONS_FILE
Source: esrv.exe	String found in binary or memory: --INSTALL_OPTIONS_HANDLE
Source: esrv.exe	String found in binary or memory: --INSTALL_OPTIONS_REGISTRY_KEY
Source: esrv.exe	String found in binary or memory: --INSTALL_OPTIONS_CONF_FOLDER
Source: esrv.exe	String found in binary or memory: --STOP_ON_USER_SWITCHING
Source: esrv.exe	String found in binary or memory: --START_OPTIONS_FILE
Source: esrv.exe	String found in binary or memory: --START_OPTIONS_HANDLE
Source: esrv.exe	String found in binary or memory: --START_OPTIONS_REGISTRY_KEY
Source: esrv.exe	String found in binary or memory: --START_OPTIONS_CONF_FOLDER
Source: esrv.exe	String found in binary or memory: \| command of ESRV itself. Use esrv --stop --help for more \|
Source: esrv.exe	String found in binary or memory: \| command of ESRV itself. Use esrv --stop --help for more \|
Source: esrv.exe	String found in binary or memory: \| command of ESRV itself. Use esrv --stop --help for more \|
Source: esrv.exe	String found in binary or memory: \| running. However, a better option is to use the --stop \|
Source: esrv.exe	String found in binary or memory: ...Registering read_yokogawa_wt210_current Function. [SERVER]...Registering open_yokogawa_wt210 Function. [SERVER]C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c...Registering read_yokogawa_mw100_channel Function. [SERVER]...Registering close_yokogawa_mw100 Function. [SERVER]...Checking Folder [%s] Scan Time vs [%u] ms Dependency. [COMMON].read_device_all_measurements...Registering open_yokogawa_mw100 Function. [SERVER]...Checking Folder [%s] Depth vs [%llu] Level(s) Dependency. [COMMON].%s\esrv-%04d-%02d-%02d%c%02d-%02d-%02d-%03d.log--LOG_ERROR_TRACES...Checking Folder [%s] Files Count vs [%llu] Files(s) Dependency. [COMMON]....Checking Folder [%s] Min Size vs [%llu] Byte(s) Dependency. [COMMON]....Checking Folder [%s] Max Size vs [%llu] Byte(s) Dependency. [COMMON].C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c%s\esrv-%04d-%02d-%02d%c%02d-%02d-%02d-%03d.log--LOG_ERROR_TRACESC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c--LOG_EVENT_TRACESC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c--LOG_EVENT_TRACESC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c--LOG_CALL_TRACESC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.cA Folder Dependency Has Been Specified By User. [COMMON]...Sending INTERRUPT Message. [SH-SERVER]parse_device_option_stringclose_device--LOG_CALL_TRACESC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c--LOG_API_TRACESC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c--LOG_API_TRACESC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c--LOG_REM_TRACESC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c--LOG_REM_TRACESC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c--LOG_EXIT_TRACES...Shutting Down Socket Inter-Process Communication. [SH-SERVER]...Loading Device delayed close_device Function. [SERVER]open_device%sC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c--LOG_EXIT_TRACESC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c--LOG_ENTER_TRACESC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c--LOG_ENTER_TRACESC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c--LOG_ALL_TRACESC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c--LOG_ALL_TRACESC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.cInvalid Folder.ReleaseC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c%sC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\driver.c%ssc start USER_ESRV_SVC_QUEENCREEK --start --run_as_users --unregister_port %u
Source: esrv.exe	String found in binary or memory: --START
Source: esrv.exe	String found in binary or memory: Usage: esrv --resume [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --pause [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --restart [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --status [option] [--address <address>] [--port <port>]
Source: esrv.exe	String found in binary or memory: Usage: esrv --device_control <command> [--address <address>]
Source: esrv.exe	String found in binary or memory: esrv --start --daq --channels "1 2 5-10 18-15 50" --default_suffixes "decimals = 2"...
Source: esrv.exe	String found in binary or memory: Usage: esrv --start --daq --device <dev_name> [--device_options <options>]
Source: esrv.exe	String found in binary or memory: Usage: esrv --flush [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --synch [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --reset [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --stop [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Usage: esrv --stop [--address <address>] [--port <port>] [--diagnostic]
Source: esrv.exe	String found in binary or memory: Or esrv --start --library <lib_name> [--device_options <options>] [--interface_options <options>] [channel] [--diagnostic] [--pause <t>]
Source: esrv.exe	String found in binary or memory: Usage: esrv --start --device <dev_name> [--device_options <options>] [--interface_options <options>] [channel] [--diagnostic] [--pause <t>]
Source: esrv.exe	String found in binary or memory: Context-sensitive help is available for each command, i.e., "esrv --start --help"
Source: esrv.exe	String found in binary or memory: Context-sensitive help is available for each command, i.e., "esrv --start --help"
Source: esrv.exe	String found in binary or memory: Context-sensitive help is available for each command, i.e., "esrv --start --help"
Source: esrv.exe	String found in binary or memory: --flush \| --ranges \| --version \| --device_control \| --status \| --help ]
Source: esrv.exe	String found in binary or memory: --flush \| --ranges \| --version \| --device_control \| --status \| --help ]
Source: esrv.exe	String found in binary or memory: Usage: esrv [ --start \| --restart \| --stop \| --pause \| --resume \| --reset \| --synch \|
Source: esrv.exe	String found in binary or memory: Usage: esrv [ --start \| --restart \| --stop \| --pause \| --resume \| --reset \| --synch \|
Source: esrv.exe	String found in binary or memory: --HELP
Source: esrv.exe	String found in binary or memory: --HELP
Source: esrv.exe	String found in binary or memory: "%s"C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\build_config_reports\esrv_build_config_report.cC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\build_config_reports\esrv_build_config_report.cC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\build_config_reports\esrv_build_config_report.cC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.c--INTERFACE_OPTIONSC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.c--INTERFACE_OPTIONSC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.c--DEVICE_OPTIONSC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.c--DEVICE_OPTIONSC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.c--STARTC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.c--STARTC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cMissing DAQ Channel.C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cNULLC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cInvalid DAQ Channel Range Option.C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cNULLC:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cPlease Review Your Start Key / Values Specifications.C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cPlease Review Your Start Key / Values Specifications.C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cInconsistent Dependency Folder Options.C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cToo Few Argument(s) For DAQ Mode.C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cMissing Device Name.C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cInstance Must Be Server Or Client.C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cSyntax: run_for=<n>.C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cSyntax: run_for=<n>.C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cSyntax: run_for=<n>.C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cSyntax: run_for=<n>.C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cUnknown Command.C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cSuspicious Token. Is It A Channel Info?C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cMissing Affinity Mask.C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_ipc.cMissing Install Options Handle."C:\Jenkins\Workspace\BUILD\GitRepos\iecsdk\_src\energy_server\_drivers\esrv\esrv_
Source: esrv.exe	String found in binary or memory: %s esrv --start --daq --channels "1 2 5-10 18-15 50" --default_suffixes "decimals = 2"...
Source: esrv.exe	String found in binary or memory: --ADDRESSInvalid Flush Shadow Time.%sMissing Delay Value. baud={1200\|2400\|4800\|9600\|19200\|38400\|57600\|115200\|230400}
Source: esrv.exe	String found in binary or memory: --ADDRESS%sMissing Watchdog Time Limit Value. [--offset_counter <o> \| [--offset_pause <t>] --offset_counter_samples <s>]
Source: esrv.exe	String found in binary or memory: %s%s%s%dOr esrv --start --library <lib_name> [--device_options <options>] [--interface_options <options>] [channel] [--diagnostic] [--pause <t>]

Source: unknown	Process created: C:\Users\user\Desktop\esrv.exe "C:\Users\user\Desktop\esrv.exe" -install
Source: C:\Users\user\Desktop\esrv.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\esrv.exe "C:\Users\user\Desktop\esrv.exe" /install
Source: C:\Users\user\Desktop\esrv.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\esrv.exe "C:\Users\user\Desktop\esrv.exe" /load
Source: C:\Users\user\Desktop\esrv.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: esrv.exe

Static PE information: certificate valid

Source: esrv.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: esrv.exe

Static file information: File size 1082632 > 1048576

Source: esrv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: esrv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: esrv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: esrv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: esrv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: esrv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: esrv.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: esrv.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\esrv\esrv.pdb source: esrv.exe
Source:	Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\esrv\esrv.pdbLL*LGCTL source: esrv.exe

Source: esrv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: esrv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: esrv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: esrv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: esrv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\esrv.exe

Code function: 0_2_00007FF77462E170 memset,strnlen,mbstowcs_s,LoadLibraryW,GetProcAddress,FreeLibrary,GetProcAddress,FreeLibrary,GetProcAddress,FreeLibrary,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\esrv.exe

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\esrv.exe

Code function: VMware- VBOX VBOX C:\WINDOWS\system32\drivers\VBoxMouse.sys QEMU QEMU QEMU QEMU

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: esrv.exe	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: esrv.exe	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\esrv.exe

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\esrv.exe

Source: esrv.exe	Binary or memory string: VMware-
Source: esrv.exe	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys

Source: C:\Users\user\Desktop\esrv.exe

Code function: 0_2_00007FF774612764 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\esrv.exe

Code function: 0_2_00007FF77462D0A0 memset,memset,memset,memset,SetEvent,GetSystemDirectoryW,isdigit,atoi,memset,GetStdHandle,GetStdHandle,GetStdHandle,InitializeProcThreadAttributeList,GetLastError,memset,GetLastError,GetCurrentThreadId,GetProcessHeap,HeapAlloc,memset,GetLastError,GetCurrentThreadId,memset,InitializeProcThreadAttributeList,memset,GetLastError,GetCurrentThreadId,UpdateProcThreadAttribute,memset,GetLastError,GetCurrentThreadId,CreateProcessW,memset,GetLastError,GetCurrentThreadId,CloseHandle,memset,GetLastError,GetCurrentThreadId,CloseHandle,memset,GetLastError,GetCurrentThreadId,DeleteProcThreadAttributeList,GetProcessHeap,HeapFree,InitializeCriticalSection,memset,GetLastError,GetCurrentThreadId,memset,memcpy,memset,GetLastError,GetCurrentThreadId,WaitForSingleObject,DeleteCriticalSection,SendMessageW,SetEvent,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF774611EC4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF774612764 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\esrv.exe	Code function: 0_2_00007FF77461290C SetUnhandledExceptionFilter,

Source: C:\Users\user\Desktop\esrv.exe

Code function: 0_2_00007FF77462EF20 memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,memset,malloc,memset,GetLastError,GetCurrentThreadId,memset,strncmp,memset,mbstowcs_s,strncmp,strncmp,memset,memset,memset,memset,mbstowcs_s,memset,GetLastError,GetCurrentThreadId,malloc,memset,GetLastError,GetCurrentThreadId,memset,CreateEventW,_time64,_ftime64_s,strncpy_s,strncmp,strncmp,strncmp,memset,GetLastError,GetCurrentThreadId,free,memset,memset,GetLastError,GetCurrentThreadId,memset,GetLastError,GetCurrentThreadId,_strdup,memset,GetLastError,GetCurrentThreadId,memset,GetLastError,GetCurrentThreadId,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,__acrt_iob_func,fopen,__acrt_iob_func,fopen,_errno,__acrt_iob_func,AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,memset,GetCurrentProcessId,CreateEventW,FreeSid,LocalFree,CloseHandle,FreeSid,LocalFree,

Source: C:\Users\user\Desktop\esrv.exe

Code function: 0_2_00007FF774612644 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\esrv.exe

Code function: 0_2_00007FF774612BB8 GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	4 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
esrv.exe	0%	Virustotal		Browse
esrv.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://ocsp.sectigo.com0#	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	esrv.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	esrv.exe	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	esrv.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	esrv.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	esrv.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	esrv.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	esrv.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	esrv.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0#	esrv.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	39.0.0 Ruby
Analysis ID:	1383215
Start date and time:	2024-01-30 10:43:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 35s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	esrv.exe
Detection:	SUS
Classification:	sus36.evad.winEXE@6/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, crl.comodoca.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target esrv.exe, PID 7456 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.424944248958161
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	esrv.exe
File size:	1'082'632 bytes
MD5:	fafb7bacc95631d54e911f32990448a2
SHA1:	ce791c30cac0abb3fbf2d9575154b1518241293e
SHA256:	d5c478b28391ced98a8a9b76d6b450502e5914f9e47e59b641cd71cd8dcff3c0
SHA512:	40a79998c110d460ddfa476f2fdcb8147fe119fd9d94828931f6c99728331cc7d8ca505dff79fafaee995ead332c481202476051286318b84947b3fe4ff2516f
SSDEEP:	24576:Q1GPSrRhtcOLx5N/q+q8b6joEt7y/M7erBxKr5leTrvVaHVdGeoEsKw0NfkfHfft:Q1Yk/lb6joEAMCrBxKr5leTrvVaHVdG9
TLSH:	BF353B008F892BEDC921D077E491A31AEFB5BC09437D3263EB594D630F593487A7DA26
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............n...n...n.......n..D....n..D....n.......n.......n.......n.......n..U....n..D....n..D....n...n...o..N....n..N....n..N....n.

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400023e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6531FABA [Fri Oct 20 03:57:46 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	9e3ef860053b4a5b7a966f8deb67383c

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	10/03/2023 00:00:00 09/03/2024 23:59:59
Subject Chain	CN=Intel Corporation, O=Intel Corporation, S=California, C=US
Version:	3
Thumbprint MD5:	97355BCEE41595DF26282461BC9E7C46
Thumbprint SHA-1:	C8109BDD00AA2491212910D0A65DDB9455D2495D
Thumbprint SHA-256:	EFA8AC129CFF59E4C40F85E4D3BFAD47F6F7E8CD79F2F28CD1B798A6CCA74B09
Serial:	70045E1A3A594DFAC651C85B86121879

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FF8ECD48260h
dec eax
add esp, 28h
jmp 00007FF8ECD47E6Fh
int3
int3
dec eax
sub esp, 28h
call 00007FF8ECD487A8h
test eax, eax
je 00007FF8ECD48023h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FF8ECD48007h
dec eax
cmp ecx, eax
je 00007FF8ECD48016h
xor eax, eax
dec eax
cmpxchg dword ptr [00101B98h], ecx
jne 00007FF8ECD47FF0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FF8ECD47FF9h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00101B83h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00101B73h], al
call 00007FF8ECD485AFh
call 00007FF8ECD482C2h
test al, al
jne 00007FF8ECD48006h
xor al, al
jmp 00007FF8ECD48016h
call 00007FF8ECD482B5h
test al, al
jne 00007FF8ECD4800Bh
xor ecx, ecx
call 00007FF8ECD482AAh
jmp 00007FF8ECD47FECh
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [00101B38h], 00000000h
mov ebx, ecx
jne 00007FF8ECD48069h
cmp ecx, 01h
jnbe 00007FF8ECD4806Ch
call 00007FF8ECD4870Eh
test eax, eax
je 00007FF8ECD4802Ah
test ebx, ebx
jne 00007FF8ECD48026h
dec eax
lea ecx, dword ptr [00101B22h]
call 00007FF8ECD480FBh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb1050	0x4b0	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb1500	0x294	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c4000	0x434	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1c1000	0x2b80	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x105c00	0x2908	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c5000	0x5e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xaa090	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xaa280	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xaa0f0	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa7000	0xc58	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa520c	0xa5400	ae1dfe1503ad0086e7ce5f86154b5abb	False	0.3630049758888048	data	6.13362247492402	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa7000	0xcf10	0xd000	3622ee2e450ac05e6fa8ddad39697f93	False	0.4045597956730769	data	5.462633122038263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb4000	0x10c440	0x4fc00	f8efafd90f46d6edd202a8ee5be80c38	False	0.12434793789184953	data	5.277525764251878	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1c1000	0x2b80	0x2c00	0c7464ef98119b8bfb8258be43426bf7	False	0.47416548295454547	data	5.6831791439555515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1c4000	0x434	0x600	c71aee62396f34e459b5a22a200a9ff6	False	0.3483072916666667	data	4.640719646716049	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c5000	0x5e0	0x600	1cfd1a0441ef91981732554fda6d9489	False	0.5078125	data	5.372241195779603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1c40a0	0x238	data	English	United States	0.5035211267605634
RT_MANIFEST	0x1c42d8	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL	Import
KERNEL32.dll	GetSystemDirectoryW, CancelWaitableTimer, GetExitCodeThread, UpdateProcThreadAttribute, GlobalFree, LoadLibraryW, ResetEvent, DeleteProcThreadAttributeList, HeapAlloc, K32EnumProcesses, GetCurrentDirectoryW, LocalFree, GetProcessHeap, CreateProcessW, GetModuleHandleW, FreeLibrary, K32EnumProcessModules, OpenThread, LoadLibraryExW, GetExitCodeProcess, RtlCaptureStackBackTrace, GetSystemPowerStatus, GetLocalTime, GetSystemTime, SetThreadAffinityMask, FormatMessageW, GetCurrentThread, ReadFile, PurgeComm, BuildCommDCBW, GetCommState, SetCommState, FlushFileBuffers, CreateDirectoryW, UnlockFileEx, GetFileAttributesW, SetFilePointerEx, LockFileEx, SwitchToThread, QueryDosDeviceW, SetNamedPipeHandleState, CompareFileTime, FindFirstFileW, SetHandleInformation, GetProcessId, SetProcessAffinityMask, CreateFileW, GetProcessAffinityMask, SetEnvironmentVariableW, SetErrorMode, GetEnvironmentVariableW, FindClose, SuspendThread, ResumeThread, UnmapViewOfFile, GetMaximumProcessorCount, GetLogicalProcessorInformationEx, GetFileAttributesExW, GetMaximumProcessorGroupCount, GetLogicalProcessorInformation, FileTimeToSystemTime, GetDiskFreeSpaceExW, TerminateThread, GlobalAlloc, GetSystemInfo, QueueUserAPC, GetThreadContext, SystemTimeToFileTime, QueryFullProcessImageNameW, CreateDirectoryA, CreateFileMappingW, MapViewOfFile, VirtualQuery, GetModuleFileNameA, VirtualProtect, GetEnvironmentVariableA, lstrcmpA, TryEnterCriticalSection, GetModuleHandleA, GetVersion, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, SetProcessShutdownParameters, InitializeProcThreadAttributeList, GetModuleFileNameW, WriteFile, CreateWaitableTimerW, __C_specific_handler, QueryThreadCycleTime, TerminateProcess, LocalAlloc, GetCurrentProcess, SetPriorityClass, HeapFree, SetLastError, SetWaitableTimer, GetProcessShutdownParameters, CreatePipe, K32GetModuleFileNameExW, SetConsoleCtrlHandler, RaiseException, GetStdHandle, SetConsoleTextAttribute, GetConsoleScreenBufferInfo, GenerateConsoleCtrlEvent, CreateEventW, QueryPerformanceCounter, QueryPerformanceFrequency, SetThreadPriority, CreateSemaphoreW, GetCurrentThreadId, WaitForSingleObject, GetTempPathW, ReleaseSemaphore, GetCurrentProcessId, DeleteCriticalSection, CloseHandle, Process32FirstW, SetEvent, Process32NextW, GetLastError, CreateToolhelp32Snapshot, OpenProcess, K32GetProcessImageFileNameW, InitializeCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, EnterCriticalSection, GetProcAddress, Sleep, FindNextFileW
USER32.dll	GetWindowThreadProcessId, SendMessageW, DestroyWindow, DefWindowProcW, PostQuitMessage, GetSystemMetrics, LoadCursorW, LoadIconW, TranslateMessage, RegisterClassW, UnregisterPowerSettingNotification, DispatchMessageW, ShowWindow, UpdateWindow, RegisterPowerSettingNotification, PostMessageW, GetMessageW, GetWindowLongPtrW, CreateWindowExW, SetWindowLongPtrW
GDI32.dll	GetStockObject
ADVAPI32.dll	CreateWellKnownSid, RegFlushKey, ImpersonateLoggedOnUser, RegSetValueExW, CheckTokenMembership, RegGetValueW, DuplicateToken, ConvertSidToStringSidW, GetTokenInformation, SetSecurityDescriptorDacl, RegCloseKey, CryptAcquireContextW, EqualSid, CloseServiceHandle, CryptGenRandom, OpenSCManagerW, RegDeleteKeyW, AllocateAndInitializeSid, SetEntriesInAclW, RegCreateKeyExW, OpenProcessToken, FreeSid, InitializeSecurityDescriptor, RegOpenKeyExW, QueryServiceConfigW, OpenServiceW, RegQueryValueExW, CryptReleaseContext, ReportEventW, RevertToSelf
SHELL32.dll	SHGetKnownFolderPath
ole32.dll	CoInitializeSecurity, CoCreateInstance, CoTaskMemFree, CoInitializeEx, CoUninitialize
OLEAUT32.dll	VariantClear, SysAllocString, SysFreeString
libcrypto-3-x64.dll	EVP_MD_CTX_new, EVP_DigestFinal_ex, EVP_MD_get_size, HMAC, EVP_DigestInit_ex, EVP_MD_CTX_free, EVP_DigestUpdate, EVP_md5, EVP_sha256
WS2_32.dll	getpeername, WSAStartup, setsockopt, WSAGetLastError, connect, socket, send, accept, freeaddrinfo, getsockname, htons, WSACleanup, ioctlsocket, shutdown, ntohs, __WSAFDIsSet, bind, closesocket, listen, select, recv, getaddrinfo
IPHLPAPI.DLL	GetTcpTable2, GetIpAddrTable
RPCRT4.dll	UuidCreate, RpcStringFreeW, UuidToStringW
SHLWAPI.dll	StrToInt64ExW
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW
api-ms-win-core-path-l1-1-0.dll	PathCchRemoveFileSpec
bcrypt.dll	BCryptGenRandom
dbghelp.dll	SymGetLineFromAddr64, SymInitialize, MiniDumpWriteDump, SymFromAddr
pdh.dll	PdhMakeCounterPathW, PdhOpenQueryW, PdhEnumObjectsW, PdhRemoveCounter, PdhCollectQueryData, PdhGetFormattedCounterValue, PdhEnumObjectItemsW, PdhGetRawCounterValue, PdhCalculateCounterFromRawValue, PdhLookupPerfNameByIndexW, PdhCloseQuery, PdhAddCounterW
USERENV.dll	ExpandEnvironmentStringsForUserW
ntdll.dll	RtlLookupFunctionEntry, RtlVirtualUnwind, RtlCaptureContext, NtQueryInformationProcess
CRYPT32.dll	CryptMsgClose, CryptQueryObject, CertCloseStore, CryptMsgGetParam, CryptDecodeObject
WINTRUST.dll	WinVerifyTrust
VCRUNTIME140.dll	memset, __current_exception_context, __current_exception, memcmp, memcpy, memmove, wcsstr, strstr
api-ms-win-crt-string-l1-1-0.dll	strncat_s, wcsncmp, wcsnlen, _strdup, towupper, strncpy_s, strncmp, wcsncat_s, wcsncpy_s, strtok_s, wcscat_s, strnlen, isprint, wmemmove_s, toupper, isdigit, wcstok_s
api-ms-win-crt-runtime-l1-1-0.dll	_cexit, _initialize_narrow_environment, _configure_narrow_argv, _initterm, _set_app_type, _seh_filter_exe, _endthread, _initterm_e, _exit, _invalid_parameter_noinfo, __p___argc, _errno, __p___argv, terminate, _wassert, _crt_atexit, _set_invalid_parameter_handler, exit, _get_initial_narrow_environment, _c_exit, _register_thread_local_exe_atexit_callback, _beginthreadex, _initialize_onexit_table, _register_onexit_function
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vswprintf_s, __stdio_common_vsscanf, fwrite, __p__commode, __stdio_common_vfprintf, fclose, __stdio_common_vsprintf_s, fread_s, __stdio_common_vfwprintf, fread, feof, _set_fmode, __stdio_common_vsnprintf_s, fflush, __acrt_iob_func, __stdio_common_vsnwprintf_s, fopen
api-ms-win-crt-heap-l1-1-0.dll	realloc, _set_new_mode, free, malloc
api-ms-win-crt-time-l1-1-0.dll	_gmtime64, _ctime64_s, _ftime64_s, _time64
api-ms-win-crt-filesystem-l1-1-0.dll	_access_s, _access, _unlink, _stat64
api-ms-win-crt-convert-l1-1-0.dll	_itoa_s, atoi, mbstowcs_s, wcstombs, mbstowcs, _atoi64, _itow_s, wcstombs_s, atof, _strtoui64, _ui64toa_s
api-ms-win-crt-utility-l1-1-0.dll	qsort_s, srand, rand
api-ms-win-crt-math-l1-1-0.dll	sin, sqrt, __setusermatherr, tan, cos, pow, log
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Exports

Name	Ordinal	Address
__esrv_depend_on_service_start__	1	0x1400b408c
__esrv_esrv_version_major__	2	0x1400b4094
__esrv_esrv_version_minor__	3	0x1400b4098
__esrv_esrv_version_revision__	4	0x1400b4090
__esrv_esrv_version_update__	5	0x140104050
__esrv_manage_redundant_measurements__	6	0x1400b4040
__esrv_respond_to_power_setting_notifications__	7	0x1400b405c
__esrv_socket_ipc__	8	0x1400b4058
__esrv_use_dynamic_errors__	9	0x1400b4080
__esrv_use_dynamic_watchdog__	10	0x1400b4084
__esrv_use_error_stack__	11	0x1400b4050
__esrv_use_idctl_thread_pool__	12	0x1400b404c
__esrv_use_rdctl_thread_pool__	13	0x1400b4054
__esrv_use_uniform_build_versioning__	14	0x1400b406c
__esrv_watchdog__	15	0x1400b4088
get_environment_variable	16	0x140086e30
get_environment_variable_a	17	0x140086d50
get_environment_variable_w	18	0x140086c70
get_module_file_name	19	0x1400870d0
get_module_file_name_a	20	0x140086ff0
get_module_file_name_w	21	0x140086f10
intel_modeler_customer_lc_name	22	0x1400b4070
intel_modeler_customer_uc_name	23	0x1400b4060
intel_modeler_release	24	0x1400b407c
intel_modeler_win32	25	0x1400b4048
intel_modeler_win64	26	0x1400b4044
p_exception_esrv	27	0x1401c0428
set_current_directory	28	0x1400871e0
set_current_directory_a	29	0x1400871d0
set_current_directory_w	30	0x1400871c0
sh_get_known_folder_path	31	0x140086b70

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	10:44:36
Start date:	30/01/2024
Path:	C:\Users\user\Desktop\esrv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\esrv.exe" -install
Imagebase:	0x7ff774610000
File size:	1'082'632 bytes
MD5 hash:	FAFB7BACC95631D54E911F32990448A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	10:44:36
Start date:	30/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	10:44:38
Start date:	30/01/2024
Path:	C:\Users\user\Desktop\esrv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\esrv.exe" /install
Imagebase:	0x7ff774610000
File size:	1'082'632 bytes
MD5 hash:	FAFB7BACC95631D54E911F32990448A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	10:44:38
Start date:	30/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	10:44:40
Start date:	30/01/2024
Path:	C:\Users\user\Desktop\esrv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\esrv.exe" /load
Imagebase:	0x7ff774610000
File size:	1'082'632 bytes
MD5 hash:	FAFB7BACC95631D54E911F32990448A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:44:40
Start date:	30/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report esrv.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: esrv.exePID: 7456, Parent PID: 2580

General

File Activities

File Created

Analysis Process: conhost.exePID: 7464, Parent PID: 7456

General

Windows Analysis Report
esrv.exe