Windows Analysis Report
imfsbSvc.exe

Overview

General Information

Sample name: imfsbSvc.exe
Analysis ID: 1564516
MD5: ca73da8345de507ac023d52b4b5c1814
SHA1: ef32667de23715ef2903b185c08ed9b5dc7cfeed
SHA256: 5b88f7d36fe435cd6944bda05f1758f64c7d5136a5f529a58522ac3b0dc9743a

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Suspicious New Service Creation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates a process in suspended mode (likely to inject code)
Enables driver privileges
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Spawns drivers

Classification

Source: imfsbSvc.exe Static PE information: certificate valid
Source: imfsbSvc.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\IMF9\sandboxie-master\Bin\x64\SbieRelease\imfsbDll.pdb source: imfsbSvc.exe, 00000006.00000002.1640048795.00000000666EE000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: C:\IMF9\sandboxie-master\core\low\obj\amd64\LowLevel.pdb source: imfsbSvc.exe
Source: Binary string: C:\IMF9\sandboxie-master\Bin\x64\SbieRelease\imfsbSvc.pdb source: imfsbSvc.exe
Source: Binary string: C:\IMF9\sandboxie-master\Bin\x64\SbieRelease\imfsbDll.pdb7 source: imfsbSvc.exe, 00000006.00000002.1640048795.00000000666EE000.00000002.00000001.01000000.00000004.sdmp
Source: imfsbSvc.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: imfsbSvc.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: imfsbSvc.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: imfsbSvc.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: imfsbSvc.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: imfsbSvc.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: imfsbSvc.exe String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: imfsbSvc.exe String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: imfsbSvc.exe String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: imfsbSvc.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: imfsbSvc.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: imfsbSvc.exe String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: imfsbSvc.exe String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: imfsbSvc.exe String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: imfsbSvc.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: imfsbSvc.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: imfsbSvc.exe String found in binary or memory: http://ocsp.digicert.com0H
Source: imfsbSvc.exe String found in binary or memory: http://ocsp.digicert.com0I
Source: imfsbSvc.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: imfsbSvc.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: imfsbSvc.exe String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: imfsbSvc.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\imfsbSvc.exe Process token adjusted: Load Driver
Source: imfsbSvc.exe Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: imfsbSvc.exe, 00000006.00000002.1640120067.000000006670E000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilename imfsbDll.dll vs imfsbSvc.exe
Source: C:\Users\user\Desktop\imfsbSvc.exe Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\imfsbDrv
Source: imfsbSvc.exe Binary string: DropAdminRightsNtAlpcConnectPortNtAlpcSendWaitReceivePortlsarpcsrvsvcwkssvcsamrnetlogon\device\mup\\PIPE\\device\namedpipe\ntsvcsplugplay\RPC Control\%s_NetProxy:Use=%c:Use=NtReplyWaitReceivePort beforeNtReplyWaitReceivePort afterGetProcessIdOfThreadProcessServer::Handler/msg->msgid: %dProcessServer::RunSandboxedHandlerProcessServer::RunSandboxedHandler/ cmd: %sdir: %senv: %sProcessServer::RunSandboxedHandler/CallerPid: %dProcessServer::RunSandboxedHandler/OpenProcess trueCallerInSandbox = trueCallerInSandbox = falsePrimaryTokenHandleCallerPid: %dRunSandboxedStartProcess sucRunSandboxedDupAndCloseHandles sucRunSandboxedDupAndCloseHandles failRunSandboxedStartProcess fail err: %d!PrimaryTokenHandleOpenProcess fail, err: %d*SYSTEM**THREAD*ProcessServer::RunSandboxedStartProcesscrflags2 != (*crflags)*COMSRV*cmd is *COMSRV*CallerProcessId: %dRunSandboxedComServer fail, !cmdCreateProcessAsUser cmd: %sCreateProcessAsUser LastError: %dSetThreadTokenSetThreadToken !ok LastError: %dok && StartProgramInSandboxSbieApi_CallTwo rc != 0 LastError: %d! ok TerminateProcess 1020!StartProgramInSandbox 1021!ok 1022\imfsbSvc.exe" Sandboxie_ComProxy_ComServer:pstorec.dllPStoreCreateInstanceGlobalSettingsUserSettings_UserSettings_PortableUserSettings_%08XMicrosoft Base Cryptographic Provider v1.0[%d / %08X]EditAdminOnlyEditPassword]
Source: imfsbSvc.exe Binary string: F.urlURLInternetShortcut ""00000000_SBIE_COMSRV_EXE00000000_SBIE_COMSRV_CMDiexplore.exewmplayer.exewinamp.exekmplayer.exe/Enqueue%S [HR=%08X/%d]"%s" "%s"O:SYG:SYD:(A;;GA;;;SY)%s-internal-%dDriverAssist::MsgWorkerThreadMsgWorkerThread msgid: %d[11 / %d]*?*?*?*[33 / %08X]\Software\Microsoft\Windows\CurrentVersion\ExplorerLogon User Name%S [%d / %d][%08X]\Registry\Machine\System\CurrentControlSet\Services\imfsbDrvSeLoadDriverPrivilege5.40%SLOWLEVEL.textzzzzLdrInitializeThunk\imfsbDll.dllLdrLoadDllLdrGetProcedureAddressNtRaiseHardErrorRtlFindActivationContextSectionStringkernel32.dll\32ERROR_NOT_READYInjectLow_OpenProcess failNtDeviceIoControlFileInjectLow_SendHandle failInjectLow_BuildTramp failInjectLow_CopySyscalls failInjectLow_CopyData failInjectLow_WriteJump fail!msg->bHostInjectGuiServer::GetInstance()->InitProcess failSbieApi_CallOne API_INJECT_COMPLETE sucerrlvl err: %d%S [%02X / %d]hProcesserrlvlInjectLow_OpenProcessOpenProcess suctime.dwLowDateTime == msg->create_time\Device\SandboxieDriverApi%S [%02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X %02X]kernel32.dllntdll.dllLogFile%04d-%02d-%02d %02d:%02d:%02d %sMultiLog
Source: classification engine Classification label: mal48.evad.winEXE@9/2@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2472:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_03
Source: imfsbSvc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\sc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create rJxyS binpath= "C:\Users\user\Desktop\imfsbSvc.exe" >> C:\servicereg.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create rJxyS binpath= "C:\Users\user\Desktop\imfsbSvc.exe"
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start rJxyS >> C:\servicestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc start rJxyS
Source: unknown Process created: C:\Users\user\Desktop\imfsbSvc.exe C:\Users\user\Desktop\imfsbSvc.exe
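The process tree above is what the "Sigma detected: Suspicious New Service Creation" hit is keyed on: sc.exe registers a service under a machine-generated name (rJxyS) whose binpath is a file on the user's Desktop, and a second sc.exe call starts it. The following detector is an added example for this report, not the sandbox's own logic and not code from the Sandboxie/imfsb project. It runs over constructed process-creation records modelled on the command lines recorded here; the record layout (pid|ppid|image|cmdline), the PIDs, the list of trusted install roots and the service-name heuristic are assumptions for illustration and do not reproduce the exact Sigma rule.

```python
"""Flag suspicious service registration in process-creation logs.

Added example for this report; it is not the sandbox's output and not code
from the Sandboxie/imfsb project. The field layout (pid|ppid|image|cmdline),
the trusted-root list, the service-name heuristic and the PIDs in SAMPLE_LOG
are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Directories a legitimately installed service binary normally lives under.
# A service whose binpath is outside these (a user's Desktop, %TEMP%,
# ProgramData) is the pattern the report's process tree shows. (Assumption.)
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?P<name>\S+)", re.I)
SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(?P<name>\S+)", re.I)
# sc.exe syntax is 'binpath= <value>' (the space after '=' is mandatory);
# the value may or may not be quoted.
BINPATH = re.compile(r'binpath=\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)

# Constructed sample modelled on the command lines recorded in the report.
# PIDs are invented; the last two records are benign controls.
SAMPLE_LOG = r"""
1204|988|C:\Windows\SysWOW64\cmd.exe|cmd /c sc create rJxyS binpath= "C:\Users\user\Desktop\imfsbSvc.exe" >> C:\servicereg.log 2>&1
1320|1204|C:\Windows\SysWOW64\sc.exe|sc create rJxyS binpath= "C:\Users\user\Desktop\imfsbSvc.exe"
1400|988|C:\Windows\SysWOW64\cmd.exe|cmd /c sc start rJxyS >> C:\servicestart.log 2>&1
1412|1400|C:\Windows\SysWOW64\sc.exe|sc start rJxyS
1500|988|C:\Windows\System32\sc.exe|sc create Spooler binpath= "C:\Windows\System32\spoolsv.exe"
1600|988|C:\Windows\System32\sc.exe|sc query rJxyS
"""


@dataclass
class Finding:
    pid: int
    action: str      # "create" or "start"
    service: str
    binpath: str
    reasons: list


def parse_line(line):
    """Split one 'pid|ppid|image|cmdline' record; cmdline may itself contain '|'."""
    pid, ppid, image, cmdline = line.split("|", 3)
    return int(pid), int(ppid), image, cmdline


def is_trusted_path(path):
    p = path.strip().strip('"').lower()
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def looks_random(name):
    """Crude heuristic: no vowels and mixed case, e.g. 'rJxyS'. (Assumption.)"""
    has_vowel = any(c in "aeiou" for c in name.lower())
    mixed_case = name != name.lower() and name != name.upper()
    return not has_vowel and mixed_case


def analyze(log_text):
    findings = []
    created_untrusted = {}  # service name (lower-cased) -> binpath seen at creation
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        pid, _ppid, image, cmdline = parse_line(raw)
        # Key on the sc.exe process itself so the cmd.exe wrapper that
        # launched it is not counted a second time.
        if image.lower().rsplit("\\", 1)[-1] != "sc.exe":
            continue
        m = SC_CREATE.search(cmdline)
        if m:
            name = m.group("name")
            bm = BINPATH.search(cmdline)
            binpath = (bm.group("q") or bm.group("u")) if bm else ""
            reasons = []
            if binpath and not is_trusted_path(binpath):
                reasons.append("binpath outside trusted install locations")
                created_untrusted[name.lower()] = binpath
            if looks_random(name):
                reasons.append("service name looks machine-generated")
            if reasons:
                findings.append(Finding(pid, "create", name, binpath, reasons))
            continue
        m = SC_START.search(cmdline)
        if m and m.group("name").lower() in created_untrusted:
            name = m.group("name")
            findings.append(Finding(pid, "start", name, created_untrusted[name.lower()],
                                    ["start of a service registered from an untrusted path"]))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"pid={f.pid} {f.action} {f.service} -> {f.binpath}: {'; '.join(f.reasons)}")
```

Run against the sample it reports two findings: the sc.exe create of rJxyS (untrusted binpath plus a random-looking name) and the later sc.exe start of that same service; the Spooler registration from System32 and the sc query are not flagged. Correlating start with an earlier untrusted create is what turns a single noisy event into a usable alert, since a service registered from a Desktop path and then immediately started is exactly the sequence in this report.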
Source: C:\Users\user\Desktop\imfsbSvc.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\imfsbSvc.exe Section loaded: imfsbdll.dll
Source: C:\Users\user\Desktop\imfsbSvc.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\imfsbSvc.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\imfsbSvc.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\imfsbSvc.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\imfsbSvc.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\imfsbSvc.exe Section loaded: iphlpapi.dll
Source: imfsbSvc.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: imfsbSvc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: imfsbSvc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: imfsbSvc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: imfsbSvc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: imfsbSvc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: imfsbSvc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: imfsbSvc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: imfsbSvc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: imfsbSvc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: imfsbSvc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: imfsbSvc.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Malware Analysis System Evasion

Source: imfsbSvc.exe Binary or memory string: [12 / %D][13 / %D][14 / %D][15 / %D][16 / %D][17 / %D][18 / %D]SANDBOXIE.INIINILOCATION.TMP-%DSBIECTRL_ENABLEAUTOSTARTDEFAULT /OPEN /SYNCSBIECTRL.EXESTARTSERVICE%S [%S]/ENV:00000000_SBIE_%S="%S" /BOX:-%D DEVICE_MAPSERVICE_NAME/HIDE_WINDOW IMFSBSTART.EXE%S_UACPROXY:%08X_%08X_%08X_%08X_@%S*MSI*WINDOWS INSTALLERSHGETSTOCKICONINFOSANDBOXIE_UAC_WINDOWCLASSARIAL" RUNASSHELLEXECUTEEXWWINSTA.DLLWINSTATIONQUERYINFORMATIONWWINSTATIONISSESSIONREMOTEABLEWINSTATIONNAMEFROMLOGONIDWWINSTATIONGETCONNECTIONPROPERTYWINSTATIONFREEPROPERTYVALUEWINSTATIONDISCONNECT
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: imfsbSvc.exe Binary or memory string: CicMarshalWndClassProgmanMSTaskSwWClassexcel.exepowerpnt.exe
Source: imfsbSvc.exe Binary or memory string: *GUIPROXY_%08X\imfsbSvc.exe" Sandboxie%s_GuiProxy_%08X,%dWinSta0\Default[%02X / %08X]_GuiProxy_Console,IsHungAppWindowuser32.dllNtUserQueryWindowwin32u.dll_GuiProxy%s_%s_Session_%d_Job_%08XS:(ML;;NW;;;LW)%s_WinSta_%d\%s_Desktop_%dSandboxie_ConsoleReadyEvent_%08XSandboxie_GuiProxy_Console,CloseClipboard %08XShell_TrayWndASIndicator/ignoreuipi$:
No contacted IP infos