Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

imfsbSvc.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	6.337397239640206
Filename:	imfsbSvc.exe
Filesize:	347344
MD5:	ca73da8345de507ac023d52b4b5c1814
SHA1:	ef32667de23715ef2903b185c08ed9b5dc7cfeed
SHA256:	5b88f7d36fe435cd6944bda05f1758f64c7d5136a5f529a58522ac3b0dc9743a
SHA512:	b5140ef135e8cafc7a6c3b7aaa514612e3ea6a25653c925385421c2bbba75cd51bd228ac5c671de383555658573293c1e20a93950ae1be52e86da6780aee4339
SSDEEP:	6144:ZEtNasNqZsBotlNFVK12krBAixDbJeRG+2RzV5F0Xmbv9OiLLMyc5:ZEtNYZ3tlNFVo24AixPJqavLZc5
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......f..."..."...".....1.'.....3.......2.,....8..#.......*.......6............g..+....g..:.......!..."...........#.......7.....?.#..

Signature Hits	Behavior Group	Mitre Attack
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Enables driver privileges	System Summary	LSASS Driver
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Spawns drivers	System Summary
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\servicereg.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\servicereg.log
Category:	modified
Dump:	servicereg.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Windows\SysWOW64\cmd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.678439190827718
Encrypted:	false
Ssdeep:	3:4A4AnXjzSv:4HAnXjg
Size:	28
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious New Service Creation	System Summary
Sigma detected: New Service Creation Using Sc.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\servicestart.log

ASCII text, with CRLF line terminators

modified

Details

File:	C:\servicestart.log
Category:	modified
Dump:	servicestart.log.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\SysWOW64\cmd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.524264899601009
Encrypted:	false
Ssdeep:	6:lg3D/8F/dldgVKBRjGxVVLvH2s/u8qLLFmLaZnsHgm66//V+NmBNefq:lgAddrgV0qVbH2suZLQqOVKmBNcq
Size:	421
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Processes

Path

Cmdline

Malicious

C:\Windows\SysWOW64\cmd.exe

cmd /c sc create rJxyS binpath= "C:\Users\user\Desktop\imfsbSvc.exe" >> C:\servicereg.log 2>&1

Details

Is windows:	true
Is dropped:	false
PID:	6588
Target ID:	0
Parent PID:	4412
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd /c sc create rJxyS binpath= "C:\Users\user\Desktop\imfsbSvc.exe" >> C:\servicereg.log 2>&1
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	07:04:41
Date:	28/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious New Service Creation	System Summary
Sigma detected: New Service Creation Using Sc.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\sc.exe

sc create rJxyS binpath= "C:\Users\user\Desktop\imfsbSvc.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6944
Target ID:	2
Parent PID:	6588
Name:	sc.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\sc.exe
Commandline:	sc create rJxyS binpath= "C:\Users\user\Desktop\imfsbSvc.exe"
Size:	61440
MD5:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Time:	07:04:41
Date:	28/11/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xb70000
Modulesize:	77824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious New Service Creation	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: New Service Creation Using Sc.EXE	System Summary
Spawns processes	System Summary	Process Injection
Uses sc.exe to modify the status of services	Boot Survival	Service Execution Windows Service

C:\Windows\SysWOW64\cmd.exe

cmd /c sc start rJxyS >> C:\servicestart.log 2>&1

Details

Is windows:	true
Is dropped:	false
PID:	732
Target ID:	3
Parent PID:	4412
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd /c sc start rJxyS >> C:\servicestart.log 2>&1
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	07:04:42
Date:	28/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious New Service Creation	System Summary
Sigma detected: New Service Creation Using Sc.EXE	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\sc.exe

sc start rJxyS

Details

Is windows:	true
Is dropped:	false
PID:	5252
Target ID:	5
Parent PID:	732
Name:	sc.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\sc.exe
Commandline:	sc start rJxyS
Size:	61440
MD5:	D9D7684B8431A0D10D0E76FE9F5FFEC8
Time:	07:04:42
Date:	28/11/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xb70000
Modulesize:	77824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious New Service Creation	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: New Service Creation Using Sc.EXE	System Summary
Spawns processes	System Summary	Process Injection
Uses sc.exe to modify the status of services	Boot Survival	Service Execution Windows Service

C:\Users\user\Desktop\imfsbSvc.exe

Details

Is windows:	false
Is dropped:	false
PID:	4960
Target ID:	6
Parent PID:	620
Name:	imfsbSvc.exe
Path:	C:\Users\user\Desktop\imfsbSvc.exe
Commandline:	C:\Users\user\Desktop\imfsbSvc.exe
Size:	347344
MD5:	CA73DA8345DE507AC023D52B4B5C1814
Time:	07:04:42
Date:	28/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6e9c20000
Modulesize:	352256
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspicious New Service Creation	System Summary
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains executable resources (Code or Archives)	System Summary
Sample file is different than original file name gathered from version info	System Summary
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)	System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sigma detected: New Service Creation Using Sc.EXE	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Uses sc.exe to modify the status of services	Boot Survival	Service Execution Windows Service
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary
PE file has a high image base, often used for DLLs	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6824
Target ID:	1
Parent PID:	6588
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:04:41
Date:	28/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2472
Target ID:	4
Parent PID:	732
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:04:42
Date:	28/11/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

61214FF000

stack

page read and write

66680000

unkown

page readonly

31EF000

stack

page read and write

2D48000

heap

page read and write

1C1E7CAB000

heap

page read and write

2F9F000

stack

page read and write

7FF6E9C58000

unkown

page readonly

B4E000

stack

page read and write

2FE0000

heap

page read and write

1C1E7CD1000

heap

page read and write

2ED0000

heap

page read and write

61215FE000

stack

page read and write

6120DFE000

stack

page read and write

73D000

stack

page read and write

1C1E8440000

heap

page read and write

61216FE000

stack

page read and write

1C1E8445000

heap

page read and write

6121DFD000

stack

page read and write

66681000

unkown

page execute read

6121EFE000

stack

page read and write

61210FE000

stack

page read and write

7FF6E9C21000

unkown

page execute read

61219FD000

stack

page read and write

2FDE000

stack

page read and write

B50000

heap

page read and write

1C1E7C90000

heap

page read and write

6121AFD000

stack

page read and write

61212FF000

stack

page read and write

666EE000

unkown

page readonly

6121CFD000

stack

page read and write

6120BFF000

stack

page read and write

6120FFF000

stack

page read and write

B0F000

stack

page read and write

7FF6E9C6E000

unkown

page readonly

7FF6E9C21000

unkown

page execute read

7FF6E9C6E000

unkown

page readonly

6670A000

unkown

page write copy

2FE8000

heap

page read and write

6670B000

unkown

page read and write

61218FD000

stack

page read and write

2D20000

heap

page read and write

3280000

heap

page read and write

1C1E8640000

heap

page read and write

7FF6E9C6C000

unkown

page read and write

7B0000

heap

page read and write

7FF6E9C58000

unkown

page readonly

1C1E8310000

heap

page read and write

6121BFD000

stack

page read and write

1C1E7CDA000

heap

page read and write

6670E000

unkown

page readonly

2E5D000

stack

page read and write

6120EFE000

stack

page read and write

6FD000

stack

page read and write

61213FE000

stack

page read and write

31F0000

heap

page read and write

2BCF000

stack

page read and write

6120CFF000

stack

page read and write

7FE000

stack

page read and write

1C1E85F0000

heap

page read and write

2D40000

heap

page read and write

7FF6E9C20000

unkown

page readonly

61211FE000

stack

page read and write

7A0000

heap

page read and write

2F10000

heap

page read and write

2E9E000

stack

page read and write

1C1E7CA0000

heap

page read and write

7FF45D140000

direct allocation

page read and write

1C1E7E70000

heap

page read and write

7FF6E9C20000

unkown

page readonly

1C1E7CC8000

heap

page read and write

7FF6E9C6C000

unkown

page write copy

2F5E000

stack

page read and write

6120AFC000

stack

page read and write

61217FE000

stack

page read and write

There are 64 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
imfsbSvc.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportimfsbSvc.exe

Files

Processes

Memdumps

IOC Report
imfsbSvc.exe