Edit tour

Windows Analysis Report
WidgetService.exe

Overview

General Information

Sample name:WidgetService.exe
Analysis ID:1615686
MD5:035bbf7bade95a68863d179f16b39f12
SHA1:4672705dead726ecae3b92f3efdb29b9e522e758
SHA256:6b461f80456244e0684cd1c75e14b572d37af79c6951aa93ed3ff53b2dafddad
Infos:

Detection

Score:0
Range:0 - 100
Confidence:80%

Signatures

Program does not show much activity (idle)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
  • System is w10x64_ra
  • WidgetService.exe (PID: 7032 cmdline: "C:\Users\user\Desktop\WidgetService.exe" MD5: 035BBF7BADE95A68863D179F16B39F12)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: WidgetService.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\__w\1\s\src\x64\Release\WidgetService\WidgetService.pdbkk source: WidgetService.exe
Source: Binary string: C:\__w\1\s\src\x64\Release\WidgetService\WidgetService.pdb source: WidgetService.exe
Source: classification engineClassification label: clean0.winEXE@1/0@0/0
Source: WidgetService.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WidgetService.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\WidgetService.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\WidgetService.exeSection loaded: kernel.appcore.dllJump to behavior
Source: WidgetService.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: WidgetService.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WidgetService.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WidgetService.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WidgetService.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WidgetService.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WidgetService.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: WidgetService.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: WidgetService.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\__w\1\s\src\x64\Release\WidgetService\WidgetService.pdbkk source: WidgetService.exe
Source: Binary string: C:\__w\1\s\src\x64\Release\WidgetService\WidgetService.pdb source: WidgetService.exe
Source: WidgetService.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WidgetService.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WidgetService.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WidgetService.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WidgetService.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading
1
DLL Side-Loading
1
DLL Side-Loading
OS Credential Dumping1
System Information Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1615686 Sample: WidgetService.exe Startdate: 15/02/2025 Architecture: WINDOWS Score: 0 4 WidgetService.exe 2->4         started       

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
WidgetService.exe0%ReversingLabs
WidgetService.exe1%VirustotalBrowse
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1615686
Start date and time:2025-02-15 04:11:03 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 25s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:WidgetService.exe
Detection:CLEAN
Classification:clean0.winEXE@1/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 2.19.106.160, 13.107.246.45, 172.202.163.200
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
No simulations
No context
No context
No context
No context
No context
No created / dropped files found
File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):5.99837894449585
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:WidgetService.exe
File size:208'896 bytes
MD5:035bbf7bade95a68863d179f16b39f12
SHA1:4672705dead726ecae3b92f3efdb29b9e522e758
SHA256:6b461f80456244e0684cd1c75e14b572d37af79c6951aa93ed3ff53b2dafddad
SHA512:150064fe121fef5fecdb9e91bef9c4e396d0a35755552190c937e4c47408d2215ddc6856e9b974bafef026efa8e3edc3bcbb1cca1b01adc1cbef2a2ceb964979
SSDEEP:3072:1m2Au9Vkqmcs4E2U+ymigeR2DZFjhHLIj1QPoPYjy4uyTmTDmGnrviJ:1m2A0kUE2Gm/FtHQryT+6Grv
TLSH:A014594272AD00D5E16B913D88465A06F6B274258760A3CB27B1433F2F777D5BEBEB80
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................._...............................3.......[.............Rich............PE..d.....t....
Icon Hash:90cececece8e8eb0
Entrypoint:0x140017010
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x674B3CB [Thu Jun 7 14:31:39 1973 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:5a7730a9edfdb7256d3229753a2e26f3
Instruction
dec eax
sub esp, 28h
call 00007F0220FDB5D8h
dec eax
add esp, 28h
jmp 00007F0220FDAC1Fh
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F0220FDADB2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F0220FDADB5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F0220FDADADh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F0220FDA6F6h
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ecx
mov ebx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F0220FDAD11h
Programming Language:
  • [IMP] VS2008 SP1 build 30729
NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x2c39c0x154.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x370000x558.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x340000x2154.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x380000x678.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x242b00xa8.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x241700x140.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x1f0000x548.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x1d24c0x1d400fa7e2a5d0e402a5f25a265e16b1c1405False0.48740484775641024data6.25778019094595IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0x1f0000xe6f60xe800c1cd986b80a87ee7e64aa77df25578aeFalse0.3227202316810345data4.396564133439631IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x2e0000x56100x4000c835d390a0ea0192733ca9b9c3bc8212False0.10247802734375DOS executable (block device driver)4.717060273121439IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata0x340000x21540x22004ec40985ef49a09b83e32bcc5844dedbFalse0.45760569852941174data5.226852890729573IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc0x370000x5580x600181e80f5ebe989db5027bff332e6be59False0.4055989583333333data3.748396552001894IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0x380000x6780x8008999c18af03de77936421c6f7d8b6e93False0.46533203125data4.869660414978786IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
NameRVASizeTypeLanguageCountryZLIB Complexity
RT_VERSION0x370a00x34cdataEnglishUnited States0.4372037914691943
RT_MANIFEST0x373f00x166XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminatorsEnglishUnited States0.61731843575419
DLLImport
KERNEL32.dllOutputDebugStringW, GetCurrentThreadId, FormatMessageW, IsDebuggerPresent, SetLastError, GetLastError, InitOnceBeginInitialize, InitOnceComplete, Sleep, SetEvent, CloseHandle, CreateEventExW, AllocConsole, CreateFileW, SetStdHandle, LocalFree, GetModuleFileNameA, CreateSemaphoreExW, HeapFree, ReleaseSemaphore, GetModuleHandleExW, WaitForSingleObject, ReleaseMutex, WaitForSingleObjectEx, OpenSemaphoreW, HeapAlloc, GetProcAddress, CreateMutexExW, GetCurrentProcessId, GetProcessHeap, GetModuleHandleW, FreeLibrary, WideCharToMultiByte, DebugBreak, TrySubmitThreadpoolCallback, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, InterlockedPushEntrySList, RaiseException, RtlPcToFileHeader, RtlUnwindEx, InitializeSListHead, GetStartupInfoW, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, QueryPerformanceCounter, MultiByteToWideChar, GetStringTypeW, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, LCMapStringEx, GetSystemTimeAsFileTime
api-ms-win-core-com-l1-1-0.dllCoCreateFreeThreadedMarshaler, CoInitializeEx, CoWaitForMultipleObjects, CoResumeClassObjects, CoRevokeClassObject, CoRegisterClassObject
api-ms-win-eventing-provider-l1-1-0.dllEventUnregister, EventWriteTransfer, EventRegister, EventSetInformation
api-ms-win-core-registry-l1-1-0.dllRegGetValueW
api-ms-win-shcore-obsolete-l1-1-0.dllCommandLineToArgvW
api-ms-win-core-winrt-error-l1-1-0.dllRoFailFastWithErrorContext, GetRestrictedErrorInfo, SetRestrictedErrorInfo
OLEAUT32.dllGetErrorInfo, SysStringLen, SetErrorInfo, SysFreeString
api-ms-win-crt-runtime-l1-1-0.dllexit, _exit, _initterm, _get_wide_winmain_command_line, _c_exit, _configure_wide_argv, _register_thread_local_exe_atexit_callback, _set_app_type, abort, _initterm_e, _seh_filter_exe, _cexit, _crt_atexit, _invalid_parameter_noinfo, _errno, _invalid_parameter_noinfo_noreturn, _register_onexit_function, _initialize_onexit_table, terminate, _initialize_wide_environment
api-ms-win-crt-stdio-l1-1-0.dll_set_fmode, __acrt_iob_func, freopen_s, __stdio_common_vswprintf, fgetpos, __stdio_common_vswprintf_s, fputc, fread, fsetpos, _fseeki64, fwrite, __p__commode, setvbuf, ungetc, fflush, ungetwc, fputwc, fgetwc, fgetc, fclose, _get_stream_buffer_pointers
api-ms-win-crt-string-l1-1-0.dll_wcsdup, islower, wcsnlen, isupper, wcsncmp, strcpy_s, __strncnt, iswspace
api-ms-win-crt-heap-l1-1-0.dll_set_new_mode, _callnewh, calloc, malloc, free
api-ms-win-crt-filesystem-l1-1-0.dll_unlock_file, _lock_file
api-ms-win-crt-locale-l1-1-0.dll_unlock_locales, _lock_locales, setlocale, ___lc_locale_name_func, ___mb_cur_max_func, _configthreadlocale, __pctype_func, ___lc_codepage_func
api-ms-win-crt-math-l1-1-0.dll__setusermatherr, ceilf
api-ms-win-core-winrt-error-l1-1-1.dllRoOriginateLanguageException
api-ms-win-core-winrt-l1-1-0.dllRoGetActivationFactory
DescriptionData
CompanyNameMicrosoft Corporation
FileDescriptionWidgetService.exe
FileVersion0.5.0.0
InternalNameWidgetService.exe
LegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.
OriginalFilenameWidgetService.exe
ProductNameWidgets Platform Runtime
ProductVersion0.5
Translation0x0409 0x04b0
Language of compilation systemCountry where language is spokenMap
EnglishUnited States
No network behavior found
050100s020406080100

Click to jump to process

050100sMB

Click to jump to process

Target ID:0
Start time:22:11:32
Start date:14/02/2025
Path:C:\Users\user\Desktop\WidgetService.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\WidgetService.exe"
Imagebase:0x7ff7d4720000
File size:208'896 bytes
MD5 hash:035BBF7BADE95A68863D179F16B39F12
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

No disassembly