Analysis Report HealthService.exe

Overview

General Information

Sample Name:HealthService.exe
Analysis ID:402486
MD5:367ce58d39d978524559d0805192e8d7
SHA1:d7e37b78d56d8b504016c32934ac15dd2d9f6176
SHA256:1eaec2e5990f4694bdf4d228ac3543caba79ae38952f5ff504517304f9e1e9f2

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Program does not show much activity (idle)
Tries to load missing DLLs

Classification

Classification categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)

Analysis Advice

Sample is a service DLL but no service has been registered
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

  • System is w10x64
  • HealthService.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\HealthService.exe' MD5: 367CE58D39D978524559D0805192E8D7)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Source: HealthService.exe | Static PE information: certificate valid
Source: HealthService.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: HealthService.pdb | source: HealthService.exe
Source: Binary string: HealthService.pdb11H | source: HealthService.exe
Source: C:\Users\user\Desktop\HealthService.exe | Section loaded: healthservice.dll
Source: C:\Users\user\Desktop\HealthService.exe | Section loaded: healthserviceruntime.dll
Source: classification engine | Classification label: clean1.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\HealthService.exe | Code function: 0_2_00007FF7D5876070 StartServiceCtrlDispatcherW,RegQueryValueExW,RegCloseKey,
Source: C:\Users\user\Desktop\HealthService.exe | Code function: 0_2_00007FF7D5871700 CoUninitialize,UnregisterTraceGuids,HealthServiceMain,StartServiceCtrlDispatcherW,GetLastError,CoUninitialize,UnregisterTraceGuids,
Source: HealthService.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HealthService.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: initial sample | Static PE information: Valid certificate with Microsoft Issuer
Source: HealthService.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: HealthService.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HealthService.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HealthService.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HealthService.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HealthService.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HealthService.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\HealthService.exe | Code function: 0_2_00007FF7D5872A40 GetSystemInfo,
Source: C:\Users\user\Desktop\HealthService.exe | Code function: 0_2_00007FF7D5871B3C InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclW,SetSecurityDescriptorDacl,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,CoInitializeSecurity,LocalFree,CloseHandle,
Source: C:\Users\user\Desktop\HealthService.exe | Code function: 0_2_00007FF7D5872FA4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

Tactic | Techniques (numbers in parentheses: count of matching signatures)
Initial Access | Valid Accounts; Default Accounts
Execution | Service Execution (2); Scheduled Task/Job
Persistence | Windows Service (3); DLL Side-Loading (1)
Privilege Escalation | Windows Service (3); DLL Side-Loading (1)
Defense Evasion | DLL Side-Loading (1); Rootkit
Credential Access | OS Credential Dumping; LSASS Memory
Discovery | System Time Discovery (1); System Information Discovery (3)
Lateral Movement | Remote Services; Remote Desktop Protocol
Collection | Data from Local System; Data from Removable Media
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control | Data Obfuscation; Junk Data
Network Effects | Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects | Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact | Modify System Partition; Device Lockout
Behavior Graph (ID: 402486; Sample: HealthService.exe; Start date: 03/05/2021; Architecture: WINDOWS; Score: 1): HealthService.exe started

Source | Detection | Scanner
HealthService.exe | 0% | Virustotal
HealthService.exe | 0% | Metadefender
HealthService.exe | 0% | ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos

General Information

Joe Sandbox Version:32.0.0 Black Diamond
Analysis ID:402486
Start date:03.05.2021
Start time:08:24:03
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 27s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:HealthService.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.winEXE@1/0@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 75.4% (good quality ratio 36.8%)
  • Quality average: 33.9%
  • Quality standard deviation: 40%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Execution Graph export aborted for target HealthService.exe, PID 6952 because there are no executed function
No simulations
No context
No created / dropped files found

Static File Info

General

File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):6.269755445996399
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:HealthService.exe
File size:27048
MD5:367ce58d39d978524559d0805192e8d7
SHA1:d7e37b78d56d8b504016c32934ac15dd2d9f6176
SHA256:1eaec2e5990f4694bdf4d228ac3543caba79ae38952f5ff504517304f9e1e9f2
SHA512:b44feecabd84cd785205c3850eb6f9e31726770563e6182a1bb8e9e3312a57c20c8ab2c5c8dbf2608435cf91651af194e596d2f30aaca9a84ea2204c7fc7703b
SSDEEP:384:26ACH80K1MsWuQUKXzFp2zu0vJ7nyPmOgWf/uOWzdHRN77xJXlGshI:2zOU+p21nHZR7LE1
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.i=...n...n...n...n...nD..n...nD..n...nD..n...nD..n...n...n...n...n...n...n...n...n...n...n...nRich...n........PE..d......_...

File Icon

Icon Hash:00828e8e8686b000

General

Entrypoint:0x140002dec
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:0x5F8BACCE [Sun Oct 18 02:47:42 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:0ba5fcb0a2a5e8cff9c7b1ae3cde3769
Signature Valid:true
Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before:3/4/2020 7:39:47 PM
Not After:3/3/2021 7:39:47 PM
Subject Chain
  • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint MD5:AAEE394B1087AC1044A13D09468CDF1E
Thumbprint SHA-1:2485A7AFA98E178CB8F30C9838346B514AEA4769
Thumbprint SHA-256:C0772D3C9E20C3F4EBB09F5816D6DADA0D8FA86563C2D68898539EC1CD355A1B
Serial:3300000187721772155940C709000000000187
Instruction
dec eax
sub esp, 28h
call 00007F2C14902774h
dec eax
add esp, 28h
jmp 00007F2C149023B3h
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [000011F9h]
jne 00007F2C149025D3h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F2C149025C4h
rep ret
dec eax
ror ecx, 10h
jmp 00007F2C14902A0Eh
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [ecx]
cmp dword ptr [eax], E06D7363h
jne 00007F2C149025DEh
cmp dword ptr [eax+18h], 04h
jne 00007F2C149025D8h
mov ecx, dword ptr [eax+20h]
lea eax, dword ptr [ecx-19930520h]
cmp eax, 02h
jbe 00007F2C149025D1h
cmp ecx, 01994000h
je 00007F2C149025C9h
xor eax, eax
dec eax
add esp, 28h
ret
call 00007F2C14902AA6h
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
dec eax
lea ecx, dword ptr [FFFFFFB5h]
call 00007F2C14902A99h
xor eax, eax
dec eax
add esp, 28h
ret
int3
int3
int3
int3
int3
int3
int3
jmp dword ptr [0000338Ch]
int3
int3
int3
int3
int3
int3
jmp dword ptr [00003370h]
int3
int3
int3
int3
int3
int3
int3
int3
xor eax, eax
ret
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6268 | 0xa0 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7000 | 0x760 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5000 | 0x1bc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4600 | 0x23a8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0x2c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1040 | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x14b0 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x268 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2698 | 0x2800 | False | 0.55654296875 | data | 5.89204632443 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x4000 | 0x688 | 0x200 | False | 0.09375 | data | 0.501447008098 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x5000 | 0x1bc | 0x200 | False | 0.548828125 | data | 3.52123880887 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0x6000 | 0xb32 | 0xc00 | False | 0.368489583333 | data | 4.09000092762 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x7000 | 0x760 | 0x800 | False | 0.40478515625 | data | 4.0477508662 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8000 | 0x2c | 0x200 | False | 0.109375 | data | 0.52660705461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x7308 | 0x454 | data | English | United States
RT_MANIFEST | 0x70a0 | 0x268 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
DLL | Imports
ADVAPI32.dll | TraceMessage, GetTraceLoggerHandle, GetTraceEnableLevel, GetTraceEnableFlags, RegisterTraceGuidsW, UnregisterTraceGuids, InitializeSecurityDescriptor, CreateWellKnownSid, SetEntriesInAclW, SetSecurityDescriptorDacl, OpenProcessToken, GetTokenInformation, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, StartServiceCtrlDispatcherW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey
KERNEL32.dll | GetSystemInfo, CreateProcessW, CloseHandle, LocalFree, GetCurrentProcess, GetLastError, SetErrorMode, EncodePointer, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, DecodePointer, IsDebuggerPresent, IsProcessorFeaturePresent, SetPriorityClass, InitializeCriticalSectionAndSpinCount
MSVCR120.dll | _exit, memset, __crtCapturePreviousContext, __crtTerminateProcess, __crtUnhandledException, __crt_debugger_hook, _onexit, __dllonexit, _calloc_crt, _unlock, _lock, __crtSetUnhandledExceptionFilter, ?terminate@@YAXXZ, _commode, _fmode, _wcmdln, __C_specific_handler, _initterm, _initterm_e, __setusermatherr, _configthreadlocale, _cexit, exit, __set_app_type, __wgetmainargs, _amsg_exit, __crtGetShowWindowMode, _XcptFilter
ole32.dll | CoInitializeEx, CoUninitialize, CoInitializeSecurity
OLEAUT32.dll | SetOaNoCache
HealthService.dll | HealthServiceMain
HealthServiceRuntime.dll | InitializeProcessSecurity, DisableCOMExceptionHandling
Description | Data
LegalCopyright | Copyright Microsoft Corp.
InternalName | HealthService.exe
FileVersion | 10.20.18053.0
CompanyName | Microsoft Corp.
PrivateBuild | Built by cdmbld on CDMBLDAZ023.
LegalTrademarks | Microsoft is a registered trademark of Microsoft Corporation.
ProductName | Microsoft Monitoring Agent
ProductVersion | 10.20.18053.0
FileDescription | Microsoft Monitoring Agent Service
OriginalFilename | HealthService.exe
Translation | 0x0409 0x04b0

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Start time:08:24:54
Start date:03/05/2021
Path:C:\Users\user\Desktop\HealthService.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\HealthService.exe'
Imagebase:0x7ff7d5870000
File size:27048 bytes
MD5 hash:367CE58D39D978524559D0805192E8D7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis