Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

bfsvc.exe

PE32+ executable (GUI) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy:	6.35497393259666
Filename:	bfsvc.exe
Filesize:	2789712
MD5:	60a339532f6a5290d435acbd30cb1992
SHA1:	49ac28641a0448d4179eb870c1af4327a1799650
SHA256:	ee7926b30c734b49f373b88b3f0d73a761b832585ac235eda68cf9435c931269
SHA512:	5fe71e5f3df06c257da11fdc9186188ec021df67be86ec4a7286156f3a5f27fd1bc7a9a3e42672a7c92b1c8ca291f110d8b08c6282a4dd25afae890c97c1fe08
SSDEEP:	49152:SWloiaXmVQDg/xrTYp3Rp8Z7iOOSaIOzd9nLgUvSSP88O5Z2Cfz8kIL+hlaDOjiH:SWv0yOSQbnLLSSP8L5IzY8FkT8
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........o..E...E...E.....+.J.....).......(.S.......H.......D.......G.......f...E...e....W..S....W..L....W..#....W..A....W%.D...E.M.D..

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection	Security Software Discovery
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality for read data from the clipboard	Key, Mouse, Clipboard, Microphone and Screen Capturing	Security Software Discovery Clipboard Data
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging	Security Software Discovery
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to modify clipboard data	Key, Mouse, Clipboard, Microphone and Screen Capturing
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Contains functionality to retrieve information about pressed keystrokes	Key, Mouse, Clipboard, Microphone and Screen Capturing
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found large amount of non-executed APIs	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information Obfuscated Files or Information Security Software Discovery
PE / OLE file has an invalid certificate	System Summary
Potential key logger detected (key state polling based)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality to instantiate COM classes	System Summary	Security Software Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query system information	Malware Analysis System Evasion	Security Software Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	Security Software Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary	System Information Discovery
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading Security Software Discovery
PE file contains a debug data directory	System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\~SF8771.tmp

data

modified

Details

File:	C:\Users\user\AppData\Local\Temp\~SF8771.tmp
Category:	modified
Dump:	~SF8771.tmp.6.dr
ID:	dr_0
Target ID:	6
Process:	C:\Users\user\Desktop\bfsvc.exe
Type:	data
Entropy:	7.9989319921201245
Encrypted:	true
Ssdeep:	3072:UmHqdQxxy7SdsuzoCJbpYiUxOuTT5N+6N3/51Qg+b3TYtTJYkGVE+z4i2OqJI+y:UeqexM7SdooUxOy7Nh1Qg+HYtTWkMVcI
Size:	174548
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\bfsvc.exe

"C:\Users\user\Desktop\bfsvc.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1424
Target ID:	6
Parent PID:	4056
Name:	bfsvc.exe
Path:	C:\Users\user\Desktop\bfsvc.exe
Commandline:	"C:\Users\user\Desktop\bfsvc.exe"
Size:	2789712
MD5:	60A339532F6A5290D435ACBD30CB1992
Time:	03:19:06
Date:	04/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x140000000
Modulesize:	2740224
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
PE / OLE file has an invalid certificate	System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
PE file contains a debug data directory	System Summary
PE file imports many functions	System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

190000

heap

page read and write

70E000

stack

page read and write

80E000

stack

page read and write

14B000

stack

page read and write

510000

heap

page read and write

140000000

unkown

page readonly

519000

heap

page read and write

140000000

unkown

page readonly

55A000

heap

page read and write

148000

stack

page read and write

1401BE000

unkown

page write copy

14026F000

unkown

page read and write

140001000

unkown

page execute read

242F000

heap

page read and write

336E000

heap

page read and write

4D0000

direct allocation

page execute and read and write

1FE0000

direct allocation

page execute and read and write

140288000

unkown

page readonly

1401BE000

unkown

page read and write

2110000

heap

page read and write

1A0000

heap

page read and write

30D5000

heap

page read and write

1FD9000

direct allocation

page execute and read and write

35F0000

unclassified section

page read and write

557000

heap

page read and write

1D0000

heap

page read and write

14025F000

unkown

page read and write

51C000

heap

page read and write

2410000

heap

page read and write

140271000

unkown

page readonly

140288000

unkown

page readonly

140001000

unkown

page execute read

516000

heap

page read and write

2280000

heap

page read and write

1FE3000

direct allocation

page execute and read and write

2E4E000

heap

page read and write

1FB1000

direct allocation

page execute and read and write

14025E000

unkown

page write copy

140260000

unkown

page write copy

140271000

unkown

page readonly

There are 30 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
bfsvc.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportbfsvc.exe

Files

Processes

Memdumps

IOC Report
bfsvc.exe