Windows Analysis Report
winexesvc.exe

Overview

General Information

Sample name: winexesvc.exe
Analysis ID: 1545305
MD5: 1fd9ccecac8794f39d826fdd8a62e6bc
SHA1: 76e6864d8f35530b8d8573b3cebb7921222788dc
SHA256: ae59aedc4d89d7b22db5dc65cd0b2ff68b20b74863d44f53fd346de739081694

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Sigma detected: Suspicious New Service Creation
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
PE file contains sections with non-standard names
Yara detected Winexe tool
Yara signature match

Classification

AV Detection

Source: winexesvc.exe Avira: detected
Source: winexesvc.exe ReversingLabs: Detection: 68%
Source: winexesvc.exe Joe Sandbox ML: detected

System Summary

Source: winexesvc.exe, type: SAMPLE Matched rule: Winexe tool used by Sofacy group several APT cases Author: Florian Roth
Source: winexesvc.exe, type: SAMPLE Matched rule: Winexe tool used by Sofacy group in Bundestag APT Author: Florian Roth
Source: C:\Windows\SysWOW64\sc.exe Memory allocated: 770B0000 page execute and read and write
Source: Yara match File source: winexesvc.exe, type: SAMPLE
Source: Yara match File source: 00000006.00000002.607983896.0000000000406000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.345578951.0000000000406000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: winexesvc.exe PID: 3648, type: MEMORYSTR
Source: winexesvc.exe, type: SAMPLE Matched rule: Winexe_RemoteExecution date = 2015-06-19, author = Florian Roth, description = Winexe tool used by Sofacy group several APT cases, score = , reference = http://dokumente.linksfraktion.de/inhalt/report-orig.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d
Source: winexesvc.exe, type: SAMPLE Matched rule: Sofacy_Bundestag_Winexe date = 2015-06-19, author = Florian Roth, description = Winexe tool used by Sofacy group in Bundestag APT, score = , reference = http://dokumente.linksfraktion.de/inhalt/report-orig.pdf, hash = 5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d
Source: classification engine Classification label: mal72.winEXE@7/3@0/0
Source: winexesvc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\sc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe" >> C:\servicereg.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe"
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start QkjJP >> C:\servicestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc start QkjJP
Source: unknown Process created: C:\Users\user\Desktop\winexesvc.exe C:\Users\user\Desktop\winexesvc.exe
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\sc.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\sc.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\winexesvc.exe Section loaded: ntmarta.dll
Source: winexesvc.exe Static PE information: section name: .xdata
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
No contacted IP infos