Edit tour

Windows Analysis Report
winexesvc.exe

Overview

General Information

Sample name:	winexesvc.exe
Analysis ID:	1545305
MD5:	1fd9ccecac8794f39d826fdd8a62e6bc
SHA1:	76e6864d8f35530b8d8573b3cebb7921222788dc
SHA256:	ae59aedc4d89d7b22db5dc65cd0b2ff68b20b74863d44f53fd346de739081694
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Sigma detected: Suspicious New Service Creation

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

PE file contains sections with non-standard names

Yara detected Winexe tool

Yara signature match

Classification

Process Tree

System is w7x64

cmd.exe (PID: 3508 cmdline: cmd /c sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe" >> C:\servicereg.log 2>&1 MD5: AD7B9C14083B52BC532FBA5948342B98)

sc.exe (PID: 3532 cmdline: sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe" MD5: D2F7A0ADC2EE0F65AB1F19D2E00C16B8)

cmd.exe (PID: 3616 cmdline: cmd /c sc start QkjJP >> C:\servicestart.log 2>&1 MD5: AD7B9C14083B52BC532FBA5948342B98)

sc.exe (PID: 3640 cmdline: sc start QkjJP MD5: D2F7A0ADC2EE0F65AB1F19D2E00C16B8)

winexesvc.exe (PID: 3648 cmdline: C:\Users\user\Desktop\winexesvc.exe MD5: 1FD9CCECAC8794F39D826FDD8A62E6BC)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
winexesvc.exe	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
winexesvc.exe	Winexe_RemoteExecution	Winexe tool used by Sofacy group several APT cases	Florian Roth	0x45c7:$s1: \\.\pipe\ahexec 0x4617:$s1: \\.\pipe\ahexec 0x4668:$s1: \\.\pipe\ahexec 0x478d:$s1: \\.\pipe\ahexec 0x47a4:$s2: implevel
winexesvc.exe	Sofacy_Bundestag_Winexe	Winexe tool used by Sofacy group in Bundestag APT	Florian Roth	0x45c7:$s1: \\.\pipe\ahexec 0x4617:$s1: \\.\pipe\ahexec 0x4668:$s1: \\.\pipe\ahexec 0x478d:$s1: \\.\pipe\ahexec 0x47a4:$s2: implevel

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.607983896.0000000000406000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
00000006.00000000.345578951.0000000000406000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
Process Memory Space: winexesvc.exe PID: 3648	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious New Service Creation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe" , CommandLine: sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: cmd /c sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe" >> C:\servicereg.log 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3508, ParentProcessName: cmd.exe, ProcessCommandLine: sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe" , ProcessId: 3532, ProcessName: sc.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe" , CommandLine: sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: cmd /c sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe" >> C:\servicereg.log 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3508, ParentProcessName: cmd.exe, ProcessCommandLine: sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe" , ProcessId: 3532, ProcessName: sc.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: winexesvc.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: winexesvc.exe

ReversingLabs: Detection: 68%

Machine Learning detection for sample

Source: winexesvc.exe

Joe Sandbox ML: detected

System Summary

Malicious sample detected (through community Yara rule)

Source: winexesvc.exe, type: SAMPLE	Matched rule: Winexe tool used by Sofacy group several APT cases Author: Florian Roth
Source: winexesvc.exe, type: SAMPLE	Matched rule: Winexe tool used by Sofacy group in Bundestag APT Author: Florian Roth

Source: C:\Windows\SysWOW64\sc.exe	Memory allocated: 770B0000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Memory allocated: 770B0000 page execute and read and write			Jump to behavior

Source: Yara match	File source: winexesvc.exe, type: SAMPLE
Source: Yara match	File source: 00000006.00000002.607983896.0000000000406000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.345578951.0000000000406000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: winexesvc.exe PID: 3648, type: MEMORYSTR

Source: winexesvc.exe, type: SAMPLE	Matched rule: Winexe_RemoteExecution date = 2015-06-19, author = Florian Roth, description = Winexe tool used by Sofacy group several APT cases, score = , reference = http://dokumente.linksfraktion.de/inhalt/report-orig.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d
Source: winexesvc.exe, type: SAMPLE	Matched rule: Sofacy_Bundestag_Winexe date = 2015-06-19, author = Florian Roth, description = Winexe tool used by Sofacy group in Bundestag APT, score = , reference = http://dokumente.linksfraktion.de/inhalt/report-orig.pdf, hash = 5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d

Source: classification engine

Classification label: mal72.winEXE@7/3@0/0

Source: winexesvc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\sc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: winexesvc.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe" >> C:\servicereg.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe"
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start QkjJP >> C:\servicestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start QkjJP
Source: unknown	Process created: C:\Users\user\Desktop\winexesvc.exe C:\Users\user\Desktop\winexesvc.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start QkjJP	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sc.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\winexesvc.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: winexesvc.exe

Static PE information: section name: .xdata

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe"

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start QkjJP			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Service Execution	1 Windows Service	1 Windows Service	11 Process Injection	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 DLL Side-Loading	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
winexesvc.exe	68%	ReversingLabs	Win32.Trojan.Generic
winexesvc.exe	100%	Avira	SPR/Winexe.AJ
winexesvc.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545305
Start date and time:	2024-10-30 11:52:59 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name:	Run as Windows Service
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	winexesvc.exe
Detection:	MAL
Classification:	mal72.winEXE@7/3@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: winexesvc.exe

Simulations

Behavior and APIs

Time	Type	Description
06:53:45	API Interceptor	2x Sleep call for process: sc.exe modified

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	28
Entropy (8bit):	3.678439190827718
Encrypted:	false
SSDEEP:	3:4A4AnXjzSv:4HAnXjg
MD5:	A8F4D690C5BDE96AD275C7D4ABE0E3D3
SHA1:	7C62C96EFD2CA4F3C3EBF0B24C9B5B4C04A4570A
SHA-256:	596CCC911C1772735AAC6A6B756A76D3D55BCECD006B980CF147090B2243FA7B
SHA-512:	A875EBE3C5CDF222FF9D08576F4D996AF827A1C86B3E758CE23F6B33530D512A82CE8E39E519837512080C6212A0A19B3385809BE5F5001C4E488DD79550B852
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	[SC] CreateService SUCCESS..

C:\servicestart.log

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	421
Entropy (8bit):	3.539127209260343
Encrypted:	false
SSDEEP:	6:lg3D/8F6+gVKBRjGxVVLvH2s/u8qLLFmLaZnsHgm66//V+NmK5fq:lgAngV0qVbH2suZLQqOVKmsq
MD5:	AC0B3E3C581E17FD64BED302F0700F35
SHA1:	5AD14638C3BADFD0FD59B928ECEF08CEB0AFB317
SHA-256:	38D1DA12945BA6D0A068154004A8F365C7D251D7F5DFBAE290B29FA9C540A1A1
SHA-512:	D4FF906AE8AF520302C059176E0925C1FCE9B9E37C7CA6D1243C8CE46CCE045E2CD3C0B5D348C0C34B8C344431FE8BB69F553B3E146A92A014FD0A922AFE5B75
Malicious:	false
Reputation:	low
Preview:	..SERVICE_NAME: QkjJP .. TYPE : 10 WIN32_OWN_PROCESS .. STATE : 2 START_PENDING .. (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN).. WIN32_EXIT_CODE : 0 (0x0).. SERVICE_EXIT_CODE : 0 (0x0).. CHECKPOINT : 0x0.. WAIT_HINT : 0x7d0.. PID : 3648.. FLAGS : ..

C:\winexesvc.log

Download File

Process:	C:\Users\user\Desktop\winexesvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	119
Entropy (8bit):	4.413601333371317
Encrypted:	false
SSDEEP:	3:hffFjB2AxtEgNywZffF3BAXnxWJ7vDNffFkCvU3M3ZSv:htMa5ywpt32XU7bttq3qc
MD5:	532EE6EC463F75DEB115A5BB22649094
SHA1:	5AAB8E1E019161DCE508053E1B620B2E6B6B3032
SHA-256:	9AADBD4E2166AB2CC08C7E97F290AA1D6A7B632AA0BE80CA10705817FEB043B7
SHA-512:	619C6EA721D19AB5D9C8F41496791CBD602473AA8113E554466015725AA5253E921E3AE402A361477D29BC5B350D319C12A29B7191346D2677EDC5DA1165CAC3
Malicious:	false
Reputation:	low
Preview:	winexesvc: StartServiceCtrlDispatcher 0..winexesvc: RegisterServiceCtrlHandler..winexesvc: Returning the Main Thread ..

Static File Info

General

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.417890025339215
TrID:	Win64 Executable (generic) (12005/4) 74.80% Generic Win/DOS Executable (2004/3) 12.49% DOS Executable Generic (2002/1) 12.47% VXD Driver (31/22) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	winexesvc.exe
File size:	28'672 bytes
MD5:	1fd9ccecac8794f39d826fdd8a62e6bc
SHA1:	76e6864d8f35530b8d8573b3cebb7921222788dc
SHA256:	ae59aedc4d89d7b22db5dc65cd0b2ff68b20b74863d44f53fd346de739081694
SHA512:	4a71543c0382269bcd9918fc9bbf0689dafb79b936f4164a83cb3128a9356f8a0f7a192bad465a2b26286780e4ba06a997cedc71f9ea3c9ca3947e6ca220ccb0
SSDEEP:	384:nahQXjR+T7LgGOLLrkUy3E1hgZNaxVwTNpFKLr+nqEyuQcI6:nawR+T7LgV7gVSwHIPqqEyXc
TLSH:	71D2D62BB293C929C59FD2B47AE75A71A9F97C250878661E0351DA303F09CE49F7CD04
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......[........../......<...0................@......................................m........ ............................

File Icon


Icon Hash:	aaf3e3e3918382a0

Static PE Info

General

Entrypoint:	0x401500
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x5B10DDEC [Fri Jun 1 05:47:24 2018 UTC]
TLS Callbacks:	0x403690
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	03de7552640f03c644f177a094a3d6a8

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [000054D5h]
mov dword ptr [eax], 00000000h
call 00007F1C7882187Fh
call 00007F1C7881F5AAh
nop
nop
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 60h
mov dword ptr [ebp+10h], ecx
mov eax, dword ptr [ebp+10h]
cmp eax, 02h
je 00007F1C7881F938h
cmp eax, 02h
jnbe 00007F1C7881F920h
cmp eax, 01h
je 00007F1C7881F9D2h
jmp 00007F1C7881FB34h
cmp eax, 03h
je 00007F1C7881F972h
cmp eax, 04h
je 00007F1C7881FAE0h
jmp 00007F1C7881FB21h
dec eax
lea edx, dword ptr [00004A90h]
dec eax
lea ecx, dword ptr [00004A8Ch]
call 00007F1C78822CC9h
dec eax
mov dword ptr [ebp-20h], eax
dec eax
cmp dword ptr [ebp-20h], 00000000h
je 00007F1C7881F937h
dec eax
mov eax, dword ptr [ebp-20h]
inc ecx
mov eax, 00000000h
dec eax
lea edx, dword ptr [00004A80h]
dec eax
mov ecx, eax
call 00007F1C78822C9Dh
dec eax
mov eax, dword ptr [ebp-20h]
dec eax
mov ecx, eax
call 00007F1C78822CA1h
mov dword ptr [00008A7Eh], 00000007h
jmp 00007F1C7881FB10h
dec eax
lea edx, dword ptr [00004A3Eh]
dec eax
lea ecx, dword ptr [00004A3Ah]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb000	0xe50	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x8000	0x2f4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xd020	0x28	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb36c	0x308	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3bd0	0x3c00	825558bffefb5f9070cf6117acd8cd29	False	0.508984375	data	5.788979410905007	IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x5000	0x140	0x200	40733cc8d5fa1ab77cd3642f5ea2fbb5	False	0.189453125	data	1.200990673854394	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x6000	0x1180	0x1200	4f14740866e5c44926b994410dc11acc	False	0.23546006944444445	data	4.887738829822946	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x8000	0x2f4	0x400	02d779b36bed10a3dedabd076a99a61c	False	0.421875	data	3.2258083420406516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x9000	0x2b8	0x400	3d045eb05e3d4d8447810a83d24ae525	False	0.3037109375	data	3.220938496883115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0xa000	0xa90	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb000	0xe50	0x1000	61f210624a78b04e7d891d6770a0b21d	False	0.31640625	data	3.9049033413598377	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xc000	0x68	0x200	f3b91be8c8166d9cd980037c8b36bb96	False	0.0703125	data	0.2655385886073115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xd000	0x68	0x200	337163d840e7680b1e8d1e77bf863014	False	0.060546875	data	0.19743807838821048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
ADVAPI32.dll	AllocateAndInitializeSid, CreateProcessAsUserA, DuplicateTokenEx, GetUserNameA, ImpersonateNamedPipeClient, InitializeSecurityDescriptor, LogonUserA, OpenProcessToken, OpenThreadToken, RegisterServiceCtrlHandlerA, RevertToSelf, SetEntriesInAclA, SetSecurityDescriptorDacl, SetServiceStatus, StartServiceCtrlDispatcherA
KERNEL32.dll	CloseHandle, ConnectNamedPipe, CreateEventA, CreateNamedPipeA, CreateThread, DeleteCriticalSection, DisconnectNamedPipe, EnterCriticalSection, FlushFileBuffers, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetExitCodeProcess, GetLastError, GetOEMCP, GetOverlappedResult, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LocalAlloc, QueryPerformanceCounter, ReadFile, ResetEvent, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetHandleInformation, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WriteFile
msvcrt.dll	__C_specific_handler, __dllonexit, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _lock, _onexit, _unlock, _vsnprintf, abort, atoi, calloc, exit, fclose, fopen, fprintf, free, fwrite, malloc, memcpy, memset, signal, sprintf, strchr, strlen, strncmp, strstr, vfprintf, _strdup
USERENV.dll	LoadUserProfileA

Target ID:	0
Start time:	06:53:45
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe" >> C:\servicereg.log 2>&1
Imagebase:	0x4a270000
File size:	302'592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:53:45
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc create QkjJP binpath= "C:\Users\user\Desktop\winexesvc.exe"
Imagebase:	0x120000
File size:	37'376 bytes
MD5 hash:	D2F7A0ADC2EE0F65AB1F19D2E00C16B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:53:47
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c sc start QkjJP >> C:\servicestart.log 2>&1
Imagebase:	0x4a150000
File size:	302'592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:53:47
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc start QkjJP
Imagebase:	0x7b0000
File size:	37'376 bytes
MD5 hash:	D2F7A0ADC2EE0F65AB1F19D2E00C16B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:53:47
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\winexesvc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\winexesvc.exe
Imagebase:	0x400000
File size:	28'672 bytes
MD5 hash:	1FD9CCECAC8794F39D826FDD8A62E6BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Winexe_tool, Description: Yara detected Winexe tool, Source: 00000006.00000002.607983896.0000000000406000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Winexe_tool, Description: Yara detected Winexe tool, Source: 00000006.00000000.345578951.0000000000406000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report winexesvc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\servicereg.log

C:\servicestart.log

C:\winexesvc.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: cmd.exePID: 3508, Parent PID: 1956

General

Chronological Activities

Analysis Process: sc.exePID: 3532, Parent PID: 3508

General

Chronological Activities

Analysis Process: cmd.exePID: 3616, Parent PID: 1956

General

Chronological Activities

Analysis Process: sc.exePID: 3640, Parent PID: 3616

Windows Analysis Report
winexesvc.exe