Windows Analysis Report
AvastSvc.exe

Overview

General Information

Sample name: AvastSvc.exe
Analysis ID: 1427809
MD5: a72036f635cecf0dcb1e9c6f49a8fa5b
SHA1: 049813b955db1dd90952657ae2bd34250153563e
SHA256: 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to dynamically determine API calls
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Source: AvastSvc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: AvastSvc.exe Static PE information: certificate valid
Source: AvastSvc.exe Static PE information: DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: d:\Workspace\workspace\ProductionClients-ForRelease\AVBranding\avast\CONFIG\Release\label_exp\WinClient\BUILDS\Release\x86\wsc_proxy.pdb source: AvastSvc.exe
Source: AvastSvc.exe, 00000000.00000002.1632241273.0000000000BB2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewsc_proxy.exeB vs AvastSvc.exe
Source: AvastSvc.exe, 00000000.00000000.1631633603.0000000000BB2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewsc_proxy.exeB vs AvastSvc.exe
Source: AvastSvc.exe Binary or memory string: OriginalFilenamewsc_proxy.exeB vs AvastSvc.exe
Source: classification engine Classification label: clean2.winEXE@1/0@0/0
Source: AvastSvc.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AvastSvc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AvastSvc.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AvastSvc.exe Section loaded: wsc.dll
Source: AvastSvc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\AvastSvc.exe Code function: 0_2_00BB1000 EntryPoint,LoadLibraryW,GetProcAddress,GetCommandLineW,FreeLibrary,GetLastError,FreeLibrary,GetLastError,ExitProcess, 0_2_00BB1000
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos