Edit tour

Windows Analysis Report
AvastSvc.exe

Overview

General Information

Sample name:	AvastSvc.exe
Analysis ID:	1427809
MD5:	a72036f635cecf0dcb1e9c6f49a8fa5b
SHA1:	049813b955db1dd90952657ae2bd34250153563e
SHA256:	85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Contains functionality to dynamically determine API calls

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

AvastSvc.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\AvastSvc.exe" MD5: A72036F635CECF0DCB1E9C6F49A8FA5B)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: AvastSvc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: AvastSvc.exe

Static PE information: certificate valid

Source: AvastSvc.exe

Static PE information: DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: d:\Workspace\workspace\ProductionClients-ForRelease\AVBranding\avast\CONFIG\Release\label_exp\WinClient\BUILDS\Release\x86\wsc_proxy.pdb source: AvastSvc.exe

Source: AvastSvc.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: AvastSvc.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AvastSvc.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: AvastSvc.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AvastSvc.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: AvastSvc.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AvastSvc.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: AvastSvc.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AvastSvc.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: AvastSvc.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AvastSvc.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AvastSvc.exe	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: AvastSvc.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: AvastSvc.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AvastSvc.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: AvastSvc.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: AvastSvc.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AvastSvc.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AvastSvc.exe	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: AvastSvc.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0B
Source: AvastSvc.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AvastSvc.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: AvastSvc.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: AvastSvc.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: AvastSvc.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: AvastSvc.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: AvastSvc.exe	String found in binary or memory: http://ocsp.digicert.com0P
Source: AvastSvc.exe	String found in binary or memory: http://www.avast.com0
Source: AvastSvc.exe	String found in binary or memory: http://www.avast.com0/
Source: AvastSvc.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: AvastSvc.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: AvastSvc.exe, 00000000.00000002.1632241273.0000000000BB2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewsc_proxy.exeB vs AvastSvc.exe
Source: AvastSvc.exe, 00000000.00000000.1631633603.0000000000BB2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewsc_proxy.exeB vs AvastSvc.exe
Source: AvastSvc.exe	Binary or memory string: OriginalFilenamewsc_proxy.exeB vs AvastSvc.exe

Source: AvastSvc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean2.winEXE@1/0@0/0

Source: AvastSvc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\AvastSvc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\AvastSvc.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\AvastSvc.exe	Section loaded: wsc.dll			Jump to behavior

Source: AvastSvc.exe

Static PE information: certificate valid

Source: AvastSvc.exe

Static PE information: DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: AvastSvc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: d:\Workspace\workspace\ProductionClients-ForRelease\AVBranding\avast\CONFIG\Release\label_exp\WinClient\BUILDS\Release\x86\wsc_proxy.pdb source: AvastSvc.exe

Source: C:\Users\user\Desktop\AvastSvc.exe

Code function: 0_2_00BB1000 EntryPoint,LoadLibraryW,GetProcAddress,GetCommandLineW,FreeLibrary,GetLastError,FreeLibrary,GetLastError,ExitProcess,

0_2_00BB1000

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\AvastSvc.exe

Code function: 0_2_00BB1000 EntryPoint,LoadLibraryW,GetProcAddress,GetCommandLineW,FreeLibrary,GetLastError,FreeLibrary,GetLastError,ExitProcess,

0_2_00BB1000

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AvastSvc.exe	0%	ReversingLabs
AvastSvc.exe	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://www.avast.com0/	0%	URL Reputation	safe
http://www.avast.com0/	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.avast.com0/	AvastSvc.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.avast.com0	AvastSvc.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427809
Start date and time:	2024-04-18 07:59:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AvastSvc.exe
Detection:	CLEAN
Classification:	clean2.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.63643271839735
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AvastSvc.exe
File size:	61'648 bytes
MD5:	a72036f635cecf0dcb1e9c6f49a8fa5b
SHA1:	049813b955db1dd90952657ae2bd34250153563e
SHA256:	85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654
SHA512:	e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2
SSDEEP:	768:Q/WQ3/TymxfsHYPry0bgYh3LKgMoCDGFh9D:Q+QvT7xUHYPDbgYVLWofD
TLSH:	545392129E001505D8AA0F30E0ADBA1E16237FFA1674825B3E39FC9DFE6D77B2850B54
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J/..+A..+A..+A..S...+A..+@..+A.tuH..+A.su...+A.tuC..+A.Rich.+A.................PE..L....~.X...................................

File Icon


Icon Hash:	7353332b29709d70

Static PE Info

General

Entrypoint:	0x401000
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x58DA7EF1 [Tue Mar 28 15:19:13 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	f1cc6c4c6182edcc39d0ba2695016c63

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert High Assurance Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	06/09/2016 01:00:00 04/10/2019 13:00:00
Subject Chain	CN=AVAST Software s.r.o., O=AVAST Software s.r.o., L=Praha 4, C=CZ
Version:	3
Thumbprint MD5:	F039F1B2345F3BC7DE619BB19E09E9C4
Thumbprint SHA-1:	AD4C5429E10F4FF6C01840C20ABA344D7401209F
Thumbprint SHA-256:	D21DA76E1948EE8387E64CA2F40716F03956C37783C400DBDF7A4EC800E664E5
Serial:	07C70F7CAB145BC1ED385FBE69FA3130

Entrypoint Preview

Instruction
push esi
push edi
push 00402020h
call dword ptr [00402004h]
mov esi, eax
test esi, esi
je 00007FBEACB05759h
push 00402030h
push esi
call dword ptr [00402008h]
mov edi, eax
test edi, edi
je 00007FBEACB05736h
call dword ptr [00402014h]
push eax
call edi
push esi
mov edi, eax
call dword ptr [00402010h]
jmp 00007FBEACB0573Bh
call dword ptr [00402000h]
push esi
mov edi, eax
call dword ptr [00402010h]
jmp 00007FBEACB0572Ah
call dword ptr [00402000h]
mov edi, eax
push edi
call dword ptr [0040200Ch]
int3
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3 build 24213

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2234	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3000	0x9bf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa848	0x4888
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd000	0x1c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2040	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x20	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5a	0x200	08d433f45f0b45acb1cdca808cb8424c	False	0.162109375	data	1.2370797166834018	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x2e6	0x400	f05dce7a168bd703f1bcb6d640f08b29	False	0.4453125	data	3.5915140879039704	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3000	0x9bf8	0x9c00	5bde6fd548bfad1197ef2188fc2857e7	False	0.3876702724358974	data	4.557751122780278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd000	0x1c	0x200	b29aade97afb03862757154847bd06a6	False	0.080078125	data	0.3824768143356774	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x32d0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3073170731707317
RT_ICON	0x3938	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.4260752688172043
RT_ICON	0x3c20	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5743243243243243
RT_ICON	0x3d48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.24893390191897655
RT_ICON	0x4bf0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.2549638989169675
RT_ICON	0x5498	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.26878612716763006
RT_ICON	0x5a00	0x1f22	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.991969887076537
RT_ICON	0x7928	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.1612033195020747
RT_ICON	0x9ed0	0x1464	Device independent bitmap graphic, 35 x 70 x 32, image size 5180	English	United States	0.2590038314176245
RT_ICON	0xb338	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.20356472795497185
RT_ICON	0xc3e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.43617021276595747
RT_GROUP_ICON	0xc848	0xa0	data	English	United States	0.63125
RT_VERSION	0xc8e8	0x310	data	English	United States	0.45918367346938777

Imports

DLL	Import
KERNEL32.dll	GetLastError, LoadLibraryW, GetProcAddress, ExitProcess, FreeLibrary, GetCommandLineW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	07:59:58
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\AvastSvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AvastSvc.exe"
Imagebase:	0xbb0000
File size:	61'648 bytes
MD5 hash:	A72036F635CECF0DCB1E9C6F49A8FA5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	44.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	7
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00BB1000 Relevance: 17.5, APIs: 8, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(wsc.dll), ref: 00BB1007
GetProcAddress.KERNEL32(00000000,_run@4), ref: 00BB1019
GetCommandLineW.KERNEL32 ref: 00BB1025
FreeLibrary.KERNEL32(00000000), ref: 00BB1031
GetLastError.KERNEL32 ref: 00BB1039
FreeLibrary.KERNEL32(00000000), ref: 00BB1042
GetLastError.KERNEL32 ref: 00BB104A
ExitProcess.KERNEL32 ref: 00BB1053

Strings

_run@4, xrefs: 00BB1013
wsc.dll, xrefs: 00BB1002

Memory Dump Source

Source File: 00000000.00000002.1632158967.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000000.00000002.1632039349.0000000000BB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1632241273.0000000000BB2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bb0000_AvastSvc.jbxd

Similarity

API ID: Library$ErrorFreeLast$AddressCommandExitLineLoadProcProcess
String ID: _run@4$wsc.dll
API String ID: 1457960283-2886225941
Opcode ID: 01e53b858a28572f1dce61573145831238a832bd36ff6f68412156e05482489d
Instruction ID: c37546d77886e1e3fecc0a28357323239accd381c5cb5d131b1da4c47edaba4a
Opcode Fuzzy Hash: 01e53b858a28572f1dce61573145831238a832bd36ff6f68412156e05482489d
Instruction Fuzzy Hash: 76E03031501654DB93293BB89C6C9BB39AAEF857523D50A54F802C3220DEF4C801D761

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AvastSvc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: AvastSvc.exePID: 7000, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: AvastSvc.exePID: 7000, Parent PID: 2580COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 00BB1000 Relevance: 17.5, APIs: 8, Strings: 2, Instructions: 29libraryloaderCOMMON

Control-flow Graph

Windows Analysis Report
AvastSvc.exe

Function 00BB1000 Relevance: 17.5, APIs: 8, Strings: 2, Instructions: 29
libraryloaderCOMMON