Windows Analysis Report
elevation_service.exe

Overview

General Information

Sample name: elevation_service.exe
Analysis ID: 1428994
MD5: c93c02a0adb87cce4c3f1eded22889d9
SHA1: 5e0eed96333f4d1be22ceec37a3f98b095b50b93
SHA256: 6012fd82669bfd308bd6ac1c2b1b14821cc20c68881c496e838654b618199791

Detection

Score: 18
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Sigma detected: Suspicious New Service Creation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Source: elevation_service.exe Static PE information: certificate valid
Source: elevation_service.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe
Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe
Source: elevation_service.exe String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: elevation_service.exe String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234F3070 6_2_00007FF7234F3070
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234D4494 6_2_00007FF7234D4494
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234D408C 6_2_00007FF7234D408C
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234FC88C 6_2_00007FF7234FC88C
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF72343CC28 6_2_00007FF72343CC28
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF72343A820 6_2_00007FF72343A820
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234D7050 6_2_00007FF7234D7050
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF72343BC40 6_2_00007FF72343BC40
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234338E0 6_2_00007FF7234338E0
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234B2110 6_2_00007FF7234B2110
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF723433D10 6_2_00007FF723433D10
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF723469510 6_2_00007FF723469510
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF72343B900 6_2_00007FF72343B900
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234D24B0 6_2_00007FF7234D24B0
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234D489C 6_2_00007FF7234D489C
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF72343BB72 6_2_00007FF72343BB72
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF723433B70 6_2_00007FF723433B70
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF723431760 6_2_00007FF723431760
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234F3358 6_2_00007FF7234F3358
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF723433780 6_2_00007FF723433780
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234F3750 6_2_00007FF7234F3750
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF723432FE0 6_2_00007FF723432FE0
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234D2FA0 6_2_00007FF7234D2FA0
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234D4290 6_2_00007FF7234D4290
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234FEA20 6_2_00007FF7234FEA20
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF72343CE50 6_2_00007FF72343CE50
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234D1F00 6_2_00007FF7234D1F00
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234D4AA0 6_2_00007FF7234D4AA0
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234D4698 6_2_00007FF7234D4698
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF72343AEC0 6_2_00007FF72343AEC0
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF72343DEC0 6_2_00007FF72343DEC0
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF72343A560 6_2_00007FF72343A560
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF723431D60 6_2_00007FF723431D60
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234D3538 6_2_00007FF7234D3538
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234DF1DC 6_2_00007FF7234DF1DC
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234359E0 6_2_00007FF7234359E0
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7235145F0 6_2_00007FF7235145F0
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234325D0 6_2_00007FF7234325D0
Source: C:\Users\user\Desktop\elevation_service.exe Code function: String function: 00007FF72351350C appears 71 times
Source: elevation_service.exe Static PE information: Number of sections : 11 > 10
Source: elevation_service.exe Binary or memory string: OriginalFilename vs elevation_service.exe
Source: classification engine Classification label: clean18.winEXE@9/2@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\SysWOW64\sc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: elevation_service.exe String found in binary or memory: partition_alloc/address_space
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create OZgQJ binpath= "C:\Users\user\Desktop\elevation_service.exe" >> C:\servicereg.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create OZgQJ binpath= "C:\Users\user\Desktop\elevation_service.exe"
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start OZgQJ >> C:\servicestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc start OZgQJ
Source: unknown Process created: C:\Users\user\Desktop\elevation_service.exe C:\Users\user\Desktop\elevation_service.exe
Source: C:\Users\user\Desktop\elevation_service.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\elevation_service.exe Section loaded: kernel.appcore.dll
Source: initial sample Static PE information: Valid certificate with Microsoft Issuer
Source: elevation_service.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: elevation_service.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: elevation_service.exe Static file information: File size 1838024 > 1048576
Source: elevation_service.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15c800
Source: elevation_service.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: elevation_service.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: elevation_service.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: elevation_service.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: elevation_service.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: elevation_service.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: elevation_service.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: elevation_service.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: elevation_service.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: elevation_service.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: elevation_service.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: elevation_service.exe Static PE information: section name: .gxfg
Source: elevation_service.exe Static PE information: section name: .retplne
Source: elevation_service.exe Static PE information: section name: LZMADEC
Source: elevation_service.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\elevation_service.exe API coverage: 9.1 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234E1D9C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00007FF7234E1D9C
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF723487204 _Init_thread_header,GetProcessHeap,_Init_thread_header, 6_2_00007FF723487204
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234CE438 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00007FF7234CE438
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF723510928 IsValidSid,GetSecurityDescriptorDacl,SetSecurityDescriptorDacl, 6_2_00007FF723510928
Source: C:\Users\user\Desktop\elevation_service.exe Code function: 6_2_00007FF7234CE6E4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_00007FF7234CE6E4
No contacted IP infos