Windows Analysis Report
RpcSsv.exe

Overview

General Information

Sample name: RpcSsv.exe
Analysis ID: 1431645
MD5: 523613a7b9dfa398cbd5ebd2dd0f4f38
SHA1: 3e92f697d642d68bb766cc93e3130b36b2da2bab
SHA256: 3e59379f585ebf0becb6b4e06d0fbbf806de28a4bb256e837b4555f1b4245571
Detection

Netcat
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Netcat
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

AV Detection

Source: RpcSsv.exe ReversingLabs: Detection: 34%
Source: RpcSsv.exe Virustotal: Detection: 39%
Source: RpcSsv.exe Static PE information: certificate valid

Spreading

Source: Yara match File source: RpcSsv.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1611099098.0000000000409000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RpcSsv.exe PID: 7592, type: MEMORYSTR
Source: C:\Users\user\Desktop\RpcSsv.exe Code function: 0_2_0040425F _errno,listen,getsockname,inet_ntoa,htons,recvfrom,connect,accept,shutdown,closesocket,getsockname,inet_ntoa,htons,inet_ntoa,_errno,_errno,shutdown,closesocket, 0_2_0040425F
Source: RpcSsv.exe String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: RpcSsv.exe String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: RpcSsv.exe String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: RpcSsv.exe String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: RpcSsv.exe String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: RpcSsv.exe String found in binary or memory: http://eternallybored.org/misc/netcat/
Source: RpcSsv.exe String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: RpcSsv.exe String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: RpcSsv.exe String found in binary or memory: http://www.globalsign.net/repository/0
Source: RpcSsv.exe String found in binary or memory: http://www.globalsign.net/repository/03
Source: RpcSsv.exe String found in binary or memory: http://www.globalsign.net/repository09
Source: C:\Users\user\Desktop\RpcSsv.exe Code function: 0_2_004011B0 0_2_004011B0
Source: C:\Users\user\Desktop\RpcSsv.exe Code function: String function: 004034EB appears 186 times
Source: C:\Users\user\Desktop\RpcSsv.exe Code function: String function: 004035DB appears 145 times
Source: classification engine Classification label: mal52.spre.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: RpcSsv.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RpcSsv.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\RpcSsv.exe "C:\Users\user\Desktop\RpcSsv.exe"
Source: C:\Users\user\Desktop\RpcSsv.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RpcSsv.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RpcSsv.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\RpcSsv.exe API coverage: 7.5 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: RpcSsv.exe, 00000000.00000002.2854248497.000000000073B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\RpcSsv.exe Code function: 0_2_0040C554 RtlLookupFunctionEntry,SetUnhandledExceptionFilter,TlsGetValue,VirtualProtect, 0_2_0040C554
Source: C:\Users\user\Desktop\RpcSsv.exe Code function: 0_2_00406C60 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00406C60
Source: C:\Users\user\Desktop\RpcSsv.exe Code function: 0_2_00405FD1 SetUnhandledExceptionFilter, 0_2_00405FD1
Source: C:\Users\user\Desktop\RpcSsv.exe Code function: 0_2_004011B0 Sleep,Sleep,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleHandleA,GetProcAddress,_acmdln,__initenv,GetStartupInfoA,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetModuleHandleA, 0_2_004011B0
Source: C:\Users\user\Desktop\RpcSsv.exe Code function: 0_2_00406B60 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00406B60
Source: C:\Users\user\Desktop\RpcSsv.exe Code function: 0_2_00403EC7 _errno,WSASetLastError,socket,socket,_dup,setsockopt,htons,bind,_errno,inet_ntoa,_sleep,_errno,inet_ntoa,htons,connect,WSASetLastError,_errno,WSAGetLastError,shutdown,closesocket,_errno,WSASetLastError, 0_2_00403EC7
No contacted IP infos