sc.exe
Author: Microsoft
Source: Wild
Threat: LOLBin
Summary
sc.exe is a command-line utility used to control a Windows service. It can query whether a service is running and start or stop a service. It contains many other commands used to interact with the Service Control Manager.
EchoTrail Prevalence Score (EPS)
95.65
Rank Analysis
Host Prevalence
93.8%
Execution Rank
12th
Behavioral Analysis
Top Paths
C:\Windows\System32
97.97 %
Top Network Ports
389
41.29 %
Ancestry Analysis
Top GrandParents
Top Parents
Top Children
Security Analysis
Intel
When sc.exe is used in a malicious scenario, it is most commonly stopping (sc.exe stop [service_name]) or starting (sc.exe start [service_name]) services. Some legitimate administration or installation scripts also require "sc start/stop" to modify a service's run status. In these cases, it is fairly simple to baseline normal, and hopefully legitimate, sc.exe start/stop usage. It should be rare to see sc.exe stopping or starting services in a manual fashion. Manual use is usually evident in one of two ways: the specific sc.exe command line does not exist elsewhere in that environment, or the timestamps of the activities before the suspicious sc.exe are seconds apart rather than milliseconds apart (the former indicating manual human interaction, the latter indicating scripted/automatic activity).
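The two signals described above (a command line seen nowhere else in the environment, and a human-paced gap before the sc.exe execution) can be checked over process-creation telemetry. The following is an added example, not EchoTrail's code; the event schema, the sample events, the service names and both thresholds (fewer than 2 hosts, a gap of 1 second or more under the same parent process) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed process-creation events (assumed schema): host, time, parent PID, command line.
EVENTS = [
    ("ws01", "2024-01-01T09:00:00.010", 900, "cmd.exe /c install.cmd"),
    ("ws01", "2024-01-01T09:00:00.045", 900, "sc.exe stop ExampleAgent"),
    ("ws01", "2024-01-01T09:00:00.090", 900, "sc.exe start ExampleAgent"),
    ("ws02", "2024-01-01T09:05:00.050", 812, "sc.exe stop ExampleAgent"),
    ("ws02", "2024-01-01T09:05:00.095", 812, "sc.exe start ExampleAgent"),
    ("ws03", "2024-01-01T10:00:03.000", 4120, "whoami"),
    ("ws03", "2024-01-01T10:00:11.500", 4120, r"C:\Windows\System32\sc.exe stop ExampleBackupSvc"),
    ("ws03", "2024-01-01T10:00:19.200", 4120, "sc stop ExampleAgent"),
]

SC_START_STOP = re.compile(r'(?:^|\\)sc(?:\.exe)?"?\s+(start|stop)\s+(\S+)', re.I)

def normalize(cmdline):
    """Reduce an sc start/stop command line to 'sc <verb> <service>', else None."""
    m = SC_START_STOP.search(cmdline)
    return f"sc {m.group(1)} {m.group(2)}".lower() if m else None

def find_manual_sc(events, min_hosts=2, human_gap_s=1.0):
    """Return (host, command, signals) for sc start/stop that looks manual.
    Both thresholds are assumptions to tune against your own baseline."""
    hosts_by_cmd = defaultdict(set)          # baseline: which hosts ran each command
    for host, _, _, cmdline in events:
        key = normalize(cmdline)
        if key:
            hosts_by_cmd[key].add(host)
    findings, last_seen = [], {}
    for host, ts, ppid, cmdline in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        prev = last_seen.get((host, ppid))   # previous activity under the same parent
        last_seen[(host, ppid)] = when
        key = normalize(cmdline)
        if not key:
            continue
        signals = []
        if len(hosts_by_cmd[key]) < min_hosts:
            signals.append("rare_cmdline")   # not seen elsewhere in the environment
        if prev is not None and (when - prev).total_seconds() >= human_gap_s:
            signals.append("human_paced")    # seconds apart, not milliseconds
        if signals:
            findings.append((host, key, signals))
    return findings

if __name__ == "__main__":
    print(find_manual_sc(EVENTS))
```

On the sample data the installer-driven stop/start pairs on ws01 and ws02 are not reported, while both typed commands on ws03 are, the second one on timing alone because its command line matches the baseline.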