
Analysis Report shlprouter.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 181824
Start date: 10.10.2019
Start time: 03:37:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 45s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: shlprouter.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.bank.evad.winEXE@6/0@0/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 68.6% (good quality ratio 64.3%)
  • Quality average: 79.4%
  • Quality standard deviation: 30.1%
HCA Information:
  • Successful, ratio: 81%
  • Number of executed functions: 112
  • Number of non-executed functions: 180
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Whitelisted | Threat | Detection
Threshold | 84 | 0 - 100 | false | Emotet | malicious

Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Trailing digits in parentheses are the badge counters shown next to a technique in the original matrix.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts (1) | Execution through API (1) | Valid Accounts (1) | Valid Accounts (1) | Software Packing (1) | Input Capture (1) | System Time Discovery (1) | Remote File Copy (1) | Input Capture (1) | Data Encrypted (12) | Remote File Copy (1)
Replication Through Removable Media | Service Execution (2) | Modify Existing Service (11) | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (1) | Network Sniffing | Security Software Discovery (41) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol (22)
Drive-by Compromise | Windows Management Instrumentation | New Service (12) | New Service (12) | File Deletion (1) | Input Capture | System Service Discovery (1) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol (2)
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information (2) | Credentials in Files | File and Directory Discovery (1) | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol (12)
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading (2) | Account Manipulation | System Information Discovery (42) | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Valid Accounts (1) | Brute Force | Query Registry (1) | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | Access Token Manipulation (1) | Two-Factor Authentication Interception | Process Discovery (2) | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | DLL Side-Loading (1) | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for sample
Source: shlprouter.exe | Avira: detection malicious, Label: TR/AD.Emotet.daed
Source: shlprouter.exe | Joe Sandbox ML: detected
Multi AV Scanner detection for submitted file
Source: shlprouter.exe | Virustotal: Detection: 58%
Antivirus or Machine Learning detection for unpacked file
Source: 3.0.magnifymspterm.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.daed
Source: 0.0.shlprouter.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.daed
Source: 4.0.magnifymspterm.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.daed
Source: 1.0.shlprouter.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.daed

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001E207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001E215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001E1F11 CryptExportKey
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001E1F56 CryptGetHashParam
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001E1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001E1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E1F11 CryptExportKey
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E1F56 CryptGetHashParam

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.5:49713 -> 91.121.116.137:443
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 91.121.116.137
Source: Joe Sandbox View | IP Address: 80.79.23.144
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  POST /ringin/splash/ HTTP/1.1
  Referer: http://80.79.23.144/ringin/splash/
  Content-Type: application/x-www-form-urlencoded
  DNT: 1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 80.79.23.144:443
  Content-Length: 634
  Connection: Keep-Alive
  Cache-Control: no-cache
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.116.137
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.116.137
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.116.137
Source: unknown | TCP traffic detected without corresponding DNS query: 80.79.23.144
Source: unknown | TCP traffic detected without corresponding DNS query: 80.79.23.144
Source: unknown | TCP traffic detected without corresponding DNS query: 80.79.23.144
Source: unknown | TCP traffic detected without corresponding DNS query: 80.79.23.144
Source: unknown | TCP traffic detected without corresponding DNS query: 80.79.23.144
Source: unknown | TCP traffic detected without corresponding DNS query: 80.79.23.144
Contains functionality to download additional files from the internet
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E1383 InternetReadFile
Posts data to webserver
Source: unknown | HTTP traffic detected:
  POST /ringin/splash/ HTTP/1.1
  Referer: http://80.79.23.144/ringin/splash/
  Content-Type: application/x-www-form-urlencoded
  DNT: 1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 80.79.23.144:443
  Content-Length: 634
  Connection: Keep-Alive
  Cache-Control: no-cache
Urls found in memory or binary data
Source: magnifymspterm.exe, 00000004.00000002.2136816962.00000000006A0000.00000004.00000001.sdmp, magnifymspterm.exe, 00000004.00000002.2136190897.000000000019A000.00000004.00000001.sdmp, magnifymspterm.exe, 00000004.00000003.1835289784.00000000006A0000.00000004.00000001.sdmp | String found in binary or memory: http://80.79.23.144/ringin/splash/
Source: magnifymspterm.exe, 00000004.00000002.2136816962.00000000006A0000.00000004.00000001.sdmp | String found in binary or memory: http://80.79.23.144:443/ringin/splash/
Source: magnifymspterm.exe, 00000004.00000002.2136816962.00000000006A0000.00000004.00000001.sdmp | String found in binary or memory: http://80.79.23.144:443/ringin/splash/4
Source: magnifymspterm.exe, 00000004.00000002.2136724768.0000000000660000.00000004.00000020.sdmp | String found in binary or memory: http://80.79.23.144:443/ringin/splash/5j
Source: magnifymspterm.exe, 00000004.00000002.2136816962.00000000006A0000.00000004.00000001.sdmp | String found in binary or memory: http://80.79.23.144:443/ringin/splash/~
Source: magnifymspterm.exe, 00000004.00000002.2136816962.00000000006A0000.00000004.00000001.sdmp, magnifymspterm.exe, 00000004.00000002.2136724768.0000000000660000.00000004.00000020.sdmp | String found in binary or memory: http://91.121.116.137:443/iplk/health/pdf/merge/
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: shlprouter.exe, 00000000.00000002.1719664940.00000000006D0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001EC2E2
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001EC2E2

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001E1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext

System Summary:

Contains functionality to delete services
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001EC4AE GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001E1D2B CreateProcessAsUserW,CreateProcessW
Creates files inside the system directory
Source: C:\Windows\SysWOW64\magnifymspterm.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Creates mutexes
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Mutant created: \BaseNamedObjects\Global\I3C4E0000
Source: C:\Users\user\Desktop\shlprouter.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I3C4E0000
Source: C:\Users\user\Desktop\shlprouter.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M3C4E0000
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\shlprouter.exe | File deleted: C:\Windows\SysWOW64\magnifymspterm.exe:Zone.Identifier
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: String function: 0040CC10 appears 78 times
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: String function: 00407BBD appears 40 times
PE file contains strange resources
Source: shlprouter.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: shlprouter.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: shlprouter.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name gathered from version info
Source: shlprouter.exe, 00000001.00000002.1742076240.00000000021B0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs shlprouter.exe
Source: shlprouter.exe, 00000001.00000002.1742042105.0000000002170000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs shlprouter.exe
Source: shlprouter.exe, 00000001.00000002.1742042105.0000000002170000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs shlprouter.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\shlprouter.exe | Section loaded: wow64log.dll
Source: C:\Users\user\Desktop\shlprouter.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Section loaded: wow64log.dll
Yara signature match
Source: 00000003.00000002.1739918584.00000000001E1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1719111997.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2136207461.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1741401346.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1719223620.00000000001E1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2136239749.00000000001E1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1739875679.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1741428380.00000000001E1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet, author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Classification label
Source: classification engine | Classification label: mal84.bank.evad.winEXE@6/0@0/2
Contains functionality to create services
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle (1_2_001EC57E)
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle (4_2_001EC57E)
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_001E1943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001EC57E OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
PE file has an executable .text section and no other executable section
Source: shlprouter.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\shlprouter.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\shlprouter.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: shlprouter.exe | Virustotal: Detection: 58%
Sample requires command line parameters (based on API chain)
Source: C:\Users\user\Desktop\shlprouter.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_0-19513)
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_3-4603)
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\shlprouter.exe 'C:\Users\user\Desktop\shlprouter.exe'
Source: unknown | Process created: C:\Users\user\Desktop\shlprouter.exe --9d1d7940
Source: unknown | Process created: C:\Windows\SysWOW64\magnifymspterm.exe C:\Windows\SysWOW64\magnifymspterm.exe
Source: unknown | Process created: C:\Windows\SysWOW64\magnifymspterm.exe --1447b0a7
Source: C:\Users\user\Desktop\shlprouter.exe | Process created: C:\Users\user\Desktop\shlprouter.exe --9d1d7940
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process created: C:\Windows\SysWOW64\magnifymspterm.exe --1447b0a7
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\shlprouter.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
PE file contains a debug data directory
Source: shlprouter.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: C:\Users\User\Desktop\2013\EMASZXCDE\ReleaseMinSize\EMASZXCDE.pdb source: shlprouter.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_001E179C LoadLibraryA,GetProcAddress
Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Executable created and started: C:\Windows\SysWOW64\magnifymspterm.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\shlprouter.exe | PE file moved: C:\Windows\SysWOW64\magnifymspterm.exe

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001EC57E OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\shlprouter.exe | File opened: C:\Windows\SysWOW64\magnifymspterm.exe:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_0040A3A4 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_3-4696)
Source: C:\Users\user\Desktop\shlprouter.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_0-19611)
Checks the free space of harddrives
Source: C:\Users\user\Desktop\shlprouter.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle (1_2_001EC2E2)
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle (4_2_001EC2E2)
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\shlprouter.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-17342)
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\magnifymspterm.exe | API coverage: 9.8 %
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: magnifymspterm.exe, 00000004.00000002.2136816962.00000000006A0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Program exit points
Source: C:\Users\user\Desktop\shlprouter.exe | API call chain: ExitProcess graph end node (graph_0-17343)
Source: C:\Users\user\Desktop\shlprouter.exe | API call chain: ExitProcess graph end node (graph_0-19543)
Source: C:\Users\user\Desktop\shlprouter.exe | API call chain: ExitProcess graph end node (graph_1-17287)
Source: C:\Users\user\Desktop\shlprouter.exe | API call chain: ExitProcess graph end node (graph_1-19492)
Source: C:\Windows\SysWOW64\magnifymspterm.exe | API call chain: ExitProcess graph end node (graph_3-4633)
Source: C:\Windows\SysWOW64\magnifymspterm.exe | API call chain: ExitProcess graph end node (graph_4-4566)
Source: C:\Windows\SysWOW64\magnifymspterm.exe | API call chain: ExitProcess graph end node (graph_4-4576)
Queries a list of all running processes
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Process information queried: ProcessInformation

Anti Debugging:

barindex
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\SysWOW64\magnifymspterm.exe | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_0040F984 IsDebuggerPresent,0_2_0040F984
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_00416373 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00416373
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_001E179C LoadLibraryA,GetProcAddress,0_2_001E179C
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_004040A0 mov eax, dword ptr fs:[00000030h] 0_2_004040A0
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_00403940 mov eax, dword ptr fs:[00000030h] 0_2_00403940
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_001D0C0C mov eax, dword ptr fs:[00000030h] 0_2_001D0C0C
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_001D0467 mov eax, dword ptr fs:[00000030h] 0_2_001D0467
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_001D1743 mov eax, dword ptr fs:[00000030h] 0_2_001D1743
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_001E1E04 mov eax, dword ptr fs:[00000030h] 0_2_001E1E04
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_001E12CD mov eax, dword ptr fs:[00000030h] 0_2_001E12CD
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_004040A0 mov eax, dword ptr fs:[00000030h] 1_2_004040A0
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_00403940 mov eax, dword ptr fs:[00000030h] 1_2_00403940
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001D0C0C mov eax, dword ptr fs:[00000030h] 1_2_001D0C0C
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001D0467 mov eax, dword ptr fs:[00000030h] 1_2_001D0467
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001D1743 mov eax, dword ptr fs:[00000030h] 1_2_001D1743
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001E1E04 mov eax, dword ptr fs:[00000030h] 1_2_001E1E04
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_001E12CD mov eax, dword ptr fs:[00000030h] 1_2_001E12CD
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 3_2_001D0C0C mov eax, dword ptr fs:[00000030h] 3_2_001D0C0C
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 3_2_001D0467 mov eax, dword ptr fs:[00000030h] 3_2_001D0467
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 3_2_001D1743 mov eax, dword ptr fs:[00000030h] 3_2_001D1743
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 3_2_001E1E04 mov eax, dword ptr fs:[00000030h] 3_2_001E1E04
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 3_2_001E12CD mov eax, dword ptr fs:[00000030h] 3_2_001E12CD
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001D0C0C mov eax, dword ptr fs:[00000030h] 4_2_001D0C0C
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001D0467 mov eax, dword ptr fs:[00000030h] 4_2_001D0467
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001D1743 mov eax, dword ptr fs:[00000030h] 4_2_001D1743
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E1E04 mov eax, dword ptr fs:[00000030h] 4_2_001E1E04
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Code function: 4_2_001E12CD mov eax, dword ptr fs:[00000030h] 4_2_001E12CD
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_0040EDDB GetProcessHeap,0_2_0040EDDB
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_0040A62F SetUnhandledExceptionFilter,0_2_0040A62F
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_0040A660 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040A660
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_0040A62F SetUnhandledExceptionFilter,1_2_0040A62F
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 1_2_0040A660 SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0040A660

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,0_2_00416083
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,0_2_00416157
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,0_2_00415903
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___ge 0_2_00414990
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _LcidFromHexString,GetLocaleInfoW,0_2_00415AC7
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: EnumSystemLocalesW,0_2_00415B77
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,0_2_0041438E
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_00413BA4
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,0_2_00415BB7
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: EnumSystemLocalesW,0_2_0040C44D
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,0_2_00415C34
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: GetLocaleInfoW,0_2_0040C48A
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,0_2_00415CB7
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,0_2_00408D3E
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,0_2_00415EAC
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,0_2_0040C6BA
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00415FD6
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,0_2_00413F86
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,1_2_00416083
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,1_2_00416157
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,1_2_00415903
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___ge 1_2_00414990
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _LcidFromHexString,GetLocaleInfoW,1_2_00415AC7
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: EnumSystemLocalesW,1_2_00415B77
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,1_2_0041438E
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,1_2_00413BA4
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,1_2_00415BB7
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: EnumSystemLocalesW,1_2_0040C44D
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,1_2_00415C34
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: GetLocaleInfoW,1_2_0040C48A
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,1_2_00415CB7
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,1_2_00408D3E
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,1_2_00415EAC
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,1_2_0040C6BA
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_00415FD6
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,1_2_00413F86
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_001DC637 cpuid 0_2_001DC637
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\shlprouter.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_004020B0 GetLocalTime,GetDC,BeginPath,GetStockObject,SelectObject,SelectObject,MoveToEx,MoveToEx,AngleArc,EndPath,FillPath,SelectObject,MoveToEx,__libm_sse2_sin_precise,__libm_sse2_cos_precise,LineTo,LineTo,SelectObject,MoveToEx,__libm_sse2_sin_precise,__libm_sse2_cos_precise,LineTo,SelectObject,MoveToEx,__libm_sse2_sin_precise,__libm_sse2_cos_precise,LineTo,SelectObject,ReleaseDC,0_2_004020B0
Contains functionality to query windows version
Source: C:\Users\user\Desktop\shlprouter.exe | Code function: 0_2_001E2398 RtlGetVersion,GetNativeSystemInfo,0_2_001E2398
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\magnifymspterm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph


Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
shlprouter.exe | 58% | Virustotal |
shlprouter.exe | 100% | Avira | TR/AD.Emotet.daed
shlprouter.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
3.0.magnifymspterm.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.daed
0.0.shlprouter.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.daed
4.0.magnifymspterm.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.daed
1.0.shlprouter.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.daed

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://80.79.23.144:443/ringin/splash/~ | 0% | Avira URL Cloud | safe
http://91.121.116.137:443/iplk/health/pdf/merge/ | 0% | Avira URL Cloud | safe
http://80.79.23.144:443/ringin/splash/5j | 0% | Avira URL Cloud | safe
https://80.79.23.144:443/ringin/splash/ | 0% | Avira URL Cloud | safe
http://80.79.23.144:443/ringin/splash/ | 0% | Avira URL Cloud | safe
http://80.79.23.144:443/ringin/splash/4 | 0% | Avira URL Cloud | safe
http://80.79.23.144/ringin/splash/ | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each row)
00000003.00000002.1739918584.00000000001E1000.00000020.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0xe11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000000.00000002.1719111997.00000000001D0000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0x1750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000004.00000002.2136207461.00000000001D0000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0x1750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000001.00000002.1741401346.00000000001D0000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0x1750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000000.00000002.1719223620.00000000001E1000.00000020.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0xe11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000004.00000002.2136239749.00000000001E1000.00000020.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0xe11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000003.00000002.1739875679.00000000001D0000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0x1750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000001.00000002.1741428380.00000000001E1000.00000020.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group
  • 0xe11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection (context URL listed beneath each row)
91.121.116.137 | Fattura 8896571.doc | malicious
  • 91.121.116.137:443/enable/nsip/xian/
91.121.116.137 | Fattura 8896571.doc | malicious
  • 91.121.116.137:443/teapot/publish/
91.121.116.137 | Fattura 8896571.doc | malicious
  • 91.121.116.137:443/attrib/xian/loadan/
80.79.23.144 | 091729_20191009.doc | malicious
  • 80.79.23.144:443/iplk/health/free/
80.79.23.144 | 091729_20191009.doc | malicious
  • 80.79.23.144:443/guids/vermont/jit/merge/
80.79.23.144 | Fattura N 000082-19 HCZ 09-10-2019.doc | malicious
  • 80.79.23.144:443/attrib/pdf/
80.79.23.144 | Fattura N 000082-19 HCZ 09-10-2019.doc | malicious
  • 80.79.23.144:443/merge/
80.79.23.144 | Fattura N 000082-19 HCZ 09-10-2019.doc | malicious
  • 80.79.23.144:443/cone/xian/loadan/merge/
80.79.23.144 | http://www.saleemibookdepot.com/hpkikf/LLC/fqj2uihuh9te8_bculdpib-726470310041/ | malicious
  • 80.79.23.144:443/usbccid/cone/free/
80.79.23.144 | https://www.elibdesign.co.il/wp-content/yKiXqyQZcygxYAAKT/ | malicious
  • 80.79.23.144:443/stubs/entries/
80.79.23.144 | https://ctni.co.uk/wp-admin/esp/bBItbZBcBQOoEwafxb/ | malicious
  • 80.79.23.144:443/img/odbc/loadan/
80.79.23.144 | VIRUS_N.299 DBF 07.10.2019.doc | malicious
  • 80.79.23.144:443/enable/publish/loadan/
80.79.23.144 | FATTURA N 000047-19 OJY 07-10-2019.DOC | malicious
  • 80.79.23.144:443/free/publish/xian/merge/
80.79.23.144 | VIRUS_N.299 DBF 07.10.2019.doc | malicious
  • 80.79.23.144:443/scripts/tpt/jit/merge/
80.79.23.144 | FATTURA N 000047-19 OJY 07-10-2019.DOC | malicious
  • 80.79.23.144:443/srvc/ban/
80.79.23.144 | FATTURA N 000047-19 OJY 07-10-2019.DOC | malicious
  • 80.79.23.144:443/schema/
80.79.23.144 | VIRUS_N.299 DBF 07.10.2019.doc | malicious
  • 80.79.23.144:443/rtm/nsip/loadan/
80.79.23.144 | FATTURA N 000047-19 OJY 07-10-2019.DOC | malicious
  • 80.79.23.144:443/devices/sess/loadan/merge/
80.79.23.144 | FATTURA N 000047-19 OJY 07-10-2019.DOC | malicious
  • 80.79.23.144:443/loadan/iplk/jit/merge/
80.79.23.144 | Copia Fattura.doc | malicious
  • 80.79.23.144:443/odbc/
80.79.23.144 | Copia Fattura.doc | malicious
  • 80.79.23.144:443/iplk/walk/jit/
80.79.23.144 | NOTICE_2019_10_03_06195.doc.old.doc | malicious
  • 80.79.23.144:443/between/arizona/loadan/
80.79.23.144 | NOTICE_2019_10_03_06195.doc.old.doc | malicious
  • 80.79.23.144:443/devices/glitch/

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection (context IP listed beneath each row)
unknown | http://dna789537.typeform.com | malicious
  • 104.18.27.190
unknown | http://click.icptrack.com/icp/relay.php?r=30000099&msgid=6080008&act=F00B&c=1778479&destination=https%3A%2F%2F091020191045.azureedge.net/test | malicious
  • 40.123.16.21
unknown | Profile Properties Project Proposal.pdf | malicious
  • 3.3.0.2
unknown | SCAN08364720 #45836(PDF).pdf.htm | malicious
  • 198.7.58.222
unknown | changing-american-families.pdf | malicious
  • 3.3.0.2
unknown | https://u12003579.ct.sendgrid.net/wf/click?upn=R2yM0As7GsE3XQjcHokWWmr-2Fyq3uiCrlMY5ruCa9nKaxFfGFz-2FjjhpS0-2FYdpAHxh1egTyYr1N1q4XZhNWqZk4Umg06FgNCQHC5yNWDEHQsk-3D_vi-2BtvAE60BrIVVVZJCsaxyggZGLEnqVa6oIzKHnRejyamXH1IDRGVPeo2oQQjVQ9bvGpEfU3DUUbYhrwFKqaBMF5-2BYefbRZpp74aIZEsqes7A7mylvp3hy0DCz5RytLeCI4z1EQ9SOI4MAxSK-2FBQxZUCwi6JVZedGt41M-2FN7ROKQ0ZDIgUI-2BDK-2BLtLYSq5VCGB8WrQ7uGhm3-2FmHhvbACf-2Fsatb5jD2FLlF40HsDez5lceL0bAFdFNG1BiieCqYUu | malicious
  • 52.222.173.95
unknown | https://mediasignonline.com/itelds/fire-3 | malicious
  • 74.120.188.204
unknown | https://omegavehicleservices.com/wp-includes/owa/owa.vcccd.edu.html | malicious
  • 72.47.244.96
unknown | https://voiceplaybackauth.z13.web.core.windows.net/ | malicious
  • 52.239.152.65
unknown | Fin-Report-xls-19.html | malicious
  • 143.95.80.178
unknown | https://mkjhelp.net//cgi--bin/PPDDF | malicious
  • 81.169.145.81
unknown | https://app.box.com/s/cbmjqykrzeazvzo4jv68i2g1dbqudg5q | malicious
  • 147.75.84.181
unknown | Physiotherapy Board Payment and Draft Proposal.pdf | malicious
  • 3.3.0.2
unknown | http://www.tamildbox.top | malicious
  • 34.98.67.61
unknown | https://annuragenmbiopro.com/@%23&%5e%5e%23&&%5e%23%25@$$@%25%25%23%5e%23%5e%23&%23%5e%23%25%5e%23&**$&%5e&*()(*&%5e%23(*&%5e$$@%25%25%23%5e%5e%25$%25%23%5e%25%23 | malicious
  • 104.206.225.200
unknown | https://claims-southhollandmanorhrc.org/adobe/email/security | malicious
  • 142.11.209.226
unknown | ACCESS IMPORTANT FILE.pdf | malicious
  • 3.3.0.2
unknown | https://devoslaan.top/one | malicious
  • 104.18.51.6
unknown | tiempo.apk | malicious
  • 204.236.227.23
unknown | https://smarturl.it/ectywi?email=kvy1@netvigator.com | malicious
  • 96.125.178.145

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails
