Analysis Report radarrs.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 210035
Start date: 21.02.2020
Start time: 14:43:42
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 35s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: radarrs.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.troj.evad.winEXE@3/0@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 52.5% (good quality ratio 48.6%)
  • Quality average: 80%
  • Quality standard deviation: 29.7%
HCA Information:
  • Successful, ratio: 97%
  • Number of executed functions: 61
  • Number of non-executed functions: 331
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.

Detection

Strategy  | Score | Range   | Whitelisted | Threat | Detection
Threshold | 88    | 0 - 100 | false       | Emotet | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required?
Threshold | 5     | 0 - 5 | false


Classification

Classification label: mal88.troj.evad.winEXE@3/0@0/1

Analysis Advice

The sample has a GUI, but Joe Sandbox did not find any clickable buttons; more UI automation would likely extend the observed behavior.



MITRE ATT&CK Matrix

The matrix is listed per tactic column; a number in parentheses after a technique is the count of matching signatures the report recorded for it.

  • Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment
  • Execution: Execution through API (2), Service Execution, Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting
  • Persistence: Hidden Files and Directories (1), Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception
  • Privilege Escalation: Process Injection (2), Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task
  • Defense Evasion: Masquerading (12), Hidden Files and Directories (1), Software Packing (1), Process Injection (2), Deobfuscate/Decode Files or Information (1), File Deletion (1), Obfuscated Files or Information (21)
  • Credential Access: Input Capture (1), Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception
  • Discovery: System Time Discovery (2), Process Discovery (3), Application Window Discovery (1), Security Software Discovery (1), File and Directory Discovery (2), System Information Discovery (27), Network Sniffing
  • Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash
  • Collection: Input Capture (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection
  • Exfiltration: Data Encrypted (1), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel
  • Command and Control: Standard Cryptographic Protocol (1), Commonly Used Port (1), Standard Non-Application Layer Protocol (1), Standard Application Layer Protocol (11), Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Signature Overview


AV Detection:

Antivirus detection for sample
Source: radarrs.exe | Avira: detection malicious, Label: TR/AD.Emotet.ujrza
Found malware configuration
Source: p2pnetsh.exe.2196.2.memstr | Malware Configuration Extractor: Emotet {"C2 list": ["24.179.13.67/I60EJuiP"]}
Multi AV Scanner detection for submitted file
Source: radarrs.exe | Virustotal: Detection: 14%
Source: radarrs.exe | ReversingLabs TitaniumCloud: Detection: 74%

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_004163F3 lstrcpy,FindFirstFileA,GetLastError,SetLastError,lstrlen,SetLastError
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_004469FD lstrlen,FindFirstFileA,FindClose
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_004163F3 lstrcpy,FindFirstFileA,GetLastError,SetLastError,lstrlen,SetLastError
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_004469FD lstrlen,FindFirstFileA,FindClose
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00445F35 __EH_prolog,GetFullPathNameA,lstrcpyn,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,lstrcpy

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404328 ET CNC Feodo Tracker Reported CnC Server TCP group 15, 192.168.2.5:49779 -> 24.179.13.67:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  POST /I60EJuiP/ HTTP/1.1
  Referer: http://24.179.13.67/I60EJuiP/
  Content-Type: multipart/form-data; boundary=---------------------------641610007961539
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 24.179.13.67
  Content-Length: 4644
  Connection: Keep-Alive
  Cache-Control: no-cache
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 24.179.13.67 (6 occurrences)
Posts data to webserver
Source: unknown | HTTP traffic detected: POST /I60EJuiP/ HTTP/1.1 to Host 24.179.13.67 (same request headers as the entry listed under "Uses a known web browser user agent for HTTP communication")
Urls found in memory or binary data
Source: p2pnetsh.exe, 00000002.00000002.2366795874.0000000000753000.00000004.00000020.sdmp | String found in binary or memory: http://24.179.13.67/I60EJuiP/
Source: p2pnetsh.exe, 00000002.00000002.2366795874.0000000000753000.00000004.00000020.sdmp | String found in binary or memory: http://24.179.13.67/I60EJuiP/A
Source: p2pnetsh.exe, 00000002.00000002.2366795874.0000000000753000.00000004.00000020.sdmp | String found in binary or memory: http://24.179.13.67/I60EJuiP/W

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_004400BB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00458396 GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0043ACBA __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00450FD0 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_004435AD GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00455AE0 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_004400BB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00458396 GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_0043ACBA __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00450FD0 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_004435AD GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00455AE0 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000000.00000002.2004838605.0000000000A81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2004796547.0000000000A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2367192907.0000000000BE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2367169094.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0043E01A NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_004403F7 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00450862 NtdllDefWindowProc_A,GetWindowRect,SetRect,InvalidateRect,SetRect,InvalidateRect,SetRect,SetRect,InvalidateRect,SetRect,InvalidateRect
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0043EECE GetClassInfoA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0043F741 NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_0043E01A NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_004403F7 NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00450862 NtdllDefWindowProc_A,GetWindowRect,SetRect,InvalidateRect,SetRect,InvalidateRect,SetRect,SetRect,InvalidateRect,SetRect,InvalidateRect
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_0043EECE GetClassInfoA,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_0043F741 NtdllDefWindowProc_A
Creates files inside the system directory
Source: C:\Users\user\Desktop\radarrs.exe | File created: C:\Windows\SysWOW64\p2pnetsh\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\radarrs.exe | File deleted: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00424550
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0044172F
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0041FC2A
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00424550
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_0044172F
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_0041FC2A
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00429FE3
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00BD531F
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00BE59E0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: String function: 0043FA45 appears 33 times
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: String function: 00427157 appears 31 times
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: String function: 0043CBC4 appears 46 times
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: String function: 00425FB0 appears 66 times
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: String function: 0043673A appears 51 times
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: String function: 00401980 appears 47 times
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: String function: 00427F15 appears 44 times
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: String function: 0045BD99 appears 49 times
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: String function: 00424B40 appears 350 times
Source: C:\Users\user\Desktop\radarrs.exe | Code function: String function: 00427F15 appears 42 times
Source: C:\Users\user\Desktop\radarrs.exe | Code function: String function: 0043FA45 appears 32 times
Source: C:\Users\user\Desktop\radarrs.exe | Code function: String function: 0043CBC4 appears 42 times
Source: C:\Users\user\Desktop\radarrs.exe | Code function: String function: 00425FB0 appears 62 times
Source: C:\Users\user\Desktop\radarrs.exe | Code function: String function: 0043673A appears 46 times
Source: C:\Users\user\Desktop\radarrs.exe | Code function: String function: 00401980 appears 45 times
Source: C:\Users\user\Desktop\radarrs.exe | Code function: String function: 0045BD99 appears 48 times
Source: C:\Users\user\Desktop\radarrs.exe | Code function: String function: 00424B40 appears 320 times
PE file contains strange resources
Source: radarrs.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: radarrs.exe, 00000000.00000002.2006098291.0000000002EF0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs radarrs.exe
Source: radarrs.exe, 00000000.00000002.2006385073.0000000002FE0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs radarrs.exe
Source: radarrs.exe, 00000000.00000002.2006385073.0000000002FE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs radarrs.exe
Classification label
Source: classification engine | Classification label: mal88.troj.evad.winEXE@3/0@0/1
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0044B4F7 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA
Contains functionality to enum processes or threads
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00BE42A0 CreateToolhelp32Snapshot,Process32NextW
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0043DC83 __EH_prolog,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource
Creates mutexes
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\MC6905D30
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\IC6905D30
Reads ini files
Source: C:\Users\user\Desktop\radarrs.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\radarrs.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: radarrs.exe | Virustotal: Detection: 14%
Source: radarrs.exe | ReversingLabs TitaniumCloud: Detection: 74%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\radarrs.exe 'C:\Users\user\Desktop\radarrs.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe
Source: C:\Users\user\Desktop\radarrs.exe | Process created: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe
Binary contains paths to debug symbols
Source: Binary string: ?.pdbPQ | source: radarrs.exe
Source: Binary string: c:\Users\User\Desktop\2003\13.2.20\ODBCAccess_demo\ODBCExample\Release\ODBCExample.pdb | source: radarrs.exe, p2pnetsh.exe
Source: Binary string: c:\Users\User\Desktop\2003\13.2.20\ODBCAccess_demo\ODBCExample\Release\ODBCExample.pdbPQH | source: radarrs.exe, 00000000.00000002.2003983193.0000000000401000.00000040.00020000.sdmp, p2pnetsh.exe, 00000002.00000002.2366202117.0000000000401000.00000040.00020000.sdmp
Source: Binary string: ?.pdb | source: radarrs.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00406A20 LoadLibraryW,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00424030 push eax; ret 0_2_00424044
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00424030 push eax; ret 0_2_0042406C
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00424B40 push eax; ret 0_2_00424B5E
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00424030 push eax; ret 2_2_00424044
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00424030 push eax; ret 2_2_0042406C
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00424B40 push eax; ret 2_2_00424B5E
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00425FEB push ecx; ret 2_2_00425FFB
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00BD9A9D push ecx; retf 2_2_00BD9AA3
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\radarrs.exe | Executable created and started: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\radarrs.exe | PE file moved: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\radarrs.exe | File opened: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0041425E IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0044A8F7 GetParent,GetParent,IsIconic,GetParent
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00406BA0 IsIconic
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00406DA0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00455B83 IsWindowVisible,IsIconic
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_0041425E IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_0044A8F7 GetParent,GetParent,IsIconic,GetParent
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00406BA0 IsIconic
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00406DA0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00455B83 IsWindowVisible,IsIconic
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_0044DF7C __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\radarrs.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)

Malware Analysis System Evasion:

Found evasive API chain (date check)
Source: C:\Users\user\Desktop\radarrs.exe | Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes (graph_0-47354)
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes (graph_2-58838)
Checks the free space of harddrives
Source: C:\Users\user\Desktop\radarrs.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_004163F3 lstrcpy,FindFirstFileA,GetLastError,SetLastError,lstrlen,SetLastError
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_004469FD lstrlen,FindFirstFileA,FindClose
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_004163F3 lstrcpy,FindFirstFileA,GetLastError,SetLastError,lstrlen,SetLastError
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_004469FD lstrlen,FindFirstFileA,FindClose
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00445F35 __EH_prolog,GetFullPathNameA,lstrcpyn,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,lstrcpy
Contains functionality to query system information
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0042446C VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: p2pnetsh.exe, 00000002.00000002.2366795874.0000000000753000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: p2pnetsh.exe, 00000002.00000002.2366795874.0000000000753000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWxQy%SystemRoot%\system32\mswsock.dll
Program exit points
Source: C:\Users\user\Desktop\radarrs.exe | API call chain: ExitProcess (graph end node, graph_0-47068)
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | API call chain: ExitProcess (graph end node, graph_2-58536)
Queries a list of all running processes
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00406A20 LoadLibraryW,GetProcAddress
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00406860 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00406860 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00405E40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00BD0467 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00BD2F7F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00BD3D1F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00BE43E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00BE3640 mov eax, dword ptr fs:[00000030h]
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0042831A SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0042832E SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_0042831A SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_0042832E SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: p2pnetsh.exe, 00000002.00000002.2367245922.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: p2pnetsh.exe, 00000002.00000002.2367245922.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: p2pnetsh.exe, 00000002.00000002.2367245922.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: p2pnetsh.exe, 00000002.00000002.2367245922.0000000000F90000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_004343C6 GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_004344F6 GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00434482 GetLocaleInfoA,MultiByteToWideChar
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_004345A9 GetLocaleInfoW,WideCharToMultiByte
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00430932 GetLocaleInfoA,_strncpy
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0045AA06 lstrcpy,LoadLibraryA,GetLocaleInfoA
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00430E51 _strlen,EnumSystemLocalesA
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00430E88 _strlen,_strlen,EnumSystemLocalesA
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00430F63 GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00430F0E _strlen,EnumSystemLocalesA
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00401030 GetThreadLocale,GetLocaleInfoA,GetACP
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_00431A71 GetLocaleInfoA
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_004343C6 GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_004344F6 GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00434482 GetLocaleInfoA,MultiByteToWideChar
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_004345A9 GetLocaleInfoW,WideCharToMultiByte
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00430932 GetLocaleInfoA,_strncpy
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_0045AA06 lstrcpy,LoadLibraryA,GetLocaleInfoA
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00430E51 _strlen,EnumSystemLocalesA
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00430E88 _strlen,_strlen,EnumSystemLocalesA
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00430F63 GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00430F0E _strlen,EnumSystemLocalesA
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00401030 GetThreadLocale,GetLocaleInfoA,GetACP
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Code function: 2_2_00431A71 GetLocaleInfoA
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\radarrs.exe | Queries volume information: C:\ VolumeInformation (7 occurrences)
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe | Queries volume information: C:\ VolumeInformation (6 occurrences)
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_004241D0 GetSystemTimeAsFileTime,__aulldiv
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0042C917 __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy
Contains functionality to query windows version
Source: C:\Users\user\Desktop\radarrs.exe | Code function: 0_2_0041402D GetVersionExA
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\radarrs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match; File source: 00000000.00000002.2004838605.0000000000A81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2004796547.0000000000A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2367192907.0000000000BE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2367169094.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\radarrs.exe; Code function: 0_2_0045EF69 CreateBindCtx,lstrlenW,lstrlen
Source: C:\Users\user\Desktop\radarrs.exe; Code function: 0_2_0045F583 lstrlen,lstrlenW,lstrlenW,lstrlenW,CreateBindCtx
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe; Code function: 2_2_0045EF69 CreateBindCtx,lstrlenW,lstrlen
Source: C:\Windows\SysWOW64\p2pnetsh\p2pnetsh.exe; Code function: 2_2_0045F583 lstrlen,lstrlenW,lstrlenW,lstrlenW,CreateBindCtx

Malware Configuration

Threatname: Emotet

{"C2 list": ["24.179.13.67/I60EJuiP"]}

Behavior Graph

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
radarrs.exe | 14% | Virustotal |
radarrs.exe | 74% | ReversingLabs TitaniumCloud File Reputation | Win32.Trojan.Emotet
radarrs.exe | 100% | Avira | TR/AD.Emotet.ujrza

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.radarrs.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1004714
2.2.p2pnetsh.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1004714

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://24.179.13.67/I60EJuiP/A | 0% | Avira URL Cloud | safe
http://24.179.13.67/I60EJuiP/W | 0% | Avira URL Cloud | safe
http://24.179.13.67/I60EJuiP/ | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.2004838605.0000000000A81000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.2004796547.0000000000A70000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.2367192907.0000000000BE1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.2367169094.0000000000BD0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN


JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.