
Analysis Report dKRGkCq

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 219062
Start date: 31.03.2020
Start time: 02:07:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: dKRGkCq (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.bank.evad.winEXE@6/0@0/5
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 46.6% (good quality ratio 36.8%)
  • Quality average: 63.7%
  • Quality standard deviation: 38.5%
HCA Information:
  • Successful, ratio: 95%
  • Number of executed functions: 118
  • Number of non-executed functions: 121
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): MusNotifyIcon.exe, UsoClient.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 96 | 0 - 100 | | false | Emotet | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

  • All HTTP servers contacted by the sample do not answer; the sample is likely an old dropper that no longer works.
  • Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Mitre Att&ck Matrix

Techniques are listed per tactic column; a trailing number is the count the report attached to that technique.

Initial Access: Valid Accounts 1; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Execution through API 1; Service Execution 12; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Hidden Files and Directories 1; Valid Accounts 1; Modify Existing Service 11; New Service 2; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation: Valid Accounts 1; Access Token Manipulation 1; Process Injection 1; New Service 2; File System Permissions Weakness; New Service; Scheduled Task
Defense Evasion: File Deletion 1; Obfuscated Files or Information 1; Masquerading 11; Hidden Files and Directories 1; Valid Accounts 1; Access Token Manipulation 1; Process Injection 1
Credential Access: Input Capture 1; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: System Time Discovery 11; Security Software Discovery 2; System Service Discovery 1; File and Directory Discovery 1; System Information Discovery 24; Process Discovery 2; Network Sniffing
Lateral Movement: Remote File Copy 1; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Input Capture 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Encrypted 11; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Uncommonly Used Port 1; Commonly Used Port 1; Remote File Copy 1; Standard Cryptographic Protocol 22; Standard Application Layer Protocol 1; Commonly Used Port; Uncommonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Data Encrypted for Impact 1; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Signature Overview



AV Detection:

Antivirus detection for sample
  • Source: dKRGkCq.exe | Avira: detection malicious, Label: HEUR/AGEN.1036970
Multi AV Scanner detection for submitted file
  • Source: dKRGkCq.exe | Virustotal: Detection: 83%
  • Source: dKRGkCq.exe | Metadefender: Detection: 72%
  • Source: dKRGkCq.exe | ReversingLabs: Detection: 96%
Machine Learning detection for sample
  • Source: dKRGkCq.exe | Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_02442279 CryptExportKey,1_2_02442279
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_024422C9 CryptGetHashParam,1_2_024422C9
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_024422F5 CryptAcquireContextW,1_2_024422F5
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_02442314 CryptReleaseContext,1_2_02442314
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_02442335 CryptImportKey,LocalFree,CryptReleaseContext,1_2_02442335
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_02442399 CryptGenKey,CryptDestroyKey,CryptReleaseContext,1_2_02442399
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_024423B7 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,1_2_024423B7
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_02442466 CryptEncrypt,CryptDestroyHash,1_2_02442466
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_02442406 CryptDuplicateHash,1_2_02442406
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_024424F6 CryptDuplicateHash,CryptDecrypt,CryptDestroyHash,1_2_024424F6
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_02442496 CryptDestroyHash,1_2_02442496
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_02442595 CryptVerifySignatureW,CryptDestroyHash,1_2_02442595
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_01172496 CryptDestroyHash,3_2_01172496
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_01172315 CryptDecodeObjectEx,CryptReleaseContext,3_2_01172315
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_01172335 CryptImportKey,LocalFree,CryptReleaseContext,3_2_01172335
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_01172399 CryptGenKey,CryptDestroyKey,CryptReleaseContext,3_2_01172399
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_011723B7 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,3_2_011723B7
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_01172279 CryptExportKey,3_2_01172279
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_01172595 CryptVerifySignatureW,CryptDestroyHash,3_2_01172595
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_01172406 CryptDuplicateHash,3_2_01172406
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_01172466 CryptEncrypt,CryptDestroyHash,3_2_01172466
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_011724F6 CryptDuplicateHash,CryptDecrypt,CryptDestroyHash,3_2_011724F6
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_011722C9 CryptGetHashParam,3_2_011722C9

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Source: Traffic | Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.6:49931 -> 83.136.245.190:8080
Detected TCP or UDP traffic on non-standard ports
  • Source: global traffic | TCP traffic: 192.168.2.6:49931 -> 83.136.245.190:8080
  • Source: global traffic | TCP traffic: 192.168.2.6:49940 -> 80.102.228.132:8090
  • Source: global traffic | TCP traffic: 192.168.2.6:49941 -> 91.126.37.22:7080
Internet Provider seen in connection with other malware
  • Source: Joe Sandbox View | ASN Name: unknown unknown
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
  • Source: global traffic | TCP traffic: 192.168.2.6:49930 -> 140.207.113.106:443
  • Source: global traffic | TCP traffic: 192.168.2.6:49939 -> 85.105.203.77:443
Connects to IPs without corresponding DNS lookups
  • Source: unknown | TCP traffic detected without corresponding DNS query: 140.207.113.106
  • Source: unknown | TCP traffic detected without corresponding DNS query: 83.136.245.190
  • Source: unknown | TCP traffic detected without corresponding DNS query: 85.105.203.77
  • Source: unknown | TCP traffic detected without corresponding DNS query: 80.102.228.132
  • Source: unknown | TCP traffic detected without corresponding DNS query: 91.126.37.22
Contains functionality to download additional files from the internet
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_01171628 InternetReadFile,3_2_01171628
Urls found in memory or binary data
  • Source: controlnirmala.exe, 00000003.00000002.1443222984.00000000006FB000.00000004.00000001.sdmp | String found in binary or memory: http://91.126.37.22:7080/
Uses HTTPS
  • Source: unknown | Network traffic detected: HTTP traffic on port 49930 -> 443
  • Source: unknown | Network traffic detected: HTTP traffic on port 49939 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
  • Source: dKRGkCq.exe, 00000000.00000002.1022710402.00000000003EA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Detected Emotet e-Banking trojan
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_0244D119
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_0117D119

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_02442335 CryptImportKey,LocalFree,CryptReleaseContext,1_2_02442335
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_01172335 CryptImportKey,LocalFree,CryptReleaseContext,3_2_01172335

System Summary:

Malicious sample detected (through community Yara rule)
  • Source: 00000000.00000002.1022944727.00000000023F1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
  • Source: 00000002.00000002.1046568355.0000000001A71000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
  • Source: 00000003.00000002.1443954739.0000000001171000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
  • Source: 00000001.00000002.1049011516.0000000002441000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
  • Source: 0.2.dKRGkCq.exe.23f0000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
  • Source: 1.2.dKRGkCq.exe.2440000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
  • Source: 3.2.controlnirmala.exe.1170000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
  • Source: 2.2.controlnirmala.exe.1a70000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Contains functionality to call native functions
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_0244D010 NtdllDefWindowProc_W,1_2_0244D010
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_0117D010 NtdllDefWindowProc_W,3_2_0117D010
Contains functionality to delete services
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_0244F8B0 _snwprintf,OpenServiceW,DeleteService,CloseServiceHandle,1_2_0244F8B0
Contains functionality to launch a process as a different user
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_0244210D CreateProcessAsUserW,1_2_0244210D
Deletes files inside the Windows folder
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | File deleted: C:\Windows\SysWOW64\controlnirmala.exe:Zone.Identifier
Detected potential crypto function
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_023F56EF
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_024456EF
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 2_2_01A756EF
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_011756EF
Sample file is different than original file name gathered from version info
  • Source: dKRGkCq.exe, 00000001.00000002.1050933008.0000000002D80000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs dKRGkCq.exe
  • Source: dKRGkCq.exe, 00000001.00000002.1050933008.0000000002D80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs dKRGkCq.exe
  • Source: dKRGkCq.exe, 00000001.00000002.1050460697.0000000002C80000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs dKRGkCq.exe
Yara signature match
  • Source: 00000000.00000002.1022944727.00000000023F1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
  • Source: 00000002.00000002.1046568355.0000000001A71000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
  • Source: 00000003.00000002.1443954739.0000000001171000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
  • Source: 00000001.00000002.1049011516.0000000002441000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
  • Source: 0.2.dKRGkCq.exe.23f0000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
  • Source: 1.2.dKRGkCq.exe.2440000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
  • Source: 3.2.controlnirmala.exe.1170000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
  • Source: 2.2.controlnirmala.exe.1a70000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Classification label
  • Source: classification engine | Classification label: mal96.bank.evad.winEXE@6/0@0/5
Contains functionality to create services
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: _snwprintf,CreateServiceW,CloseServiceHandle,1_2_0244F959
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: _snwprintf,CreateServiceW,CloseServiceHandle,3_2_0117F95B
Contains functionality to enum processes or threads
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_023F1C10 CreateToolhelp32Snapshot,0_2_023F1C10
Contains functionality to load and extract PE file embedded resources
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_00258CBC GetMessageTime,FindResourceA,0_2_00258CBC
Contains functionality to modify services (start/stop/modify)
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_0244F9DB ChangeServiceConfig2W,1_2_0244F9DB
Creates mutexes
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Mutant created: \BaseNamedObjects\PEM1664
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Mutant created: \Sessions\1\BaseNamedObjects\PEM454
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M7D2AC5C6
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Mutant created: \BaseNamedObjects\Global\I7D2AC5C6
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Mutant created: \BaseNamedObjects\PEM240
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I7D2AC5C6
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Mutant created: \Sessions\1\BaseNamedObjects\PEMB30
PE file has an executable .text section and no other executable section
  • Source: dKRGkCq.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | File read: C:\Users\desktop.ini
Reads software policies
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
  • Source: dKRGkCq.exe | Virustotal: Detection: 83%
  • Source: dKRGkCq.exe | Metadefender: Detection: 72%
  • Source: dKRGkCq.exe | ReversingLabs: Detection: 96%
Spawns processes
  • Source: unknown | Process created: C:\Users\user\Desktop\dKRGkCq.exe 'C:\Users\user\Desktop\dKRGkCq.exe'
  • Source: unknown | Process created: C:\Users\user\Desktop\dKRGkCq.exe C:\Users\user\Desktop\dKRGkCq.exe
  • Source: unknown | Process created: C:\Windows\SysWOW64\controlnirmala.exe C:\Windows\SysWOW64\controlnirmala.exe
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Process created: C:\Users\user\Desktop\dKRGkCq.exe C:\Users\user\Desktop\dKRGkCq.exe
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Process created: C:\Windows\SysWOW64\controlnirmala.exe C:\Windows\SysWOW64\controlnirmala.exe
Uses an in-process (OLE) Automation server
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Contains modern PE file flags such as dynamic base (ASLR) or NX
  • Source: dKRGkCq.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
  • Source: dKRGkCq.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
  • Source: dKRGkCq.exe | Binary string: heerhWHW#@1wHJnERbRW.Pdb

Data Obfuscation:

Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_023F1A36 LoadLibraryA,GetProcAddress,0_2_023F1A36
PE file contains an invalid checksum
  • Source: dKRGkCq.exe | Static PE information: real checksum: 0x1000 should be: 0x556d4
Uses code obfuscation techniques (call, push, ret)
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_002678B7 pushad ; retf 0_2_002678C1
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_002676C0 push ecx; retf 0_2_002676C1

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Executable created and started: C:\Windows\SysWOW64\controlnirmala.exe
Drops PE files to the windows directory (C:\Windows)
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | PE file moved: C:\Windows\SysWOW64\controlnirmala.exe

Boot Survival:

Contains functionality to start windows services
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_0244F9F1 StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_0244F9F1

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | File opened: C:\Windows\SysWOW64\controlnirmala.exe:Zone.Identifier read attributes | delete

Malware Analysis System Evasion:

Potential time zone aware malware
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | System information queried: CurrentTimeZoneInformation
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | System information queried: CurrentTimeZoneInformation
Tries to detect virtualization through RDTSC time measurements
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | RDTSC instruction interceptor: First address: 00000000002598E7 second address: 00000000002598ED instructions: 0x00000000 rdtsc 0x00000002 mov esi, edx 0x00000004 mov edi, eax 0x00000006 rdtsc
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | RDTSC instruction interceptor: First address: 00000000002598E7 second address: 00000000002598ED instructions: 0x00000000 rdtsc 0x00000002 mov esi, edx 0x00000004 mov edi, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_002598B5 rdtsc 0_2_002598B5
Contains functionality to enumerate running services
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW,1_2_0244F71D
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: EnumServicesStatusExW,GetLastError,1_2_0244F6C4
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW,3_2_0117F71D
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: EnumServicesStatusExW,GetLastError,3_2_0117F6C4
Program does not show much activity (idle)
  • Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Checks the free space of harddrives
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | File Volume queried: C:\ FullSizeInformation
Queries a list of all running processes
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_002598B5 rdtsc 0_2_002598B5
Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_023F1A36 LoadLibraryA,GetProcAddress,0_2_023F1A36
Contains functionality to read the PEB
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_023F1530 mov eax, dword ptr fs:[00000030h] 0_2_023F1530
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_023F21B0 mov eax, dword ptr fs:[00000030h] 0_2_023F21B0
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_02441530 mov eax, dword ptr fs:[00000030h] 1_2_02441530
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 1_2_024421B0 mov eax, dword ptr fs:[00000030h] 1_2_024421B0
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 2_2_01A721B0 mov eax, dword ptr fs:[00000030h] 2_2_01A721B0
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 2_2_01A71530 mov eax, dword ptr fs:[00000030h] 2_2_01A71530
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_01171530 mov eax, dword ptr fs:[00000030h] 3_2_01171530
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Code function: 3_2_011721B0 mov eax, dword ptr fs:[00000030h] 3_2_011721B0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_023F2A08 GetProcessHeap,HeapFree,0_2_023F2A08
Program does not show much activity (idle)
  • Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: GetLocaleInfoW,lstrlenA,0_2_0025915B
Queries the volume information (name, serial number etc) of a device
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Queries volume information: C:\ VolumeInformation
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query time zone information
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_00257B5C GetModuleHandleW,GdiSetBatchLimit,GdiSetBatchLimit,RequestWakeupLatency,WinExec,RegSetKeySecurity,RegSetKeySecurity,StrChrNW,GetNamedPipeClientProcessId,GetTimeZoneInformation,GetTimeZoneInformation,VarUI4FromUI8,0_2_00257B5C
Contains functionality to query windows version
  • Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_023F277F RtlGetVersion,GetNativeSystemInfo,0_2_023F277F
Queries the cryptographic machine GUID
  • Source: C:\Windows\SysWOW64\controlnirmala.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Source: C:\Users\user\Desktop\dKRGkCq.exe | Code function: 0_2_00257E32 CoInvalidateRemoteMachineBindings,VarUI4FromUI8 | 0_2_00257E32

Malware Configuration

No configs have been found

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
dKRGkCq.exe | 83% | Virustotal |
dKRGkCq.exe | 73% | Metadefender |
dKRGkCq.exe | 97% | ReversingLabs | Win32.Trojan.Emotet
dKRGkCq.exe | 100% | Avira | HEUR/AGEN.1036970
dKRGkCq.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.dKRGkCq.exe.2440000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.dKRGkCq.exe.250000.0.unpack | 100% | Avira | HEUR/AGEN.1036970
1.0.dKRGkCq.exe.250000.0.unpack | 100% | Avira | HEUR/AGEN.1036970
3.0.controlnirmala.exe.250000.0.unpack | 100% | Avira | HEUR/AGEN.1036970
3.2.controlnirmala.exe.1140000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.controlnirmala.exe.1170000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.dKRGkCq.exe.250000.0.unpack | 100% | Avira | HEUR/AGEN.1036970
0.0.dKRGkCq.exe.250000.0.unpack | 100% | Avira | HEUR/AGEN.1036970
0.2.dKRGkCq.exe.23d0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.dKRGkCq.exe.23f0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.controlnirmala.exe.250000.0.unpack | 100% | Avira | HEUR/AGEN.1036970
1.2.dKRGkCq.exe.a30000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.controlnirmala.exe.1a50000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.controlnirmala.exe.250000.0.unpack | 100% | Avira | HEUR/AGEN.1036970
2.0.controlnirmala.exe.250000.0.unpack | 100% | Avira | HEUR/AGEN.1036970
2.2.controlnirmala.exe.1a70000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://91.126.37.22:7080/ | 4% | Virustotal |
http://91.126.37.22:7080/ | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.1022944727.00000000023F1000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x5b80:$snippet4: 33 C0 C7 05 10 72 40 02 20 2A 40 02 C7 05 14 72 40 02 20 2A 40 02 A3 18 72 40 02 A3 1C 72 40 02 ...
00000002.00000002.1046568355.0000000001A71000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x5b80:$snippet4: 33 C0 C7 05 10 72 A8 01 20 2A A8 01 C7 05 14 72 A8 01 20 2A A8 01 A3 18 72 A8 01 A3 1C 72 A8 01 ...
00000003.00000002.1443954739.0000000001171000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x5b80:$snippet4: 33 C0 C7 05 10 72 18 01 20 2A 18 01 C7 05 14 72 18 01 20 2A 18 01 A3 18 72 18 01 A3 1C 72 18 01 ...
00000001.00000002.1049011516.0000000002441000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x5b80:$snippet4: 33 C0 C7 05 10 72 45 02 20 2A 45 02 C7 05 14 72 45 02 20 2A 45 02 A3 18 72 45 02 A3 1C 72 45 02 ...

Unpacked PEs

Source | Rule | Description | Author
0.2.dKRGkCq.exe.23f0000.2.unpack | Emotet | Emotet Payload | kevoreilly
  • 0x5f80:$snippet4: 33 C0 C7 05 10 72 40 02 20 2A 40 02 C7 05 14 72 40 02 20 2A 40 02 A3 18 72 40 02 A3 1C 72 40 02 ...
1.2.dKRGkCq.exe.2440000.2.unpack | Emotet | Emotet Payload | kevoreilly
  • 0x5f80:$snippet4: 33 C0 C7 05 10 72 45 02 20 2A 45 02 C7 05 14 72 45 02 20 2A 45 02 A3 18 72 45 02 A3 1C 72 45 02 ...
3.2.controlnirmala.exe.1170000.2.unpack | Emotet | Emotet Payload | kevoreilly
  • 0x5f80:$snippet4: 33 C0 C7 05 10 72 18 01 20 2A 18 01 C7 05 14 72 18 01 20 2A 18 01 A3 18 72 18 01 A3 1C 72 18 01 ...
2.2.controlnirmala.exe.1a70000.2.unpack | Emotet | Emotet Payload | kevoreilly
  • 0x5f80:$snippet4: 33 C0 C7 05 10 72 A8 01 20 2A A8 01 C7 05 14 72 A8 01 20 2A A8 01 A3 18 72 A8 01 A3 1C 72 A8 01 ...

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: unknown

Associated Sample Name / URL | Detection | Context
INV.209.xls | malicious | 192.168.2.255
Info-18013.xls | malicious | 192.168.2.255
Teil 1.1.163.html | malicious | 104.27.129.102
Info.7017.xls | malicious | 192.168.2.255
https://www.greeninitiative.me/wp-content/plugins/add-to-any/au.html | malicious | 52.34.133.113
Info-298692.xls | malicious | 192.168.2.255
Guide_coronavirus.doc | malicious | 162.255.119.253
Info 470.xls | malicious | 52.114.128.43
Info 470.xls | malicious | 192.168.2.255
Guide_coronavirus.doc | malicious | 198.187.29.233
incoming Invoice_437278.xls | malicious | 192.168.2.255
Info 9299.xls | malicious | 192.168.2.255
https://www.davidmillettecpa.com/DOCUMENT.html | malicious | 104.27.180.30
Notif_002.xls | malicious | 52.114.75.78
recoverit_setup_full4280.exe | malicious | 47.91.67.36
2007320141.exe | malicious | 34.197.12.81
https://diigo.com/0h5ld2 | malicious | 54.148.192.94
https://u15582950.ct.sendgrid.net/ls/click?upn=xkRWX3hROsZS0NmxIBQ99-2BoJFsajzSAx6aL-2Bqp0WtECD3UzQW0Z6739IRu2-2F6vQsaqEP_OvYGL6tW9whHjeK15-2Bm8wuw5PDCKaJA2sM0zG8-2FiXPdhUPp8pONlFgPLX5L1LaM-2FAJ0T8RziYy6cJjhpqvv-2B-2FF7PSq3srLa3m6jzpUdcq0DvpkETzqM3dk3Yq06dO91FaQ9r1EfrtW6Y6J1GeTUUUwKggPdoz1OFQ8xUQpYrN0hTksH9vkfh0vAuwOSTs5dsKdPbI1dGARjKnU8z0w1G0xV8U9KhPLDArEU5hpFr7SpYSGxOESW6NI0Qi32iBXgo4WgFdGRIZjcUf6RrEuxNysE7TXpNhUWb1sHjrxaDpK6LJe8UV7wumMjR2TI51lv2xbH2RKKRgvSNcEfQWU8womGwMqunppOQIK7IPsiFgs20bmIo4pGP4-2BTVNhBp8QqZImUYdJBfFA706kTiodD-2BwlxgzLUPSl2PeCI8idUcX-2BvEVuom-2FWKJD3umwoMojhlHYgO-2BNAJD4LgoLBRhSYDm3e31QumpaV-2BLEQIr-2B0B-2Fd9QuSG9p1Rm2IcB53ukdzheveYWrTuYDt3Fkkfaj5PwPhr9aT94T64352A3eKhRfTdn29lVG5qYb3xs5dsF1As-2Fmbd-2FEGL3izoyADJsdO4CV-2FeDctfAJ57t11lPQO7-2FuAFG11OTLybTfeQrjCmm1dBpdn38-2Bz2wlM6NGDqpUTbLD9w-3D-3D | malicious | 151.139.128.10
cve-2020-0796-local.exe | malicious | 127.0.0.1
https://docs.google.com/uc?export=download&id=1IFDJjPAYbiA40gSMNSdQaBiauT1Me_CJ | malicious | 151.139.128.10

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.