
Analysis Report 26m2r5af2Z

Overview

General Information

Sample Name: 26m2r5af2Z (renamed file extension from none to exe)
MD5: fac223dc0f2411ca13d665e87062d5e9
SHA1: 800d7eacbc3887f736ed2de3a79dba2900356f84
SHA256: f4e8bb7744c69035652a8a6cce441e0fe649c2b770444889e73ebf59efcde2e7

Most interesting Screenshot:

Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Query firmware table information (likely to detect VMs)
Contains functionality locales information (e.g. system language)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • 26m2r5af2Z.exe (PID: 5256 cmdline: 'C:\Users\user\Desktop\26m2r5af2Z.exe' MD5: FAC223DC0F2411CA13D665E87062D5E9)
    • JavaScriptCollectionAgent.exe (PID: 5312 cmdline: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe MD5: FAC223DC0F2411CA13D665E87062D5E9)
  • svchost.exe (PID: 4968 cmdline: C:\Windows\system32\svchost.exe -k wsappx -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["181.92.244.156/k1wKwudd9qVGkzP"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.2487716761.0000000000541000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.783755382.00000000004A0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.783780669.00000000004B1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.2487669112.0000000000530000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: JavaScriptCollectionAgent.exe.5312.1.memstr; Malware Configuration Extractor: Emotet {"C2 list": ["181.92.244.156/k1wKwudd9qVGkzP"]}
Multi AV Scanner detection for submitted file
Source: 26m2r5af2Z.exe; Virustotal: Detection: 18%

Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_005420D0 CryptDecodeObjectEx,1_2_005420D0
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_005420E8 CryptDecodeObjectEx,1_2_005420E8

Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_0041F498 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,0_2_0041F498
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_004B3030 FindNextFileW,FindFirstFileW,FindClose,0_2_004B3030
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_0041F498 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,1_2_0041F498

Source: Joe Sandbox View; ASN Name: unknown unknown
Source: global traffic; HTTP traffic detected:
    POST /k1wKwudd9qVGkzPa7/5H2A/ HTTP/1.1
    Referer: http://181.92.244.156/k1wKwudd9qVGkzPa7/5H2A/
    Content-Type: multipart/form-data; boundary=---------------------------820502026808580
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 181.92.244.156
    Content-Length: 4644
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown; TCP traffic detected without corresponding DNS query: 181.92.244.156
Source: unknown; TCP traffic detected without corresponding DNS query: 181.92.244.156
Source: unknown; TCP traffic detected without corresponding DNS query: 181.92.244.156
Source: unknown; TCP traffic detected without corresponding DNS query: 181.92.244.156
Source: unknown; TCP traffic detected without corresponding DNS query: 181.92.244.156
Source: unknown; TCP traffic detected without corresponding DNS query: 181.92.244.156
Source: unknown; TCP traffic detected without corresponding DNS query: 181.92.244.156
Source: unknown; TCP traffic detected without corresponding DNS query: 181.92.244.156
Source: unknown; TCP traffic detected without corresponding DNS query: 181.92.244.156
Source: unknown; TCP traffic detected without corresponding DNS query: 181.92.244.156
Source: unknown; TCP traffic detected without corresponding DNS query: 181.92.244.156
Source: unknown; TCP traffic detected without corresponding DNS query: 181.92.244.156
Source: unknown; TCP traffic detected without corresponding DNS query: 181.92.244.156
Source: unknown; HTTP traffic detected:
    POST /k1wKwudd9qVGkzPa7/5H2A/ HTTP/1.1
    Referer: http://181.92.244.156/k1wKwudd9qVGkzPa7/5H2A/
    Content-Type: multipart/form-data; boundary=---------------------------820502026808580
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 181.92.244.156
    Content-Length: 4644
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: JavaScriptCollectionAgent.exe, 00000001.00000002.2487186277.000000000019A000.00000004.00000001.sdmp; String found in binary or memory: http://181.92.244.156/k1wKwudd9qVGkzPa7/5H2A/
Source: svchost.exe, 00000004.00000002.2487698488.0000017FC6229000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.2488055132.0000017FC6B1E000.00000004.00000001.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.4.dr; String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd

Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_0041C29F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_0041C29F
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_0041E6F7 GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_0041E6F7
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_00423F01 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,0_2_00423F01
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_00423F16 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,0_2_00423F16
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_0041C29F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,1_2_0041C29F
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_0041E6F7 GetKeyState,GetKeyState,GetKeyState,GetKeyState,1_2_0041E6F7
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_00423F01 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,1_2_00423F01
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_00423F16 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,1_2_00423F16

E-Banking Fraud:

Yara detected Emotet
Source: Yara match; File source: 00000001.00000002.2487716761.0000000000541000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.783755382.00000000004A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.783780669.00000000004B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2487669112.0000000000530000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\26m2r5af2Z.exe; File created: C:\Windows\SysWOW64\JavaScriptCollectionAgent\
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; File deleted: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe:Zone.Identifier
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_0041B1A3
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_004A521F
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_004B58E0
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_0041B1A3
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_0053521F
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_005458E0
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: String function: 0040BC30 appears 90 times
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: String function: 0040BCE0 appears 43 times
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: String function: 0040BC30 appears 90 times
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: String function: 0040BCE0 appears 43 times
Source: 26m2r5af2Z.exe, 00000000.00000002.786386207.0000000002FC0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs 26m2r5af2Z.exe
Source: 26m2r5af2Z.exe, 00000000.00000002.786386207.0000000002FC0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 26m2r5af2Z.exe
Source: 26m2r5af2Z.exe, 00000000.00000002.784457048.0000000002270000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs 26m2r5af2Z.exe
Source: classification engine; Classification label: mal76.troj.evad.winEXE@4/1@0/1
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_00544170 Process32NextW,CreateToolhelp32Snapshot,FindCloseChangeNotification,1_2_00544170
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_0040A80A __EH_prolog,LoadLibraryExW,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,GetCurrentProcess,VirtualAllocExNuma,0_2_0040A80A
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\M55B61B38
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\I55B61B38
Source: 26m2r5af2Z.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 26m2r5af2Z.exe; Virustotal: Detection: 18%
Source: unknown; Process created: C:\Users\user\Desktop\26m2r5af2Z.exe 'C:\Users\user\Desktop\26m2r5af2Z.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Process created: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: 26m2r5af2Z.exe; Static PE information: section name: RT_CURSOR
Source: 26m2r5af2Z.exe; Static PE information: section name: RT_BITMAP
Source: 26m2r5af2Z.exe; Static PE information: section name: RT_ICON
Source: 26m2r5af2Z.exe; Static PE information: section name: RT_MENU
Source: 26m2r5af2Z.exe; Static PE information: section name: RT_DIALOG
Source: 26m2r5af2Z.exe; Static PE information: section name: RT_STRING
Source: 26m2r5af2Z.exe; Static PE information: section name: RT_ACCELERATOR
Source: 26m2r5af2Z.exe; Static PE information: section name: RT_GROUP_ICON

Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_00410AA0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00410AA0
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_0040BC30 push eax; ret 0_2_0040BC4E
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_0040BD40 push eax; ret 0_2_0040BD6E
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_004A93A7 push 00000071h; iretd 0_2_004A93A9
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_0040BC30 push eax; ret 1_2_0040BC4E
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_0040BD40 push eax; ret 1_2_0040BD6E
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_005393A7 push 00000071h; iretd 1_2_005393A9

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Executable created and started: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; PE file moved: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; File opened: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_00420ADD GetParent,GetParent,GetParent,IsIconic,0_2_00420ADD
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_00423FBE IsWindowVisible,IsIconic,0_2_00423FBE
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_00420ADD GetParent,GetParent,GetParent,IsIconic,1_2_00420ADD
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_00423FBE IsWindowVisible,IsIconic,1_2_00423FBE
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
Source: C:\Windows\System32\svchost.exe; System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_0041F498 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,0_2_0041F498
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_004B3030 FindNextFileW,FindFirstFileW,FindClose,0_2_004B3030
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_0041F498 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,1_2_0041F498
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_00410AA0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00410AA0
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_004A0467 mov eax, dword ptr fs:[00000030h] 0_2_004A0467
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_004A3BDF mov eax, dword ptr fs:[00000030h] 0_2_004A3BDF
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_004A2E6F mov eax, dword ptr fs:[00000030h] 0_2_004A2E6F
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_004B42A0 mov eax, dword ptr fs:[00000030h] 0_2_004B42A0
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_004B3530 mov eax, dword ptr fs:[00000030h] 0_2_004B3530
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_00530467 mov eax, dword ptr fs:[00000030h] 1_2_00530467
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_00533BDF mov eax, dword ptr fs:[00000030h] 1_2_00533BDF
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_00532E6F mov eax, dword ptr fs:[00000030h] 1_2_00532E6F
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_005442A0 mov eax, dword ptr fs:[00000030h] 1_2_005442A0
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_00543530 mov eax, dword ptr fs:[00000030h] 1_2_00543530
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_0040F620 SetUnhandledExceptionFilter,0_2_0040F620
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_0040F640 SetUnhandledExceptionFilter,0_2_0040F640
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_0040F620 SetUnhandledExceptionFilter,1_2_0040F620
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: 1_2_0040F640 SetUnhandledExceptionFilter,1_2_0040F640

Source: JavaScriptCollectionAgent.exe, 00000001.00000002.2488019966.0000000000D70000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: JavaScriptCollectionAgent.exe, 00000001.00000002.2488019966.0000000000D70000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: JavaScriptCollectionAgent.exe, 00000001.00000002.2488019966.0000000000D70000.00000002.00000001.sdmp; Binary or memory string: hProgram ManagerWE
Source: JavaScriptCollectionAgent.exe, 00000001.00000002.2488019966.0000000000D70000.00000002.00000001.sdmp; Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,MultiByteToWideChar,0_2_004129E0
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte,0_2_00412B10
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,MultiByteToWideChar,1_2_004129E0
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte,1_2_00412B10
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\26m2r5af2Z.exe; Code function: 0_2_004252DD GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,0_2_004252DD
Source: C:\Windows\SysWOW64\JavaScriptCollectionAgent\JavaScriptCollectionAgent.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match; File source: 00000001.00000002.2487716761.0000000000541000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.783755382.00000000004A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.783780669.00000000004B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2487669112.0000000000530000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

The matrix is listed here by tactic; the number in parentheses is the count shown in the report next to each matched technique.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Execution through API (1); Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Hidden Files and Directories (1); Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation: Process Injection (2); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
Defense Evasion: Masquerading (12); Hidden Files and Directories (1); Virtualization/Sandbox Evasion (1); Process Injection (2); Deobfuscate/Decode Files or Information (1); File Deletion (1); Obfuscated Files or Information (2)
Credential Access: Input Capture (1); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: Virtualization/Sandbox Evasion (1); Process Discovery (3); Application Window Discovery (1); Security Software Discovery (1); File and Directory Discovery (2); System Information Discovery (24); Network Sniffing
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Input Capture (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Standard Cryptographic Protocol (2); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (11); Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

(Graph image not reproduced.) Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
