
Analysis Report jbzBOqYoA1

Overview

General Information

Sample Name: jbzBOqYoA1 (renamed file extension from none to exe)
MD5: eff238b0135824f51158f8251b6015fb
SHA1: 7e61b08e4e72c481cfa76b654cef28bc1f7a16e6
SHA256: f1e2e1a9f542954c017e627cedb9ccde92ffe466e7bca9b37ac18f5d41abc495

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locale information (e.g. system language)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • jbzBOqYoA1.exe (PID: 4112 cmdline: 'C:\Users\user\Desktop\jbzBOqYoA1.exe' MD5: EFF238B0135824F51158F8251B6015FB)
    • jbzBOqYoA1.exe (PID: 5688 cmdline: --3c72c125 MD5: EFF238B0135824F51158F8251B6015FB)
  • minimumwubi.exe (PID: 5244 cmdline: C:\Windows\SysWOW64\minimumwubi.exe MD5: EFF238B0135824F51158F8251B6015FB)
    • minimumwubi.exe (PID: 5944 cmdline: --f1508aa9 MD5: EFF238B0135824F51158F8251B6015FB)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["216.98.148.181/publish"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings, where shown, are listed beneath the row)
00000003.00000002.1479674961.0000000000570000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.1479674961.0000000000570000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 17 41 00 85 C0
  • 0x5a13:$snippet6: 33 C0 21 05 5C 39 41 00 A3 58 39 41 00 39 05 90 03 41 00 74 18 40 A3 58 39 41 00 83 3C C5 90 03 ...
00000001.00000002.1111327241.0000000002280000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.1111327241.0000000002280000.00000040.00000001.sdmp | Emotet | Emotet Payload | kevoreilly
  • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 17 41 00 85 C0
  • 0x5a13:$snippet6: 33 C0 21 05 5C 39 41 00 A3 58 39 41 00 39 05 90 03 41 00 74 18 40 A3 58 39 41 00 83 3C C5 90 03 ...
00000000.00000002.1062165487.0000000000561000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(11 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: jbzBOqYoA1.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: jbzBOqYoA1.exe | Virustotal: Detection: 79%
Source: jbzBOqYoA1.exe | ReversingLabs: Detection: 82%
Source: 1.0.jbzBOqYoA1.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dbvj
Source: 2.0.minimumwubi.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dbvj
Source: 3.0.minimumwubi.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dbvj
Source: 0.0.jbzBOqYoA1.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dbvj

Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0229207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,1_2_0229207B
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0229215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,1_2_0229215A
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291F11 CryptExportKey,1_2_02291F11
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,1_2_02291F75
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291F56 CryptGetHashParam,1_2_02291F56
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,1_2_02291FFC
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,3_2_00DE207B
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,3_2_00DE1FFC
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,3_2_00DE1F75
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE1F11 CryptExportKey,3_2_00DE1F11
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,3_2_00DE215A
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE1F56 CryptGetHashParam,3_2_00DE1F56

Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,0_2_00430651
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00430BC9 FindFirstFileA,FindClose,0_2_00430BC9
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,1_2_00430651
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00430BC9 FindFirstFileA,FindClose,1_2_00430BC9

Source: global traffic | TCP traffic: 192.168.2.6:49938 -> 125.99.61.162:7080
Source: global traffic | TCP traffic: 192.168.2.6:49947 -> 94.183.71.206:7080
Source: global traffic | TCP traffic: 192.168.2.6:49948 -> 91.83.93.105:8080
Source: global traffic | TCP traffic: 192.168.2.6:49949 -> 216.98.148.181:8080
Source: Joe Sandbox View | IP Address: 125.99.61.162
Source: Joe Sandbox View | IP Address: 94.183.71.206
Source: Joe Sandbox View | IP Address: 91.83.93.105
Source: unknown | TCP traffic detected without corresponding DNS query: 125.99.61.162
Source: unknown | TCP traffic detected without corresponding DNS query: 94.183.71.206
Source: unknown | TCP traffic detected without corresponding DNS query: 91.83.93.105
Source: unknown | TCP traffic detected without corresponding DNS query: 216.98.148.181
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE1383 InternetReadFile,3_2_00DE1383
Source: minimumwubi.exe, 00000003.00000002.1479115639.0000000000198000.00000004.00000001.sdmp | String found in binary or memory: http://216.98.148.181/publish/symbols/free/merge/

Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0044240B GetKeyState,GetKeyState,GetKeyState,0_2_0044240B
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0043C995 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,0_2_0043C995
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00440C03 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,0_2_00440C03
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0042CF30 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_0042CF30
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00429BB6 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,0_2_00429BB6
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0044240B GetKeyState,GetKeyState,GetKeyState,1_2_0044240B
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0043C995 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,1_2_0043C995
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00440C03 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,1_2_00440C03
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0042CF30 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,1_2_0042CF30
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00429BB6 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,1_2_00429BB6

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0229D657
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DED657
Yara detected Emotet
Source: Yara match | File source: 00000003.00000002.1479674961.0000000000570000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1111327241.0000000002280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1062165487.0000000000561000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1111371732.0000000002291000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1101847702.0000000000531000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1101817922.0000000000520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1479932404.0000000000DE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1062088484.0000000000540000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,1_2_02291F75
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,3_2_00DE1F75

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.1479674961.0000000000570000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.1111327241.0000000002280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.1062165487.0000000000561000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.1111371732.0000000002291000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000002.00000002.1101847702.0000000000531000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000002.00000002.1101817922.0000000000520000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.1479932404.0000000000DE1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.1062088484.0000000000540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0229D823 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,1_2_0229D823
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291D2B CreateProcessAsUserW,CreateProcessW,1_2_02291D2B
Source: C:\Windows\SysWOW64\minimumwubi.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | File deleted: C:\Windows\SysWOW64\minimumwubi.exe:Zone.Identifier
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0042E1E8
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00424233
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00428300
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00408A42
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00423DA3
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0042E1E8
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00424233
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00428300
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00408A42
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00423DA3
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_022828C1
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_022830E8
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_022830E4
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_022937A9
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_022937A5
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02292F82
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE2F82
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE37A9
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE37A5
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 0042C90B appears 40 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 00409020 appears 114 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 0042A9D7 appears 62 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 00409A16 appears 62 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 00427CB5 appears 78 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 00409DD1 appears 36 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 0042AB0C appears 56 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 00442ED6 appears 68 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 00405DA4 appears 932 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 004010B9 appears 70 times
Source: jbzBOqYoA1.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (reported 4 times)
Source: jbzBOqYoA1.exe, 00000000.00000000.1054289752.000000000046E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMFCBind.EXEH vs jbzBOqYoA1.exe
Source: jbzBOqYoA1.exe, 00000001.00000000.1061127527.000000000046E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMFCBind.EXEH vs jbzBOqYoA1.exe
Source: jbzBOqYoA1.exe, 00000001.00000002.1113868429.00000000029F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs jbzBOqYoA1.exe
Source: jbzBOqYoA1.exe, 00000001.00000002.1113868429.00000000029F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs jbzBOqYoA1.exe
Source: jbzBOqYoA1.exe, 00000001.00000002.1111883271.00000000024A0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs jbzBOqYoA1.exe
Source: jbzBOqYoA1.exe | Binary or memory string: OriginalFilenameMFCBind.EXEH vs jbzBOqYoA1.exe
Source: 00000003.00000002.1479674961.0000000000570000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.1111327241.0000000002280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.1062165487.0000000000561000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.1111371732.0000000002291000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.1101847702.0000000000531000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.1101817922.0000000000520000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.1479932404.0000000000DE1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.1062088484.0000000000540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: classification engine | Classification label: mal92.bank.troj.evad.winEXE@6/0@0/4
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00433326 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,0_2_00433326
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_0229D8F3
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,3_2_00DED8F3
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,1_2_02291943
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004345F5 DestroyMenu,DestroyMenu,FreeResource,DestroyMenu,FreeResource,DestroyMenu,FreeResource,0_2_004345F5
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0229D8F3 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_0229D8F3
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M7AE0F80C
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I7AE0F80C
Source: C:\Windows\SysWOW64\minimumwubi.exe | Mutant created: \BaseNamedObjects\Global\I7AE0F80C
Source: jbzBOqYoA1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: jbzBOqYoA1.exe | Virustotal: Detection: 79%
Source: jbzBOqYoA1.exe | ReversingLabs: Detection: 82%
Source: unknown | Process created: C:\Users\user\Desktop\jbzBOqYoA1.exe 'C:\Users\user\Desktop\jbzBOqYoA1.exe'
Source: unknown | Process created: C:\Users\user\Desktop\jbzBOqYoA1.exe --3c72c125
Source: unknown | Process created: C:\Windows\SysWOW64\minimumwubi.exe C:\Windows\SysWOW64\minimumwubi.exe
Source: unknown | Process created: C:\Windows\SysWOW64\minimumwubi.exe --f1508aa9
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Process created: C:\Users\user\Desktop\jbzBOqYoA1.exe --3c72c125
Source: C:\Windows\SysWOW64\minimumwubi.exe | Process created: C:\Windows\SysWOW64\minimumwubi.exe --f1508aa9
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_CURSOR
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_BITMAP
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_ICON
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_MENU
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_DIALOG
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_STRING
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_ACCELERATOR
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_GROUP_ICON

Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004309A9 __EH_prolog,LoadLibraryA,GetProcAddress,0_2_004309A9
Source: jbzBOqYoA1.exe | Static PE information: real checksum: 0x8ec7c should be: 0x91cdf
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0040905B push ecx; ret 0_2_0040906B
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004058B0 push eax; ret 0_2_004058C4
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004058B0 push eax; ret 0_2_004058EC
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00405DA4 push eax; ret 0_2_00405DC2
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0040905B push ecx; ret 1_2_0040906B
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_004058B0 push eax; ret 1_2_004058C4
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_004058B0 push eax; ret 1_2_004058EC
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00405DA4 push eax; ret 1_2_00405DC2

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\minimumwubi.exe | Executable created and started: C:\Windows\SysWOW64\minimumwubi.exe
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | PE file moved: C:\Windows\SysWOW64\minimumwubi.exe

Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0229D8F3 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_0229D8F3

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | File opened: C:\Windows\SysWOW64\minimumwubi.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004044FD IsIconic,GetWindowPlacement,GetWindowRect,0_2_004044FD
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0043E7D6 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,0_2_0043E7D6
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00440CE7 IsWindowVisible,IsIconic,0_2_00440CE7
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004396C4 IsIconic,IsWindowVisible,0_2_004396C4
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00433D1A GetParent,GetParent,IsIconic,GetParent,0_2_00433D1A
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_004044FD IsIconic,GetWindowPlacement,GetWindowRect,1_2_004044FD
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0043E7D6 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,1_2_0043E7D6
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00440CE7 IsWindowVisible,IsIconic,1_2_00440CE7
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_004396C4 IsIconic,IsWindowVisible,1_2_004396C4
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00433D1A GetParent,GetParent,IsIconic,GetParent,1_2_00433D1A
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Process information set: NOOPENFILEERRORBOX (reported 7 times)
Source: C:\Windows\SysWOW64\minimumwubi.exe | Process information set: NOOPENFILEERRORBOX (reported 6 times)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\minimumwubi.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,1_2_0229D657
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,3_2_00DED657
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | API coverage: 3.4 %
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | API coverage: 5.7 %
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,0_2_00430651
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00430BC9 FindFirstFileA,FindClose,0_2_00430BC9
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,1_2_00430651
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00430BC9 FindFirstFileA,FindClose,1_2_00430BC9
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00409DD1 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,0_2_00409DD1
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\minimumwubi.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\minimumwubi.exe | Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004309A9 __EH_prolog,LoadLibraryA,GetProcAddress,0_2_004309A9
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004015A6 mov eax, dword ptr fs:[00000030h] 0_2_004015A6
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_004015A6 mov eax, dword ptr fs:[00000030h] 1_2_004015A6
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02280467 mov eax, dword ptr fs:[00000030h] 1_2_02280467
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02280C0C mov eax, dword ptr fs:[00000030h] 1_2_02280C0C
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02281743 mov eax, dword ptr fs:[00000030h] 1_2_02281743
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_022912CD mov eax, dword ptr fs:[00000030h] 1_2_022912CD
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291E04 mov eax, dword ptr fs:[00000030h] 1_2_02291E04
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE12CD mov eax, dword ptr fs:[00000030h] 3_2_00DE12CD
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE1E04 mov eax, dword ptr fs:[00000030h] 3_2_00DE1E04
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_022914F2 GetProcessHeap,RtlAllocateHeap,1_2_022914F2
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00409B92 SetUnhandledExceptionFilter,0_2_00409B92
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00409BA6 SetUnhandledExceptionFilter,0_2_00409BA6
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00409B92 SetUnhandledExceptionFilter,1_2_00409B92
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00409BA6 SetUnhandledExceptionFilter,1_2_00409BA6

        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: lstrcpyA,wsprintfA,LoadLibraryA,GetLocaleInfoA | 0_2_0044448C
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoA,_strncpy | 0_2_00410B3F
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoA | 0_2_0040F054
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: _strlen,EnumSystemLocalesA | 0_2_00411076
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP | 0_2_00401000
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: _strlen,_strlen,EnumSystemLocalesA | 0_2_004110AD
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: _strlen,EnumSystemLocalesA | 0_2_00411133
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat | 0_2_00411188
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoA | 0_2_00427456
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar | 0_2_00413CAE
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoA,MultiByteToWideChar | 0_2_00413D6A
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA | 0_2_00413DDE
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoW,WideCharToMultiByte | 0_2_00413E91
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: lstrcpyA,wsprintfA,LoadLibraryA,GetLocaleInfoA | 1_2_0044448C
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoA,_strncpy | 1_2_00410B3F
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoA | 1_2_0040F054
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: _strlen,EnumSystemLocalesA | 1_2_00411076
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP | 1_2_00401000
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: _strlen,_strlen,EnumSystemLocalesA | 1_2_004110AD
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: _strlen,EnumSystemLocalesA | 1_2_00411133
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat | 1_2_00411188
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoA | 1_2_00427456
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar | 1_2_00413CAE
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoA,MultiByteToWideChar | 1_2_00413D6A
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA | 1_2_00413DDE
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: GetLocaleInfoW,WideCharToMultiByte | 1_2_00413E91
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0228D9B7 cpuid | 1_2_0228D9B7
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\minimumwubi.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0040BE8A GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter | 0_2_0040BE8A
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0040DE3E __lock,_strlen,_strcat,_strncpy,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte | 0_2_0040DE3E
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0040436B GetVersionExA | 0_2_0040436B
        Source: C:\Windows\SysWOW64\minimumwubi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Emotet
        Source: Yara match | File source: 00000003.00000002.1479674961.0000000000570000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.1111327241.0000000002280000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1062165487.0000000000561000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.1111371732.0000000002291000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.1101847702.0000000000531000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.1101817922.0000000000520000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1479932404.0000000000DE1000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1062088484.0000000000540000.00000040.00000001.sdmp, type: MEMORY

        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00448089 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree | 0_2_00448089
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0044BB18 lstrcpynA,lstrlenA,lstrlenA,CreateFileMoniker,CreateBindCtx,lstrlenA,CreateGenericComposite | 0_2_0044BB18
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00447B3B CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree | 0_2_00447B3B
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00448089 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree | 1_2_00448089
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0044BB18 lstrcpynA,lstrlenA,lstrlenA,CreateFileMoniker,CreateBindCtx,lstrlenA,CreateGenericComposite | 1_2_0044BB18
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00447B3B CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree | 1_2_00447B3B

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts1 | Execution through API11 | Hidden Files and Directories1 | Valid Accounts1 | Software Packing1 | Input Capture1 | System Time Discovery2 | Remote File Copy1 | Input Capture1 | Data Encrypted11 | Uncommonly Used Port1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1
        Replication Through Removable Media | Service Execution12 | Valid Accounts1 | Access Token Manipulation1 | Deobfuscate/Decode Files or Information1 | Network Sniffing | Security Software Discovery1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Commonly Used Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        External Remote Services | Windows Management Instrumentation | Modify Existing Service11 | Process Injection1 | File Deletion1 | Input Capture | System Service Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote File Copy1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Drive-by Compromise | Scheduled Task | New Service2 | New Service2 | Obfuscated Files or Information2 | Credentials in Files | File and Directory Discovery2 | Logon Scripts | Input Capture | Data Encrypted | Standard Cryptographic Protocol2 | SIM Card Swap | Premium SMS Toll Fraud |
        Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading12 | Account Manipulation | System Information Discovery37 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
        Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Hidden Files and Directories1 | Brute Force | Process Discovery2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features |
        Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Valid Accounts1 | Two-Factor Authentication Interception | Application Window Discovery1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
        Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
        Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection1 | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | Data Destruction |

        Behavior Graph

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet