Analysis Report jbzBOqYoA1

Overview

General Information

Sample Name: jbzBOqYoA1 (renamed file extension from none to exe)
MD5: eff238b0135824f51158f8251b6015fb
SHA1: 7e61b08e4e72c481cfa76b654cef28bc1f7a16e6
SHA256: f1e2e1a9f542954c017e627cedb9ccde92ffe466e7bca9b37ac18f5d41abc495

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus or Machine Learning detection for unpacked file
Contains functionality locales information (e.g. system language)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • jbzBOqYoA1.exe (PID: 4112 cmdline: 'C:\Users\user\Desktop\jbzBOqYoA1.exe' MD5: EFF238B0135824F51158F8251B6015FB)
    • jbzBOqYoA1.exe (PID: 5688 cmdline: --3c72c125 MD5: EFF238B0135824F51158F8251B6015FB)
  • minimumwubi.exe (PID: 5244 cmdline: C:\Windows\SysWOW64\minimumwubi.exe MD5: EFF238B0135824F51158F8251B6015FB)
    • minimumwubi.exe (PID: 5944 cmdline: --f1508aa9 MD5: EFF238B0135824F51158F8251B6015FB)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["216.98.148.181/publish"]}

Yara Overview

Memory Dumps

Source: 00000003.00000002.1479674961.0000000000570000.00000040.00000001.sdmp
  • Rule: JoeSecurity_Emotet | Description: Yara detected Emotet | Author: Joe Security
  • Rule: Emotet | Description: Emotet Payload | Author: kevoreilly | Strings:
    • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 17 41 00 85 C0
    • 0x5a13:$snippet6: 33 C0 21 05 5C 39 41 00 A3 58 39 41 00 39 05 90 03 41 00 74 18 40 A3 58 39 41 00 83 3C C5 90 03 ...
Source: 00000001.00000002.1111327241.0000000002280000.00000040.00000001.sdmp
  • Rule: JoeSecurity_Emotet | Description: Yara detected Emotet | Author: Joe Security
  • Rule: Emotet | Description: Emotet Payload | Author: kevoreilly | Strings:
    • 0x18ec:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 17 41 00 85 C0
    • 0x5a13:$snippet6: 33 C0 21 05 5C 39 41 00 A3 58 39 41 00 39 05 90 03 41 00 74 18 40 A3 58 39 41 00 83 3C C5 90 03 ...
Source: 00000000.00000002.1062165487.0000000000561000.00000020.00000001.sdmp
  • Rule: JoeSecurity_Emotet | Description: Yara detected Emotet | Author: Joe Security
(11 entries in total; the remaining entries are not reproduced on this page)
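The two strings that fired in the kevoreilly Emotet rule are plain byte sequences with absolute operands: $snippet2 decodes to push 0x13 / push 0x10001 / call dword ptr [0x411758] / test eax, eax, so its call target lies in a 0x400000-based image, the same base at which the unpacked payloads above are reported. The Python below is an added example, not Joe Sandbox code and not the published rule; it reuses only the byte sequences the report prints. It compiles Yara-style hex strings into byte regexes (also accepting the `??` single-byte wildcard, which the page's strings do not use) and scans a constructed stand-in memory image in which the two snippets are placed at the reported offsets 0x18ec and 0x5a13. $snippet6 is truncated on the page, so only the bytes shown are used.

```python
"""Added example: a minimal Yara-style hex-string matcher for the two Emotet
payload strings reported in the memory-dump matches above.  Not Joe Sandbox
code and not kevoreilly's published rule; only the printed bytes are reused."""
import re

# $snippet6 is truncated on the page ("..."), so only the bytes shown are kept.
EMOTET_SNIPPETS = {
    # push 0x13 ; push 0x10001 ; call dword ptr [0x411758] ; test eax, eax
    "$snippet2": "6A 13 68 01 00 01 00 FF 15 58 17 41 00 85 C0",
    "$snippet6": ("33 C0 21 05 5C 39 41 00 A3 58 39 41 00 39 05 90 03 41 00 "
                  "74 18 40 A3 58 39 41 00 83 3C C5 90 03"),
}

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def hex_string_to_regex(hex_string: str) -> "re.Pattern[bytes]":
    """Compile a Yara hex string into a bytes regex.

    Handles literal bytes (all the page's strings need) and the common
    '??' single-byte wildcard, a generalisation beyond what the page shows.
    """
    parts = []
    for token in hex_string.split():
        if token == "??":
            parts.append(b".")            # any single byte (DOTALL below)
        elif HEX_BYTE.match(token):
            parts.append(re.escape(bytes([int(token, 16)])))
        else:
            raise ValueError(f"unsupported hex token: {token!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, strings=EMOTET_SNIPPETS) -> dict:
    """Return {string_name: [offsets]} for every string found in buf."""
    hits = {}
    for name, hex_string in strings.items():
        pattern = hex_string_to_regex(hex_string)
        offsets = [m.start() for m in pattern.finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory dump: the two snippets are placed at
    the offsets the report lists (0x18ec and 0x5a13) inside zero padding."""
    dump = bytearray(0x6000)
    for name, offset in (("$snippet2", 0x18EC), ("$snippet6", 0x5A13)):
        raw = bytes.fromhex(EMOTET_SNIPPETS[name].replace(" ", ""))
        dump[offset:offset + len(raw)] = raw
    return bytes(dump)


if __name__ == "__main__":
    for name, offsets in scan(build_sample_dump()).items():
        print(name, [hex(o) for o in offsets])
```

Because both strings embed absolute addresses (0x411758, 0x41395C, 0x413958, 0x410390), they match the payload only at its preferred image base and only for builds with that exact layout; a relocated copy or a recompiled variant changes those operand bytes, which is why payload rules of this kind are usually written with wildcards over address operands.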

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: jbzBOqYoA1.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: jbzBOqYoA1.exe | Virustotal: Detection: 79%
Source: jbzBOqYoA1.exe | ReversingLabs: Detection: 82%
Source: 1.0.jbzBOqYoA1.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dbvj
Source: 2.0.minimumwubi.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dbvj
Source: 3.0.minimumwubi.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dbvj
Source: 0.0.jbzBOqYoA1.exe.400000.0.unpack | Avira: Label: TR/AD.Emotet.dbvj

Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0229207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0229215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291F11 CryptExportKey,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291F56 CryptGetHashParam,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE1F11 CryptExportKey,
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE1F56 CryptGetHashParam,

Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00430BC9 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00430BC9 FindFirstFileA,FindClose,

Source: global traffic | TCP traffic: 192.168.2.6:49938 -> 125.99.61.162:7080
Source: global traffic | TCP traffic: 192.168.2.6:49947 -> 94.183.71.206:7080
Source: global traffic | TCP traffic: 192.168.2.6:49948 -> 91.83.93.105:8080
Source: global traffic | TCP traffic: 192.168.2.6:49949 -> 216.98.148.181:8080
Source: Joe Sandbox View | IP Address: 125.99.61.162
Source: Joe Sandbox View | IP Address: 94.183.71.206
Source: Joe Sandbox View | IP Address: 91.83.93.105
Source: Joe Sandbox View | IP Address: 91.83.93.105
Source: unknown | TCP traffic detected without corresponding DNS query: 125.99.61.162
Source: unknown | TCP traffic detected without corresponding DNS query: 125.99.61.162
Source: unknown | TCP traffic detected without corresponding DNS query: 125.99.61.162
Source: unknown | TCP traffic detected without corresponding DNS query: 94.183.71.206
Source: unknown | TCP traffic detected without corresponding DNS query: 94.183.71.206
Source: unknown | TCP traffic detected without corresponding DNS query: 94.183.71.206
Source: unknown | TCP traffic detected without corresponding DNS query: 91.83.93.105
Source: unknown | TCP traffic detected without corresponding DNS query: 91.83.93.105
Source: unknown | TCP traffic detected without corresponding DNS query: 91.83.93.105
Source: unknown | TCP traffic detected without corresponding DNS query: 216.98.148.181
Source: unknown | TCP traffic detected without corresponding DNS query: 216.98.148.181
Source: unknown | TCP traffic detected without corresponding DNS query: 216.98.148.181
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE1383 InternetReadFile,
Source: minimumwubi.exe, 00000003.00000002.1479115639.0000000000198000.00000004.00000001.sdmp | String found in binary or memory: http://216.98.148.181/publish/symbols/free/merge/
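Read together, the traffic lines and the extracted configuration do not agree: the config recovered from memory carries a single C2 (216.98.148.181/publish), while the sample opened connections to four public addresses on ports 7080 and 8080, none of them preceded by a DNS query. The Python below is an added example, not Joe Sandbox output: it parses the "TCP traffic" lines copied from this report, drops the sandbox-internal source address, flags non-standard web ports and marks which destinations the static config actually accounts for. The flow-line format and the set of ports treated as standard are assumptions of this example.

```python
"""Added example (not Joe Sandbox output): fold the network observations of
this report into an IOC list and check each public destination against the
C2 configuration extracted from memory.  Input lines are copied from the
report above; the flow-line format and the 'standard' port set are
assumptions of this example."""
import ipaddress
import re

# Constructed input: the four flow lines exactly as the report prints them.
TRAFFIC_LINES = [
    "TCP traffic: 192.168.2.6:49938 -> 125.99.61.162:7080",
    "TCP traffic: 192.168.2.6:49947 -> 94.183.71.206:7080",
    "TCP traffic: 192.168.2.6:49948 -> 91.83.93.105:8080",
    "TCP traffic: 192.168.2.6:49949 -> 216.98.148.181:8080",
]
EXTRACTED_CONFIG = {"C2 list": ["216.98.148.181/publish"]}
STANDARD_WEB_PORTS = {80, 443}  # assumption: anything else is "non-standard"

FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_flows(lines):
    """Extract (src, sport, dst, dport) tuples from 'TCP traffic' lines."""
    flows = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            flows.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def config_hosts(config):
    """Map each configured C2 host to its port (None when, as here, the
    entry is 'host/path' without an explicit port)."""
    hosts = {}
    for entry in config.get("C2 list", []):
        host, _, port = entry.split("/", 1)[0].partition(":")
        hosts[host] = int(port) if port else None
    return hosts


def triage(lines, config):
    """One finding per public destination: port oddness and whether the
    static config explains the connection."""
    known = config_hosts(config)
    findings = []
    for _src, _sport, dst, dport in parse_flows(lines):
        if ipaddress.ip_address(dst).is_private:
            continue  # sandbox-internal address, not an IOC
        findings.append({
            "dst": dst,
            "dport": dport,
            "non_standard_port": dport not in STANDARD_WEB_PORTS,
            "in_extracted_config": dst in known and known[dst] in (None, dport),
        })
    return findings


def unexplained_destinations(lines, config):
    """Destinations the sample contacted that the extracted config does not list."""
    return sorted(f["dst"] for f in triage(lines, config) if not f["in_extracted_config"])


if __name__ == "__main__":
    for finding in triage(TRAFFIC_LINES, EXTRACTED_CONFIG):
        print(finding)
    print("not in config:", unexplained_destinations(TRAFFIC_LINES, EXTRACTED_CONFIG))
```

On this report the script returns three destinations the static config does not list (125.99.61.162, 91.83.93.105, 94.183.71.206); indicators for blocking should therefore be taken from the observed traffic as well as from the extracted configuration, not from the configuration alone.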

Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0044240B GetKeyState,GetKeyState,GetKeyState,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0043C995 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00440C03 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0042CF30 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00429BB6 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0044240B GetKeyState,GetKeyState,GetKeyState,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0043C995 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00440C03 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0042CF30 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00429BB6 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0229D657
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DED657
Yara detected Emotet
Source: Yara match | File source: 00000003.00000002.1479674961.0000000000570000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1111327241.0000000002280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1062165487.0000000000561000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1111371732.0000000002291000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1101847702.0000000000531000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1101817922.0000000000520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1479932404.0000000000DE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1062088484.0000000000540000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.1479674961.0000000000570000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.1111327241.0000000002280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.1062165487.0000000000561000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.1111371732.0000000002291000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000002.00000002.1101847702.0000000000531000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000002.00000002.1101817922.0000000000520000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.1479932404.0000000000DE1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.1062088484.0000000000540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0229D823 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291D2B CreateProcessAsUserW,CreateProcessW,
Source: C:\Windows\SysWOW64\minimumwubi.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | File deleted: C:\Windows\SysWOW64\minimumwubi.exe:Zone.Identifier
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0042E1E8
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00424233
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00428300
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00408A42
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00423DA3
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0042E1E8
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00424233
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00428300
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00408A42
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00423DA3
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_022828C1
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_022830E8
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_022830E4
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_022937A9
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_022937A5
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02292F82
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE2F82
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE37A9
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE37A5
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 0042C90B appears 40 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 00409020 appears 114 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 0042A9D7 appears 62 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 00409A16 appears 62 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 00427CB5 appears 78 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 00409DD1 appears 36 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 0042AB0C appears 56 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 00442ED6 appears 68 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 00405DA4 appears 932 times
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: String function: 004010B9 appears 70 times
Source: jbzBOqYoA1.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jbzBOqYoA1.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jbzBOqYoA1.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jbzBOqYoA1.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jbzBOqYoA1.exe, 00000000.00000000.1054289752.000000000046E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMFCBind.EXEH vs jbzBOqYoA1.exe
Source: jbzBOqYoA1.exe, 00000001.00000000.1061127527.000000000046E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMFCBind.EXEH vs jbzBOqYoA1.exe
Source: jbzBOqYoA1.exe, 00000001.00000002.1113868429.00000000029F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs jbzBOqYoA1.exe
Source: jbzBOqYoA1.exe, 00000001.00000002.1113868429.00000000029F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs jbzBOqYoA1.exe
Source: jbzBOqYoA1.exe, 00000001.00000002.1111883271.00000000024A0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs jbzBOqYoA1.exe
Source: jbzBOqYoA1.exe | Binary or memory string: OriginalFilenameMFCBind.EXEH vs jbzBOqYoA1.exe
Source: 00000003.00000002.1479674961.0000000000570000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.1111327241.0000000002280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.1062165487.0000000000561000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.1111371732.0000000002291000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.1101847702.0000000000531000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.1101817922.0000000000520000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.1479932404.0000000000DE1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.1062088484.0000000000540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: classification engine | Classification label: mal92.bank.troj.evad.winEXE@6/0@0/4
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00433326 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004345F5 DestroyMenu,DestroyMenu,FreeResource,DestroyMenu,FreeResource,DestroyMenu,FreeResource,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0229D8F3 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M7AE0F80C
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I7AE0F80C
Source: C:\Windows\SysWOW64\minimumwubi.exe | Mutant created: \BaseNamedObjects\Global\I7AE0F80C
Source: jbzBOqYoA1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: jbzBOqYoA1.exe | Virustotal: Detection: 79%
Source: jbzBOqYoA1.exe | ReversingLabs: Detection: 82%
Source: unknown | Process created: C:\Users\user\Desktop\jbzBOqYoA1.exe 'C:\Users\user\Desktop\jbzBOqYoA1.exe'
Source: unknown | Process created: C:\Users\user\Desktop\jbzBOqYoA1.exe --3c72c125
Source: unknown | Process created: C:\Windows\SysWOW64\minimumwubi.exe C:\Windows\SysWOW64\minimumwubi.exe
Source: unknown | Process created: C:\Windows\SysWOW64\minimumwubi.exe --f1508aa9
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Process created: C:\Users\user\Desktop\jbzBOqYoA1.exe --3c72c125
Source: C:\Windows\SysWOW64\minimumwubi.exe | Process created: C:\Windows\SysWOW64\minimumwubi.exe --f1508aa9
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_CURSOR
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_BITMAP
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_ICON
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_MENU
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_DIALOG
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_STRING
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_ACCELERATOR
Source: jbzBOqYoA1.exe | Static PE information: section name: RT_GROUP_ICON

Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004309A9 __EH_prolog,LoadLibraryA,GetProcAddress,
Source: jbzBOqYoA1.exe | Static PE information: real checksum: 0x8ec7c should be: 0x91cdf
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0040905B push ecx; ret
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004058B0 push eax; ret
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004058B0 push eax; ret
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00405DA4 push eax; ret
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0040905B push ecx; ret
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_004058B0 push eax; ret
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_004058B0 push eax; ret
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00405DA4 push eax; ret
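The line "real checksum: 0x8ec7c should be: 0x91cdf" (signature "PE file contains an invalid checksum") reports that the CheckSum field stored in the optional header differs from the value computed over the file. The Python below is an added example, not Joe Sandbox code: it reimplements the image checksum (the file summed as little-endian 32-bit words with end-around carry, skipping the CheckSum field itself, folded to 16 bits, plus the file length, which is the algorithm behind imagehlp's CheckSumMappedFile) and verifies it against a 160-byte PE stub constructed by hand for the test; the analysed sample is not used. It assumes e_lfanew is 4-byte aligned, which holds for normally linked files.

```python
"""Added example (not Joe Sandbox code): recompute the PE image checksum and
compare it with the value stored in IMAGE_OPTIONAL_HEADER.CheckSum, the
check behind the 'real checksum ... should be ...' line above.  The stub PE
below is constructed by hand for the test; the analysed sample is not used."""
import struct

PE_SIGNATURE_SIZE = 4
FILE_HEADER_SIZE = 20
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 64  # same for PE32 and PE32+


def checksum_field_offset(data: bytes) -> int:
    """File offset of the CheckSum dword.  Assumes e_lfanew is 4-byte aligned,
    as it is in normally linked files."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + PE_SIGNATURE_SIZE + FILE_HEADER_SIZE + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER


def pe_checksum(data: bytes) -> int:
    """Image checksum as imagehlp's CheckSumMappedFile computes it: the file is
    summed as little-endian 32-bit words with end-around carry, the CheckSum
    field itself is skipped, the sum is folded to 16 bits and the file size
    is added."""
    skip_index = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)   # pad the tail to a whole dword
    total = 0
    for index in range(len(padded) // 4):
        if index == skip_index:
            continue
        total += struct.unpack_from("<I", padded, index * 4)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    """CheckSum value as written in the optional header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_is_valid(data: bytes) -> bool:
    """False both for a zero (never set) and for a stale or forged CheckSum."""
    return stored_checksum(data) == pe_checksum(data)


def build_stub_pe(stored: int = 0) -> bytes:
    """Constructed 160-byte stub: MZ header, e_lfanew = 0x40, 'PE\\0\\0',
    zeroed file/optional headers, CheckSum field at 0x98 set to `stored`."""
    buf = bytearray(0xA0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x98, stored)
    return bytes(buf)


if __name__ == "__main__":
    sample = build_stub_pe(0x12345678)
    print(f"stored 0x{stored_checksum(sample):x}, computed 0x{pe_checksum(sample):x}, "
          f"valid={checksum_is_valid(sample)}")
```

Two caveats when reading this signature: many legitimately built user-mode executables carry a zero CheckSum, because the linker only emits one when asked, so an absent checksum is weak evidence on its own; a non-zero value that fails to verify, as here (0x8ec7c stored against 0x91cdf computed), indicates the image was modified after the checksum was written or the header value was copied from another file, which fits the "Sample file is different than original file name gathered from version info" finding above.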

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\minimumwubi.exe | Executable created and started: C:\Windows\SysWOW64\minimumwubi.exe
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | PE file moved: C:\Windows\SysWOW64\minimumwubi.exe

Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0229D8F3 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | File opened: C:\Windows\SysWOW64\minimumwubi.exe:Zone.Identifier (access: read attributes, delete)
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004044FD IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_0043E7D6 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00440CE7 IsWindowVisible,IsIconic,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004396C4 IsIconic,IsWindowVisible,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00433D1A GetParent,GetParent,IsIconic,GetParent,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_004044FD IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_0043E7D6 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00440CE7 IsWindowVisible,IsIconic,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_004396C4 IsIconic,IsWindowVisible,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00433D1A GetParent,GetParent,IsIconic,GetParent,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\minimumwubi.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\minimumwubi.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\minimumwubi.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\minimumwubi.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\minimumwubi.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\minimumwubi.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\minimumwubi.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | API coverage: 3.4 %
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | API coverage: 5.7 %
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00430BC9 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00430BC9 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00409DD1 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\minimumwubi.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\minimumwubi.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\minimumwubi.exe | Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004309A9 __EH_prolog,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_004015A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_004015A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02280467 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02280C0C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02281743 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_022912CD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_02291E04 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE12CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\minimumwubi.exe | Code function: 3_2_00DE1E04 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_022914F2 GetProcessHeap,RtlAllocateHeap,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00409B92 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 0_2_00409BA6 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00409B92 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\jbzBOqYoA1.exe | Code function: 1_2_00409BA6 SetUnhandledExceptionFilter,

        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: lstrcpyA,wsprintfA,LoadLibraryA,GetLocaleInfoA,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoA,_strncpy,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoA,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: _strlen,EnumSystemLocalesA,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: _strlen,_strlen,EnumSystemLocalesA,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: _strlen,EnumSystemLocalesA,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoA,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoA,MultiByteToWideChar,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoW,WideCharToMultiByte,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: lstrcpyA,wsprintfA,LoadLibraryA,GetLocaleInfoA,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoA,_strncpy,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoA,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: _strlen,EnumSystemLocalesA,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: _strlen,_strlen,EnumSystemLocalesA,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: _strlen,EnumSystemLocalesA,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoA,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoA,MultiByteToWideChar,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: GetLocaleInfoW,WideCharToMultiByte,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: 1_2_0228D9B7 cpuid
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\minimumwubi.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: 0_2_0040BE8A GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: 0_2_0040DE3E __lock,_strlen,_strcat,_strncpy,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: 0_2_0040436B GetVersionExA,
        Source: C:\Windows\SysWOW64\minimumwubi.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Emotet
        Source: Yara match File source: 00000003.00000002.1479674961.0000000000570000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000002.1111327241.0000000002280000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.1062165487.0000000000561000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000001.00000002.1111371732.0000000002291000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000002.00000002.1101847702.0000000000531000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000002.00000002.1101817922.0000000000520000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000003.00000002.1479932404.0000000000DE1000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match File source: 00000000.00000002.1062088484.0000000000540000.00000040.00000001.sdmp, type: MEMORY

        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: 0_2_00448089 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: 0_2_0044BB18 lstrcpynA,lstrlenA,lstrlenA,CreateFileMoniker,CreateBindCtx,lstrlenA,CreateGenericComposite,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: 0_2_00447B3B CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: 1_2_00448089 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: 1_2_0044BB18 lstrcpynA,lstrlenA,lstrlenA,CreateFileMoniker,CreateBindCtx,lstrlenA,CreateGenericComposite,
        Source: C:\Users\user\Desktop\jbzBOqYoA1.exe Code function: 1_2_00447B3B CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree,

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts1 | Execution through API11 | Hidden Files and Directories1 | Valid Accounts1 | Software Packing1 | Input Capture1 | System Time Discovery2 | Remote File Copy1 | Input Capture1 | Data Encrypted11 | Uncommonly Used Port1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1
        Replication Through Removable Media | Service Execution12 | Valid Accounts1 | Access Token Manipulation1 | Deobfuscate/Decode Files or Information1 | Network Sniffing | Security Software Discovery1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Commonly Used Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        External Remote Services | Windows Management Instrumentation | Modify Existing Service11 | Process Injection1 | File Deletion1 | Input Capture | System Service Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote File Copy1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Drive-by Compromise | Scheduled Task | New Service2 | New Service2 | Obfuscated Files or Information2 | Credentials in Files | File and Directory Discovery2 | Logon Scripts | Input Capture | Data Encrypted | Standard Cryptographic Protocol2 | SIM Card Swap | Premium SMS Toll Fraud |
        Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading12 | Account Manipulation | System Information Discovery37 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
        Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Hidden Files and Directories1 | Brute Force | Process Discovery2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features |
        Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Valid Accounts1 | Two-Factor Authentication Interception | Application Window Discovery1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
        Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
        Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection1 | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | Data Destruction |

        Behavior Graph
