Analysis Report E08ar33wan

Overview

General Information

Sample Name: E08ar33wan (renamed file extension from none to exe)
MD5: 1c33624bb4805ff432dc6f458be9b0a4
SHA1: 53685e4f5dc4d6935cf8af369395578444b1e9b1
SHA256: 546c604339d0285a8ef648f0e539d0c678fd78cb3b58a3f025010e17fd6dbf63

Most interesting Screenshot:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus or Machine Learning detection for unpacked file
Contains functionality locales information (e.g. system language)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • E08ar33wan.exe (PID: 4752 cmdline: 'C:\Users\user\Desktop\E08ar33wan.exe' MD5: 1C33624BB4805FF432DC6F458BE9B0A4)
    • E08ar33wan.exe (PID: 2692 cmdline: --83438383 MD5: 1C33624BB4805FF432DC6F458BE9B0A4)
  • tranbackup.exe (PID: 3056 cmdline: C:\Windows\SysWOW64\tranbackup.exe MD5: 1C33624BB4805FF432DC6F458BE9B0A4)
    • tranbackup.exe (PID: 3052 cmdline: --15064f5f MD5: 1C33624BB4805FF432DC6F458BE9B0A4)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["216.98.148.181/chunk", "216.98.148.181:8080", "91.83.93.105:8080", "125.99.61.162:7080", "94.183.71.206/acquire", "94.183.71.206:7080"]}

Yara Overview

Memory Dumps

Source: 00000001.00000002.1078097274.0000000002281000.00000020.00000001.sdmp, Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Author: Joe Security
Source: 00000001.00000002.1078097274.0000000002281000.00000020.00000001.sdmp, Rule: Emotet, Description: Emotet Payload, Author: kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 17 29 02 85 C0
  • 0x50d4:$snippet6: 33 C0 21 05 5C 39 29 02 A3 58 39 29 02 39 05 90 03 29 02 74 18 40 A3 58 39 29 02 83 3C C5 90 03 ...
Source: 00000000.00000002.1043772960.0000000002211000.00000020.00000001.sdmp, Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Author: Joe Security
Source: 00000000.00000002.1043772960.0000000002211000.00000020.00000001.sdmp, Rule: Emotet, Description: Emotet Payload, Author: kevoreilly
  • 0xfad:$snippet2: 6A 13 68 01 00 01 00 FF 15 58 17 22 02 85 C0
  • 0x50d4:$snippet6: 33 C0 21 05 5C 39 22 02 A3 58 39 22 02 39 05 90 03 22 02 74 18 40 A3 58 39 22 02 83 3C C5 90 03 ...
Source: 00000002.00000002.1076244773.0000000000F21000.00000020.00000001.sdmp, Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: E08ar33wan.exe Avira: detected
Found malware configuration
Source: tranbackup.exe.3052.3.memstr Malware Configuration Extractor: Emotet {"C2 list": ["216.98.148.181/chunk", "216.98.148.181:8080", "91.83.93.105:8080", "125.99.61.162:7080", "94.183.71.206/acquire", "94.183.71.206:7080"]}
Multi AV Scanner detection for submitted file
Source: E08ar33wan.exe Virustotal: Detection: 80%
Source: E08ar33wan.exe Metadefender: Detection: 35%
Source: E08ar33wan.exe ReversingLabs: Detection: 84%
Source: 2.0.tranbackup.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.dbvj
Source: 0.0.E08ar33wan.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.dbvj
Source: 3.0.tranbackup.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.dbvj
Source: 1.0.E08ar33wan.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.dbvj

Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_0228207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_0228215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_02281F11 CryptExportKey,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_02281F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_02281F56 CryptGetHashParam,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_02281FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,

Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00430BC9 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_00430BC9 FindFirstFileA,FindClose,

Source: global traffic TCP traffic: 192.168.2.6:49938 -> 125.99.61.162:7080
Source: global traffic TCP traffic: 192.168.2.6:49940 -> 94.183.71.206:7080
Source: global traffic TCP traffic: 192.168.2.6:49948 -> 91.83.93.105:8080
Source: global traffic TCP traffic: 192.168.2.6:49949 -> 216.98.148.181:8080
Source: Joe Sandbox View IP Address: 125.99.61.162
Source: Joe Sandbox View IP Address: 94.183.71.206
Source: Joe Sandbox View IP Address: 91.83.93.105
Source: Joe Sandbox View IP Address: 216.98.148.181
Source: Joe Sandbox View ASN Name: unknown (reported 4 times)
Source: unknown TCP traffic detected without corresponding DNS query: 125.99.61.162 (reported 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 94.183.71.206 (reported 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 91.83.93.105 (reported 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 216.98.148.181 (reported 3 times)
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp, tranbackup.exe, 00000003.00000003.1229674285.0000000000800000.00000004.00000001.sdmp String found in binary or memory: http://125.99.61.162:7080/enabled/usbccid/xian/merge/
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp String found in binary or memory: http://125.99.61.162:7080/enabled/usbccid/xian/merge/p
Source: tranbackup.exe, 00000003.00000002.1454257924.0000000000198000.00000004.00000001.sdmp, tranbackup.exe, 00000003.00000002.1455654140.00000000007FD000.00000004.00000020.sdmp String found in binary or memory: http://216.98.148.181/chunk/
Source: tranbackup.exe, 00000003.00000002.1455654140.00000000007FD000.00000004.00000020.sdmp String found in binary or memory: http://216.98.148.181/chunk/T
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp String found in binary or memory: http://216.98.148.181:8080/chunk/
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp String found in binary or memory: http://216.98.148.181:8080/chunk/32
Source: tranbackup.exe, 00000003.00000002.1455654140.00000000007FD000.00000004.00000020.sdmp String found in binary or memory: http://216.98.148.181:8080/chunk/jQf
Source: tranbackup.exe, 00000003.00000002.1455654140.00000000007FD000.00000004.00000020.sdmp String found in binary or memory: http://216.98.148.181:8080/chunk/l
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp String found in binary or memory: http://216.98.148.181:8080/chunk/~x
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp String found in binary or memory: http://91.83.93.105:8080/teapot/stubs/xian/merge/
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp String found in binary or memory: http://91.83.93.105:8080/teapot/stubs/xian/merge//
Source: tranbackup.exe, 00000003.00000002.1455654140.00000000007FD000.00000004.00000020.sdmp String found in binary or memory: http://91.83.93.105:8080/teapot/stubs/xian/merge/QH
Source: tranbackup.exe, 00000003.00000003.1229674285.0000000000800000.00000004.00000001.sdmp String found in binary or memory: http://94.183.71.206/acquire/symbols/xian/
Source: tranbackup.exe, 00000003.00000003.1229674285.0000000000800000.00000004.00000001.sdmp String found in binary or memory: http://94.183.71.206:7080/acquire/symbols/xian/
Source: tranbackup.exe, 00000003.00000003.1229674285.0000000000800000.00000004.00000001.sdmp String found in binary or memory: http://94.183.71.206:7080/acquire/symbols/xian/5
Source: tranbackup.exe, 00000003.00000003.1229674285.0000000000800000.00000004.00000001.sdmp String found in binary or memory: http://94.183.71.206:7080/acquire/symbols/xian/:
Source: tranbackup.exe, 00000003.00000003.1229674285.0000000000800000.00000004.00000001.sdmp String found in binary or memory: http://94.183.71.206:7080/acquire/symbols/xian/H

Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_0044240B GetKeyState,GetKeyState,GetKeyState,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_0043C995 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00440C03 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_0042CF30 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00429BB6 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_0044240B GetKeyState,GetKeyState,GetKeyState,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_0043C995 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_00440C03 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_0042CF30 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_00429BB6 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_0228D657
Yara detected Emotet
Source: Yara match File source: 00000001.00000002.1078097274.0000000002281000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1043772960.0000000002211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1076244773.0000000000F21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1076185938.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1078066753.0000000002270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1455138019.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1455183187.0000000000741000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1043740200.0000000002200000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_02281F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext,

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.1078097274.0000000002281000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.1043772960.0000000002211000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000002.00000002.1076244773.0000000000F21000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000002.00000002.1076185938.0000000000F10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.1078066753.0000000002270000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.1455138019.0000000000730000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.1455183187.0000000000741000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.1043740200.0000000002200000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_0228D823 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_02281D2B CreateProcessAsUserW,CreateProcessW,
Source: C:\Windows\SysWOW64\tranbackup.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\E08ar33wan.exe File deleted: C:\Windows\SysWOW64\tranbackup.exe:Zone.Identifier
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_0042E1E8
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00424233
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00428300
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00408A42
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00423DA3
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_022028C1
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_022030E4
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_022030E8
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_022137A5
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_022137A9
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_02212F82
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_0042E1E8
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_00424233
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_00428300
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_00408A42
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_00423DA3
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_022728C1
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_022730E4
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_022730E8
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_022837A9
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_022837A5
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_02282F82
Source: C:\Windows\SysWOW64\tranbackup.exe Code function: 2_2_00F130E4
Source: C:\Windows\SysWOW64\tranbackup.exe Code function: 2_2_00F130E8
Source: C:\Windows\SysWOW64\tranbackup.exe Code function: 2_2_00F128C1
Source: C:\Windows\SysWOW64\tranbackup.exe Code function: 2_2_00F237A5
Source: C:\Windows\SysWOW64\tranbackup.exe Code function: 2_2_00F237A9
Source: C:\Windows\SysWOW64\tranbackup.exe Code function: 2_2_00F22F82
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: String function: 0042C90B appears 40 times
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: String function: 00409020 appears 114 times
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: String function: 0042A9D7 appears 62 times
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: String function: 00409A16 appears 62 times
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: String function: 00427CB5 appears 78 times
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: String function: 00409DD1 appears 36 times
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: String function: 0042AB0C appears 56 times
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: String function: 00442ED6 appears 68 times
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: String function: 00405DA4 appears 932 times
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: String function: 004010B9 appears 70 times
Source: E08ar33wan.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (reported 4 times)
Source: E08ar33wan.exe, 00000000.00000000.1035646358.000000000046E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMFCBind.EXEH vs E08ar33wan.exe
Source: E08ar33wan.exe, 00000001.00000002.1079650740.0000000002960000.00000002.00000001.sdmp Binary or memory string: originalfilename vs E08ar33wan.exe
Source: E08ar33wan.exe, 00000001.00000002.1079650740.0000000002960000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs E08ar33wan.exe
Source: E08ar33wan.exe, 00000001.00000002.1077545021.000000000046E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMFCBind.EXEH vs E08ar33wan.exe
Source: E08ar33wan.exe, 00000001.00000002.1079581596.0000000002910000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs E08ar33wan.exe
Source: E08ar33wan.exe Binary or memory string: OriginalFilenameMFCBind.EXEH vs E08ar33wan.exe
Source: 00000001.00000002.1078097274.0000000002281000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.1043772960.0000000002211000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.1076244773.0000000000F21000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.1076185938.0000000000F10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.1078066753.0000000002270000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.1455138019.0000000000730000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.1455183187.0000000000741000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.1043740200.0000000002200000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@6/0@0/4
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00433326 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_02211943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_004345F5 DestroyMenu,DestroyMenu,FreeResource,DestroyMenu,FreeResource,DestroyMenu,FreeResource,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_0228D8F3 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,
Source: C:\Users\user\Desktop\E08ar33wan.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\M4FE3305E
Source: C:\Users\user\Desktop\E08ar33wan.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\I4FE3305E
Source: E08ar33wan.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\E08ar33wan.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\E08ar33wan.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: E08ar33wan.exe Virustotal: Detection: 80%
Source: E08ar33wan.exe Metadefender: Detection: 35%
Source: E08ar33wan.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\E08ar33wan.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\tranbackup.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\E08ar33wan.exe 'C:\Users\user\Desktop\E08ar33wan.exe'
Source: unknown Process created: C:\Users\user\Desktop\E08ar33wan.exe --83438383
Source: unknown Process created: C:\Windows\SysWOW64\tranbackup.exe C:\Windows\SysWOW64\tranbackup.exe
Source: unknown Process created: C:\Windows\SysWOW64\tranbackup.exe --15064f5f
Source: C:\Users\user\Desktop\E08ar33wan.exe Process created: C:\Users\user\Desktop\E08ar33wan.exe --83438383
Source: C:\Windows\SysWOW64\tranbackup.exe Process created: C:\Windows\SysWOW64\tranbackup.exe --15064f5f
Source: C:\Users\user\Desktop\E08ar33wan.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: E08ar33wan.exe Static PE information: section name: RT_CURSOR
Source: E08ar33wan.exe Static PE information: section name: RT_BITMAP
Source: E08ar33wan.exe Static PE information: section name: RT_ICON
Source: E08ar33wan.exe Static PE information: section name: RT_MENU
Source: E08ar33wan.exe Static PE information: section name: RT_DIALOG
Source: E08ar33wan.exe Static PE information: section name: RT_STRING
Source: E08ar33wan.exe Static PE information: section name: RT_ACCELERATOR
Source: E08ar33wan.exe Static PE information: section name: RT_GROUP_ICON

Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_004309A9 __EH_prolog,LoadLibraryA,GetProcAddress,
Source: E08ar33wan.exe Static PE information: real checksum: 0x8ec7c should be: 0x87d44
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_0040905B push ecx; ret
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_004058B0 push eax; ret (reported 2 times)
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00405DA4 push eax; ret
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_0040905B push ecx; ret
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_004058B0 push eax; ret (reported 2 times)
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_00405DA4 push eax; ret

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\tranbackup.exe Executable created and started: C:\Windows\SysWOW64\tranbackup.exe
Source: C:\Users\user\Desktop\E08ar33wan.exe PE file moved: C:\Windows\SysWOW64\tranbackup.exe

Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_0228D8F3 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\E08ar33wan.exe File opened: C:\Windows\SysWOW64\tranbackup.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_004044FD IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_0043E7D6 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00440CE7 IsWindowVisible,IsIconic,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_004396C4 IsIconic,IsWindowVisible,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00433D1A GetParent,GetParent,IsIconic,GetParent,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_004044FD IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_0043E7D6 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_00440CE7 IsWindowVisible,IsIconic,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_004396C4 IsIconic,IsWindowVisible,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_00433D1A GetParent,GetParent,IsIconic,GetParent,
Source: C:\Users\user\Desktop\E08ar33wan.exe Process information set: NOOPENFILEERRORBOX (reported 7 times)
Source: C:\Windows\SysWOW64\tranbackup.exe Process information set: NOOPENFILEERRORBOX (reported 6 times)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\tranbackup.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\E08ar33wan.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle,
Source: C:\Users\user\Desktop\E08ar33wan.exe API coverage: 3.9 %
Source: C:\Users\user\Desktop\E08ar33wan.exe API coverage: 5.7 %
Source: C:\Windows\SysWOW64\tranbackup.exe API coverage: 9.9 %
Source: C:\Users\user\Desktop\E08ar33wan.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00430BC9 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_00430651 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 1_2_00430BC9 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\E08ar33wan.exe Code function: 0_2_00409DD1 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,
Source: tranbackup.exe, 00000003.00000002.1455618550.00000000007D9000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\E08ar33wan.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\tranbackup.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\tranbackup.exe Process information queried: ProcessInformation

        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_004309A9 __EH_prolog,LoadLibraryA,GetProcAddress,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_004015A6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_02200467 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_02200C0C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_02201743 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_022112CD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_02211E04 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_004015A6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02270467 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02270C0C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02271743 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_022812CD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_02281E04 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F10467 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F10C0C mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F11743 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F212CD mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\tranbackup.exe | Code function: 2_2_00F21E04 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_022114F2 GetProcessHeap,RtlAllocateHeap,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00409B92 SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00409BA6 SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00409B92 SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00409BA6 SetUnhandledExceptionFilter,

        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: lstrcpyA,wsprintfA,LoadLibraryA,GetLocaleInfoA,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoA,_strncpy,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoA,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: _strlen,EnumSystemLocalesA,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: _strlen,_strlen,EnumSystemLocalesA,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: _strlen,EnumSystemLocalesA,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoA,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoA,MultiByteToWideChar,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoW,WideCharToMultiByte,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: lstrcpyA,wsprintfA,LoadLibraryA,GetLocaleInfoA,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoA,_strncpy,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoA,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: _strlen,EnumSystemLocalesA,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: _strlen,_strlen,EnumSystemLocalesA,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: _strlen,EnumSystemLocalesA,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoA,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoA,MultiByteToWideChar,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: GetLocaleInfoW,WideCharToMultiByte,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0220D9B7 cpuid
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\tranbackup.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0040BE8A GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0040DE3E __lock,_strlen,_strcat,_strncpy,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0040436B GetVersionExA,
        Source: C:\Windows\SysWOW64\tranbackup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Emotet
        Source: Yara match | File source: 00000001.00000002.1078097274.0000000002281000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1043772960.0000000002211000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.1076244773.0000000000F21000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.1076185938.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.1078066753.0000000002270000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1455138019.0000000000730000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1455183187.0000000000741000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1043740200.0000000002200000.00000040.00000001.sdmp, type: MEMORY

        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00448089 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_0044BB18 lstrcpynA,lstrlenA,lstrlenA,CreateFileMoniker,CreateBindCtx,lstrlenA,CreateGenericComposite,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 0_2_00447B3B CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00448089 lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_0044BB18 lstrcpynA,lstrlenA,lstrlenA,CreateFileMoniker,CreateBindCtx,lstrlenA,CreateGenericComposite,
        Source: C:\Users\user\Desktop\E08ar33wan.exe | Code function: 1_2_00447B3B CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree,
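The "Code function" hits that read the PEB (mov eax, fs:[30h]) and the GetProcessHeap call are reported at addresses in the 0x0220xxxx/0x0221xxxx range for E08ar33wan.exe and 0x00F1xxxx/0x00F2xxxx for tranbackup.exe, while the "Yara detected Emotet" matches are memory dumps whose names carry the region base addresses 0x02200000, 0x02211000, 0x00F10000 and 0x00F21000. The script below, written for this report as an added example (it is not Joe Sandbox code and not part of the original page), parses both lists and places each flagged function into the nearest Yara-matched region of the same process, so the analyst can see which anti-analysis code belongs to the unpacked payload rather than to the original image. Assumptions, marked in the code: the dump-name field order (process, run, id, base, protection, type) is inferred from the report itself; region sizes are not in the names, so containment is inferred from the closest base at or below the address; the protection constant names come from winnt.h.

```python
"""Correlate Joe Sandbox 'Code function' hits with Yara-matched memory dumps.

Added example for this report, not Joe Sandbox's own code. Inputs are copied
from the report sections above; assumptions are marked inline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Page-protection values from winnt.h; the dump name's fifth field is one of these.
PROTECTION_NAMES = {
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# Dump names copied from the "Yara detected Emotet" sources above.
YARA_DUMPS = [
    "00000001.00000002.1078097274.0000000002281000.00000020.00000001.sdmp",
    "00000000.00000002.1043772960.0000000002211000.00000020.00000001.sdmp",
    "00000002.00000002.1076244773.0000000000F21000.00000020.00000001.sdmp",
    "00000002.00000002.1076185938.0000000000F10000.00000040.00000001.sdmp",
    "00000001.00000002.1078066753.0000000002270000.00000040.00000001.sdmp",
    "00000003.00000002.1455138019.0000000000730000.00000040.00000001.sdmp",
    "00000003.00000002.1455183187.0000000000741000.00000020.00000001.sdmp",
    "00000000.00000002.1043740200.0000000002200000.00000040.00000001.sdmp",
]

# A subset of the "Code function" lines above, in the fused spelling the
# extracted report uses ("...exeCode function:").
CODE_FUNCTION_LINES = [
    "Source: C:\\Users\\user\\Desktop\\E08ar33wan.exeCode function: 0_2_004015A6 mov eax, dword ptr fs:[00000030h]",
    "Source: C:\\Users\\user\\Desktop\\E08ar33wan.exeCode function: 0_2_02200467 mov eax, dword ptr fs:[00000030h]",
    "Source: C:\\Users\\user\\Desktop\\E08ar33wan.exeCode function: 0_2_022112CD mov eax, dword ptr fs:[00000030h]",
    "Source: C:\\Users\\user\\Desktop\\E08ar33wan.exeCode function: 0_2_022114F2 GetProcessHeap,RtlAllocateHeap,",
    "Source: C:\\Windows\\SysWOW64\\tranbackup.exeCode function: 2_2_00F10467 mov eax, dword ptr fs:[00000030h]",
    "Source: C:\\Windows\\SysWOW64\\tranbackup.exeCode function: 2_2_00F21E04 mov eax, dword ptr fs:[00000030h]",
]


@dataclass(frozen=True)
class Region:
    process: int     # sandbox process index (the "0" in 0_2_...)
    run: int         # run/dump index (the "2" in 0_2_...)
    base: int        # region base address
    protection: int  # page protection value
    name: str


@dataclass(frozen=True)
class Hit:
    image: str
    process: int
    run: int
    address: int
    chain: str


def parse_sdmp(name: str) -> Region:
    # ASSUMPTION: field order <process>.<run>.<id>.<base>.<protection>.<type>.sdmp,
    # inferred because the first two fields line up with the 0_2_ hit prefix.
    # All fields are read as hexadecimal.
    proc, run, _uid, base, prot, _kind, ext = name.split(".")
    if ext != "sdmp":
        raise ValueError(f"not a dump name: {name}")
    return Region(int(proc, 16), int(run, 16), int(base, 16), int(prot, 16), name)


HIT_RE = re.compile(
    r"Source: (?P<image>.+?\.exe)\s*Code function: "
    r"(?P<proc>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8}) (?P<chain>.*)$"
)


def parse_hit(line: str) -> Optional[Hit]:
    """Parse one 'Code function' line; lines of other signature types return None."""
    m = HIT_RE.match(line.strip())
    if not m:
        return None
    return Hit(m["image"], int(m["proc"]), int(m["run"]),
               int(m["addr"], 16), m["chain"].strip())


def locate(hit: Hit, regions: List[Region]) -> Optional[Region]:
    """Pick the Yara-matched region of the same process/run with the closest
    base at or below the hit. ASSUMPTION: no region size is available, so a
    hit below every matched base (e.g. 0x004015A6 in the original image)
    returns None rather than being forced into a region."""
    candidates = [r for r in regions
                  if r.process == hit.process and r.run == hit.run and r.base <= hit.address]
    return max(candidates, key=lambda r: r.base) if candidates else None


def correlate(dumps=YARA_DUMPS, lines=CODE_FUNCTION_LINES) -> Dict[str, Optional[str]]:
    """Map '<proc>_<run>_<addr>' -> '<region base>/<protection>' or None."""
    regions = [parse_sdmp(d) for d in dumps]
    out: Dict[str, Optional[str]] = {}
    for line in lines:
        hit = parse_hit(line)
        if hit is None:
            continue
        region = locate(hit, regions)
        key = f"{hit.process}_{hit.run}_{hit.address:08X}"
        if region is None:
            out[key] = None
        else:
            prot = PROTECTION_NAMES.get(region.protection, hex(region.protection))
            out[key] = f"{region.base:08X}/{prot}"
    return out


if __name__ == "__main__":
    for func, where in correlate().items():
        print(f"{func}: {where or 'below every Yara-matched base (original image)'}")
```

Read against the report, every fs:[30h] read at 0x0220xxxx/0x0221xxxx and the GetProcessHeap call at 0x022114F2 fall in the 0x02200000 (RWX) and 0x02211000 (RX) regions where the Emotet rule fired, and the tranbackup.exe hits fall in 0x00F10000/0x00F21000; only 0x004015A6 sits in the original image below any matched region. Because the names carry no region size, treat this as a triage pointer and confirm by opening the dump itself.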

        Mitre Att&ck Matrix

        One technique per tactic column, columns separated by "|"; a number in brackets after a technique is the report's signature-hit badge, reproduced as extracted; "-" marks an empty cell.

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts [1] | Execution through API [111] | Hidden Files and Directories [1] | Valid Accounts [1] | Software Packing [1] | Input Capture [1] | System Time Discovery [2] | Application Deployment Software | Input Capture [1] | Data Encrypted [11] | Uncommonly Used Port [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact [1]
        Replication Through Removable Media | Command-Line Interface [2] | Valid Accounts [1] | Access Token Manipulation [1] | Deobfuscate/Decode Files or Information [1] | Network Sniffing | Security Software Discovery [11] | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Commonly Used Port [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        External Remote Services | Service Execution [12] | Modify Existing Service [11] | Process Injection [1] | File Deletion [1] | Input Capture | System Service Discovery [1] | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Cryptographic Protocol [2] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Drive-by Compromise | Scheduled Task | New Service [2] | New Service [2] | Obfuscated Files or Information [2] | Credentials in Files | File and Directory Discovery [2] | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | - | Premium SMS Toll Fraud
        Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading [12] | Account Manipulation | System Information Discovery [37] | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
        Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Hidden Files and Directories [1] | Brute Force | Process Discovery [2] | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | - | Abuse Accessibility Features
        Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Valid Accounts [1] | Two-Factor Authentication Interception | Application Window Discovery [1] | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
        Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation [1] | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
        Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection [1] | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | - | Data Destruction

        Behavior Graph

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet