
Analysis Report SecuriteInfo.com.Trojan.DownLoader34.14215.9248.22662

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.DownLoader34.14215.9248.22662 (renamed file extension from 22662 to exe)
Analysis ID:255716
MD5:5c7cbccdb9a542238618c2288cbafda6
SHA1:22e4af688396eb972f5670751656e885030ffe60
SHA256:5c8722f17722dd9a264f52bbc2b05032945d77332b14f5e98ac8115e2a8bf8bf

Most interesting Screenshot: [screenshot not reproduced in this text export]

Detection

Emotet
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • svchost.exe (PID: 6620 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6748 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5204 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6960 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6936 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 7052 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 4208 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 7112 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6988 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4052 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5864 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6572 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["142.105.151.124:443", "62.108.54.22:8080", "212.51.142.238:8080", "71.208.216.10:80", "108.48.41.69:80", "83.110.223.58:443", "210.165.156.91:80", "104.131.44.150:8080", "104.236.246.93:8080", "5.39.91.110:7080", "209.141.54.221:8080", "209.182.216.177:443", "153.126.210.205:7080", "91.211.88.52:7080", "180.92.239.110:8080", "183.101.175.193:80", "162.241.92.219:8080", "87.106.139.101:8080", "114.146.222.200:80", "190.160.53.126:80", "62.75.141.82:80", "46.105.131.87:80", "203.153.216.189:7080", "46.105.131.79:8080", "91.231.166.124:8080", "81.2.235.111:8080", "189.212.199.126:443", "95.9.185.228:443", "169.239.182.217:8080", "47.153.182.47:80", "116.203.32.252:8080", "139.130.242.43:80", "75.139.38.211:80", "41.60.200.34:80", "47.144.21.12:443", "103.86.49.11:8080", "95.179.229.244:8080", "173.91.22.41:80", "70.167.215.250:8080", "110.145.77.103:80", "85.59.136.180:8080", "5.196.74.210:8080", "24.234.133.205:80", "76.27.179.47:80", "104.131.11.150:443", "87.106.136.232:8080", "61.19.246.238:443", "201.173.217.124:443", "176.111.60.55:8080", "200.55.243.138:8080", "74.208.45.104:8080", "139.59.60.244:8080", "67.241.24.163:8080", "24.43.99.75:80", "93.51.50.171:8080", "109.74.5.95:8080", "137.59.187.107:8080", "37.139.21.175:8080", "157.245.99.39:8080", "124.45.106.173:443", "47.146.117.214:80", "95.213.236.64:8080", "62.138.26.28:8080", "190.55.181.54:443", "24.179.13.119:80", "168.235.67.138:7080", "181.230.116.163:80", "121.124.124.40:7080", "79.98.24.39:8080", "37.187.72.193:8080", "162.154.38.103:80", "78.24.219.147:8080", "200.41.121.90:80", "185.94.252.104:443", "50.116.86.205:8080"], "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"}
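The extracted configuration is the most reusable artefact in this report: the C2 list is a ready-made blocklist and the RSA public key identifies the botnet's key material. The Python script below is added here as a worked example; it is not Joe Sandbox code and not part of the sample. It parses that JSON with the standard library only, walks the DER of the SubjectPublicKeyInfo by hand to report the modulus size and exponent, and emits one Suricata/Snort rule per C2 pair. The embedded input is a constructed copy of the report's config trimmed to six of its 75 C2 entries; the key is the report's, verbatim, including the literal `\n` escapes the extractor left in it. The SID range, the rule wording and the private-address sanity check are assumptions of this example.

```python
"""Parse the Emotet configuration printed in the sandbox report above.

Added example (not Joe Sandbox code). Stdlib only, so the RSA key is decoded
with a minimal DER walker rather than a crypto library.
"""
import base64
import ipaddress
import json
from collections import Counter

# Constructed input: the report's config JSON trimmed from 75 C2 entries to
# six of them; the RSA public key is the report's, verbatim.
REPORT_CONFIG = r'''{"C2 list": ["142.105.151.124:443", "62.108.54.22:8080",
"212.51.142.238:8080", "71.208.216.10:80", "5.39.91.110:7080",
"50.116.86.205:8080"], "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"}'''

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _der_tlv(buf, pos):
    """Decode one DER tag/length/value starting at buf[pos].

    Returns (tag, value_bytes, position_after_value). Short and long-form
    lengths are handled, which is all a SubjectPublicKeyInfo needs.
    """
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64_key):
    """Return modulus size, exponent and DER length of a base64 SPKI RSA key."""
    der = base64.b64decode("".join(b64_key.split()))   # drop embedded newlines
    tag, spki, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must start with a SEQUENCE")
    _, alg, pos = _der_tlv(spki, 0)                    # AlgorithmIdentifier
    oid_tag, oid, _ = _der_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _der_tlv(spki, pos)               # BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsapub, _ = _der_tlv(bitstr[1:], 0)             # RSAPublicKey SEQUENCE
    _, n_bytes, pos = _der_tlv(rsapub, 0)              # INTEGER modulus
    _, e_bytes, _ = _der_tlv(rsapub, pos)              # INTEGER exponent
    n = int.from_bytes(n_bytes, "big")
    return {"modulus_bits": n.bit_length(),
            "exponent": int.from_bytes(e_bytes, "big"),
            "der_len": len(der)}


def parse_c2_list(entries):
    """Turn "ip:port" strings into (ip, port) tuples, rejecting anything odd."""
    c2 = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ip = ipaddress.ip_address(host)        # ValueError on a non-IP host
        if ip.is_private or ip.is_loopback:    # assumed sanity check
            raise ValueError(f"implausible C2 address {entry}")
        c2.append((str(ip), int(port)))
    return c2


def summarize(config_json):
    """Counts, port mix and key parameters for an extracted Emotet config."""
    cfg = json.loads(config_json)
    c2 = parse_c2_list(cfg["C2 list"])
    ports = Counter(port for _, port in c2)
    return {
        "c2_count": len(c2),
        "ports": dict(ports),
        "non_web_ports": sorted(p for p in ports if p not in (80, 443)),
        "key": parse_rsa_spki(cfg["RSA Public Key"]),
    }


def suricata_rules(c2, sid_base=9000000):
    """One alert rule per C2 pair; sid_base is an assumed local SID range."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Emotet C2 {ip}:{port} from sandbox config"; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(c2)
    ]


if __name__ == "__main__":
    print(json.dumps(summarize(REPORT_CONFIG), indent=2))
    for rule in suricata_rules(parse_c2_list(json.loads(REPORT_CONFIG)["C2 list"])):
        print(rule)
```

Run against the report's key, the script reports a 768-bit RSA modulus with public exponent 65537 in a 126-byte DER blob. The C2 ports are the 80/443/7080/8080 mix visible in the full list, so a port-only allowlist will not separate this traffic from the rest; the generated rules therefore key on address and port together.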

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.235910769.0000000000580000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.236177493.00000000021F1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.501216440.00000000005C0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.503188743.0000000002271000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.235910769.0000000000580000.00000040.00000001.sdmp | Malware Configuration Extractor: Emotet {"C2 list": ["142.105.151.124:443", "62.108.54.22:8080", "212.51.142.238:8080", "71.208.216.10:80", "108.48.41.69:80", "83.110.223.58:443", "210.165.156.91:80", "104.131.44.150:8080", "104.236.246.93:8080", "5.39.91.110:7080", "209.141.54.221:8080", "209.182.216.177:443", "153.126.210.205:7080", "91.211.88.52:7080", "180.92.239.110:8080", "183.101.175.193:80", "162.241.92.219:8080", "87.106.139.101:8080", "114.146.222.200:80", "190.160.53.126:80", "62.75.141.82:80", "46.105.131.87:80", "203.153.216.189:7080", "46.105.131.79:8080", "91.231.166.124:8080", "81.2.235.111:8080", "189.212.199.126:443", "95.9.185.228:443", "169.239.182.217:8080", "47.153.182.47:80", "116.203.32.252:8080", "139.130.242.43:80", "75.139.38.211:80", "41.60.200.34:80", "47.144.21.12:443", "103.86.49.11:8080", "95.179.229.244:8080", "173.91.22.41:80", "70.167.215.250:8080", "110.145.77.103:80", "85.59.136.180:8080", "5.196.74.210:8080", "24.234.133.205:80", "76.27.179.47:80", "104.131.11.150:443", "87.106.136.232:8080", "61.19.246.238:443", "201.173.217.124:443", "176.111.60.55:8080", "200.55.243.138:8080", "74.208.45.104:8080", "139.59.60.244:8080", "67.241.24.163:8080", "24.43.99.75:80", "93.51.50.171:8080", "109.74.5.95:8080", "137.59.187.107:8080", "37.139.21.175:8080", "157.245.99.39:8080", "124.45.106.173:443", "47.146.117.214:80", "95.213.236.64:8080", "62.138.26.28:8080", "190.55.181.54:443", "24.179.13.119:80", "168.235.67.138:7080", "181.230.116.163:80", "121.124.124.40:7080", "79.98.24.39:8080", "37.187.72.193:8080", "162.154.38.103:80", "78.24.219.147:8080", "200.41.121.90:80", "185.94.252.104:443", "50.116.86.205:8080"], "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"}
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_02271D9C CryptDecodeObjectEx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_0042853B __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_004026E0 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_00428B68 lstrlenA,FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_00401640 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_021F28BC FindNextFileW,FindFirstFileW,FindClose
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_0042853B __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_004026E0 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_00428B68 lstrlenA,FindFirstFileA,FindClose
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_00401640 FindFirstFileA,FindClose
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_022728BC FindNextFileW,FindFirstFileW,FindClose

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.7:49738 -> 142.105.151.124:443
Source: global traffic | HTTP traffic detected:
    POST /XbMBytKt/OOVgHQB/BxFtEmJW0c/Abkh5TRZSc/YfuI1bDtMFtUDakee/ HTTP/1.1
    Referer: http://142.105.151.124/XbMBytKt/OOVgHQB/BxFtEmJW0c/Abkh5TRZSc/YfuI1bDtMFtUDakee/
    Content-Type: multipart/form-data; boundary=---------------------------104235864240884
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 142.105.151.124:443
    Content-Length: 4596
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 142.105.151.124 (reported 10 times)
Source: unknown | HTTP traffic detected: the same POST request to 142.105.151.124:443 as listed under "global traffic" above
Source: quartz.exe, 00000001.00000002.506913821.00000000029BF000.00000004.00000001.sdmp | String found in binary or memory: http://142.105.151.124:443/XbMBytKt/OOVgHQB/BxFtEmJW0c/Abkh5TRZSc/YfuI1bDtMFtUDakee/
Source: quartz.exe, 00000001.00000002.506913821.00000000029BF000.00000004.00000001.sdmp | String found in binary or memory: http://142.105.151.124:443/XbMBytKt/OOVgHQB/BxFtEmJW0c/Abkh5TRZSc/YfuI1bDtMFtUDakee//
Source: svchost.exe, 00000002.00000002.501873487.00000140B98A6000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.504163920.00000213501F0000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: svchost.exe, 00000002.00000002.501873487.00000140B98A6000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.504163920.00000213501F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000002.00000002.501873487.00000140B98A6000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.504163920.00000213501F0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000002.00000002.507538600.00000140BF110000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000013.00000002.502622167.000001E9F5150000.00000002.00000001.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: svchost.exe, 00000007.00000002.302627662.000002218EE13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000001B.00000003.495308735.0000021350362000.00000004.00000001.sdmp | String found in binary or memory: http://www.windowsphone.com/
Source: svchost.exe, 0000001B.00000003.495308735.0000021350362000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.503489765.000002134FB13000.00000004.00000001.sdmp | String found in binary or memory: http://www.xbox.com/
Source: svchost.exe, 00000007.00000003.302079568.000002218EE60000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000003.302125157.000002218EE49000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000003.302079568.000002218EE60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000007.00000002.302795308.000002218EE3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000007.00000003.302079568.000002218EE60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000003.302085335.000002218EE4C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000007.00000003.280129065.000002218EE30000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000007.00000002.302795308.000002218EE3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000007.00000003.302079568.000002218EE60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000007.00000003.302079568.000002218EE60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000007.00000003.302079568.000002218EE60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000007.00000003.280129065.000002218EE30000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000007.00000003.302160928.000002218EE40000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000007.00000003.302160928.000002218EE40000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000007.00000003.302079568.000002218EE60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000003.302160928.000002218EE40000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.303154583.000002218EE5C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000007.00000003.302125157.000002218EE49000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000002.303154583.000002218EE5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000002.303154583.000002218EE5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000007.00000003.302040868.000002218EE63000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.302160928.000002218EE40000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000007.00000003.302079568.000002218EE60000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000007.00000002.302795308.000002218EE3D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000003.280129065.000002218EE30000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000001B.00000003.495308735.0000021350362000.00000004.00000001.sdmp | String found in binary or memory: https://live.xbox.com/purchase/xbox/
Source: svchost.exe, 0000001B.00000003.495354780.0000021350373000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.495385767.000002134FAA3000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.502199529.000002134FA89000.00000004.00000001.sdmp | String found in binary or memory: https://login.windows.net/common
Source: svchost.exe, 0000001B.00000003.498149827.0000021350A3B000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000003.498119165.0000021350A9D000.00000004.00000001.sdmp | String found in binary or memory: https://picsart.com/privacy-policy?hl=en
Source: svchost.exe, 0000001B.00000003.495308735.0000021350362000.00000004.00000001.sdmp | String found in binary or memory: https://profile.xboxlive.com/users/batch/profile/settings
Source: svchost.exe, 0000001B.00000003.495344531.0000021350361000.00000004.00000001.sdmp | String found in binary or memory: https://storeedgefd.dsx.mp.microsoft.c
Source: svchost.exe, 00000007.00000002.302795308.000002218EE3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000007.00000002.302795308.000002218EE3D000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.302627662.000002218EE13000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000003.302185916.000002218EE45000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000003.302185916.000002218EE45000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000007.00000003.280129065.000002218EE30000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000007.00000002.302779239.000002218EE39000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000007.00000002.302627662.000002218EE13000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000002.00000002.501873487.00000140B98A6000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.504163920.00000213501F0000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_004346DE GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_004229A4 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_00431A6D ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_0041FD16 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_00435F74 GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_004346DE GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_004229A4 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_00431A6D ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_0041FD16 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_00435F74 GetKeyState,GetKeyState,GetKeyState
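The single captured request in this section carries most of what a network analyst would use to spot this traffic without a reputation feed: plain HTTP to an IP literal on port 443, a multipart/form-data POST to a path of random alphanumeric segments, a Referer that is simply the request URL, an MSIE 7.0 user agent, and (per the "without corresponding DNS query" rows) no name resolution before the connection. The Python below is an added example, not Joe Sandbox code and not something the sample contains: it parses a raw request head, scores it against those traits, and checks that a constructed, ordinary browser upload does not trip it. The DNS observation is passed in as a flag because a single request cannot show it; the threshold of four indicators and the control request are assumptions of this example.

```python
"""Score a captured HTTP request for the Emotet C2 traits seen in this report.

Added example (not Joe Sandbox code). Offline: both requests are embedded.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample 1: the POST shown in the report, rebuilt with CRLFs.
EMOTET_POST = (
    "POST /XbMBytKt/OOVgHQB/BxFtEmJW0c/Abkh5TRZSc/YfuI1bDtMFtUDakee/ HTTP/1.1\r\n"
    "Referer: http://142.105.151.124/XbMBytKt/OOVgHQB/BxFtEmJW0c/Abkh5TRZSc/YfuI1bDtMFtUDakee/\r\n"
    "Content-Type: multipart/form-data; boundary=---------------------------104235864240884\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; "
    ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\n"
    "Host: 142.105.151.124:443\r\n"
    "Content-Length: 4596\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed sample 2: an ordinary browser file upload, used as a control.
BENIGN_POST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "Referer: https://files.example.com/new\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/90.0 Safari/537.36\r\n"
    "Content-Length: 10\r\n"
    "\r\n"
)

RANDOM_SEGMENT = re.compile(r"[A-Za-z0-9]{5,20}")


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def emotet_indicators(raw, dns_query_seen=True):
    """Return the list of Emotet-style traits a request exhibits.

    dns_query_seen mirrors the report's "TCP traffic detected without
    corresponding DNS query" rows; the caller supplies it from flow data.
    """
    method, target, h = parse_request(raw)
    host, _, port = h.get("host", "").partition(":")
    hits = []
    if _is_ip_literal(host):
        hits.append("Host header is an IP literal, not a name")
    if port == "443":
        hits.append("cleartext HTTP on port 443")
    if not dns_query_seen:
        hits.append("no DNS query preceded the connection")
    if method == "POST" and h.get("content-type", "").startswith("multipart/form-data"):
        hits.append("multipart/form-data POST")
    ref = urlsplit(h.get("referer", ""))
    if ref.hostname == host and ref.path == target:
        hits.append("Referer is the request URL itself")
    segments = [s for s in target.split("/") if s]
    if len(segments) >= 3 and all(RANDOM_SEGMENT.fullmatch(s) for s in segments):
        hits.append(f"path is {len(segments)} random-looking alphanumeric segments")
    if "MSIE 7.0" in h.get("user-agent", ""):
        hits.append("legacy MSIE 7.0 / Trident user agent")
    return hits


def looks_like_emotet_c2(raw, dns_query_seen=True, threshold=4):
    """threshold is an assumed tuning value, not something the report states."""
    return len(emotet_indicators(raw, dns_query_seen)) >= threshold


if __name__ == "__main__":
    for name, req, dns in (("report POST", EMOTET_POST, False),
                           ("control POST", BENIGN_POST, True)):
        hits = emotet_indicators(req, dns_query_seen=dns)
        print(f"{name}: {len(hits)} indicator(s), verdict={looks_like_emotet_c2(req, dns)}")
        for hit in hits:
            print("  -", hit)
```

The report's request scores on every trait (seven with the DNS flag, six without), while the control upload scores only on being a multipart POST. The individual traits are weak on their own, which is why the verdict needs several of them at once; the one that deserves its own alert regardless is cleartext HTTP on 443, since nothing legitimate should speak plain HTTP on that port.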

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000000.00000002.235910769.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.236177493.00000000021F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.501216440.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.503188743.0000000002271000.00000020.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | File created: C:\Windows\SysWOW64\dxtrans\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | File deleted: C:\Windows\SysWOW64\dxtrans\quartz.exe:Zone.Identifier
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_00416E84
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_004133EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_00423CA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_0040FF57
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_021F2ABA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_021F2C26
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_00416E84
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_004133EC
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_00423CA4
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_0040FF57
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_02272ABA
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_02272C26
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: String function: 00414410 appears 47 times
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: String function: 00413794 appears 200 times
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: String function: 0042534F appears 35 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: String function: 00414410 appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: String function: 00413794 appears 200 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: String function: 0042534F appears 35 times
Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (9 such RT_ICON resources reported)
Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe, 00000000.00000000.233672390.0000000000454000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDriveBrowsingTree.EXE\ vs SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe
Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe, 00000000.00000002.236446382.00000000025E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe
Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe, 00000000.00000002.237354680.0000000002E40000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe
Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe, 00000000.00000002.237354680.0000000002E40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe
Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Binary or memory string: OriginalFilenameDriveBrowsingTree.EXE\ vs SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe
Source: classification engine | Classification label: mal76.troj.evad.winEXE@17/5@0/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_0042A5C5 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_022735D2 Process32NextW,CreateToolhelp32Snapshot,FindCloseChangeNotification
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_00407CD0 LoadLibraryExA,LoadLibraryExA,SizeofResource,LoadLibraryExA,GetCurrentProcess,VirtualAllocExNuma
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6156:120:WilError_01
Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 4 times)
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\dxtrans\quartz.exe C:\Windows\SysWOW64\dxtrans\quartz.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wisvc
Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Process created: C:\Windows\SysWOW64\dxtrans\quartz.exe C:\Windows\SysWOW64\dxtrans\quartz.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exeStatic PE information: section name: RT_CURSOR
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exeStatic PE information: section name: RT_BITMAP
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exeStatic PE information: section name: RT_ICON
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exeStatic PE information: section name: RT_MENU
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exeStatic PE information: section name: RT_DIALOG
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exeStatic PE information: section name: RT_STRING
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exeStatic PE information: section name: RT_ACCELERATOR
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exeStatic PE information: section name: RT_GROUP_ICON
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exeCode function: 0_2_004288FB __EH_prolog,LoadLibraryA,GetProcAddress,0_2_004288FB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exeCode function: 0_2_0041444B push ecx; ret 0_2_0041445B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exeCode function: 0_2_00413020 push eax; ret 0_2_00413034
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exeCode function: 0_2_00413020 push eax; ret 0_2_0041305C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exeCode function: 0_2_00413794 push eax; ret 0_2_004137B2
          Source: C:\Windows\SysWOW64\dxtrans\quartz.exeCode function: 1_2_0041444B push ecx; ret 1_2_0041445B
          Source: C:\Windows\SysWOW64\dxtrans\quartz.exeCode function: 1_2_00413020 push eax; ret 1_2_00413034
          Source: C:\Windows\SysWOW64\dxtrans\quartz.exeCode function: 1_2_00413020 push eax; ret 1_2_0041305C
          Source: C:\Windows\SysWOW64\dxtrans\quartz.exeCode function: 1_2_00413794 push eax; ret 1_2_004137B2
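The `push <reg>; ret` hits listed above (0_2_0041444B, 0_2_00413020 and 0_2_00413794, with identical copies in the dropped quartz.exe) are what a byte-level scan for the two-byte sequence push register / ret reports. The Python scanner below is an added example, not part of the Joe Sandbox report or of the sample: it runs that check over a hand-constructed 32-bit x86 buffer based at 0x413020 so that the first hit lands at 0x413034, the address the report lists. The bytes are made up for illustration; a linear scan has no notion of instruction boundaries, so an immediate or data byte can produce the same byte pair and every hit should be confirmed in a disassembler before it is called a gadget.

```python
"""Scan raw 32-bit x86 code bytes for `push <reg>; ret` sequences.

Added example for the sandbox findings above; not part of the report.
SAMPLE_CODE below is constructed by hand for illustration.
"""
from typing import List, Tuple

# One-byte push of a general register (0x50..0x57) and the two near-ret encodings.
PUSH_REG = {0x50: "eax", 0x51: "ecx", 0x52: "edx", 0x53: "ebx",
            0x54: "esp", 0x55: "ebp", 0x56: "esi", 0x57: "edi"}
RET_NEAR = 0xC3        # ret
RET_NEAR_IMM16 = 0xC2  # ret imm16


def find_push_ret(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Return (virtual_address, mnemonic) for every push reg; ret byte pair.

    The scan is disassembler-unaware: it reports candidate sequences at any
    byte offset, so each hit still needs confirming against real instruction
    boundaries.
    """
    hits: List[Tuple[int, str]] = []
    for i in range(len(code) - 1):
        reg = PUSH_REG.get(code[i])
        if reg is None:
            continue
        nxt = code[i + 1]
        if nxt == RET_NEAR:
            hits.append((base + i, f"push {reg}; ret"))
        elif nxt == RET_NEAR_IMM16 and i + 3 < len(code):
            # ret imm16 carries a little-endian 16-bit stack adjustment.
            imm = int.from_bytes(code[i + 2:i + 4], "little")
            hits.append((base + i, f"push {reg}; ret {imm:#x}"))
    return hits


# Constructed code laid out so the first hit sits at 0x413034, the address the
# report gives for the function at 0_2_00413020.
SAMPLE_BASE = 0x00413020
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec"          # 0x00: push ebp; mov ebp, esp
    "83 ec 10"          # 0x03: sub esp, 0x10
    "8b 45 08"          # 0x06: mov eax, [ebp+8]
    "85 c0"             # 0x09: test eax, eax
    "74 09"             # 0x0b: jz short 0x16
    "b8 5c 30 41 00"    # 0x0d: mov eax, 0x41305c
    "90 90"             # 0x12: nop; nop
    "50 c3"             # 0x14: push eax; ret       -> 0x413034
    "33 c0"             # 0x16: xor eax, eax
    "c9 c3"             # 0x18: leave; ret
    "51 c2 08 00"       # 0x1a: push ecx; ret 8     -> 0x41303a
)


def format_hits(hits: List[Tuple[int, str]]) -> List[str]:
    """Render hits in the report's 8-digit hex address style."""
    return [f"{addr:08X} {asm}" for addr, asm in hits]


if __name__ == "__main__":
    for line in format_hits(find_push_ret(SAMPLE_CODE, SAMPLE_BASE)):
        print(line)
```

To run this over a real binary, feed `find_push_ret` the bytes of the executable section with the section's virtual address as `base`; the hit count alone says little, since compilers emit `push reg; ret` only rarely, but a cluster of them at the same offsets in the on-disk sample and the dropped copy (as in this report) is a sign the two files are the same code.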

          Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Executable created and started: C:\Windows\SysWOW64\dxtrans\quartz.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | PE file moved: C:\Windows\SysWOW64\dxtrans\quartz.exe
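The chain above (a user-profile executable places quartz.exe in a new subdirectory of C:\Windows\SysWOW64 and then starts it) is the behaviour an endpoint rule should catch. The Python below is an added example, not part of the Joe Sandbox report, that correlates Sysmon-style records: event 11 (FileCreate) for a new `*.exe` in a subdirectory of System32 or SysWOW64 written by a process outside C:\Windows, followed by event 1 (ProcessCreate) of that path with the same parent. The events are constructed to mirror this report's dropper -> quartz.exe chain, and the allowlist of known subdirectories is an assumption to tune per environment. Because the report says the PE file was moved rather than written, and a same-volume rename may not raise a FileCreate event, the rule also fires on the process start alone, just at a lower-confidence label.

```python
r"""Flag a process that drops an executable under C:\Windows and starts it.

Added example, not part of the Joe Sandbox report. Correlates Sysmon-style
records: EventID 11 (FileCreate) and EventID 1 (ProcessCreate). SAMPLE_EVENTS
is constructed to mirror the dropper -> quartz.exe chain in this report.
"""
import re
from typing import Dict, Iterable, List

# An *.exe in exactly one subdirectory below System32 or SysWOW64
# (e.g. SysWOW64\dxtrans\quartz.exe); the subdirectory name is captured.
WINDOWS_EXE = re.compile(
    r"^c:\\windows\\(?:system32|syswow64)\\([^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)

# Subdirectories that legitimately hold executables. Assumption: a starting
# tuning list, not something taken from the report.
KNOWN_SUBDIRS = {"wbem", "spool", "oobe"}


def _norm(path: str) -> str:
    return path.lower()


def _unusual_windows_exe(path: str) -> bool:
    m = WINDOWS_EXE.match(path)
    return bool(m) and m.group(1) not in KNOWN_SUBDIRS


def _outside_windows(image: str) -> bool:
    return not _norm(image).startswith("c:\\windows\\")


def detect_drop_and_start(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return one alert string per suspicious start of a dropped executable.

    A ProcessCreate whose Image sits in an unusual subdirectory of
    System32/SysWOW64 and whose parent lives outside C:\Windows is reported
    as 'started'; if the same parent earlier produced a FileCreate for that
    exact path, the alert is upgraded to 'dropped and started'.
    """
    dropped: Dict[str, str] = {}  # normalized target path -> normalized writer image
    alerts: List[str] = []
    for ev in events:
        if ev["EventID"] == "11":
            target = _norm(ev["TargetFilename"])
            if _unusual_windows_exe(target) and _outside_windows(ev["Image"]):
                dropped[target] = _norm(ev["Image"])
        elif ev["EventID"] == "1":
            image = _norm(ev["Image"])
            parent = _norm(ev["ParentImage"])
            if not (_unusual_windows_exe(image) and _outside_windows(parent)):
                continue
            kind = "dropped and started" if dropped.get(image) == parent else "started"
            alerts.append(f"{kind}: {ev['Image']} (parent {ev['ParentImage']})")
    return alerts


DROPPER = r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe"
# Constructed events: the report's chain plus three benign process starts.
SAMPLE_EVENTS = [
    {"EventID": "11", "Image": DROPPER,
     "TargetFilename": r"C:\Windows\SysWOW64\dxtrans\quartz.exe"},
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\dxtrans\quartz.exe",
     "ParentImage": DROPPER},
    {"EventID": "1", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": "1", "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Program Files\SomeApp\app.exe"},  # allowlisted subdir
]

if __name__ == "__main__":
    for alert in detect_drop_and_start(SAMPLE_EVENTS):
        print(alert)
```

The parent-outside-C:\Windows condition is what keeps service hosts and installers quiet; it is also the condition Emotet's chain violates, because the dropper runs from the user's Desktop.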

          Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | File opened: C:\Windows\SysWOW64\dxtrans\quartz.exe:Zone.Identifier (access: read attributes | delete)
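The finding above records the dropper opening quartz.exe:Zone.Identifier with delete access, which removes the Mark of the Web (MOTW) from the copy so that nothing on it says it came from the Internet. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses the stream's `[ZoneTransfer]` INI layout, reads the stream from a file where the operating system exposes alternate data streams, and states the "mark stripped from the copy" condition as a function a lab script can call after detonation. The stream content and the invoice.exe URL are constructed for illustration.

```python
"""Parse an NTFS Zone.Identifier stream (the Mark of the Web) and check for it.

Added example, not part of the Joe Sandbox report. SAMPLE_STREAM is
constructed; its [ZoneTransfer] layout with ZoneId and the optional
ReferrerUrl/HostUrl keys is the format Windows writes for downloads.
"""
import configparser
from dataclasses import dataclass
from typing import Optional

# URL security zone identifiers as used in Zone.Identifier streams.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass(frozen=True)
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"unknown zone {self.zone_id}")

    @property
    def from_internet(self) -> bool:
        # Internet (3) and Restricted sites (4) are the zones that trigger
        # SmartScreen / Protected View style handling.
        return self.zone_id >= 3


def parse_zone_identifier(data: bytes) -> MarkOfTheWeb:
    """Decode the raw bytes of <file>:Zone.Identifier."""
    text = data.decode("utf-8", errors="replace")
    cp = configparser.ConfigParser(interpolation=None)  # URLs contain '%'
    cp.read_string(text)
    section = cp["ZoneTransfer"]
    return MarkOfTheWeb(
        zone_id=int(section["ZoneId"]),
        referrer_url=section.get("ReferrerUrl"),
        host_url=section.get("HostUrl"),
    )


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Return the file's MOTW, or None when no readable stream is present.

    Only NTFS on Windows exposes alternate data streams through the
    'name:stream' syntax; elsewhere the open fails and None comes back,
    which a caller should treat as 'cannot tell', not as 'clean'.
    """
    try:
        with open(f"{path}:Zone.Identifier", "rb") as fh:
            return parse_zone_identifier(fh.read())
    except (OSError, KeyError, ValueError):
        return None


def motw_stripped(source: Optional[MarkOfTheWeb],
                  copy: Optional[MarkOfTheWeb]) -> bool:
    """True when the source carried an Internet-zone mark and the copy has none.

    This is the condition behind the finding above: the downloaded sample
    carries the mark, the dropped quartz.exe does not.
    """
    return source is not None and source.from_internet and copy is None


# Constructed stream content, shaped like what a browser writes for a download.
SAMPLE_STREAM = (
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://example.invalid/downloads/\r\n"
    b"HostUrl=https://example.invalid/downloads/invoice.exe\r\n"
)

if __name__ == "__main__":
    mark = parse_zone_identifier(SAMPLE_STREAM)
    print(mark.zone_name, mark.host_url)
    print("copy lost its mark:", motw_stripped(mark, None))
```

On a Windows analysis host, `read_mark_of_the_web(sample_path)` together with `read_mark_of_the_web(r"C:\Windows\SysWOW64\dxtrans\quartz.exe")` reproduces the check directly; the HostUrl, when present, is also the quickest pointer back to the delivery URL during triage.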
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_004302E7 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,0_2_004302E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_004347C2 IsWindowVisible,IsIconic,0_2_004347C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_00408E23 IsIconic,GetWindowPlacement,GetWindowRect,0_2_00408E23
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_0042977B GetParent,GetParent,IsIconic,GetParent,0_2_0042977B
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_004302E7 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,1_2_004302E7
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_004347C2 IsWindowVisible,IsIconic,1_2_004347C2
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_00408E23 IsIconic,GetWindowPlacement,GetWindowRect,1_2_00408E23
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_0042977B GetParent,GetParent,IsIconic,GetParent,1_2_0042977B
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5} DeviceTicket
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\svchost.exe TID: 6804 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6020 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_0042853B __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,0_2_0042853B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_004026E0 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,0_2_004026E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_00428B68 lstrlenA,FindFirstFileA,FindClose,0_2_00428B68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_00401640 FindFirstFileA,FindClose,0_2_00401640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_021F28BC FindNextFileW,FindFirstFileW,FindClose,0_2_021F28BC
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_0042853B __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,1_2_0042853B
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_004026E0 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,1_2_004026E0
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_00428B68 lstrlenA,FindFirstFileA,FindClose,1_2_00428B68
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_00401640 FindFirstFileA,FindClose,1_2_00401640
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_022728BC FindNextFileW,FindFirstFileW,FindClose,1_2_022728BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_00413306 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,0_2_00413306
Source: svchost.exe, 00000004.00000002.286919292.000002381FF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.311810887.000002B9D1C90000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.346162702.0000021A34340000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.503114844.000001E9F5400000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.483143373.00000238E6140000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.506286512.0000021350740000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000002.00000002.506330019.00000140BAC63000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
Source: quartz.exe, 00000001.00000002.506913821.00000000029BF000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.506266006.00000140BAC56000.00000004.00000001.sdmp, svchost.exe, 0000001B.00000002.503093735.000002134FADB000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000004.00000002.286919292.000002381FF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.311810887.000002B9D1C90000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.346162702.0000021A34340000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.503114844.000001E9F5400000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.483143373.00000238E6140000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.506286512.0000021350740000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000004.00000002.286919292.000002381FF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.311810887.000002B9D1C90000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.346162702.0000021A34340000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.503114844.000001E9F5400000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.483143373.00000238E6140000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.506286512.0000021350740000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: quartz.exe, 00000001.00000002.506797203.00000000029B2000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW`
Source: svchost.exe, 00000006.00000002.500980868.0000016115A2A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000004.00000002.286919292.000002381FF40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.311810887.000002B9D1C90000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.346162702.0000021A34340000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.503114844.000001E9F5400000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.483143373.00000238E6140000.00000002.00000001.sdmp, svchost.exe, 0000001B.00000002.506286512.0000021350740000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_004288FB __EH_prolog,LoadLibraryA,GetProcAddress,0_2_004288FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_021F36E3 mov eax, dword ptr fs:[00000030h] 0_2_021F36E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_021F2E00 mov eax, dword ptr fs:[00000030h] 0_2_021F2E00
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_022736E3 mov eax, dword ptr fs:[00000030h] 1_2_022736E3
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_02272E00 mov eax, dword ptr fs:[00000030h] 1_2_02272E00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_004164EA SetUnhandledExceptionFilter,0_2_004164EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_004164FE SetUnhandledExceptionFilter,0_2_004164FE
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_004164EA SetUnhandledExceptionFilter,1_2_004164EA
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: 1_2_004164FE SetUnhandledExceptionFilter,1_2_004164FE
Source: quartz.exe, 00000001.00000002.502309813.0000000000DE0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: quartz.exe, 00000001.00000002.502309813.0000000000DE0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: quartz.exe, 00000001.00000002.502309813.0000000000DE0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: quartz.exe, 00000001.00000002.502309813.0000000000DE0000.00000002.00000001.sdmp | Binary or memory string: jProgram Manager
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: GetLocaleInfoA,0_2_0041C708
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,0_2_00401070
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,0_2_00437103
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: GetLocaleInfoA,1_2_0041C708
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,1_2_00401070
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA,1_2_00437103
Source: C:\Windows\SysWOW64\dxtrans\quartz.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_00418091 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00418091
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_0041A9AA __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,0_2_0041A9AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Code function: 0_2_0041E999 GetVersionExA,0_2_0041E999
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.9248.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Weigh this signature accordingly: every event below is attributed to C:\Windows\System32\svchost.exe rather than to the sample or to the dropped quartz.exe, and the process list above includes a svchost.exe instance hosting wscsvc, the Windows Security Center service.
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: svchost.exe, 0000000A.00000002.500565819.000001DB8CE3D000.00000004.00000001.sdmp | Binary or memory string: "@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000013.00000002.502953758.000001E9F5343000.00000004.00000001.sdmp | Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 0000000A.00000002.500746299.000001DB8CF02000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

          Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 00000000.00000002.235910769.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.236177493.00000000021F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.501216440.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.503188743.0000000002271000.00000020.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

Digits following a technique name are the matrix's badge values, kept as extracted.

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation 1 | Path Interception | Process Injection 2 | Masquerading 12 | Input Capture 1 | System Time Discovery 2 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 41 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Modify Registry 1 | Security Account Manager | Virtualization/Sandbox Evasion 3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 3 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 2 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories 1 | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information 2 | Proc Filesystem | System Information Discovery 37 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction |

          Behavior Graph


          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET