Analysis Report Eacu0dRnuP

Overview

General Information

Sample Name: Eacu0dRnuP (renamed file extension from none to exe)
Analysis ID: 317638
MD5: e79d85ef787e5ee5ab0c1c4962325648
SHA1: 137381e0ccf7bb74f2a6b603b0ad7137166a4890
SHA256: dd4b3697f598fcfb9a58ab0f075f7dce217c192ef5b2af6d9377192f60ce3720

Most interesting Screenshot:

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.230106819.00000000022C0000.00000040.00000001.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["80.227.52.78:80", "51.89.199.141:8080", "173.212.214.235:7080", "167.114.153.111:8080", "61.19.246.238:443", "37.179.204.33:80", "190.164.104.62:80", "95.9.5.93:80", "138.68.87.218:443", "176.111.60.55:8080", "194.190.67.75:80", "66.76.12.94:8080", "139.59.60.244:8080", "184.180.181.202:80", "49.50.209.131:80", "24.133.106.23:80", "121.7.31.214:80", "185.94.252.104:443", "50.91.114.38:80", "46.105.131.79:8080", "220.245.198.194:80", "218.147.193.146:80", "115.94.207.99:443", "188.219.31.12:80", "200.116.145.225:443", "190.240.194.77:443", "71.15.245.148:8080", "78.24.219.147:8080", "202.141.243.254:443", "217.123.207.149:80", "110.145.77.103:80", "41.185.28.84:8080", "109.74.5.95:8080", "89.121.205.18:80", "123.142.37.166:80", "91.211.88.52:7080", "113.61.66.94:80", "27.114.9.93:80", "2.58.16.89:8080", "102.182.93.220:80", "120.150.60.189:80", "62.171.142.179:8080", "50.245.107.73:443", "110.142.236.207:80", "72.143.73.234:443", "94.200.114.161:80", "103.86.49.11:8080", "186.70.56.94:443", "176.113.52.6:443", "120.150.218.241:443", "217.20.166.178:7080", "137.59.187.107:8080", "87.106.139.101:8080", "94.230.70.6:80", "100.37.240.62:80", "174.106.122.139:80", "172.86.188.251:8080", "123.176.25.234:80", "190.162.215.233:80", "37.139.21.175:8080", "202.134.4.216:8080", "61.76.222.210:80", "5.39.91.110:7080", "75.143.247.51:80", "74.40.205.197:443", "203.153.216.189:7080", "72.186.136.247:443", "201.241.127.190:80", "24.230.141.169:80", "76.175.162.101:80", "112.185.64.233:80", "49.3.224.99:8080", "119.59.116.21:8080", "37.187.72.193:8080", "95.213.236.64:8080", "162.241.140.129:8080", "78.188.106.53:443", "79.137.83.50:443", "194.4.58.192:7080", "24.137.76.62:80", "157.245.99.39:8080", "173.63.222.65:80", "202.134.4.211:8080", "139.99.158.11:443", "139.162.60.124:8080", "186.74.215.34:80", "154.91.33.137:443", "190.12.119.180:443", 
"216.139.123.119:80", "59.125.219.109:443", "172.104.97.173:8080", "209.141.54.221:7080", "168.235.67.138:7080", "172.91.208.86:80", "62.75.141.82:80", "121.124.124.40:7080", "172.105.13.66:443", "47.36.140.164:80", "62.30.7.67:443", "24.178.90.49:80", "187.161.206.24:80", "68.115.186.26:80", "94.23.237.171:443", "67.170.250.203:443", "74.208.45.104:8080", "182.208.30.18:443", "67.163.161.107:80", "88.153.35.32:80", "97.82.79.83:80", "74.214.230.200:80", "118.83.154.64:443", "85.105.111.166:80", "93.147.212.206:80", "89.216.122.92:80", "76.27.179.47:80", "190.108.228.27:443", "108.46.29.236:80", "194.187.133.160:443", "134.209.144.106:443", "104.131.11.150:443", "61.33.119.226:443", "80.227.52.78:80", "51.89.199.141:8080", "173.212.214.235:7080", "167.114.153.111:8080", "61.19.246.238:443", "37.179.204.33:80", "190.164.104.62:80", "95.9.5.93:80", "138.68.87.218:443", "176.111.60.55:8080", "194.190.67.75:80", "66.76.12.94:8080", "139.59.60.244:8080", "184.180.181.202:80", "49.50.209.131:80", "24.133.106.23:80", "121.7.31.214:80", "185.94.252.104:443", "50.91.114.38:80", "46.105.131.79:8080", "220.245.1
Multi AV Scanner detection for submitted file
Source: Eacu0dRnuP.exe Virustotal: Detection: 59%
Source: Eacu0dRnuP.exe Metadefender: Detection: 43%
Source: Eacu0dRnuP.exe ReversingLabs: Detection: 62%
Machine Learning detection for sample
Source: Eacu0dRnuP.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_00402270 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc, 0_2_00402270
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_00402270 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc, 3_2_00402270
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02262650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 3_2_02262650
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02262290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap, 3_2_02262290
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02261FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptVerifySignatureW,CryptDestroyHash,CryptDecrypt,CryptDuplicateHash, 3_2_02261FB0
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_00423C64 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 0_2_00423C64
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_028638F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_028638F0
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_00423C64 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 3_2_00423C64
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_022638F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 3_2_022638F0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.2.3:49724 -> 80.227.52.78:80
Source: Traffic Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.3:49730 -> 51.89.199.141:8080
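
The ET Feodo Tracker rules above fire only on the two endpoints the sample actually reached during the run; the malware configuration extracted earlier lists well over a hundred. The following added example (written for this page, not Joe Sandbox or Emerging Threats code) turns such a configuration dump, which in the report is cut off mid-address and repeats entries, into a deduplicated endpoint list, a per-port summary and local Snort rules. The sample dump is a constructed excerpt of the report's first entries; the local SID range is an assumption.

```python
"""Deduplicate Emotet C2 endpoints from a sandbox config dump and emit rules.

Added example, not part of the Joe Sandbox report. The extractor output in
the report is a JSON-like fragment that is cut off mid-address and whose C2
list repeats itself, so json.loads would fail; a tolerant regex is used
instead, followed by validation, deduplication and grouping by port.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: the first entries of the report's C2 list, repeated
# once and truncated mid-address, mirroring how the extractor output renders.
CONFIG_DUMP = (
    'Emotet {"C2 list": ["80.227.52.78:80", "51.89.199.141:8080", '
    '"173.212.214.235:7080", "167.114.153.111:8080", "61.19.246.238:443", '
    '"80.227.52.78:80", "51.89.199.141:8080", "173.212.214.235:7080", '
    '"220.245.1'
)

# Only complete, quoted "ip:port" entries match; a truncated tail is ignored.
C2_RE = re.compile(r'"((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})"')


def extract_c2(dump: str) -> list[tuple[str, int]]:
    """Return unique (ip, port) pairs in first-seen order.

    Entries that are not valid, globally routable IPv4 addresses with a
    sane port are dropped rather than shipped into a blocklist.
    """
    seen: dict[tuple[str, int], None] = {}
    for ip, port in C2_RE.findall(dump):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        port_n = int(port)
        if not addr.is_global or not 1 <= port_n <= 65535:
            continue
        seen.setdefault((str(addr), port_n), None)
    return list(seen)


def ports_summary(c2: list[tuple[str, int]]) -> dict[int, int]:
    """Count endpoints per port; Emotet mixes 80/443 with 7080/8080."""
    return dict(Counter(port for _, port in c2))


def snort_rules(c2: list[tuple[str, int]], sid_base: int = 9000001) -> list[str]:
    """Emit one local Snort/Suricata rule per endpoint.

    sid_base is an assumption: pick a SID range reserved for local rules
    that does not collide with the Emerging Threats SIDs seen in the report.
    """
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"LOCAL Emotet C2 {ip}:{port}"; flow:to_server,established; '
        f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(c2)
    ]


if __name__ == "__main__":
    endpoints = extract_c2(CONFIG_DUMP)
    print(f"{len(endpoints)} unique C2 endpoints, by port: {ports_summary(endpoints)}")
    print("\n".join(snort_rules(endpoints)))
```

Feeding the full extractor string from the report into extract_c2 gives the complete list; the regex requires the closing quote, so the truncated final entry is dropped instead of becoming a bogus address.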
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49730 -> 51.89.199.141:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 80.227.52.78 80.227.52.78
Source: Joe Sandbox View IP Address: 51.89.199.141 51.89.199.141
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DU-AS1AE DU-AS1AE
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.3:49724 -> 80.227.52.78:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
POST /kQ2qQ4p/1FQKfDAunw/1vITsOyC7bA2XShy/bcsdjT00jJ/b6D7wBgDOTgK988MK/MO2mf0Mgqq2ks2YLPn/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 51.89.199.141/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=-----------sxMmAtOOfKQ
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 51.89.199.141:8080
Content-Length: 4612
Cache-Control: no-cache
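
The captured POST carries several traits a detection engineer can key on even though the User-Agent itself is a legitimate browser string: a bare IP in the Host header on port 8080, a multipart/form-data body, a Referer that only echoes the Host, and a path of random-looking segments. The following added example (mine, not Joe Sandbox code) parses a raw request head and scores those traits. The Emotet request is the one captured in this report; the benign request, the one-point-per-trait weighting and the alert threshold are constructed assumptions to tune against real proxy logs.

```python
"""Score an HTTP request for the C2 beacon traits visible in this report.

Added example, not Joe Sandbox code. The heuristics encode what the captured
POST shows: a browser User-Agent sent to a bare IP Host on a non-standard
port, a multipart/form-data body, a Referer that merely echoes the Host, and
a path of random-looking segments with no file extension. Weights and the
alert threshold are assumptions; tune them against your own proxy logs.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# The request captured in the report, one header per line.
EMOTET_POST = """POST /kQ2qQ4p/1FQKfDAunw/1vITsOyC7bA2XShy/bcsdjT00jJ/b6D7wBgDOTgK988MK/MO2mf0Mgqq2ks2YLPn/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 51.89.199.141/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=-----------sxMmAtOOfKQ
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 51.89.199.141:8080
Content-Length: 4612
Cache-Control: no-cache
"""

# Constructed benign request for comparison; not from the report.
BENIGN_GET = """GET /docs/index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Accept: text/html
Connection: keep-alive
"""

ALERT_THRESHOLD = 4  # assumption: four or more traits raise an alert
RANDOM_SEGMENT = re.compile(r"^[A-Za-z0-9]{5,}$")  # alnum only, so no extension


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str]  # header names lower-cased


def parse_request(raw: str) -> Request:
    """Parse a raw HTTP/1.1 request head (request line plus headers)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def score_request(req: Request) -> tuple[int, list[str]]:
    """Return (score, matched traits); one point per trait."""
    hits: list[str] = []
    host, _, port = req.headers.get("host", "").partition(":")

    try:
        ipaddress.ip_address(host)
        hits.append("Host is a bare IP address (no DNS lookup needed)")
    except ValueError:
        pass

    if port and port not in ("80", "443"):
        hits.append(f"non-standard HTTP port {port}")

    ctype = req.headers.get("content-type", "")
    if req.method == "POST" and ctype.startswith("multipart/form-data"):
        hits.append("multipart/form-data POST")

    ua = req.headers.get("user-agent", "")
    if "MSIE" in ua or "Trident/" in ua:
        hits.append("Internet Explorer style User-Agent")

    # Browsers send a scheme in Referer; here it is just the host and a slash.
    ref = req.headers.get("referer", "")
    ref_host = re.sub(r"^https?://", "", ref).split("/")[0].split(":")[0]
    if ref and ref_host == host:
        hits.append("Referer merely echoes the Host")

    segments = [s for s in req.path.split("/") if s]
    if len(segments) >= 3 and all(RANDOM_SEGMENT.match(s) for s in segments):
        hits.append("multi-segment random path with no file extension")

    return len(hits), hits


def is_beacon(raw: str, threshold: int = ALERT_THRESHOLD) -> bool:
    score, _ = score_request(parse_request(raw))
    return score >= threshold


if __name__ == "__main__":
    for label, raw in (("report POST", EMOTET_POST), ("benign GET", BENIGN_GET)):
        score, hits = score_request(parse_request(raw))
        print(f"{label}: score={score} beacon={score >= ALERT_THRESHOLD}")
        for h in hits:
            print("  -", h)
```

No single trait is conclusive (IE-compatible User-Agent strings and port 8080 are common on their own), which is why the traits are scored together rather than alerted on individually; the request from this report matches all six, the benign request none.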
Source: unknown TCP traffic detected without corresponding DNS query: 80.227.52.78
Source: unknown TCP traffic detected without corresponding DNS query: 80.227.52.78
Source: unknown TCP traffic detected without corresponding DNS query: 80.227.52.78
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_022629B0 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW, 3_2_022629B0
Source: unknown HTTP traffic detected:
POST /kQ2qQ4p/1FQKfDAunw/1vITsOyC7bA2XShy/bcsdjT00jJ/b6D7wBgDOTgK988MK/MO2mf0Mgqq2ks2YLPn/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 51.89.199.141/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=-----------sxMmAtOOfKQ
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 51.89.199.141:8080
Content-Length: 4612
Cache-Control: no-cache
Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmp String found in binary or memory: http://51.89.199.141:8080/kQ2qQ4p/1FQKfDAunw/1vITsOyC7bA2XShy/bcsdjT00jJ/b6D7wBgDOTgK988MK/MO2mf0Mgq
Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmp String found in binary or memory: http://80.227.52.78/5VyqhybV/hBUnM8a/pu6SqF/
Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmp String found in binary or memory: http://80.227.52.78/5VyqhybV/hBUnM8a/pu6SqF/$f
Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmp String found in binary or memory: http://80.227.52.78/5VyqhybV/hBUnM8a/pu6SqF/-f
Source: svchost.exe, 00000004.00000002.496997385.0000022687412000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000004.00000002.496997385.0000022687412000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000004.00000002.496997385.0000022687412000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000004.00000002.498030150.0000022687860000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000B.00000002.313901716.000001DF72413000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000009.00000002.493616710.0000022CEBC45000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000009.00000002.493616710.0000022CEBC45000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000009.00000002.493616710.0000022CEBC45000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000009.00000002.493508212.0000022CEBC2A000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000009.00000002.493508212.0000022CEBC2A000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.313632584.000001DF7244B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.313959058.000001DF7243E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.313976950.000001DF72454000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.313959058.000001DF7243E000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.313648820.000001DF72441000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.313648820.000001DF72441000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.313968364.000001DF72447000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000000B.00000003.313632584.000001DF7244B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.313968364.000001DF72447000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.313968364.000001DF72447000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000002.313976950.000001DF72454000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.313624018.000001DF7245F000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.313959058.000001DF7243E000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.313959058.000001DF7243E000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.313959058.000001DF7243E000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.313901716.000001DF72413000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.313645092.000001DF72445000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.313645092.000001DF72445000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000002.313951325.000001DF72439000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.313913232.000001DF72425000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000000B.00000002.313959058.000001DF7243E000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.313959058.000001DF7243E000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.313901716.000001DF72413000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.313645092.000001DF72445000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.313645092.000001DF72445000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.291934932.000001DF72430000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000002.313951325.000001DF72439000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.313913232.000001DF72425000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_0041F8D4 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_0041F8D4
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_0041F8D4 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_0041F8D4

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000000.00000002.230106819.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.230764484.0000000002861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.230167872.00000000024A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.494965360.0000000002214000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.495069915.0000000002261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.494701716.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.KBDTUQ.exe.2260000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eacu0dRnuP.exe.2860000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02262650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx, 3_2_02262650

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe File created: C:\Windows\SysWOW64\fphc\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe File deleted: C:\Windows\SysWOW64\fphc\KBDTUQ.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_0040D558 0_2_0040D558
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_00420953 0_2_00420953
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_004109F3 0_2_004109F3
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_00409F47 0_2_00409F47
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02868240 0_2_02868240
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02867740 0_2_02867740
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02866530 0_2_02866530
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02863BA0 0_2_02863BA0
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02863F20 0_2_02863F20
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02861C70 0_2_02861C70
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02863D10 0_2_02863D10
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C5ABE 0_2_022C5ABE
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C92DE 0_2_022C92DE
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C380E 0_2_022C380E
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C58AE 0_2_022C58AE
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C80CE 0_2_022C80CE
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C573E 0_2_022C573E
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C9DDE 0_2_022C9DDE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_0040D558 3_2_0040D558
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_00420953 3_2_00420953
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_004109F3 3_2_004109F3
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_00409F47 3_2_00409F47
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02268240 3_2_02268240
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02267740 3_2_02267740
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02266530 3_2_02266530
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02263BA0 3_2_02263BA0
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02263F20 3_2_02263F20
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02261C70 3_2_02261C70
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02263D10 3_2_02263D10
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_021D5ABE 3_2_021D5ABE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_021D92DE 3_2_021D92DE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_021D380E 3_2_021D380E
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_021D58AE 3_2_021D58AE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_021D80CE 3_2_021D80CE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_021D573E 3_2_021D573E
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_021D9DDE 3_2_021D9DDE
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: String function: 004231CF appears 31 times
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: String function: 0040E598 appears 61 times
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: String function: 0040DA1C appears 138 times
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: String function: 004231CF appears 31 times
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: String function: 0040E598 appears 61 times
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: String function: 0040DA1C appears 138 times
PE file contains strange resources
Source: Eacu0dRnuP.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Eacu0dRnuP.exe, 00000000.00000002.229609206.000000000043F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameRoundWindow.EXEP0 vs Eacu0dRnuP.exe
Source: Eacu0dRnuP.exe, 00000000.00000002.232691117.0000000002DE0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Eacu0dRnuP.exe
Source: Eacu0dRnuP.exe, 00000000.00000002.232691117.0000000002DE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Eacu0dRnuP.exe
Source: Eacu0dRnuP.exe, 00000000.00000002.232124434.0000000002CF0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Eacu0dRnuP.exe
Source: Eacu0dRnuP.exe Binary or memory string: OriginalFilenameRoundWindow.EXEP0 vs Eacu0dRnuP.exe
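The mismatch flagged above rests on the OriginalFilename string of the version resource (RoundWindow.EXE here, against the on-disk name Eacu0dRnuP.exe). What follows is an added example, not part of this report and not sandbox code: a heuristic extractor that finds OriginalFilename values in a PE file or a raw memory dump without walking the resource tree, so it also works on the .sdmp-style regions quoted above. The helper names and the SAMPLE_BLOB bytes are constructed for the example. Note that in a whole-process dump every mapped module contributes its own value (the propsys.dll.mui hit above is one), so restrict the scan to the image you care about before reading anything into a mismatch.

```python
"""Heuristic OriginalFilename extraction for the "sample name differs from
version info" check.  Added example, not part of the sandbox report.

Looks for the UTF-16LE key that VS_VERSION_INFO String entries carry and
reads the value that follows it, without parsing the resource directory, so
it also works on raw memory dumps.  The price of the shortcut: any UTF-16
string that happens to follow the key is reported, so treat results as hints.
"""
from __future__ import annotations

import struct

# UTF-16LE "OriginalFilename" plus its NUL terminator, exactly as stored in szKey.
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def _read_utf16z(buf: bytes, off: int) -> str:
    """Read a NUL-terminated UTF-16LE string starting at byte offset off."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace")


def original_filenames(buf: bytes) -> list[str]:
    """Return every OriginalFilename value found in buf (file or memory dump).

    A String entry is wLength, wValueLength, wType, szKey, zero-WORD padding
    to a 32-bit boundary, then the UTF-16LE value.  We locate szKey, step
    over the padding WORDs and read the value up to its own terminator.
    """
    names: list[str] = []
    pos = buf.find(KEY)
    while pos != -1:
        off = pos + len(KEY)
        while off + 1 < len(buf) and buf[off:off + 2] == b"\x00\x00":
            off += 2                       # skip alignment padding
        value = _read_utf16z(buf, off)
        if value:
            names.append(value)
        pos = buf.find(KEY, pos + 2)
    return names


def mismatched_names(sample_name: str, buf: bytes) -> list[str]:
    """OriginalFilename values that differ from the on-disk name (case-insensitive)."""
    want = sample_name.lower()
    return [n for n in original_filenames(buf) if n.lower() != want]


def _string_entry(key: str, value: str) -> bytes:
    """Build one VS_VERSION_INFO String structure (only used for the sample blob)."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    body = k + b"\x00" * (-(6 + len(k)) % 4) + v     # value starts 32-bit aligned
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed stand-in for a version resource; these are not bytes from the sample.
SAMPLE_BLOB = (
    b"\x00" * 16
    + _string_entry("CompanyName", "Example")
    + _string_entry("OriginalFilename", "RoundWindow.EXE")
    + b"\x00" * 16
)

if __name__ == "__main__":
    print("found:", original_filenames(SAMPLE_BLOB))
    print("mismatch vs Eacu0dRnuP.exe:", mismatched_names("Eacu0dRnuP.exe", SAMPLE_BLOB))
```

Run it against the dropped file or an extracted memory region with `mismatched_names("Eacu0dRnuP.exe", open(path, "rb").read())`; an empty list means the names agree.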
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: classification engine Classification label: mal88.troj.evad.winEXE@18/8@0/3
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle, 0_2_028687D0
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02264CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification, 3_2_02264CB0
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_0042309F EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource, 0_2_0042309F
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02865070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_02865070
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6268:120:WilError_01
Source: Eacu0dRnuP.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Eacu0dRnuP.exe Virustotal: Detection: 59%
Source: Eacu0dRnuP.exe Metadefender: Detection: 43%
Source: Eacu0dRnuP.exe ReversingLabs: Detection: 62%
Source: unknown Process created: C:\Users\user\Desktop\Eacu0dRnuP.exe 'C:\Users\user\Desktop\Eacu0dRnuP.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: unknown Process created: C:\Windows\SysWOW64\fphc\KBDTUQ.exe C:\Windows\SysWOW64\fphc\KBDTUQ.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Process created: C:\Windows\SysWOW64\fphc\KBDTUQ.exe C:\Windows\SysWOW64\fphc\KBDTUQ.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_00402270 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc, 0_2_00402270
PE file contains an invalid checksum
Source: Eacu0dRnuP.exe Static PE information: real checksum: 0x9ad26 should be: 0x97a8c
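The line above compares the CheckSum field of the optional header with a value recomputed over the whole file. The following is an added example, not code from the report: the checksum algorithm behind that comparison in pure Python, with a constructed MZ/PE shell (fake_pe, not the analysed sample) to exercise it. describe() follows the layout of the report line on the assumption that its "real checksum" is the stored field and "should be" the recomputed value. Windows only enforces this checksum for drivers, boot-time DLLs and DLLs loaded into critical system processes; a user-mode EXE loads fine with a wrong or zero field, so a mismatch mainly tells you the header was not refreshed after the file was last changed, which is common after packing or patching but also in plenty of unsigned benign builds.

```python
"""PE header checksum verification, the check behind the report's
"PE file contains an invalid checksum" line.  Added example, not sandbox code.

Implements the algorithm used by CheckSumMappedFile: add the file as 32-bit
little-endian words with end-around carry, skipping the CheckSum field itself,
fold the sum to 16 bits and add the file length.
"""
import struct

SIGNATURE_OFFSET = 0x3C           # e_lfanew in IMAGE_DOS_HEADER
CHECKSUM_IN_OPTIONAL_HEADER = 64  # IMAGE_OPTIONAL_HEADER.CheckSum (PE32 and PE32+)


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum."""
    if len(data) < SIGNATURE_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, SIGNATURE_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # 4-byte signature + 20-byte IMAGE_FILE_HEADER + 64 bytes into the optional header
    return e_lfanew + 4 + 20 + CHECKSUM_IN_OPTIONAL_HEADER


def pe_checksum(data: bytes, skip_offset: int) -> int:
    """Checksum of data, ignoring the 4 bytes at skip_offset (must be 4-aligned)."""
    if skip_offset % 4:
        raise ValueError("CheckSum field must be 32-bit aligned")
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)            # fold to 16 bits
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def computed_checksum(data: bytes) -> int:
    return pe_checksum(data, checksum_field_offset(data))


def is_checksum_valid(data: bytes) -> bool:
    return stored_checksum(data) == computed_checksum(data)


def describe(data: bytes) -> str:
    """Same shape as the report line: stored value first, recomputed value second."""
    return f"real checksum: {stored_checksum(data):#x} should be: {computed_checksum(data):#x}"


def with_correct_checksum(data: bytes) -> bytes:
    """Copy of data with the CheckSum field rewritten (what a linker does last)."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_field_offset(data), computed_checksum(data))
    return bytes(out)


def fake_pe(size: int = 0x200) -> bytes:
    """Constructed minimal MZ/PE shell for demonstration; not a loadable image."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, SIGNATURE_OFFSET, 0x80)   # e_lfanew -> 0x80
    img[0x80:0x84] = b"PE\x00\x00"
    img[0x100:0x110] = bytes(range(16))                   # some non-zero "code"
    return bytes(img)


if __name__ == "__main__":
    sample = fake_pe()
    print(describe(sample), is_checksum_valid(sample))    # field never set
    fixed = with_correct_checksum(sample)
    print(describe(fixed), is_checksum_valid(fixed))
    patched = bytearray(fixed)
    patched[0x105] ^= 0xFF                                # post-link modification
    print(describe(bytes(patched)), is_checksum_valid(bytes(patched)))
```

For a real file, `describe(open(path, "rb").read())` prints the pair in the report's format; a stored value of 0 means the field was never populated rather than corrupted.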
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_0040E5D3 push ecx; ret 0_2_0040E5E3
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_0040D670 push eax; ret 0_2_0040D684
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_0040D670 push eax; ret 0_2_0040D6AC
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_0040DA1C push eax; ret 0_2_0040DA3A
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_0040CF44 push eax; iretd 0_2_0040CF45
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02865EA0 push ecx; mov dword ptr [esp], 0000A3FDh 0_2_02865EA1
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02865EF0 push ecx; mov dword ptr [esp], 0000669Ch 0_2_02865EF1
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02865E10 push ecx; mov dword ptr [esp], 0000F5B3h 0_2_02865E11
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02865F20 push ecx; mov dword ptr [esp], 0000E36Ch 0_2_02865F21
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02865CD0 push ecx; mov dword ptr [esp], 00001CE1h 0_2_02865CD1
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02865D90 push ecx; mov dword ptr [esp], 0000B2E0h 0_2_02865D91
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02865DC0 push ecx; mov dword ptr [esp], 000089FAh 0_2_02865DC1
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02865DF0 push ecx; mov dword ptr [esp], 0000AAF5h 0_2_02865DF1
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02865D00 push ecx; mov dword ptr [esp], 00001F9Eh 0_2_02865D01
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02865D20 push ecx; mov dword ptr [esp], 0000C5A1h 0_2_02865D21
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02865D50 push ecx; mov dword ptr [esp], 00006847h 0_2_02865D51
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C7A3E push ecx; mov dword ptr [esp], 0000A3FDh 0_2_022C7A3F
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C7ABE push ecx; mov dword ptr [esp], 0000E36Ch 0_2_022C7ABF
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C7A8E push ecx; mov dword ptr [esp], 0000669Ch 0_2_022C7A8F
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C786E push ecx; mov dword ptr [esp], 00001CE1h 0_2_022C786F
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C78BE push ecx; mov dword ptr [esp], 0000C5A1h 0_2_022C78BF
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C789E push ecx; mov dword ptr [esp], 00001F9Eh 0_2_022C789F
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C78EE push ecx; mov dword ptr [esp], 00006847h 0_2_022C78EF
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C792E push ecx; mov dword ptr [esp], 0000B2E0h 0_2_022C792F
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C795E push ecx; mov dword ptr [esp], 000089FAh 0_2_022C795F
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C79AE push ecx; mov dword ptr [esp], 0000F5B3h 0_2_022C79AF
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C798E push ecx; mov dword ptr [esp], 0000AAF5h 0_2_022C798F
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_0040E5D3 push ecx; ret 3_2_0040E5E3
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_0040D670 push eax; ret 3_2_0040D684
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_0040D670 push eax; ret 3_2_0040D6AC
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_0040DA1C push eax; ret 3_2_0040DA3A

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Executable created and started: C:\Windows\SysWOW64\fphc\KBDTUQ.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe PE file moved: C:\Windows\SysWOW64\fphc\KBDTUQ.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe File opened: C:\Windows\SysWOW64\fphc\KBDTUQ.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_00402FC2 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00402FC2
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_00402FC2 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_00402FC2
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
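The device path above is a device-interface symbolic link: enumerator, hardware ID, instance ID and interface class GUID separated by '#'. The GUID {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} is GUID_DEVINTERFACE_CDROM, so the sample is enumerating CD-ROM interfaces and reading the SCSI vendor and product fields, where 'NECVMWar' and 'VMware_SATA_CD00' give the hypervisor away. The parser below is an added example, not code from the report or from the sample; the VM marker list and the second, physical-drive path are constructed for the example. Note also that the Hyper-V strings listed further down in this section are read from svchost.exe memory and from the dropped copy's memory, where 'Hyper-V RAW' is the Winsock protocol catalog entry backed by mswsock.dll (visible in the lines themselves), so they are ordinary Windows strings and not evidence that the sample checks for Hyper-V.

```python
import re

# Interface class GUID in the path the sample queried (GUID_DEVINTERFACE_CDROM).
GUID_DEVINTERFACE_CDROM = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

# Path taken from this report, and a constructed counterpart for a physical drive.
REPORT_PATH = r"SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
PHYSICAL_PATH = r"\\?\SCSI#CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1#4&1a2b3c4d&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

# Vendor/product substrings that point at a hypervisor. Constructed starter list; tune it per fleet.
VM_MARKERS = ("vmware", "necvmwar", "vbox", "virtualbox", "qemu", "virtio", "xen", "virtual", "hyper-v")


def parse_device_interface_path(path):
    """Split '<enumerator>#<hardware id>#<instance id>#{interface guid}' into its parts.

    The hardware ID of a SCSI device is '<class>&Ven_<vendor>&Prod_<product>[&Rev_<rev>]';
    the optional '\\\\?\\' prefix of a full symbolic link name is stripped first."""
    p = path[4:] if path.startswith("\\\\?\\") else path
    parts = p.split("#")
    if len(parts) != 4 or not re.fullmatch(r"\{[0-9a-f-]{36}\}", parts[3], re.I):
        raise ValueError("not a device interface symbolic link: %r" % path)
    enumerator, device_id, instance, interface = parts
    fields = device_id.split("&")
    info = {"enumerator": enumerator, "device_class": fields[0], "instance": instance,
            "interface": interface.lower(), "vendor": None, "product": None, "revision": None}
    for f in fields[1:]:
        for key, prefix in (("vendor", "Ven_"), ("product", "Prod_"), ("revision", "Rev_")):
            if f.startswith(prefix):
                info[key] = f[len(prefix):]
    return info


def vm_markers(info):
    """Markers found in the vendor/product strings; '_' is treated as a space for matching."""
    hay = " ".join(v for v in (info["vendor"], info["product"]) if v).lower().replace("_", " ")
    return sorted(m for m in VM_MARKERS if m in hay)


def looks_like_vm(path):
    return bool(vm_markers(parse_device_interface_path(path)))


if __name__ == "__main__":
    for p in (REPORT_PATH, PHYSICAL_PATH):
        info = parse_device_interface_path(p)
        print(info["enumerator"], info["device_class"], info["vendor"], info["product"], vm_markers(info))
```

The check the sample performs is the mirror image of this function: it only needs one hit on the vendor string to decide it is being analysed, which is why sandbox operators who want this sample to detonate have to present non-hypervisor vendor and product strings on the virtual optical drive rather than merely hide VMware tools.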
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap, 0_2_02865070
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 1528 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_00423C64 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 0_2_00423C64
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_028638F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose, 0_2_028638F0
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_00423C64 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 3_2_00423C64
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_022638F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose, 3_2_022638F0
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_0040D473 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 0_2_0040D473
Source: svchost.exe, 00000004.00000002.493342251.0000022682029000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW`sF
Source: svchost.exe, 00000006.00000002.289462453.0000022CC1140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.496499985.0000022CEC790000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.307963786.0000018A30340000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000004.00000002.497522334.0000022687462000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000007.00000002.492738004.000001A534C02000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmp, svchost.exe, 00000004.00000002.497463664.0000022687455000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: KBDTUQ.exe, 00000003.00000002.495442145.00000000023F2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWH
Source: svchost.exe, 00000006.00000002.289462453.0000022CC1140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.496499985.0000022CEC790000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.307963786.0000018A30340000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000006.00000002.289462453.0000022CC1140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.496499985.0000022CEC790000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.307963786.0000018A30340000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000007.00000002.492925083.000001A534C28000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.493616710.0000022CEBC45000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.493333947.0000021FB3A29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000006.00000002.289462453.0000022CC1140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.496499985.0000022CEC790000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.307963786.0000018A30340000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_00402270 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc, 0_2_00402270
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_00402270 LoadLibraryA,LoadLibraryA,GetProcAddress,EncryptFileA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc, 0_2_00402270
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02864E20 mov eax, dword ptr fs:[00000030h] 0_2_02864E20
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_02863F20 mov eax, dword ptr fs:[00000030h] 0_2_02863F20
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C5ABE mov eax, dword ptr fs:[00000030h] 0_2_022C5ABE
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C095E mov eax, dword ptr fs:[00000030h] 0_2_022C095E
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C69BE mov eax, dword ptr fs:[00000030h] 0_2_022C69BE
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_022C0456 mov eax, dword ptr fs:[00000030h] 0_2_022C0456
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_024A1030 mov eax, dword ptr fs:[00000030h] 0_2_024A1030
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02264E20 mov eax, dword ptr fs:[00000030h] 3_2_02264E20
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02263F20 mov eax, dword ptr fs:[00000030h] 3_2_02263F20
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_021D5ABE mov eax, dword ptr fs:[00000030h] 3_2_021D5ABE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_021D095E mov eax, dword ptr fs:[00000030h] 3_2_021D095E
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_021D69BE mov eax, dword ptr fs:[00000030h] 3_2_021D69BE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_021D0456 mov eax, dword ptr fs:[00000030h] 3_2_021D0456
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_02211030 mov eax, dword ptr fs:[00000030h] 3_2_02211030
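Each of the lines above is a `mov eax, dword ptr fs:[30h]`, the 32-bit read of the PEB pointer out of the TEB. The addresses at 0x0286xxxx and 0x022Cxxxx (original) and 0x0226xxxx and 0x021Dxxxx (dropped copy) lie in the same memory regions that the Yara rule at the end of this report matched as Emotet, which is why these reads matter here; PEB reads on their own are routine in packer stubs and runtime code, so they are a weak indicator in isolation. The scanner below is an added example, not code from the report or from the sample: it finds both x86 encodings of the instruction in a byte buffer, labels the FS offsets reached (0x30 is the PEB pointer; 0x18 and 0x00 are the other two offsets commonly read the same way), and emits an equivalent YARA rule. The byte buffer is constructed for the example.

```python
import struct

REGS32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
# Fields of the 32-bit TEB reached through FS; 0x30 is the PEB pointer the report flags.
FS_FIELDS = {0x00: "TEB.NtTib.ExceptionList", 0x18: "TEB.NtTib.Self", 0x30: "TEB.ProcessEnvironmentBlock"}


def scan_fs_reads(code, base=0):
    """Linear byte scan for `mov r32, dword ptr fs:[disp32]`.

    Two encodings exist: 64 A1 <disp32> (eax only) and 64 8B /r with mod=00, rm=101 (any r32).
    A byte scan is a heuristic: it does not disassemble, so hits inside data are possible."""
    hits, i, n = [], 0, len(code)
    while i < n:
        if code[i] != 0x64:                      # FS segment-override prefix
            i += 1
            continue
        if i + 6 <= n and code[i + 1] == 0xA1:   # mov eax, fs:[moffs32]
            disp = struct.unpack_from("<I", code, i + 2)[0]
            hits.append({"offset": base + i, "reg": "eax", "disp": disp, "size": 6})
            i += 6
            continue
        if i + 7 <= n and code[i + 1] == 0x8B and (code[i + 2] & 0xC7) == 0x05:  # mov r32, fs:[disp32]
            disp = struct.unpack_from("<I", code, i + 3)[0]
            hits.append({"offset": base + i, "reg": REGS32[(code[i + 2] >> 3) & 7], "disp": disp, "size": 7})
            i += 7
            continue
        i += 1
    return hits


def peb_reads(code, base=0):
    return [h for h in scan_fs_reads(code, base) if h["disp"] == 0x30]


def describe(hit):
    field = FS_FIELDS.get(hit["disp"], "fs:[0x%X]" % hit["disp"])
    return "0x%08X mov %s, dword ptr fs:[%08Xh]  ; %s" % (hit["offset"], hit["reg"], hit["disp"], field)


def yara_rule(name="x86_peb_read_fs30"):
    """The same two encodings as YARA hex strings (the esp form is omitted as unrealistic)."""
    lines = ["$peb_eax_moffs = { 64 A1 30 00 00 00 }"]
    for idx, reg in enumerate(REGS32):
        if reg != "esp":
            lines.append("$peb_%s = { 64 8B %02X 30 00 00 00 }" % (reg, (idx << 3) | 5))
    body = "\n".join("        " + s for s in lines)
    return "rule %s {\n    strings:\n%s\n    condition:\n        any of them\n}" % (name, body)


# Constructed buffer: two PEB reads, one TEB.Self read, and a stray FS prefix that must not match.
CONSTRUCTED_CODE = bytes.fromhex(
    "55 8B EC "               # push ebp; mov ebp, esp
    "64 A1 30 00 00 00 "      # mov eax, dword ptr fs:[30h]        ; PEB        (offset 3)
    "8B 40 0C "               # mov eax, [eax+0Ch]                  ; PEB.Ldr
    "5D C3 "                  # pop ebp; ret
    "64 8B 0D 30 00 00 00 "   # mov ecx, dword ptr fs:[30h]        ; PEB        (offset 14)
    "0F B6 41 02 "            # movzx eax, byte ptr [ecx+2]         ; PEB.BeingDebugged
    "C3 "                     # ret
    "64 8B 15 18 00 00 00 "   # mov edx, dword ptr fs:[18h]        ; TEB.Self   (offset 26)
    "64 90 "                  # FS prefix on a nop: not a read, must not be reported
)

if __name__ == "__main__":
    for h in scan_fs_reads(CONSTRUCTED_CODE, base=0x02864E20):
        print(describe(h))
    print(yara_rule())
```

Run it over the unpacked regions (the .unpack files the Yara section lists) rather than the packed sample on disk; on the packed file the pattern sits only in the stub, if at all, which is the reason the report attributes these hits to the 0x0286xxxx and 0x022Cxxxx regions and not to the image at 0x0040xxxx.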
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_028642F0 GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap, 0_2_028642F0
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_00411037 SetUnhandledExceptionFilter, 0_2_00411037
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_0041104B SetUnhandledExceptionFilter, 0_2_0041104B
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_00411037 SetUnhandledExceptionFilter, 3_2_00411037
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: 3_2_0041104B SetUnhandledExceptionFilter, 3_2_0041104B
Source: KBDTUQ.exe, 00000003.00000002.494088053.0000000000D20000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.493533765.00000268E6860000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: KBDTUQ.exe, 00000003.00000002.494088053.0000000000D20000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.493533765.00000268E6860000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: KBDTUQ.exe, 00000003.00000002.494088053.0000000000D20000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.493533765.00000268E6860000.00000002.00000001.sdmp Binary or memory string: Progman
Source: KBDTUQ.exe, 00000003.00000002.494088053.0000000000D20000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.493533765.00000268E6860000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: GetLocaleInfoA, 0_2_0041732D
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 0_2_0042776D
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: _strlen,EnumSystemLocalesA, 0_2_0041784C
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 0_2_00417883
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale, 0_2_0041795E
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: _strlen,EnumSystemLocalesA, 0_2_00417909
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: GetLocaleInfoA, 0_2_00417B13
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 0_2_00419B8E
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 0_2_00419C4A
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 0_2_00419CBE
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 0_2_00419D71
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 0_2_00402D20
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: GetLocaleInfoA, 3_2_0041732D
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 3_2_0042776D
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: _strlen,EnumSystemLocalesA, 3_2_0041784C
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 3_2_00417883
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale, 3_2_0041795E
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: _strlen,EnumSystemLocalesA, 3_2_00417909
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: GetLocaleInfoA, 3_2_00417B13
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 3_2_00419B8E
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 3_2_00419C4A
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 3_2_00419CBE
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 3_2_00419D71
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_00402D20
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_00411CF8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00411CF8
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_004151D4 _strlen,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_004151D4
Source: C:\Users\user\Desktop\Eacu0dRnuP.exe Code function: 0_2_0040D712 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,GetModuleHandleA, 0_2_0040D712
Source: C:\Windows\SysWOW64\fphc\KBDTUQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval Jump to behavior
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000E.00000002.492933677.0000023FA1C40000.00000004.00000001.sdmp Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.493007882.0000023FA1D02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
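All of the WMI lines above are attributed to svchost.exe, and so are the Security Center 'cval' write and the MsMpEng.exe strings in the two preceding signatures. svchost.exe also hosts the Windows Security Center service (wscsvc), which is the service behind the ROOT\SecurityCenter and ROOT\SecurityCenter2 data, so WMI activity there from a service host is not by itself evidence of the sample's behaviour; confirm from the process tree that the sample injected into that svchost instance before counting these three signatures against it. What the enumerated classes return is a displayName and a numeric productState. The decoder below is an added example, not code from the report or from the sample: Microsoft documents the class but not the productState layout, and the bit reading used here (0x1000 set = real-time protection enabled, 0x10 set = definitions out of date) is the common community convention, stated as an assumption; the rows are constructed for the example.

```python
# Rows in the shape of `SELECT displayName, productState FROM AntiVirusProduct` in root\SecurityCenter2.
# Constructed values for this example; they are not taken from this report.
CONSTRUCTED_AV_ROWS = [
    {"displayName": "Windows Defender", "productState": 0x061000},  # enabled, definitions current
    {"displayName": "ExampleAV",        "productState": 0x061110},  # enabled, definitions out of date
    {"displayName": "StaleAV",          "productState": 0x060100},  # disabled
]


def decode_product_state(state):
    """Split productState into the two bits that matter and the raw top byte.

    Assumption (community convention, not Microsoft documentation): bit 0x1000 means the product's
    real-time protection is on, bit 0x10 means its definitions are out of date. The top byte encodes
    the product owner/type and is returned undecoded."""
    return {
        "enabled": bool(state & 0x1000),
        "up_to_date": not (state & 0x10),
        "owner_byte": (state >> 16) & 0xFF,
    }


def summarize(rows):
    """Decode every row; tolerates productState arriving as a string, as WMI clients often return it."""
    out = []
    for r in rows:
        d = decode_product_state(int(r["productState"]))
        d["name"] = r["displayName"]
        out.append(d)
    return out


def has_active_av(rows):
    """The yes/no answer the sample is after: is any product both enabled and current?"""
    return any(d["enabled"] and d["up_to_date"] for d in summarize(rows))


if __name__ == "__main__":
    for d in summarize(CONSTRUCTED_AV_ROWS):
        print("%-18s enabled=%-5s up_to_date=%-5s owner=0x%02X" % (d["name"], d["enabled"], d["up_to_date"], d["owner_byte"]))
    print("active AV present:", has_active_av(CONSTRUCTED_AV_ROWS))
```

On a Windows host the same rows come from `Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct` (and FirewallProduct, AntiSpywareProduct) in PowerShell, which is the defender's view of exactly what this enumeration handed the sample; feeding that output into summarize() shows what the malware would have concluded about the host.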

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000000.00000002.230106819.00000000022C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.230764484.0000000002861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.230167872.00000000024A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.494965360.0000000002214000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.495069915.0000000002261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.494701716.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.KBDTUQ.exe.2260000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eacu0dRnuP.exe.2860000.1.unpack, type: UNPACKEDPE