Analysis Report 2760000.netprovfw.bin

ID:	345555
Product:	CloudBasic
Start time:	16:27:00
Start date:	28.01.2021
Sample:	2760000.netprovfw.bin
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	90478bb3273d74a7a4bae530dee87174
SHA1:	8fa8f069d4391a21346de65a5ee729ad6ef56a60
SHA256:	f865736f27acaaca93c530f82295fdddf9b97fc54f37732815e89ad660eb69e4
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_2760000.netprovf_50482980db6f70d047bdd5f2b763ef22b1cfde7_9c33c211_129efdf4\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	720CE52891513A7CE9B86362267F0DA5	DEBB950A22077D504E7615EAF440772D1903A500	694BB24B19E45591A31DD2B4F2744B883E902E1A59692CD4735E4DE3AC58CCC8
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5C6.tmp.dmp	Mini DuMP crash report, 14 streams, Fri Jan 29 00:27:52 2021, 0x1205a4 type	87A7ABC2F6BEAB6144BC5B26B23AE74A	90BC5F6AD1F9D5474FC3AB9F696FC6B37F65B421	A14D136A44ECE61B85B934F9A0F7CD91704847AEF659196F536710F0F5F478BB
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF78C.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	D984D43F2B351442B894831AED8A541A	D17A0A15F90E05B8305E1593EB236CDE91B5CE5A	10AB7323E241217ECA9B43DAAC0C0AEDA00A17B42CEEEB9253DD45B505746688
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF81A.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	5EF659495C5F15CBFFB7E779342ECDF1	9E271CDB285588F5EE1A8F0D125EA0E6EB149E03	EC7E8E6E007E9BA87CF04894BD00BB64B1BAE5E8D8851B82B054BC0B12C08873

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: 2760000.netprovfw.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 2760000.netprovfw.exe	Virustotal: Detection: 50%			Perma Link
Source: 2760000.netprovfw.exe	ReversingLabs: Detection: 79%

Machine Learning detection for sample

Source: 2760000.netprovfw.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: 2760000.netprovfw.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 2760000.netprovfw.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Code function: 0_2_02763A10 _snwprintf,FindNextFileW,_snwprintf,FindFirstFileW,

0_2_02763A10

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: 2760000.netprovfw.exe, 00000000.00000002.215076314.000000000076A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 2760000.netprovfw.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.206372217.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function

Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02761C70		0_2_02761C70
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02767590		0_2_02767590
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02768180		0_2_02768180

One or more processes crash

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640

PE file contains strange resources

Source: 2760000.netprovfw.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2760000.netprovfw.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2760000.netprovfw.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

PE file does not import any functions

Source: 2760000.netprovfw.exe

Static PE information: No import functions for PE file found

Uses 32bit PE files

Source: 2760000.netprovfw.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Classification label

Source: classification engine

Classification label: mal68.troj.winEXE@2/4@0/0

Creates mutexes

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3636

Creates temporary files

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5C6.tmp

Jump to behavior

PE file has an executable .text section and no other executable section

Source: 2760000.netprovfw.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: 2760000.netprovfw.exe	Virustotal: Detection: 50%
Source: 2760000.netprovfw.exe	ReversingLabs: Detection: 79%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\2760000.netprovfw.exe 'C:\Users\user\Desktop\2760000.netprovfw.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 2760000.netprovfw.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT

Data Obfuscation:

PE file contains an invalid checksum

Source: 2760000.netprovfw.exe

Static PE information: real checksum: 0x59bfd should be: 0x6199f

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765D70 push ecx; mov dword ptr [esp], 00008067h		0_2_02765D71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765F70 push ecx; mov dword ptr [esp], 000084ADh		0_2_02765F71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765E70 push ecx; mov dword ptr [esp], 00008D73h		0_2_02765E71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765E40 push ecx; mov dword ptr [esp], 0000AEA2h		0_2_02765E41
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765D30 push ecx; mov dword ptr [esp], 00002C7Ch		0_2_02765D31
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765F20 push ecx; mov dword ptr [esp], 0000E2ADh		0_2_02765F21
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765D00 push ecx; mov dword ptr [esp], 000021B4h		0_2_02765D01
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765DE0 push ecx; mov dword ptr [esp], 000025AAh		0_2_02765DE1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765FB0 push ecx; mov dword ptr [esp], 0000460Eh		0_2_02765FB1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765EA0 push ecx; mov dword ptr [esp], 00007473h		0_2_02765EA1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765DA0 push ecx; mov dword ptr [esp], 000036B8h		0_2_02765DA1

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 6.84651766717

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Code function: 0_2_02763A10 _snwprintf,FindNextFileW,_snwprintf,FindFirstFileW,

0_2_02763A10

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02763F70 mov eax, dword ptr fs:[00000030h]		0_2_02763F70
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02764E10 mov eax, dword ptr fs:[00000030h]		0_2_02764E10

Stealing of Sensitive Information:

Yara detected Emotet

Source: Yara match	File source: 2760000.netprovfw.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.206372217.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE