
Analysis Report 2760000.netprovfw.bin

Overview

General Information

Sample Name:2760000.netprovfw.bin (renamed file extension from bin to exe)
Analysis ID:345555
MD5:90478bb3273d74a7a4bae530dee87174
SHA1:8fa8f069d4391a21346de65a5ee729ad6ef56a60
SHA256:f865736f27acaaca93c530f82295fdddf9b97fc54f37732815e89ad660eb69e4

Detection

Emotet
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Emotet
Machine Learning detection for sample
Checks if the current process is being debugged
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • 2760000.netprovfw.exe (PID: 3636 cmdline: 'C:\Users\user\Desktop\2760000.netprovfw.exe' MD5: 90478BB3273D74A7A4BAE530DEE87174)
    • WerFault.exe (PID: 4852 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: 2760000.netprovfw.exe - Rule: JoeSecurity_Emotet - Description: Yara detected Emotet - Author: Joe Security

Memory Dumps

Source: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp - Rule: JoeSecurity_Emotet - Description: Yara detected Emotet - Author: Joe Security
Source: 00000000.00000000.206372217.0000000002761000.00000020.00020000.sdmp - Rule: JoeSecurity_Emotet - Description: Yara detected Emotet - Author: Joe Security

Unpacked PEs

Source: 0.0.2760000.netprovfw.exe.2760000.0.unpack - Rule: JoeSecurity_Emotet - Description: Yara detected Emotet - Author: Joe Security
Source: 0.2.2760000.netprovfw.exe.2760000.0.unpack - Rule: JoeSecurity_Emotet - Description: Yara detected Emotet - Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 2760000.netprovfw.exe - Avira: detected
Multi AV Scanner detection for submitted file
Source: 2760000.netprovfw.exe - Virustotal: Detection: 50%
Source: 2760000.netprovfw.exe - ReversingLabs: Detection: 79%
Machine Learning detection for sample
Source: 2760000.netprovfw.exe - Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 2760000.netprovfw.exe - Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 2760000.netprovfw.exe - Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02763A10 _snwprintf,FindNextFileW,_snwprintf,FindFirstFileW, - 0_2_02763A10
Source: 2760000.netprovfw.exe, 00000000.00000002.215076314.000000000076A000.00000004.00000020.sdmp - Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match - File source: 2760000.netprovfw.exe, type: SAMPLE
Source: Yara match - File source: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000000.206372217.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match - File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02761C70 - 0_2_02761C70
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02767590 - 0_2_02767590
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02768180 - 0_2_02768180
Source: unknown - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640
Source: 2760000.netprovfw.exe - Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2760000.netprovfw.exe - Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2760000.netprovfw.exe - Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2760000.netprovfw.exe - Static PE information: No import functions for PE file found
Source: 2760000.netprovfw.exe - Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine - Classification label: mal68.troj.winEXE@2/4@0/0
Source: C:\Windows\SysWOW64\WerFault.exe - Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3636
Source: C:\Windows\SysWOW64\WerFault.exe - File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5C6.tmp
Source: 2760000.netprovfw.exe - Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe - File read: C:\Windows\System32\drivers\etc\hosts
Source: 2760000.netprovfw.exe - Virustotal: Detection: 50%
Source: 2760000.netprovfw.exe - ReversingLabs: Detection: 79%
Source: unknown - Process created: C:\Users\user\Desktop\2760000.netprovfw.exe 'C:\Users\user\Desktop\2760000.netprovfw.exe'
Source: unknown - Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640
Source: 2760000.netprovfw.exe - Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT
Source: 2760000.netprovfw.exe - Static PE information: real checksum: 0x59bfd should be: 0x6199f
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02765D70 push ecx; mov dword ptr [esp], 00008067h - 0_2_02765D71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02765F70 push ecx; mov dword ptr [esp], 000084ADh - 0_2_02765F71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02765E70 push ecx; mov dword ptr [esp], 00008D73h - 0_2_02765E71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02765E40 push ecx; mov dword ptr [esp], 0000AEA2h - 0_2_02765E41
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02765D30 push ecx; mov dword ptr [esp], 00002C7Ch - 0_2_02765D31
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02765F20 push ecx; mov dword ptr [esp], 0000E2ADh - 0_2_02765F21
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02765D00 push ecx; mov dword ptr [esp], 000021B4h - 0_2_02765D01
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02765DE0 push ecx; mov dword ptr [esp], 000025AAh - 0_2_02765DE1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02765FB0 push ecx; mov dword ptr [esp], 0000460Eh - 0_2_02765FB1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02765EA0 push ecx; mov dword ptr [esp], 00007473h - 0_2_02765EA1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02765DA0 push ecx; mov dword ptr [esp], 000036B8h - 0_2_02765DA1
Source: initial sample - Static PE information: section name: .text entropy: 6.84651766717
Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02763A10 _snwprintf,FindNextFileW,_snwprintf,FindFirstFileW, - 0_2_02763A10
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02763F70 mov eax, dword ptr fs:[00000030h] - 0_2_02763F70
Source: C:\Users\user\Desktop\2760000.netprovfw.exe - Code function: 0_2_02764E10 mov eax, dword ptr fs:[00000030h] - 0_2_02764E10

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match - File source: 2760000.netprovfw.exe, type: SAMPLE
Source: Yara match - File source: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000000.206372217.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match - File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques listed per tactic column; the count attached to a technique in the original matrix is kept in parentheses.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (1), Software Packing (1), Process Injection (1), Obfuscated Files or Information (2), Software Packing
Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery (1), Virtualization/Sandbox Evasion (1), File and Directory Discovery (1), System Information Discovery (1), Remote System Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Input Capture (1), Archive Collected Data (1), Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

Behavior Graph


Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.