Play interactive tour

Edit tour

Analysis Report 2760000.netprovfw.bin

Overview

General Information

Sample Name:	2760000.netprovfw.bin (renamed file extension from bin to exe)
Analysis ID:	345555
MD5:	90478bb3273d74a7a4bae530dee87174
SHA1:	8fa8f069d4391a21346de65a5ee729ad6ef56a60
SHA256:	f865736f27acaaca93c530f82295fdddf9b97fc54f37732815e89ad660eb69e4
Most interesting Screenshot:

Detection

Emotet

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Emotet

Machine Learning detection for sample

Checks if the current process is being debugged

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

One or more processes crash

PE file contains an invalid checksum

PE file contains strange resources

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

2760000.netprovfw.exe (PID: 3636 cmdline: 'C:\Users\user\Desktop\2760000.netprovfw.exe' MD5: 90478BB3273D74A7A4BAE530DEE87174)

WerFault.exe (PID: 4852 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
2760000.netprovfw.exe	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000000.206372217.0000000002761000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.2760000.netprovfw.exe.2760000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.2760000.netprovfw.exe.2760000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: 2760000.netprovfw.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: 2760000.netprovfw.exe	Virustotal: Detection: 50%			Perma Link
Source: 2760000.netprovfw.exe	ReversingLabs: Detection: 79%

Machine Learning detection for sample

Show sources

Source: 2760000.netprovfw.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: 2760000.netprovfw.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: 2760000.netprovfw.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT

Spreading:

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Code function: 0_2_02763A10 _snwprintf,FindNextFileW,_snwprintf,FindFirstFileW,

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: 2760000.netprovfw.exe, 00000000.00000002.215076314.000000000076A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 2760000.netprovfw.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.206372217.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE

System Summary:

Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02761C70
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02767590
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02768180

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640

Source: 2760000.netprovfw.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2760000.netprovfw.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2760000.netprovfw.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 2760000.netprovfw.exe

Static PE information: No import functions for PE file found

Source: 2760000.netprovfw.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal68.troj.winEXE@2/4@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3636

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5C6.tmp

Jump to behavior

Source: 2760000.netprovfw.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 2760000.netprovfw.exe	Virustotal: Detection: 50%
Source: 2760000.netprovfw.exe	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\2760000.netprovfw.exe 'C:\Users\user\Desktop\2760000.netprovfw.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640

Source: 2760000.netprovfw.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT

Data Obfuscation:

Source: 2760000.netprovfw.exe

Static PE information: real checksum: 0x59bfd should be: 0x6199f

Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765D70 push ecx; mov dword ptr [esp], 00008067h
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765F70 push ecx; mov dword ptr [esp], 000084ADh
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765E70 push ecx; mov dword ptr [esp], 00008D73h
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765E40 push ecx; mov dword ptr [esp], 0000AEA2h
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765D30 push ecx; mov dword ptr [esp], 00002C7Ch
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765F20 push ecx; mov dword ptr [esp], 0000E2ADh
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765D00 push ecx; mov dword ptr [esp], 000021B4h
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765DE0 push ecx; mov dword ptr [esp], 000025AAh
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765FB0 push ecx; mov dword ptr [esp], 0000460Eh
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765EA0 push ecx; mov dword ptr [esp], 00007473h
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765DA0 push ecx; mov dword ptr [esp], 000036B8h

Source: initial sample

Static PE information: section name: .text entropy: 6.84651766717

Hooking and other Techniques for Hiding and Protection:

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Code function: 0_2_02763A10 _snwprintf,FindNextFileW,_snwprintf,FindFirstFileW,

Anti Debugging:

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02763F70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02764E10 mov eax, dword ptr fs:[00000030h]

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 2760000.netprovfw.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.206372217.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion1	Input Capture1	Security Software Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	System Information Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2760000.netprovfw.exe	50%	Virustotal		Browse
2760000.netprovfw.exe	79%	ReversingLabs	Win32.Trojan.Convagent
2760000.netprovfw.exe	100%	Avira	TR/Crypt.XPACK.Gen
2760000.netprovfw.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.1.2760000.netprovfw.exe.2760000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.2760000.netprovfw.exe.2760000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.2760000.netprovfw.exe.2760000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	345555
Start date:	28.01.2021
Start time:	16:27:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 26s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	2760000.netprovfw.bin (renamed file extension from bin to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.winEXE@2/4@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 99.3%) Quality average: 71.8% Quality standard deviation: 20.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): WerFault.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 52.255.188.83 Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com

Simulations

Behavior and APIs

Time	Type	Description
16:27:54	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_2760000.netprovf_50482980db6f70d047bdd5f2b763ef22b1cfde7_9c33c211_129efdf4\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	10994
Entropy (8bit):	3.7614659673061346
Encrypted:	false
SSDEEP:	96:zAaFnqcKJ1hskDRf2pXIQcQvc6QcEDMcw3Db+HbHg/uAnQ0DFV6Fq/TOiNkoJT4V:caF3VHBUZMXYjIa/u7scS274ItkS+
MD5:	720CE52891513A7CE9B86362267F0DA5
SHA1:	DEBB950A22077D504E7615EAF440772D1903A500
SHA-256:	694BB24B19E45591A31DD2B4F2744B883E902E1A59692CD4735E4DE3AC58CCC8
SHA-512:	F211EAD3CFDE2F98CCB5ADBBCCD0D5C27D35201B0AE5BB4A70E0B5E23BAD30010BF26DA94F41497B1F938CD5F45D1400A2368A8E28D4FA08CF3C9C47317EF8CC
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.3.5.3.6.7.2.0.5.9.4.2.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.3.5.3.6.7.2.7.6.2.5.4.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.d.e.9.d.f.1.3.-.b.a.c.d.-.4.a.a.b.-.8.7.f.5.-.a.3.7.1.1.d.b.5.0.0.6.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.1.1.3.7.b.7.7.-.b.d.f.0.-.4.d.d.7.-.8.b.3.6.-.6.2.2.3.0.1.0.9.7.5.0.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.7.6.0.0.0.0...n.e.t.p.r.o.v.f.w...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.3.4.-.0.0.0.1.-.0.0.1.7.-.e.c.3.9.-.3.2.9.3.d.5.f.5.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.0.f.c.c.3.2.5.5.9.8.9.5.0.a.9.b.b.8.c.a.5.b.6.5.8.9.1.d.6.8.6.0.0.0.0.f.f.f.f.!.0.0.0.0.8.f.a.8.f.0.6.9.d.4.3.9.1.a.2.1.3.4.6.d.e.6.5.a.5.e.e.7.2.9.a.d.6.e.f.5.6.a.6.0.!.2.7.6.0.0.0.0...n.e.t.p.r.o.v.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5C6.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Jan 29 00:27:52 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	41726
Entropy (8bit):	2.2476995034013756
Encrypted:	false
SSDEEP:	192:A1X2ZQnnUJO7htz2SKwrdcMhMDyTROcb5Kszgeb:W/gSKaS1DyTRRblvb
MD5:	87A7ABC2F6BEAB6144BC5B26B23AE74A
SHA1:	90BC5F6AD1F9D5474FC3AB9F696FC6B37F65B421
SHA-256:	A14D136A44ECE61B85B934F9A0F7CD91704847AEF659196F536710F0F5F478BB
SHA-512:	6330C9B8B186F8FA0656C7FBF1AEF94BE11A519E6FE7D3511D7C7EF45D15B4288880564873F02F3B479541283DEC1F549255C73D6A4A90E60D6BDB38A4940C93
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........V.`...................U...........B......T.......GenuineIntelW...........T.......4....V.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF78C.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8316
Entropy (8bit):	3.694070001122533
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi526b6YS3SUnYsgmfJfGSwCprR889b+sWsfG4Km:RrlsNio6b6YiSUnYsgmfJ+SJp+s1fN7
MD5:	D984D43F2B351442B894831AED8A541A
SHA1:	D17A0A15F90E05B8305E1593EB236CDE91B5CE5A
SHA-256:	10AB7323E241217ECA9B43DAAC0C0AEDA00A17B42CEEEB9253DD45B505746688
SHA-512:	55FEB2D609DF9EBD3ECC5960280B666412F455E6E1565FBC01D03C2FC8F183DD1439C5402685C0C2CE95ED3CB6B6DF3ED448708A6AABB783C06899CA429F17BE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.6.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF81A.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4605
Entropy (8bit):	4.454386786497803
Encrypted:	false
SSDEEP:	48:cvIwSD8zsxlJgtWI9EKWSC8Bq8fm8M4JzXYlFs8+q8I6ROC6vG6d:uITf53rSN9JR8JVvG6d
MD5:	5EF659495C5F15CBFFB7E779342ECDF1
SHA1:	9E271CDB285588F5EE1A8F0D125EA0E6EB149E03
SHA-256:	EC7E8E6E007E9BA87CF04894BD00BB64B1BAE5E8D8851B82B054BC0B12C08873
SHA-512:	9C386FE1DC6B6B8C5F7F62DAD5A39AF7AB911361F65CBD6880CA541B2FFEA2EE470E466251C44376F64946B00E5F7A3418CB6B69157006E59D3BF51B49EF8D99
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="837218" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.529033895906113
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2760000.netprovfw.exe
File size:	350208
MD5:	90478bb3273d74a7a4bae530dee87174
SHA1:	8fa8f069d4391a21346de65a5ee729ad6ef56a60
SHA256:	f865736f27acaaca93c530f82295fdddf9b97fc54f37732815e89ad660eb69e4
SHA512:	4df47075f24abd5882f27e22d39c6a73b1586ddd1757539387a885e3f112e1e00b4b97b4f68d91ef5662c7a3973ab350fe5e1e68d36943948ffa255315f51961
SSDEEP:	6144:Lt0Ju8YGNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqOY:x0J5nKXzJ4pdd3klnnWosPhnzqL
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.../.../.../...".J.....R.p.....R.K.....Rich/...................PE..L...M.._.............................\............v........

File Icon


Icon Hash:	c0d9f1f399a4c2c1

Static PE Info

General
Entrypoint:	0x2765cd0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x2760000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT
Time Stamp:	0x5F90A34D [Wed Oct 21 21:08:29 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
call 00007F0628F9DD70h
mov eax, dword ptr [0276E2C4h]
test eax, eax
jne 00007F0628F9D50Dh
mov ecx, A2CE093Fh
call 00007F0628F9B77Dh
mov edx, B9B17DC0h
mov ecx, eax
call 00007F0628F9B6D1h
mov dword ptr [0276E2C4h], eax
push 00000000h
call eax
retn 0010h
push ecx
mov dword ptr [esp], 000021B4h
add dword ptr [esp], 00005AC3h
shl dword ptr [esp], 04h
mov eax, dword ptr [esp]
shl eax, 06h
mov dword ptr [esp], eax
or dword ptr [esp], CC87922Ah
xor dword ptr [esp], CDF7DF6Ah
mov eax, dword ptr [esp]
pop ecx
ret
int3
push ecx
mov dword ptr [esp], 00002C7Ch
imul eax, dword ptr [esp], 2Dh
mov dword ptr [esp], eax
shl dword ptr [esp], 0Ch
xor dword ptr [esp], 9184714Ch
shl dword ptr [esp], 0Fh
or dword ptr [esp], 011C88C3h
xor dword ptr [esp], 59BE8863h
mov eax, dword ptr [esp]
pop ecx
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ecx
mov dword ptr [esp], 00008067h
xor dword ptr [esp], 30B3246Ch
add dword ptr [esp], 000090BEh
xor dword ptr [esp], 30B43B69h
mov eax, dword ptr [esp]
pop ecx
ret
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x49800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf000	0x74c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb000	0xa600	False	0.544686558735	data	6.84651766717	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x1000	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0x2000	0xc00	False	0.851888020833	data	7.19591538106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0xf000	0x1000	0x800	False	0.01123046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x4a000	0x49800	False	0.348051525298	data	5.21306515691	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x102fc	0x668	data
RT_ICON	0x10964	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2296940798, next used block 15239304
RT_ICON	0x10c4c	0x1e8	data
RT_ICON	0x10e34	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x10f5c	0xea8	data
RT_ICON	0x11e04	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 14019316, next used block 14479096
RT_ICON	0x126ac	0x6c8	data
RT_ICON	0x12d74	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x132dc	0x42028	dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0
RT_ICON	0x55304	0x25a8	data
RT_ICON	0x578ac	0x10a8	data
RT_ICON	0x58954	0x988	data
RT_ICON	0x592dc	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x59744	0xbc	data

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2021 16:27:44.950273991 CET	63492	53	192.168.2.3	8.8.8.8
Jan 28, 2021 16:27:45.001044035 CET	53	63492	8.8.8.8	192.168.2.3
Jan 28, 2021 16:27:45.804285049 CET	60831	53	192.168.2.3	8.8.8.8
Jan 28, 2021 16:27:45.852279902 CET	53	60831	8.8.8.8	192.168.2.3
Jan 28, 2021 16:27:46.676866055 CET	60100	53	192.168.2.3	8.8.8.8
Jan 28, 2021 16:27:46.728919983 CET	53	60100	8.8.8.8	192.168.2.3
Jan 28, 2021 16:27:47.529217005 CET	53195	53	192.168.2.3	8.8.8.8
Jan 28, 2021 16:27:47.577835083 CET	53	53195	8.8.8.8	192.168.2.3
Jan 28, 2021 16:27:48.344050884 CET	50141	53	192.168.2.3	8.8.8.8
Jan 28, 2021 16:27:48.394737959 CET	53	50141	8.8.8.8	192.168.2.3
Jan 28, 2021 16:27:49.204808950 CET	53023	53	192.168.2.3	8.8.8.8
Jan 28, 2021 16:27:49.261265993 CET	53	53023	8.8.8.8	192.168.2.3
Jan 28, 2021 16:27:50.005877018 CET	49563	53	192.168.2.3	8.8.8.8
Jan 28, 2021 16:27:50.057293892 CET	53	49563	8.8.8.8	192.168.2.3
Jan 28, 2021 16:27:50.848668098 CET	51352	53	192.168.2.3	8.8.8.8
Jan 28, 2021 16:27:50.896701097 CET	53	51352	8.8.8.8	192.168.2.3
Jan 28, 2021 16:27:51.791634083 CET	59349	53	192.168.2.3	8.8.8.8
Jan 28, 2021 16:27:51.844265938 CET	53	59349	8.8.8.8	192.168.2.3
Jan 28, 2021 16:27:52.679951906 CET	57084	53	192.168.2.3	8.8.8.8
Jan 28, 2021 16:27:52.727832079 CET	53	57084	8.8.8.8	192.168.2.3
Jan 28, 2021 16:27:52.961210966 CET	58823	53	192.168.2.3	8.8.8.8
Jan 28, 2021 16:27:53.011951923 CET	53	58823	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: 2760000.netprovfw.exe PID: 3636 Parent PID: 5668

General

Start time:	16:27:50
Start date:	28/01/2021
Path:	C:\Users\user\Desktop\2760000.netprovfw.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\2760000.netprovfw.exe'
Imagebase:	0x2760000
File size:	350208 bytes
MD5 hash:	90478BB3273D74A7A4BAE530DEE87174
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.206372217.0000000002761000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: WerFault.exe PID: 4852 Parent PID: 3636

General

Start time:	16:27:51
Start date:	28/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640
Imagebase:	0x1210000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 2760000.netprovfw.bin

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: 2760000.netprovfw.exe PID: 3636 Parent PID: 5668

General

Analysis Process: WerFault.exe PID: 4852 Parent PID: 3636

General

Disassembly

Code Analysis