Analysis Report 2760000.netprovfw.exe

Overview

General Information

Sample Name:	2760000.netprovfw.exe
Analysis ID:	345555
MD5:	90478bb3273d74a7a4bae530dee87174
SHA1:	8fa8f069d4391a21346de65a5ee729ad6ef56a60
SHA256:	f865736f27acaaca93c530f82295fdddf9b97fc54f37732815e89ad660eb69e4
Most interesting Screenshot:

Detection

Emotet

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Emotet

Machine Learning detection for sample

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Detected potential crypto function

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains strange resources

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: 2760000.netprovfw.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 2760000.netprovfw.exe	Virustotal: Detection: 50%			Perma Link
Source: 2760000.netprovfw.exe	ReversingLabs: Detection: 79%

Machine Learning detection for sample

Source: 2760000.netprovfw.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: 2760000.netprovfw.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 2760000.netprovfw.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: wininet.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb hsq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbnhqc source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb^hyq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdbdh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdbHhkq` source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.677114006.0000000004859000.00000004.00000001.sdmp
Source:	Binary string: userenv.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbzh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb,hGq\| source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdbph source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb6hAq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbTh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb\|h source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: userenv.pdb*hMq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbbh5q source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdbRheq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp

Spreading:

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Code function: 0_2_02763A10 _snwprintf,LdrInitializeThunk,_snwprintf,FindFirstFileW,

0_2_02763A10

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 2760000.netprovfw.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.664188211.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.690703011.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function

Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02761C70	0_2_02761C70
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02767590	0_2_02767590
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02768180	0_2_02768180

One or more processes crash

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 632

PE file contains strange resources

Source: 2760000.netprovfw.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2760000.netprovfw.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2760000.netprovfw.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

PE file does not import any functions

Source: 2760000.netprovfw.exe

Static PE information: No import functions for PE file found

Uses 32bit PE files

Source: 2760000.netprovfw.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal68.troj.winEXE@2/4@0/1

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6172

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1BE.tmp

Jump to behavior

Source: 2760000.netprovfw.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 2760000.netprovfw.exe	Virustotal: Detection: 50%
Source: 2760000.netprovfw.exe	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\2760000.netprovfw.exe 'C:\Users\user\Desktop\2760000.netprovfw.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 632

Source: 2760000.netprovfw.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT

Source:	Binary string: wininet.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb hsq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbnhqc source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb^hyq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdbdh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdbHhkq` source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.677114006.0000000004859000.00000004.00000001.sdmp
Source:	Binary string: userenv.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbzh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb,hGq\| source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdbph source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb6hAq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbTh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb\|h source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: userenv.pdb*hMq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbbh5q source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdbRheq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp

Data Obfuscation:

PE file contains an invalid checksum

Source: 2760000.netprovfw.exe

Static PE information: real checksum: 0x59bfd should be: 0x6199f

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765D70 push ecx; mov dword ptr [esp], 00008067h	0_2_02765D71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765F70 push ecx; mov dword ptr [esp], 000084ADh	0_2_02765F71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765E70 push ecx; mov dword ptr [esp], 00008D73h	0_2_02765E71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765E40 push ecx; mov dword ptr [esp], 0000AEA2h	0_2_02765E41
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765D30 push ecx; mov dword ptr [esp], 00002C7Ch	0_2_02765D31
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765F20 push ecx; mov dword ptr [esp], 0000E2ADh	0_2_02765F21
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765D00 push ecx; mov dword ptr [esp], 000021B4h	0_2_02765D01
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765DE0 push ecx; mov dword ptr [esp], 000025AAh	0_2_02765DE1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765FB0 push ecx; mov dword ptr [esp], 0000460Eh	0_2_02765FB1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765EA0 push ecx; mov dword ptr [esp], 00007473h	0_2_02765EA1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765DA0 push ecx; mov dword ptr [esp], 000036B8h	0_2_02765DA1

Source: initial sample

Static PE information: section name: .text entropy: 6.84651766717

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Code function: 0_2_02763A10 _snwprintf,LdrInitializeThunk,_snwprintf,FindFirstFileW,

0_2_02763A10

Source: WerFault.exe, 00000003.00000002.689659437.0000000004B90000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000003.00000003.687150176.0000000004859000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000003.00000002.689659437.0000000004B90000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000003.00000002.689659437.0000000004B90000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000003.00000002.689659437.0000000004B90000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Code function: 0_2_02763A10 _snwprintf,LdrInitializeThunk,_snwprintf,FindFirstFileW,

0_2_02763A10

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02763F70 mov eax, dword ptr fs:[00000030h]		0_2_02763F70
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02764E10 mov eax, dword ptr fs:[00000030h]		0_2_02764E10

Stealing of Sensitive Information:

Yara detected Emotet

Source: Yara match	File source: 2760000.netprovfw.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.664188211.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.690703011.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: 2760000.netprovfw.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 2760000.netprovfw.exe	Virustotal: Detection: 50%			Perma Link
Source: 2760000.netprovfw.exe	ReversingLabs: Detection: 79%

Machine Learning detection for sample

Source: 2760000.netprovfw.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: 2760000.netprovfw.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 2760000.netprovfw.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: wininet.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb hsq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbnhqc source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb^hyq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdbdh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdbHhkq` source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.677114006.0000000004859000.00000004.00000001.sdmp
Source:	Binary string: userenv.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbzh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb,hGq\| source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdbph source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb6hAq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbTh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb\|h source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: userenv.pdb*hMq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbbh5q source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdbRheq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp

Spreading:

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Code function: 0_2_02763A10 _snwprintf,LdrInitializeThunk,_snwprintf,FindFirstFileW,

0_2_02763A10

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 2760000.netprovfw.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.664188211.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.690703011.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function

Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02761C70	0_2_02761C70
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02767590	0_2_02767590
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02768180	0_2_02768180

One or more processes crash

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 632

PE file contains strange resources

Source: 2760000.netprovfw.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2760000.netprovfw.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2760000.netprovfw.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

PE file does not import any functions

Source: 2760000.netprovfw.exe

Static PE information: No import functions for PE file found

Uses 32bit PE files

Source: 2760000.netprovfw.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal68.troj.winEXE@2/4@0/1

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6172

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1BE.tmp

Jump to behavior

Source: 2760000.netprovfw.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 2760000.netprovfw.exe	Virustotal: Detection: 50%
Source: 2760000.netprovfw.exe	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\2760000.netprovfw.exe 'C:\Users\user\Desktop\2760000.netprovfw.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 632

Source: 2760000.netprovfw.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT

Source:	Binary string: wininet.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb hsq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbnhqc source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb^hyq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdbdh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdbHhkq` source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.677114006.0000000004859000.00000004.00000001.sdmp
Source:	Binary string: userenv.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbzh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb,hGq\| source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdbph source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb6hAq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbTh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb\|h source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: userenv.pdb*hMq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdbbh5q source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdbRheq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source:	Binary string: wtsapi32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp

Data Obfuscation:

PE file contains an invalid checksum

Source: 2760000.netprovfw.exe

Static PE information: real checksum: 0x59bfd should be: 0x6199f

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765D70 push ecx; mov dword ptr [esp], 00008067h	0_2_02765D71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765F70 push ecx; mov dword ptr [esp], 000084ADh	0_2_02765F71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765E70 push ecx; mov dword ptr [esp], 00008D73h	0_2_02765E71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765E40 push ecx; mov dword ptr [esp], 0000AEA2h	0_2_02765E41
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765D30 push ecx; mov dword ptr [esp], 00002C7Ch	0_2_02765D31
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765F20 push ecx; mov dword ptr [esp], 0000E2ADh	0_2_02765F21
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765D00 push ecx; mov dword ptr [esp], 000021B4h	0_2_02765D01
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765DE0 push ecx; mov dword ptr [esp], 000025AAh	0_2_02765DE1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765FB0 push ecx; mov dword ptr [esp], 0000460Eh	0_2_02765FB1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765EA0 push ecx; mov dword ptr [esp], 00007473h	0_2_02765EA1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02765DA0 push ecx; mov dword ptr [esp], 000036B8h	0_2_02765DA1

Source: initial sample

Static PE information: section name: .text entropy: 6.84651766717

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Code function: 0_2_02763A10 _snwprintf,LdrInitializeThunk,_snwprintf,FindFirstFileW,

0_2_02763A10

Source: WerFault.exe, 00000003.00000002.689659437.0000000004B90000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000003.00000003.687150176.0000000004859000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000003.00000002.689659437.0000000004B90000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000003.00000002.689659437.0000000004B90000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000003.00000002.689659437.0000000004B90000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\2760000.netprovfw.exe

Code function: 0_2_02763A10 _snwprintf,LdrInitializeThunk,_snwprintf,FindFirstFileW,

0_2_02763A10

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02763F70 mov eax, dword ptr fs:[00000030h]		0_2_02763F70
Source: C:\Users\user\Desktop\2760000.netprovfw.exe	Code function: 0_2_02764E10 mov eax, dword ptr fs:[00000030h]		0_2_02764E10

Stealing of Sensitive Information:

Yara detected Emotet

Source: Yara match	File source: 2760000.netprovfw.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.664188211.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.690703011.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE

ID:	345555
Product:	CloudBasic
Start time:	16:30:00
Start date:	28.01.2021
Sample:	2760000.netprovfw.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	90478bb3273d74a7a4bae530dee87174
SHA1:	8fa8f069d4391a21346de65a5ee729ad6ef56a60
SHA256:	f865736f27acaaca93c530f82295fdddf9b97fc54f37732815e89ad660eb69e4
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_2760000.netprovf_b21efdbffde7a51b97dadc3f5e1a0cbb59477b5_9c33c211_1654d47b\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	548D4253D24ED6AB578348FC29791ADD	15BFE6F7C3BB6E7F37E41CCBB56D1DE497C9E2DB	684A7CFAEC7EBB584BA1C0BC08EA384CE78B5A162BDA595FE808A749B3BD5444
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1BE.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Jan 28 15:31:03 2021, 0x1205a4 type	F021F7228CFA31E63D3414EF0FF5EF65	152AFA0910386EC728E41BA92D5D793C7176051E	22F4AA2068DFBABDB0C01A76340D81719977B38301A14E2BE874C330C841B882
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC605.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	8CA2B75E94B19B5B815F2675BBF4E695	A3223A858E39081E44E5CE3A77D3D9F4D109C47C	42603AA2FD403D7EB759F435291998A6D9EC742DA73E9CF8FB2347985774BE6E
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC79C.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	6E9F9E83B550D6C9C10FBED1CF15E45D	183B96207290120FD14196CEBAE44B089DAD98CE	0582CABD098099481B5559E2A766F1480B8BAFDE867E97BBF7E748B7A35BE7B6

Analysis Report 2760000.netprovfw.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private