
Analysis Report 2760000.netprovfw.exe

Overview

General Information

Sample Name:2760000.netprovfw.exe
Analysis ID:345555
MD5:90478bb3273d74a7a4bae530dee87174
SHA1:8fa8f069d4391a21346de65a5ee729ad6ef56a60
SHA256:f865736f27acaaca93c530f82295fdddf9b97fc54f37732815e89ad660eb69e4

Detection

Emotet
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Emotet
Machine Learning detection for sample
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • 2760000.netprovfw.exe (PID: 6172 cmdline: 'C:\Users\user\Desktop\2760000.netprovfw.exe' MD5: 90478BB3273D74A7A4BAE530DEE87174)
    • WerFault.exe (PID: 5648 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
2760000.netprovfw.exe | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000000.00000000.664188211.0000000002761000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.690703011.0000000002761000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.0.2760000.netprovfw.exe.2760000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0.2.2760000.netprovfw.exe.2760000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 2760000.netprovfw.exe -- Avira: detected
Multi AV Scanner detection for submitted file
Source: 2760000.netprovfw.exe -- Virustotal: Detection: 50%
Source: 2760000.netprovfw.exe -- ReversingLabs: Detection: 79%
Machine Learning detection for sample
Source: 2760000.netprovfw.exe -- Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 2760000.netprovfw.exe -- Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 2760000.netprovfw.exe -- Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wininet.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb hsq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdbnhqc source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb^hyq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdbdh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdbHhkq` source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.677114006.0000000004859000.00000004.00000001.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbzh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb,hGq| source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdbph source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb6hAq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbTh source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb|h source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb*hMq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbbh5q source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: wtsapi32.pdbRheq source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source: Binary string: wtsapi32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.680015863.0000000004A31000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000003.00000003.680034638.0000000004A07000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000003.00000003.680028342.0000000004A00000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02763A10 _snwprintf,LdrInitializeThunk,_snwprintf,FindFirstFileW,

E-Banking Fraud:

Yara detected Emotet
Source: Yara match -- File source: 2760000.netprovfw.exe, type: SAMPLE
Source: Yara match -- File source: 00000000.00000000.664188211.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.690703011.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02761C70
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02767590
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02768180
Source: unknown -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 632
Source: 2760000.netprovfw.exe -- Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2760000.netprovfw.exe -- Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2760000.netprovfw.exe -- Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2760000.netprovfw.exe -- Static PE information: No import functions for PE file found
Source: 2760000.netprovfw.exe -- Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine -- Classification label: mal68.troj.winEXE@2/4@0/1
Source: C:\Windows\SysWOW64\WerFault.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6172
Source: C:\Windows\SysWOW64\WerFault.exe -- File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1BE.tmp
Source: 2760000.netprovfw.exe -- Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: 2760000.netprovfw.exe -- Virustotal: Detection: 50%
Source: 2760000.netprovfw.exe -- ReversingLabs: Detection: 79%
Source: unknown -- Process created: C:\Users\user\Desktop\2760000.netprovfw.exe 'C:\Users\user\Desktop\2760000.netprovfw.exe'
Source: unknown -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 632
Source: 2760000.netprovfw.exe -- Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT
Source: 2760000.netprovfw.exe -- Static PE information: real checksum: 0x59bfd should be: 0x6199f
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02765D70 push ecx; mov dword ptr [esp], 00008067h
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02765F70 push ecx; mov dword ptr [esp], 000084ADh
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02765E70 push ecx; mov dword ptr [esp], 00008D73h
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02765E40 push ecx; mov dword ptr [esp], 0000AEA2h
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02765D30 push ecx; mov dword ptr [esp], 00002C7Ch
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02765F20 push ecx; mov dword ptr [esp], 0000E2ADh
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02765D00 push ecx; mov dword ptr [esp], 000021B4h
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02765DE0 push ecx; mov dword ptr [esp], 000025AAh
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02765FB0 push ecx; mov dword ptr [esp], 0000460Eh
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02765EA0 push ecx; mov dword ptr [esp], 00007473h
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02765DA0 push ecx; mov dword ptr [esp], 000036B8h
Source: initial sample -- Static PE information: section name: .text entropy: 6.84651766717
Source: C:\Windows\SysWOW64\WerFault.exe -- Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: NOOPENFILEERRORBOX (this event is listed 19 times in the report)
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02763A10 _snwprintf,LdrInitializeThunk,_snwprintf,FindFirstFileW,
Source: WerFault.exe, 00000003.00000002.689659437.0000000004B90000.00000002.00000001.sdmp -- Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000003.00000003.687150176.0000000004859000.00000004.00000001.sdmp -- Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000003.00000002.689659437.0000000004B90000.00000002.00000001.sdmp -- Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000003.00000002.689659437.0000000004B90000.00000002.00000001.sdmp -- Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000003.00000002.689659437.0000000004B90000.00000002.00000001.sdmp -- Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Process queried: DebugPort
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02763A10 _snwprintf,LdrInitializeThunk,_snwprintf,FindFirstFileW,
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02763F70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2760000.netprovfw.exe -- Code function: 0_2_02764E10 mov eax, dword ptr fs:[00000030h]

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match -- File source: 2760000.netprovfw.exe, type: SAMPLE
Source: Yara match -- File source: 00000000.00000000.664188211.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.690703011.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (1) | Virtualization/Sandbox Evasion (1) | OS Credential Dumping | Query Registry (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Software Packing (1) | LSASS Memory | Security Software Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (2) | NTDS | File and Directory Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features

Behavior Graph

(The behavior graph image is not reproduced here.)

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

(The screenshot thumbnails are not reproduced here.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
2760000.netprovfw.exe | 50% | Virustotal |
2760000.netprovfw.exe | 79% | ReversingLabs | Win32.Trojan.Convagent
2760000.netprovfw.exe | 100% | Avira | TR/Crypt.XPACK.Gen
2760000.netprovfw.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.1.2760000.netprovfw.exe.2760000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.2760000.netprovfw.exe.2760000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.2760000.netprovfw.exe.2760000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
(no entries)

Private

IP
192.168.2.1

            General Information

            Joe Sandbox Version:31.0.0 Emerald
            Analysis ID:345555
            Start date:28.01.2021
            Start time:16:30:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 5m 0s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:2760000.netprovfw.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Run name:Run with higher sleep bypass
            Number of analysed new started processes analysed:23
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal68.troj.winEXE@2/4@0/1
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:
            • Successful, ratio: 100% (good quality ratio 99.3%)
            • Quality average: 71.8%
            • Quality standard deviation: 20.8%
            HCA Information:Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Sleeps bigger than 120000ms are automatically reduced to 1000ms
            • Found application associated with file extension: .exe
            • Stop behavior analysis, all processes terminated
            Warnings:
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
            • Excluded IPs from analysis (whitelisted): 104.43.139.144, 51.104.144.132, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129, 8.248.139.254, 8.248.131.254, 8.241.123.126, 67.26.75.254, 67.27.159.126, 51.104.139.180
            • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_2760000.netprovf_b21efdbffde7a51b97dadc3f5e1a0cbb59477b5_9c33c211_1654d47b\Report.wer
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):11112
            Entropy (8bit):3.7638085527696172
            Encrypted:false
            SSDEEP:96:gqjnqc1w71hsoI7RY6tpXIQcQvc6QcEDMcw3DL+HbHg/uAnQ0DFV6Fq/TOiNkoJ1:Dj3/HBUZMXojIa/u7sLS274IthSwS
            MD5:548D4253D24ED6AB578348FC29791ADD
            SHA1:15BFE6F7C3BB6E7F37E41CCBB56D1DE497C9E2DB
            SHA-256:684A7CFAEC7EBB584BA1C0BC08EA384CE78B5A162BDA595FE808A749B3BD5444
            SHA-512:2E3D2BB60E44E0F1E5468E9C0018AB1D7DC30B665FFEDA29C6744208FC723102E68B29C0FF6FAF18CC425A05F3A9774475E8A74000C0DCE709EBBC38999A11A2
            Malicious:false
            Reputation:low
            Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.3.2.1.4.6.2.7.9.7.3.4.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.3.2.1.4.6.6.0.4.7.3.2.3.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.a.f.1.5.5.5.-.6.4.a.1.-.4.d.3.6.-.9.e.3.8.-.a.7.b.3.1.6.b.6.c.3.a.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.e.4.5.a.7.8.-.5.e.a.0.-.4.9.b.7.-.9.4.5.0.-.5.2.f.9.7.a.d.a.5.c.5.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.7.6.0.0.0.0...n.e.t.p.r.o.v.f.w...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.1.c.-.0.0.0.1.-.0.0.1.b.-.e.f.0.2.-.4.1.9.2.8.a.f.5.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.0.f.c.c.3.2.5.5.9.8.9.5.0.a.9.b.b.8.c.a.5.b.6.5.8.9.1.d.6.8.6.0.0.0.0.f.f.f.f.!.0.0.0.0.8.f.a.8.f.0.6.9.d.4.3.9.1.a.2.1.3.4.6.d.e.6.5.a.5.e.e.7.2.9.a.d.6.e.f.5.6.a.6.0.!.2.7.6.0.0.0.0...n.e.t.p.r.o.v.f.w...e.x.
            C:\ProgramData\Microsoft\Windows\WER\Temp\WERC1BE.tmp.dmp
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Mini DuMP crash report, 14 streams, Thu Jan 28 15:31:03 2021, 0x1205a4 type
            Category:dropped
            Size (bytes):46978
            Entropy (8bit):2.079619195541246
            Encrypted:false
            SSDEEP:192:WbXRDiveMn5pDpZEEZTk5YXiDKz0VpvOx+T+LkTPljfqIgHQh+hmUN:yDiKnfMmvyLkTtLqI8hTN
            MD5:F021F7228CFA31E63D3414EF0FF5EF65
            SHA1:152AFA0910386EC728E41BA92D5D793C7176051E
            SHA-256:22F4AA2068DFBABDB0C01A76340D81719977B38301A14E2BE874C330C841B882
            SHA-512:7E2AE2B94EF8906D4185C01A9FF204AF8D8EDEDA8EC3DA8EC7409E01F1AAFA5E7C9F0E6F666DC573B7FBE1D1B378BBDA315B036EA39C0E1F1258296B59ADC640
            Malicious:false
            Reputation:low
            Preview: MDMP....... ..........`...................U...........B..............GenuineIntelW...........T..............`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
            C:\ProgramData\Microsoft\Windows\WER\Temp\WERC605.tmp.WERInternalMetadata.xml
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
            Category:dropped
            Size (bytes):8418
            Entropy (8bit):3.6993284274895495
            Encrypted:false
            SSDEEP:192:Rrl7r3GLNizR6I6YrjSUi+g7gmfuSkC+pr489bCe1sf2Wm:RrlsNil6I6YPSUi+0gmfuSkbCeOfO
            MD5:8CA2B75E94B19B5B815F2675BBF4E695
            SHA1:A3223A858E39081E44E5CE3A77D3D9F4D109C47C
            SHA-256:42603AA2FD403D7EB759F435291998A6D9EC742DA73E9CF8FB2347985774BE6E
            SHA-512:CD554F7EC6583303CB9BE6D3ED425B0F9AAED8AD1D92F94313014A5000D26E348D8106CD8B876C7D6AE14C334E2257312C77E9602D7A3E8EA06A9835F44F0AAB
            Malicious:false
            Reputation:low
            Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.7.2.<./.P.i.d.>.......
            C:\ProgramData\Microsoft\Windows\WER\Temp\WERC79C.tmp.xml
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4742
            Entropy (8bit):4.481100733842928
            Encrypted:false
            SSDEEP:48:cvIwSD8zsxOJgtWI9HvWSC8BC8fm8M4JzXTMF37W+q8vSXTpC6vG4d:uITf2k+SNpJ32WK4pVvG4d
            MD5:6E9F9E83B550D6C9C10FBED1CF15E45D
            SHA1:183B96207290120FD14196CEBAE44B089DAD98CE
            SHA-256:0582CABD098099481B5559E2A766F1480B8BAFDE867E97BBF7E748B7A35BE7B6
            SHA-512:C8722396397BEC5EC765EE53C902B21C027C6A54B40194D421E9BFFAA2644E10AFF867A392D3C1CA0FB31049BFDEB9B2B807C4995A1A4CBF751D7E0AC9B6308F
            Malicious:false
            Reputation:low
            Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="836681" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):5.529033895906113
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:2760000.netprovfw.exe
            File size:350208
            MD5:90478bb3273d74a7a4bae530dee87174
            SHA1:8fa8f069d4391a21346de65a5ee729ad6ef56a60
            SHA256:f865736f27acaaca93c530f82295fdddf9b97fc54f37732815e89ad660eb69e4
            SHA512:4df47075f24abd5882f27e22d39c6a73b1586ddd1757539387a885e3f112e1e00b4b97b4f68d91ef5662c7a3973ab350fe5e1e68d36943948ffa255315f51961
            SSDEEP:6144:Lt0Ju8YGNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqOY:x0J5nKXzJ4pdd3klnnWosPhnzqL
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.../.../.../...".J.....R.p.....R.K.....Rich/...................PE..L...M.._.............................\............v........

            File Icon

            Icon Hash:c0d9f1f399a4c2c1

            Static PE Info

            General

            Entrypoint:0x2765cd0
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x2760000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT
            Time Stamp:0x5F90A34D [Wed Oct 21 21:08:29 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:6
            OS Version Minor:0
            File Version Major:6
            File Version Minor:0
            Subsystem Version Major:6
            Subsystem Version Minor:0
            Import Hash:

            Entrypoint Preview

            Instruction
            call 00007F3E447DE1A0h
            mov eax, dword ptr [0276E2C4h]
            test eax, eax
            jne 00007F3E447DD93Dh
            mov ecx, A2CE093Fh
            call 00007F3E447DBBADh
            mov edx, B9B17DC0h
            mov ecx, eax
            call 00007F3E447DBB01h
            mov dword ptr [0276E2C4h], eax
            push 00000000h
            call eax
            retn 0010h
            push ecx
            mov dword ptr [esp], 000021B4h
            add dword ptr [esp], 00005AC3h
            shl dword ptr [esp], 04h
            mov eax, dword ptr [esp]
            shl eax, 06h
            mov dword ptr [esp], eax
            or dword ptr [esp], CC87922Ah
            xor dword ptr [esp], CDF7DF6Ah
            mov eax, dword ptr [esp]
            pop ecx
            ret
            int3
            push ecx
            mov dword ptr [esp], 00002C7Ch
            imul eax, dword ptr [esp], 2Dh
            mov dword ptr [esp], eax
            shl dword ptr [esp], 0Ch
            xor dword ptr [esp], 9184714Ch
            shl dword ptr [esp], 0Fh
            or dword ptr [esp], 011C88C3h
            xor dword ptr [esp], 59BE8863h
            mov eax, dword ptr [esp]
            pop ecx
            ret
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push ecx
            mov dword ptr [esp], 00008067h
            xor dword ptr [esp], 30B3246Ch
            add dword ptr [esp], 000090BEh
            xor dword ptr [esp], 30B43B69h
            mov eax, dword ptr [esp]
            pop ecx
            ret
            int3
            int3
            int3
            int3
            int3

            Rich Headers

            Programming Language:
            • [ASM] VS2013 build 21005
            • [LNK] VS2013 UPD4 build 31101

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x49800 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x74c | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0xb000 | 0xa600 | False | 0.544686558735 | data | 6.84651766717 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rdata | 0xc000 | 0x1000 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xd000 | 0x2000 | 0xc00 | False | 0.851888020833 | data | 7.19591538106 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .reloc | 0xf000 | 0x1000 | 0x800 | False | 0.01123046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            .rsrc | 0x10000 | 0x4a000 | 0x49800 | False | 0.348051525298 | data | 5.21306515691 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            Name | RVA | Size | Type | Language | Country
            RT_ICON | 0x102fc | 0x668 | data | |
            RT_ICON | 0x10964 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2296940798, next used block 15239304 | |
            RT_ICON | 0x10c4c | 0x1e8 | data | |
            RT_ICON | 0x10e34 | 0x128 | GLS_BINARY_LSB_FIRST | |
            RT_ICON | 0x10f5c | 0xea8 | data | |
            RT_ICON | 0x11e04 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 14019316, next used block 14479096 | |
            RT_ICON | 0x126ac | 0x6c8 | data | |
            RT_ICON | 0x12d74 | 0x568 | GLS_BINARY_LSB_FIRST | |
            RT_ICON | 0x132dc | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 | |
            RT_ICON | 0x55304 | 0x25a8 | data | |
            RT_ICON | 0x578ac | 0x10a8 | data | |
            RT_ICON | 0x58954 | 0x988 | data | |
            RT_ICON | 0x592dc | 0x468 | GLS_BINARY_LSB_FIRST | |
            RT_GROUP_ICON | 0x59744 | 0xbc | data | |

            Network Behavior

            Network Port Distribution

            UDP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Jan 28, 2021 16:30:51.698203087 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:30:51.752008915 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:30:52.644115925 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:30:52.694928885 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:30:53.599356890 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:30:53.647212982 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:30:54.608031034 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:30:54.658289909 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:30:56.125598907 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:30:56.175590992 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:30:57.177278042 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:30:57.225483894 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:01.043617964 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:01.093184948 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:02.025582075 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:02.073518991 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:03.086703062 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:03.134582996 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:04.298206091 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:04.346330881 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:05.224901915 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:05.275648117 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:06.172967911 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:06.223690987 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:07.071607113 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:07.119482040 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:07.165868998 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:07.216655970 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:08.190399885 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:08.238993883 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:09.148546934 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:09.206170082 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:15.922477961 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:15.973301888 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:20.205841064 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:20.265036106 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:31.352629900 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:31.431056023 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:32.028876066 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:32.089148045 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:32.655956030 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:32.727657080 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:32.944097996 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:32.992048025 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:33.219733000 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:33.277944088 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:33.760773897 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:33.811491966 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:34.336227894 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:34.392530918 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:35.181438923 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:35.239265919 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:36.506181002 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:36.562490940 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:37.653403997 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:37.712230921 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:38.205615044 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:38.261718988 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:40.748184919 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:40.796499014 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:51.106797934 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:51.157553911 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:51.334002018 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:51.384711981 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:31:54.605343103 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:31:54.663253069 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:32:25.223737001 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:32:25.274698973 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4
            Jan 28, 2021 16:32:26.986428022 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8
            Jan 28, 2021 16:32:27.037240028 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4

            Code Manipulations

            Statistics

            Behavior

            System Behavior

            General

            Start time:16:30:56
            Start date:28/01/2021
            Path:C:\Users\user\Desktop\2760000.netprovfw.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\2760000.netprovfw.exe'
            Imagebase:0x2760000
            File size:350208 bytes
            MD5 hash:90478BB3273D74A7A4BAE530DEE87174
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.664188211.0000000002761000.00000020.00020000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.690703011.0000000002761000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:low

            General

            Start time:16:31:01
            Start date:28/01/2021
            Path:C:\Windows\SysWOW64\WerFault.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 632
            Imagebase:0x1240000
            File size:434592 bytes
            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Disassembly

            Code Analysis
