Analysis Report YF4dF4w2Cr

Overview

General Information

Sample Name: YF4dF4w2Cr (renamed file extension from none to exe)
Analysis ID: 376398
MD5: f4d1470af3a7d82560b38558b132d468
SHA1: 0c45cf4e32116eae8d73b52c140f5d91a19ee8ea
SHA256: 6fa0dd6002d4b4e7ebabefc7f4f90f36fc53069e0cf4e845f683fb087d476e90

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: YF4dF4w2Cr.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: YF4dF4w2Cr.exe Metadefender: Detection: 41%
Source: YF4dF4w2Cr.exe ReversingLabs: Detection: 86%
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.fwdrrebrand.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.ddim
Source: 0.0.YF4dF4w2Cr.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.ddim
Source: 2.2.fwdrrebrand.exe.e4053f.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.YF4dF4w2Cr.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.ddim
Source: 3.2.fwdrrebrand.exe.e4053f.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.fwdrrebrand.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.ddim

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023E207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash, 1_2_023E207B
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023E215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash, 1_2_023E215A
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023E1F11 CryptExportKey, 1_2_023E1F11
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023E1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext, 1_2_023E1F75
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023E1F56 CryptGetHashParam, 1_2_023E1F56
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023E1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 1_2_023E1FFC
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E7207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash, 3_2_00E7207B
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E71FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 3_2_00E71FFC
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E71F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext, 3_2_00E71F75
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E71F11 CryptExportKey, 3_2_00E71F11
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E71F56 CryptGetHashParam, 3_2_00E71F56
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E7215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash, 3_2_00E7215A

Compliance:

Uses 32bit PE files
Source: YF4dF4w2Cr.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0042E202 lstrlenA,FindFirstFileA,FindClose, 0_2_0042E202
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00429112 __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 0_2_00429112
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_0042E202 lstrlenA,FindFirstFileA,FindClose, 1_2_0042E202
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00429112 __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 1_2_00429112

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49739 -> 200.55.168.82:20
Source: global traffic TCP traffic: 192.168.2.4:49747 -> 70.32.94.58:8080
Source: global traffic TCP traffic: 192.168.2.4:49748 -> 213.138.100.98:8080
Source: global traffic TCP traffic: 192.168.2.4:49751 -> 144.76.62.10:8080
Source: global traffic TCP traffic: 192.168.2.4:49752 -> 203.99.188.203:990
Source: global traffic TCP traffic: 192.168.2.4:49753 -> 201.196.15.79:990
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 190.117.206.153
Source: unknown TCP traffic detected without corresponding DNS query: 190.117.206.153
Source: unknown TCP traffic detected without corresponding DNS query: 203.99.187.137
Source: unknown TCP traffic detected without corresponding DNS query: 200.55.168.82
Source: unknown TCP traffic detected without corresponding DNS query: 70.32.94.58
Source: unknown TCP traffic detected without corresponding DNS query: 213.138.100.98
Source: unknown TCP traffic detected without corresponding DNS query: 144.76.62.10
Source: unknown TCP traffic detected without corresponding DNS query: 203.99.188.203
Source: unknown TCP traffic detected without corresponding DNS query: 201.196.15.79
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E71383 InternetReadFile, 3_2_00E71383
Source: fwdrrebrand.exe, 00000003.00000002.911061816.0000000000199000.00000004.00000001.sdmp String found in binary or memory: http://201.196.15.79/pnp/splash/loadan/merge/
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: YF4dF4w2Cr.exe, 00000000.00000002.646439364.00000000007DA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00424B11 GetKeyState,GetKeyState,GetKeyState, 0_2_00424B11
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0042EEC9 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent, 0_2_0042EEC9
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0040F3F3 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_0040F3F3
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0040963B SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA, 0_2_0040963B
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00421E22 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 0_2_00421E22
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00424B11 GetKeyState,GetKeyState,GetKeyState, 1_2_00424B11
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_0042EEC9 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent, 1_2_0042EEC9
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_0040F3F3 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_0040F3F3
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_0040963B SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA, 1_2_0040963B
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00421E22 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 1_2_00421E22

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023ED229 1_2_023ED229
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E7D229 3_2_00E7D229
Yara detected Emotet
Source: Yara match File source: 00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.911329225.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.658516120.0000000000E51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.658502869.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023E1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext, 1_2_023E1F75
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E71F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext, 3_2_00E71F75

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.911329225.0000000000E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000002.00000002.658516120.0000000000E51000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000002.00000002.658502869.0000000000E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 2.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 3.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Contains functionality to delete services
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023ED3F5 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle, 1_2_023ED3F5
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023E1D2B CreateProcessAsUserW,CreateProcessW, 1_2_023E1D2B
Creates files inside the system directory
Source: C:\Windows\SysWOW64\fwdrrebrand.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe File deleted: C:\Windows\SysWOW64\fwdrrebrand.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_004110C4 0_2_004110C4
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00403470 0_2_00403470
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00432286 0_2_00432286
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_004445DA 0_2_004445DA
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0043A5F0 0_2_0043A5F0
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0043265A 0_2_0043265A
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0043C699 0_2_0043C699
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_004468E1 0_2_004468E1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00432A66 0_2_00432A66
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00444B1E 0_2_00444B1E
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00432E86 0_2_00432E86
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00445062 0_2_00445062
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0042B39D 0_2_0042B39D
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0044575A 0_2_0044575A
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00431DB1 0_2_00431DB1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_022F28C1 0_2_022F28C1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_022F30E8 0_2_022F30E8
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_022F30E4 0_2_022F30E4
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_023137A5 0_2_023137A5
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_023137A9 0_2_023137A9
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_02312F82 0_2_02312F82
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_004110C4 1_2_004110C4
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00403470 1_2_00403470
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00432286 1_2_00432286
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_004445DA 1_2_004445DA
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_0043A5F0 1_2_0043A5F0
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_0043265A 1_2_0043265A
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_0043C699 1_2_0043C699
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_004468E1 1_2_004468E1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00432A66 1_2_00432A66
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00444B1E 1_2_00444B1E
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00432E86 1_2_00432E86
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00445062 1_2_00445062
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_0042B39D 1_2_0042B39D
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_0044575A 1_2_0044575A
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00431DB1 1_2_00431DB1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_022F28C1 1_2_022F28C1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_022F30E8 1_2_022F30E8
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_022F30E4 1_2_022F30E4
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023E37A9 1_2_023E37A9
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023E37A5 1_2_023E37A5
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023E2F82 1_2_023E2F82
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 2_2_00E430E4 2_2_00E430E4
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 2_2_00E430E8 2_2_00E430E8
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 2_2_00E428C1 2_2_00E428C1
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 2_2_00E537A5 2_2_00E537A5
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 2_2_00E537A9 2_2_00E537A9
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 2_2_00E52F82 2_2_00E52F82
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E430E4 3_2_00E430E4
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E430E8 3_2_00E430E8
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E428C1 3_2_00E428C1
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E737A5 3_2_00E737A5
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E737A9 3_2_00E737A9
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E72F82 3_2_00E72F82
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: String function: 00431A9B appears 430 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: String function: 004015A0 appears 56 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: String function: 00439FE5 appears 52 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: String function: 00431818 appears 142 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: String function: 00431ACE appears 50 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: String function: 00401170 appears 34 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: String function: 0041F363 appears 42 times
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: String function: 00431B04 appears 52 times
Sample file is different than original file name gathered from version info
Source: YF4dF4w2Cr.exe, 00000000.00000002.646492673.00000000022D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs YF4dF4w2Cr.exe
Source: YF4dF4w2Cr.exe, 00000001.00000002.659892079.0000000002710000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs YF4dF4w2Cr.exe
Source: YF4dF4w2Cr.exe, 00000001.00000002.659567664.00000000022D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs YF4dF4w2Cr.exe
Source: YF4dF4w2Cr.exe, 00000001.00000002.659959901.0000000002770000.00000002.00000001.sdmp Binary or memory string: originalfilename vs YF4dF4w2Cr.exe
Source: YF4dF4w2Cr.exe, 00000001.00000002.659959901.0000000002770000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs YF4dF4w2Cr.exe
Yara signature match
Source: 00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.911329225.0000000000E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.658516120.0000000000E51000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.658502869.0000000000E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 2.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 3.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 3.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: classification engine Classification label: mal92.bank.troj.evad.winEXE@6/0@0/8
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0041D7DD __EH_prolog3_GS,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA, 0_2_0041D7DD
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023ED4C5 OpenSCManagerW,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_023ED4C5
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E7D4C5 OpenSCManagerW,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 3_2_00E7D4C5
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_02311943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_02311943
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0042B11B __EH_prolog3_GS,_memset,GetVersionExA,_malloc,_memset,CoInitializeEx,CoCreateInstance, 0_2_0042B11B
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00402500 FindResourceA,WideCharToMultiByte,WideCharToMultiByte, 0_2_00402500
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023ED4C5 OpenSCManagerW,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_023ED4C5
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\ID1A8F11D
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Mutant created: \BaseNamedObjects\Global\ID1A8F11D
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\MD1A8F11D
Source: YF4dF4w2Cr.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\YF4dF4w2Cr.exe 'C:\Users\user\Desktop\YF4dF4w2Cr.exe'
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Process created: C:\Users\user\Desktop\YF4dF4w2Cr.exe --5c8d8ab7
Source: unknown Process created: C:\Windows\SysWOW64\fwdrrebrand.exe C:\Windows\SysWOW64\fwdrrebrand.exe
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Process created: C:\Windows\SysWOW64\fwdrrebrand.exe --1cbc15eb
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: YF4dF4w2Cr.exe Static PE information: section name: RT_CURSOR
Source: YF4dF4w2Cr.exe Static PE information: section name: RT_BITMAP
Source: YF4dF4w2Cr.exe Static PE information: section name: RT_ICON
Source: YF4dF4w2Cr.exe Static PE information: section name: RT_MENU
Source: YF4dF4w2Cr.exe Static PE information: section name: RT_DIALOG
Source: YF4dF4w2Cr.exe Static PE information: section name: RT_STRING
Source: YF4dF4w2Cr.exe Static PE information: section name: RT_ACCELERATOR
Source: YF4dF4w2Cr.exe Static PE information: section name: RT_GROUP_ICON

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00442426 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_00442426
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0043185D push ecx; ret 0_2_00431870
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00431B73 push ecx; ret 0_2_00431B86
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_022FE932 pushad ; ret 0_2_022FE933
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_022FE9EA pushad ; iretd 0_2_022FE9ED
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_0043185D push ecx; ret 1_2_00431870
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00431B73 push ecx; ret 1_2_00431B86
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_022FE932 pushad ; ret 1_2_022FE933
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_022FE9EA pushad ; iretd 1_2_022FE9ED
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 2_2_00E4E9EA pushad ; iretd 2_2_00E4E9ED
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 2_2_00E4E932 pushad ; ret 2_2_00E4E933
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E4E9EA pushad ; iretd 3_2_00E4E9ED
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E4E932 pushad ; ret 3_2_00E4E933

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Executable created and started: C:\Windows\SysWOW64\fwdrrebrand.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe PE file moved: C:\Windows\SysWOW64\fwdrrebrand.exe
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023ED4C5 OpenSCManagerW,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_023ED4C5

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe File opened: C:\Windows\SysWOW64\fwdrrebrand.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0040C49C IsIconic,GetWindowPlacement,GetWindowRect, 0_2_0040C49C
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00418BD1 GetParent,GetParent,IsIconic,GetParent, 0_2_00418BD1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00409E32 IsWindowVisible,IsIconic, 0_2_00409E32
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00427FD5 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA, 0_2_00427FD5
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_0040C49C IsIconic,GetWindowPlacement,GetWindowRect, 1_2_0040C49C
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00418BD1 GetParent,GetParent,IsIconic,GetParent, 1_2_00418BD1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00409E32 IsWindowVisible,IsIconic, 1_2_00409E32
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00427FD5 __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA, 1_2_00427FD5
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 1_2_023ED229
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 3_2_00E7D229
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe API coverage: 7.8 %
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe API coverage: 9.1 %
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0042E202 lstrlenA,FindFirstFileA,FindClose, 0_2_0042E202
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00429112 __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 0_2_00429112
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_0042E202 lstrlenA,FindFirstFileA,FindClose, 1_2_0042E202
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00429112 __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 1_2_00429112
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\fwdrrebrand.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00430650 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00430650
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00442426 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_00442426
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00401AF0 mov eax, dword ptr fs:[00000030h] 0_2_00401AF0
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_022F0467 mov eax, dword ptr fs:[00000030h] 0_2_022F0467
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_022F0C0C mov eax, dword ptr fs:[00000030h] 0_2_022F0C0C
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_022F1743 mov eax, dword ptr fs:[00000030h] 0_2_022F1743
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_023112CD mov eax, dword ptr fs:[00000030h] 0_2_023112CD
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_02311E04 mov eax, dword ptr fs:[00000030h] 0_2_02311E04
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00401AF0 mov eax, dword ptr fs:[00000030h] 1_2_00401AF0
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_022F0467 mov eax, dword ptr fs:[00000030h] 1_2_022F0467
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_022F0C0C mov eax, dword ptr fs:[00000030h] 1_2_022F0C0C
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_022F1743 mov eax, dword ptr fs:[00000030h] 1_2_022F1743
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023E12CD mov eax, dword ptr fs:[00000030h] 1_2_023E12CD
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_023E1E04 mov eax, dword ptr fs:[00000030h] 1_2_023E1E04
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 2_2_00E40467 mov eax, dword ptr fs:[00000030h] 2_2_00E40467
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 2_2_00E40C0C mov eax, dword ptr fs:[00000030h] 2_2_00E40C0C
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 2_2_00E41743 mov eax, dword ptr fs:[00000030h] 2_2_00E41743
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 2_2_00E512CD mov eax, dword ptr fs:[00000030h] 2_2_00E512CD
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 2_2_00E51E04 mov eax, dword ptr fs:[00000030h] 2_2_00E51E04
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E40467 mov eax, dword ptr fs:[00000030h] 3_2_00E40467
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E40C0C mov eax, dword ptr fs:[00000030h] 3_2_00E40C0C
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E41743 mov eax, dword ptr fs:[00000030h] 3_2_00E41743
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E712CD mov eax, dword ptr fs:[00000030h] 3_2_00E712CD
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Code function: 3_2_00E71E04 mov eax, dword ptr fs:[00000030h] 3_2_00E71E04
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_023114F2 GetProcessHeap,RtlAllocateHeap, 0_2_023114F2
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_00430650 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00430650
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_004366C1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004366C1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0043B152 SetUnhandledExceptionFilter, 0_2_0043B152
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0043BF7D __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043BF7D
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_00430650 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00430650
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_004366C1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_004366C1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_0043B152 SetUnhandledExceptionFilter, 1_2_0043B152
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 1_2_0043BF7D __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0043BF7D

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_022FD587 cpuid 0_2_022FD587
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_004420D1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 0_2_0043C0B5
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_004421F9
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_00442192
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 0_2_00442235
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 0_2_004429C1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 0_2_0044298D
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_00442B00
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00440CFD
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 0_2_00415026
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 0_2_0044136B
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 0_2_004415C3
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 0_2_00441889
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: GetLocaleInfoA, 0_2_00443A6E
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 0_2_00441CDC
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_00441DF3
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_00441EFF
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 0_2_00441E8B
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 1_2_004420D1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 1_2_0043C0B5
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_004421F9
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_00442192
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 1_2_00442235
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 1_2_004429C1
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 1_2_0044298D
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_00442B00
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_00440CFD
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 1_2_00415026
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 1_2_0044136B
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 1_2_004415C3
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 1_2_00441889
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: GetLocaleInfoA, 1_2_00443A6E
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 1_2_00441CDC
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 1_2_00441DF3
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 1_2_00441EFF
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 1_2_00441E8B
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0043BA29 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0043BA29
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_0043EB76 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_0043EB76
Source: C:\Users\user\Desktop\YF4dF4w2Cr.exe Code function: 0_2_004016F0 GetVersion,GetVersion,GetVersion,DragAcceptFiles,UpdateWindow, 0_2_004016F0
Source: C:\Windows\SysWOW64\fwdrrebrand.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000003.00000002.911351133.0000000000E71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.659738344.00000000023E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.659583488.00000000022F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.911329225.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.646512151.0000000002311000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.646499888.00000000022F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.658516120.0000000000E51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.658502869.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.YF4dF4w2Cr.exe.22f053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fwdrrebrand.exe.e4053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.YF4dF4w2Cr.exe.22f053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.fwdrrebrand.exe.e4053f.2.unpack, type: UNPACKEDPE
Behavior Graph ID: 376398 Sample: YF4dF4w2Cr Startdate: 26/03/2021 Architecture: WINDOWS Score: 92

Process tree (recovered from the behavior graph):
  YF4dF4w2Cr.exe (started)
    YF4dF4w2Cr.exe (child process; Hides that the sample has been downloaded from the Internet (zone.identifier))
  fwdrrebrand.exe (started; Detected Emotet e-Banking trojan; Found evasive API chain (may stop execution after checking mutex); Drops executables to the windows directory (C:\Windows) and starts them)
    fwdrrebrand.exe (child process; network: 203.99.187.137, 443, 49738 PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK Pakistan; 203.99.188.203, 49752, 990 PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK Pakistan; 6 other IPs or domains)

Signatures at the root of the graph: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Emotet.

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
144.76.62.10 | unknown | Germany | 24940 | HETZNER-ASDE | false
203.99.188.203 | unknown | Pakistan | 45595 | PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK | false
201.196.15.79 | unknown | Costa Rica | 11830 | InstitutoCostarricensedeElectricidadyTelecomCR | false
200.55.168.82 | unknown | Cuba | 27725 | EmpresadeTelecomunicacionesdeCubaSACU | false
213.138.100.98 | unknown | United Kingdom | 35425 | BYTEMARK-ASGB | false
190.117.206.153 | unknown | Peru | 12252 | AmericaMovilPeruSACPE | false
203.99.187.137 | unknown | Pakistan | 45595 | PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK | false
70.32.94.58 | unknown | United States | 398110 | GO-DADDY-COM-LLCUS | false