Analysis Report lK8vF3n2e7.exe

Overview

General Information

Sample Name: lK8vF3n2e7.exe
Analysis ID: 383022
MD5: d7cd602eb9e9ad8272d4ad0910815835
SHA1: cefae0fd990a5491e893796ab8ab56fc9edc015b
SHA256: bca575b21c8b02010cde26b2bd7b2e8cdc313f135f97363b34f8bf0f389a990b

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: lK8vF3n2e7.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: lK8vF3n2e7.exe Virustotal: Detection: 71%
Source: lK8vF3n2e7.exe ReversingLabs: Detection: 90%
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.lK8vF3n2e7.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.dzjt
Source: 2.0.lK8vF3n2e7.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.dzjt
Source: 3.0.corsangle.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.dzjt
Source: 4.0.corsangle.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.dzjt

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_0222207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash, 2_2_0222207B
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_0222215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash, 2_2_0222215A
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_02221F11 CryptExportKey, 2_2_02221F11
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_02221F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext, 2_2_02221F75
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_02221F56 CryptGetHashParam, 2_2_02221F56
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_02221FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 2_2_02221FFC

Compliance:

Uses 32bit PE files
Source: lK8vF3n2e7.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_004290C4 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 0_2_004290C4
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_004290C4 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 2_2_004290C4

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49729 -> 104.236.137.72:8080
Source: global traffic TCP traffic: 192.168.2.3:49740 -> 213.189.36.51:8080
Source: global traffic TCP traffic: 192.168.2.3:49741 -> 85.234.143.94:8080
Source: global traffic TCP traffic: 192.168.2.3:49744 -> 119.59.124.163:8080
Source: global traffic TCP traffic: 192.168.2.3:49745 -> 190.146.131.105:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 119.59.124.163
Source: unknown TCP traffic detected without corresponding DNS query: 104.236.137.72
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.233.225
Source: unknown TCP traffic detected without corresponding DNS query: 213.189.36.51
Source: unknown TCP traffic detected without corresponding DNS query: 85.234.143.94
Source: unknown TCP traffic detected without corresponding DNS query: 119.59.124.163
Source: unknown TCP traffic detected without corresponding DNS query: 190.146.131.105
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://104.236.137.72:8080/NuFfY0fKFWZKA4NUbs
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://104.236.137.72:8080/NuFfY0fKFWZKA4NUbs$
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://104.236.137.72:8080/NuFfY0fKFWZKA4NUbsI
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://104.236.137.72:8080/NuFfY0fKFWZKA4NUbsT
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://119.59.124.163:8080/7gWpLeeuBCj
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://119.59.124.163:8080/7gWpLeeuBCjW
Source: corsangle.exe, 00000004.00000003.359738057.00000000007E3000.00000004.00000001.sdmp String found in binary or memory: http://172.104.233.225:8080/coIxQuMWPxi
Source: corsangle.exe, 00000004.00000002.454210782.0000000000199000.00000004.00000001.sdmp, corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://190.146.131.105/K1dG1qa5hXkSLaRnHQw
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://190.146.131.105/K1dG1qa5hXkSLaRnHQww
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://190.146.131.105:8080/K1dG1qa5hXkSLaRnHQw
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://190.146.131.105:8080/K1dG1qa5hXkSLaRnHQw80/7gWpLeeuBCj
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://190.146.131.105:8080/K1dG1qa5hXkSLaRnHQws
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://190.146.131.105:8080/K1dG1qa5hXkSLaRnHQw~
Source: corsangle.exe, 00000004.00000003.359738057.00000000007E3000.00000004.00000001.sdmp String found in binary or memory: http://213.189.36.51/u0gALfm0zDZMJ
Source: corsangle.exe, 00000004.00000003.359738057.00000000007E3000.00000004.00000001.sdmp String found in binary or memory: http://213.189.36.51:8080/u0gALfm0zDZMJ
Source: corsangle.exe, 00000004.00000003.359738057.00000000007E3000.00000004.00000001.sdmp String found in binary or memory: http://213.189.36.51:8080/u0gALfm0zDZMJ4
Source: corsangle.exe, 00000004.00000003.359738057.00000000007E3000.00000004.00000001.sdmp String found in binary or memory: http://213.189.36.51:8080/u0gALfm0zDZMJW
Source: corsangle.exe, 00000004.00000003.359738057.00000000007E3000.00000004.00000001.sdmp String found in binary or memory: http://213.189.36.51:8080/u0gALfm0zDZMJm32
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://85.234.143.94:8080/hroFtzD6dRMJ
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://85.234.143.94:8080/hroFtzD6dRMJ4
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://85.234.143.94:8080/hroFtzD6dRh
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp String found in binary or memory: http://85.234.143.94:8080/hroFtzD6dRxi

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_004267FF GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_004267FF
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_004267FF GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_004267FF

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_0222DE9C 2_2_0222DE9C
Yara detected Emotet
Source: Yara match File source: 00000002.00000002.233128075.0000000002221000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.456108284.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.194289287.0000000000591000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.456134629.0000000000721000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.233094123.00000000021E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.229558668.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.194269122.0000000000570000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.229583434.0000000000E51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.corsangle.exe.70053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.corsangle.exe.e3053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.lK8vF3n2e7.exe.21e053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.corsangle.exe.e3053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lK8vF3n2e7.exe.57053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.corsangle.exe.70053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.lK8vF3n2e7.exe.21e053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lK8vF3n2e7.exe.57053f.1.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_02221F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext, 2_2_02221F75

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.233128075.0000000002221000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000004.00000002.456108284.0000000000700000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.194289287.0000000000591000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000004.00000002.456134629.0000000000721000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000002.00000002.233094123.00000000021E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.229558668.0000000000E30000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.194269122.0000000000570000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000003.00000002.229583434.0000000000E51000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.corsangle.exe.70053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.corsangle.exe.e3053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.corsangle.exe.e3053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 2.2.lK8vF3n2e7.exe.21e053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.corsangle.exe.e3053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.lK8vF3n2e7.exe.57053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.corsangle.exe.70053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.corsangle.exe.70053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 2.2.lK8vF3n2e7.exe.21e053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 2.2.lK8vF3n2e7.exe.21e053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.lK8vF3n2e7.exe.57053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.lK8vF3n2e7.exe.57053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Contains functionality to call native functions
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_0040215A NtAllocateVirtualMemory, 0_2_0040215A
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_0040215A NtAllocateVirtualMemory, 2_2_0040215A
Contains functionality to delete services
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_0222E068 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle, 2_2_0222E068
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_02221D2B CreateProcessAsUserW,CreateProcessW, 2_2_02221D2B
Creates files inside the system directory
Source: C:\Windows\SysWOW64\corsangle.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe File deleted: C:\Windows\SysWOW64\corsangle.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00401117 0_2_00401117
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_0042787E 0_2_0042787E
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00412BF0 0_2_00412BF0
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00414EDC 0_2_00414EDC
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_0040EF2E 0_2_0040EF2E
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_00401117 2_2_00401117
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_0042787E 2_2_0042787E
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_00412BF0 2_2_00412BF0
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_00414EDC 2_2_00414EDC
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_0040EF2E 2_2_0040EF2E
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_021E30E8 2_2_021E30E8
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_021E30E4 2_2_021E30E4
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_021E28C1 2_2_021E28C1
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_022237A5 2_2_022237A5
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_022237A9 2_2_022237A9
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_02222F82 2_2_02222F82
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E330E4 3_2_00E330E4
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E330E8 3_2_00E330E8
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E328C1 3_2_00E328C1
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E537A5 3_2_00E537A5
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E537A9 3_2_00E537A9
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E52F82 3_2_00E52F82
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: String function: 004128A0 appears 334 times
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: String function: 00412BA4 appears 128 times
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: String function: 00416254 appears 50 times
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: String function: 00424E33 appears 62 times
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: String function: 00414843 appears 52 times
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: String function: 0042D179 appears 50 times
PE file contains strange resources
Source: lK8vF3n2e7.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lK8vF3n2e7.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lK8vF3n2e7.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: lK8vF3n2e7.exe, 00000000.00000002.194191938.000000000045C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMSADODLG.EXE vs lK8vF3n2e7.exe
Source: lK8vF3n2e7.exe, 00000002.00000002.232381898.000000000045C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMSADODLG.EXE vs lK8vF3n2e7.exe
Source: lK8vF3n2e7.exe, 00000002.00000002.235071054.0000000003110000.00000002.00000001.sdmp Binary or memory string: originalfilename vs lK8vF3n2e7.exe
Source: lK8vF3n2e7.exe, 00000002.00000002.235071054.0000000003110000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs lK8vF3n2e7.exe
Source: lK8vF3n2e7.exe, 00000002.00000002.234823605.0000000003010000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs lK8vF3n2e7.exe
Source: lK8vF3n2e7.exe Binary or memory string: OriginalFilenameMSADODLG.EXE vs lK8vF3n2e7.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Uses 32bit PE files
Source: lK8vF3n2e7.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000002.00000002.233128075.0000000002221000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000004.00000002.456108284.0000000000700000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.194289287.0000000000591000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000004.00000002.456134629.0000000000721000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000002.00000002.233094123.00000000021E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.229558668.0000000000E30000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.194269122.0000000000570000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000003.00000002.229583434.0000000000E51000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 4.2.corsangle.exe.70053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 4.2.corsangle.exe.70053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.corsangle.exe.e3053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 3.2.corsangle.exe.e3053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.corsangle.exe.e3053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 2.2.lK8vF3n2e7.exe.21e053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 2.2.lK8vF3n2e7.exe.21e053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.corsangle.exe.e3053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 3.2.corsangle.exe.e3053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.lK8vF3n2e7.exe.57053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.lK8vF3n2e7.exe.57053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 4.2.corsangle.exe.70053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 4.2.corsangle.exe.70053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 4.2.corsangle.exe.70053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 2.2.lK8vF3n2e7.exe.21e053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 2.2.lK8vF3n2e7.exe.21e053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.2.lK8vF3n2e7.exe.21e053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.lK8vF3n2e7.exe.57053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.lK8vF3n2e7.exe.57053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.lK8vF3n2e7.exe.57053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: classification engine Classification label: mal96.bank.troj.evad.winEXE@20/10@0/8
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 2_2_0222E138
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_02221943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 2_2_02221943
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_004070AE CoCreateInstance,OleRun,CoCreateInstance, 0_2_004070AE
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00428065 FindResourceA,LoadResource,LockResource,FreeResource, 0_2_00428065
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_0222E138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 2_2_0222E138
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3892:120:WilError_01
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\I8B93DEAF
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\M8B93DEAF
Source: lK8vF3n2e7.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: lK8vF3n2e7.exe Virustotal: Detection: 71%
Source: lK8vF3n2e7.exe ReversingLabs: Detection: 90%
Source: lK8vF3n2e7.exe String found in binary or memory: E4aXdlyDax6W5yGUiK+zzQuWwVX3LQqecci4Bees2GBp2ZfSbW1N/xyzbDoL5kOQMKqS6lAS2/WhX9uuPN5/wbyYciuvEhs8ykVZDbTGjBH91qRxKvGQ5GYH3N9xEy/V2mEBZ62Z02jtwgYTBKhCC0h0lehcWwrv9Qjn2XVFR5GMc/+duWl4uL7VE3z/4aSrX3sdAXeY75/vn7/r/aDDHEJfkkMt1sZprUyeoJcSBqisgyi6dXzPHz5Ec9N7ohNSzkTK
Source: C:\Windows\SysWOW64\corsangle.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\lK8vF3n2e7.exe 'C:\Users\user\Desktop\lK8vF3n2e7.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Process created: C:\Users\user\Desktop\lK8vF3n2e7.exe --b0af2bca
Source: unknown Process created: C:\Windows\SysWOW64\corsangle.exe C:\Windows\SysWOW64\corsangle.exe
Source: C:\Windows\SysWOW64\corsangle.exe Process created: C:\Windows\SysWOW64\corsangle.exe --2e5419fc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Process created: C:\Users\user\Desktop\lK8vF3n2e7.exe --b0af2bca
Source: C:\Windows\SysWOW64\corsangle.exe Process created: C:\Windows\SysWOW64\corsangle.exe --2e5419fc
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00401784 LoadLibraryW,GetProcAddress, 0_2_00401784
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00412260 push eax; ret 0_2_00412274
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00412260 push eax; ret 0_2_0041229C
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_004128A0 push eax; ret 0_2_004128BE
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00412BDF push ecx; ret 0_2_00412BEF
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_00412260 push eax; ret 2_2_00412274
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_00412260 push eax; ret 2_2_0041229C
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_004128A0 push eax; ret 2_2_004128BE
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_00412BDF push ecx; ret 2_2_00412BEF
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_021EFAD3 push edx; iretd 2_2_021EFAD4
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_021EFAF1 push edx; retf 2_2_021EFAF8
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_021EFB1A push edx; retf 2_2_021EFB48
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_021EFB0F push edx; retf 2_2_021EFB10
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_021EFB77 push edx; iretd 2_2_021EFB84
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_021EFD52 push edx; iretd 2_2_021EFD70
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_021EFD71 push edx; retf 2_2_021EFD80
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E3FAF1 push edx; retf 3_2_00E3FAF8
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E3FAD3 push edx; iretd 3_2_00E3FAD4
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E3FD71 push edx; retf 3_2_00E3FD80
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E3FB77 push edx; iretd 3_2_00E3FB84
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E3FD52 push edx; iretd 3_2_00E3FD70
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E3FB0F push edx; retf 3_2_00E3FB10
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E3FB1A push edx; retf 3_2_00E3FB48
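The push eax; ret / push ecx; ret hits in the original image (0_2_00412xxx) and the push edx; retf / iretd hits in the unpacked payload regions (2_2_021EFxxx, 3_2_00E3Fxxx) are the kind of result a simple heuristic produces: a single-byte push of a register immediately followed by a return opcode, which turns the pushed value into a jump target without any jmp instruction. The following is an added example, not part of the report and not the sandbox's own code, that reimplements that scan in Python over a constructed byte string and, for the push eax; ret form, recovers the jump target when the push is preceded by mov eax, imm32. It also separates near returns (ret, ret imm16) from far and interrupt returns (retf, iretd): a push edx; retf pair is almost never real 32-bit user-mode code and usually means the scan has walked into data or into the middle of a longer instruction, so those hits deserve a look in a disassembler before they are counted as obfuscation. The opcode tables and sample bytes are this example's own.

```python
"""Scan raw x86 code bytes for push <reg>; ret / retf / iretd pairs.

Added example, not part of the report: a small reimplementation of the
push/ret heuristic over a constructed byte string, plus target recovery
for the mov eax, imm32; push eax; ret form. Opcode tables are this
example's own and cover only single-byte pushes and returns.
"""
from typing import Dict, List, Optional, Tuple

# 0x50..0x57: push eax/ecx/edx/ebx/esp/ebp/esi/edi (32-bit mode)
PUSH_REG: Dict[int, str] = {
    0x50 + i: reg
    for i, reg in enumerate(["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])
}
# Near returns are plausible control flow; far/interrupt returns almost
# never appear in real 32-bit user-mode code and usually mean the scan hit data.
NEAR_RET: Dict[int, str] = {0xC3: "ret", 0xC2: "ret imm16"}
FAR_RET: Dict[int, str] = {0xCB: "retf", 0xCA: "retf imm16", 0xCF: "iretd"}

Hit = Tuple[int, str, str]  # (address, push mnemonic, return mnemonic)


def find_push_ret(code: bytes, base: int = 0) -> List[Hit]:
    """Linear byte scan: every push reg immediately followed by a return.

    No disassembly is done, so bytes inside data or in the middle of a
    longer instruction can match; that is exactly why hits need review.
    """
    hits: List[Hit] = []
    for i in range(len(code) - 1):
        push, ret = code[i], code[i + 1]
        if push not in PUSH_REG:
            continue
        if ret in NEAR_RET:
            hits.append((base + i, f"push {PUSH_REG[push]}", NEAR_RET[ret]))
        elif ret in FAR_RET:
            hits.append((base + i, f"push {PUSH_REG[push]}", FAR_RET[ret]))
    return hits


def classify(hits: List[Hit]) -> Dict[str, List[Hit]]:
    """Split hits into likely-real (near ret) and likely-noise (far/int ret)."""
    strong = [h for h in hits if h[2] in NEAR_RET.values()]
    weak = [h for h in hits if h[2] in FAR_RET.values()]
    return {"strong": strong, "weak": weak}


def resolve_push_eax_target(code: bytes, offset: int) -> Optional[int]:
    """If the byte at `offset` is push eax and the five bytes before it are
    mov eax, imm32 (B8 imm32), return imm32: the address the ret jumps to."""
    if offset >= 5 and code[offset] == 0x50 and code[offset - 5] == 0xB8:
        return int.from_bytes(code[offset - 4:offset], "little")
    return None


# Constructed sample bytes (not taken from the analysed binary).
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,              # push ebp; mov ebp, esp     (ordinary prologue)
    0xB8, 0x78, 0x56, 0x34, 0x12,  # mov eax, 0x12345678
    0x50, 0xC3,                    # push eax; ret              (jump to eax without jmp)
    0x5D, 0xC3,                    # pop ebp; ret               (ordinary epilogue)
    0x00, 0x52, 0xCB, 0x00,        # data that happens to decode as push edx; retf
])
SAMPLE_BASE = 0x00401000

if __name__ == "__main__":
    found = find_push_ret(SAMPLE_CODE, SAMPLE_BASE)
    for addr, push, ret in found:
        target = resolve_push_eax_target(SAMPLE_CODE, addr - SAMPLE_BASE)
        note = f" -> 0x{target:08X}" if target is not None else ""
        print(f"{addr:08X}: {push}; {ret}{note}")
    print(classify(found))
```

Run against a real section, pass the bytes of the .text section (or of a dumped unpacked region) with its virtual base as `base`; the "strong" list is what to open in a disassembler, and a strong hit whose target resolves to an import thunk or to the start of another function is the classic push/ret replacement for jmp.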

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\corsangle.exe Executable created and started: C:\Windows\SysWOW64\corsangle.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe PE file moved: C:\Windows\SysWOW64\corsangle.exe
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_0222E138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 2_2_0222E138
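The process list above (the sample relaunching its own image as lK8vF3n2e7.exe --b0af2bca, the SysWOW64 copy relaunching itself as corsangle.exe --2e5419fc) and the persistence entries here (the PE moved to C:\Windows\SysWOW64\corsangle.exe, the OpenSCManagerW/CreateServiceW/ChangeServiceConfig2W/StartServiceW chain, and the copy being started with no recorded parent, which is consistent with a service start) together describe one installation sequence. The following is an added host-side detection example, not part of the report, written in Python over constructed Sysmon process-creation (event ID 1), Sysmon file-creation (event ID 11) and System-log service-install (event ID 7045) records that mirror that sequence. The parent images, the service name corsangle and the benign noise records are assumptions, since the report shows neither a parent for the SysWOW64 copy nor the name of the created service. One caveat is built into the comments: the report says the PE was moved, and a same-volume move is a rename that does not by itself produce a Sysmon FileCreate event, so the file-drop rule is illustrative and in practice needs a real create/overwrite, file-system auditing or EDR rename telemetry to fire.

```python
"""Host-side detection of the installation sequence seen in this report.

Added example, not part of the report. It runs three checks over constructed
Windows telemetry records (Sysmon event 1 process creation, Sysmon event 11
file creation, System event 7045 service installation) that mirror the
sequence above. Parent images, the service name and the benign records are
assumptions; the report shows neither a parent for the SysWOW64 copy nor the
created service's name.
"""
import re
from typing import Dict, List, Set, Tuple

Alert = Tuple[str, str]

# A process relaunching its own image with a single "--<8 hex digits>" argument,
# as lK8vF3n2e7.exe --b0af2bca and corsangle.exe --2e5419fc do in the report.
HEX_ARG = re.compile(r"\s--[0-9a-f]{8}$")
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
USER_DIR = "c:\\users\\"


def norm(path: str) -> str:
    """Case-fold and drop surrounding quotes so paths compare reliably."""
    return path.strip().strip('"').lower()


def detect(events: List[Dict]) -> List[Alert]:
    alerts: List[Alert] = []
    dropped: Set[str] = set()  # PEs written into a system dir by user-profile code
    for ev in events:
        if ev["id"] == 1:
            image, parent = norm(ev["Image"]), norm(ev["ParentImage"])
            if image == parent and HEX_ARG.search(ev["CommandLine"]):
                alerts.append(("self_spawn_hex_arg", ev["CommandLine"]))
        elif ev["id"] == 11:
            # Caveat: a same-volume move is a rename, which Sysmon's FileCreate
            # event does not record; this rule needs a real create/overwrite or
            # file-system auditing to fire on the "PE file moved" step above.
            target = norm(ev["TargetFilename"])
            if (norm(ev["Image"]).startswith(USER_DIR)
                    and target.startswith(SYSTEM_DIRS)
                    and target.endswith(".exe")):
                dropped.add(target)
                alerts.append(("pe_dropped_to_system_dir", ev["TargetFilename"]))
        elif ev["id"] == 7045:
            # Service binary equals a PE that user-profile code just placed in a
            # system directory: the CreateServiceW/StartServiceW chain above.
            # Real ImagePath values may carry arguments; a bare path is assumed.
            if norm(ev["ImagePath"]) in dropped:
                alerts.append(("service_installed_for_dropped_pe", ev["ServiceName"]))
    return alerts


# Constructed records mirroring the report; parents, service name and the two
# benign records at the end are assumptions, not data from the report.
EVENTS: List[Dict] = [
    {"id": 1, "Image": r"C:\Users\user\Desktop\lK8vF3n2e7.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\user\Desktop\lK8vF3n2e7.exe"},
    {"id": 1, "Image": r"C:\Users\user\Desktop\lK8vF3n2e7.exe",
     "ParentImage": r"C:\Users\user\Desktop\lK8vF3n2e7.exe",
     "CommandLine": r"C:\Users\user\Desktop\lK8vF3n2e7.exe --b0af2bca"},
    {"id": 11, "Image": r"C:\Users\user\Desktop\lK8vF3n2e7.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\corsangle.exe"},
    {"id": 7045, "ServiceName": "corsangle",
     "ImagePath": r"C:\Windows\SysWOW64\corsangle.exe"},
    {"id": 1, "Image": r"C:\Windows\SysWOW64\corsangle.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\SysWOW64\corsangle.exe"},
    {"id": 1, "Image": r"C:\Windows\SysWOW64\corsangle.exe",
     "ParentImage": r"C:\Windows\SysWOW64\corsangle.exe",
     "CommandLine": r"C:\Windows\SysWOW64\corsangle.exe --2e5419fc"},
    {"id": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"id": 7045, "ServiceName": "ExampleSvc",
     "ImagePath": r"C:\Program Files\Example\svc.exe"},
]

if __name__ == "__main__":
    for kind, detail in detect(EVENTS):
        print(f"{kind:32s} {detail}")
```

The self-spawn rule is the cheapest of the three and fires twice here, once per image; the service rule only fires because the 7045 ImagePath matches a path the file rule recorded earlier in the same stream, which is the correlation that separates this from an ordinary 32-bit service install.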

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe File opened: C:\Windows\SysWOW64\corsangle.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_0040921B IsIconic,GetWindowPlacement,GetWindowRect, 0_2_0040921B
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_0040658E IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 0_2_0040658E
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_0040921B IsIconic,GetWindowPlacement,GetWindowRect, 2_2_0040921B
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_0040658E IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 2_2_0040658E
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\corsangle.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\corsangle.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\corsangle.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\corsangle.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\corsangle.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\corsangle.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\corsangle.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 2_2_0222DE9C
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe API coverage: 3.7 %
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe API coverage: 7.3 %
Source: C:\Windows\SysWOW64\corsangle.exe API coverage: 9.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5628 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_004290C4 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 0_2_004290C4
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_004290C4 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 2_2_004290C4
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00412ABE VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 0_2_00412ABE
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW8
Source: svchost.exe, 00000001.00000002.196850072.0000029294540000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.262909344.000001B354940000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.288780129.00000244C3AC0000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.458125183.000001B859D90000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000009.00000002.459529652.0000026126C61000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: lK8vF3n2e7.exe Binary or memory string: I8oKGytdP622n9WmGxbgmPhIfDzm3srNwnaDwLHaPuaIqKpKHJ+haXU4Lc/uxCygu3VYhfJXxbxfrqdeVt4kZAyaSSnVvXW0zfVXghGFS0LXjfmFDY7skNksCX66umEr8XOIxu8DVf/SLy0Y+CoBz14kYiA8CK3s/p/RPI/LVlsM47LNREhppES52ibX8zLNfqvGlsGDuvFvpXwN8FkJRxlJhksfuNqWAaun7Qgh0yyvLtn88xpWIzGLITTamiabjmuL
Source: lK8vF3n2e7.exe Binary or memory string: Ssqj+A77eGYtJq8ICEcGHdOAF8zZ/g+lz66vQgUol6twX/hZSXEQhn/P2i+iLwrXI+afbu5s41pTPUk/zpU2fSBxplNRL7EdT8M9SolAnFpa4BtbPcZKxQhxc3BpZiUhXY8wowA3xHMp7vT/hdkN8ybdR5SQ7TZ431qX+GG7n/xLXAcYfozyvRb6gE7S04VNvLKch31pEJrlB1uo7dcrNPIQmxejicPSa7MiCCNtjFQU3W7j3GhgfSrD45h9wj+TNfkZ
Source: corsangle.exe, 00000004.00000002.456309381.00000000007B9000.00000004.00000020.sdmp, svchost.exe, 00000009.00000002.455342615.0000026121429000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.455110546.000001E07A202000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000001.00000002.196850072.0000029294540000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.262909344.000001B354940000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.288780129.00000244C3AC0000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.458125183.000001B859D90000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000001.00000002.196850072.0000029294540000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.262909344.000001B354940000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.288780129.00000244C3AC0000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.458125183.000001B859D90000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000D.00000002.455406725.000001E07A23E000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.455681474.000001B859242000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.455121527.00000242A942A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000001.00000002.196850072.0000029294540000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.262909344.000001B354940000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.288780129.00000244C3AC0000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.458125183.000001B859D90000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\corsangle.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\corsangle.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00401784 LoadLibraryW,GetProcAddress, 0_2_00401784
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00401693 mov eax, dword ptr fs:[00000030h] 0_2_00401693
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_00401693 mov eax, dword ptr fs:[00000030h] 2_2_00401693
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_021E1743 mov eax, dword ptr fs:[00000030h] 2_2_021E1743
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_021E0467 mov eax, dword ptr fs:[00000030h] 2_2_021E0467
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_021E0C0C mov eax, dword ptr fs:[00000030h] 2_2_021E0C0C
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_022212CD mov eax, dword ptr fs:[00000030h] 2_2_022212CD
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_02221E04 mov eax, dword ptr fs:[00000030h] 2_2_02221E04
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E30467 mov eax, dword ptr fs:[00000030h] 3_2_00E30467
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E30C0C mov eax, dword ptr fs:[00000030h] 3_2_00E30C0C
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E31743 mov eax, dword ptr fs:[00000030h] 3_2_00E31743
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E512CD mov eax, dword ptr fs:[00000030h] 3_2_00E512CD
Source: C:\Windows\SysWOW64\corsangle.exe Code function: 3_2_00E51E04 mov eax, dword ptr fs:[00000030h] 3_2_00E51E04
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_022214F2 GetProcessHeap,RtlAllocateHeap, 2_2_022214F2
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00416EBA SetUnhandledExceptionFilter, 0_2_00416EBA
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00416ECE SetUnhandledExceptionFilter, 0_2_00416ECE
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_00416EBA SetUnhandledExceptionFilter, 2_2_00416EBA
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_00416ECE SetUnhandledExceptionFilter, 2_2_00416ECE
Source: svchost.exe, 0000000F.00000002.455972537.000002466C660000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: svchost.exe, 0000000F.00000002.455972537.000002466C660000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 0000000F.00000002.455972537.000002466C660000.00000002.00000001.sdmp Binary or memory string: Progman
Source: svchost.exe, 0000000F.00000002.455972537.000002466C660000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 2_2_021EE1F7 cpuid 2_2_021EE1F7
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 0_2_00406115
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 0_2_0042C2AE
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: _strlen,EnumSystemLocalesA, 0_2_0041C3C6
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 0_2_0041C3FD
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat, 0_2_0041C4D8
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: _strlen,EnumSystemLocalesA, 0_2_0041C483
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 0_2_0041EDB9
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 0_2_0041EE75
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetLocaleInfoA, 0_2_0041AED4
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 0_2_0041EEE9
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetLocaleInfoA,_strncpy, 0_2_0041BEA7
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 0_2_0041EF9C
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 2_2_00406115
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 2_2_0042C2AE
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: _strlen,EnumSystemLocalesA, 2_2_0041C3C6
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: _strlen,_strlen,EnumSystemLocalesA, 2_2_0041C3FD
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat, 2_2_0041C4D8
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: _strlen,EnumSystemLocalesA, 2_2_0041C483
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 2_2_0041EDB9
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 2_2_0041EE75
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetLocaleInfoA, 2_2_0041AED4
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 2_2_0041EEE9
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetLocaleInfoA,_strncpy, 2_2_0041BEA7
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 2_2_0041EF9C
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\corsangle.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00418520 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00418520
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_0041A554 __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy, 0_2_0041A554
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Code function: 0_2_00409088 GetVersionExA, 0_2_00409088
Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000013.00000002.455118908.000001E666C3D000.00000004.00000001.sdmp Binary or memory string: "@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 00000013.00000002.455313869.000001E666D02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
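The entries in this and the earlier sections are a flat list of Source / event / detail lines that mix the sample's own processes (lK8vF3n2e7.exe and its SysWOW64 copy corsangle.exe) with Windows processes that happened to run during the analysis. That matters for the two signatures directly above: the Security Center cval change and the ROOT\SecurityCenter2 WMI queries are attributed to svchost.exe, and the process list earlier shows a svchost instance hosting wscsvc (the Windows Security Center service) and another launching MpCmdRun.exe -wdenable, so these entries describe the operating system's security center at work rather than the sample's code. The following is an added triage example, not part of the report and not the sandbox's code, in Python: it parses a constructed subset of the report's lines (copied verbatim from above), rebuilds the sample's process lineage by following Process created and PE file moved events outward from the submitted path, buckets every other event as sample or other, and extracts the Emotet-style mutex identifier (the two Global\I... and Global\M... mutants above share the suffix 8B93DEAF) together with the relocated PE path. The event names it recognises and the lineage rules are this example's own assumptions.

```python
"""Triage of flat sandbox-report lines such as the ones in this report.

Added example; not part of the report and not the sandbox vendor's code.
It rebuilds the sample's process lineage, attributes every event to the
sample or to an unrelated Windows process, and extracts a few IOCs.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Set

# Path of the submitted sample exactly as the report writes it.
SAMPLE_IMAGE = r"C:\Users\user\Desktop\lK8vF3n2e7.exe"

# Constructed input: a subset of lines copied verbatim from this report.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\I8B93DEAF",
    r"Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\M8B93DEAF",
    r"Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3892:120:WilError_01",
    r"Source: unknown Process created: C:\Users\user\Desktop\lK8vF3n2e7.exe 'C:\Users\user\Desktop\lK8vF3n2e7.exe'",
    r"Source: C:\Users\user\Desktop\lK8vF3n2e7.exe Process created: C:\Users\user\Desktop\lK8vF3n2e7.exe --b0af2bca",
    r"Source: unknown Process created: C:\Windows\SysWOW64\corsangle.exe C:\Windows\SysWOW64\corsangle.exe",
    r"Source: C:\Windows\SysWOW64\corsangle.exe Process created: C:\Windows\SysWOW64\corsangle.exe --2e5419fc",
    r"Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc",
    r"Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable",
    r"Source: C:\Users\user\Desktop\lK8vF3n2e7.exe PE file moved: C:\Windows\SysWOW64\corsangle.exe",
    r"Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval",
    r"Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct",
]

# Event names recognised here are an assumption based on the lines above.
EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<event>Process created|Mutant created|PE file moved|"
    r"Executable created and started|Key value created or modified|"
    r"WMI Queries|File created|File opened): (?P<detail>.*)$"
)
# First token ending in .exe is the image; the rest is the command line.
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)(?: (?P<cmdline>.*))?$", re.IGNORECASE)
# Emotet-style mutant names: Global\I<8 hex> and Global\M<8 hex> share one id.
EMOTET_MUTEX_RE = re.compile(r"\\Global\\([IM])([0-9A-F]{8})$")


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only lines in the Source / event / detail shape."""
    parsed = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            parsed.append(m.groupdict())
    return parsed


def sample_lineage(events: List[Dict[str, str]], sample_image: str) -> Set[str]:
    """Images that belong to the sample: the submitted path, anything it
    spawned, anything it moved or started as a PE, and so on transitively."""
    lineage = {sample_image.lower()}
    changed = True
    while changed:
        changed = False
        for ev in events:
            if ev["src"].lower() not in lineage:
                continue
            if ev["event"] == "Process created":
                im = IMAGE_RE.match(ev["detail"])
                if not im:
                    continue
                target = im.group("image").lower()
            elif ev["event"] in ("PE file moved", "Executable created and started"):
                target = ev["detail"].strip().lower()
            else:
                continue
            if target not in lineage:
                lineage.add(target)
                changed = True
    return lineage


def triage(lines: List[str], sample_image: str) -> Dict:
    events = parse(lines)
    lineage = sample_lineage(events, sample_image)
    tree: Dict[str, List[str]] = defaultdict(list)
    mutex_ids: Set[str] = set()
    relocated: List[str] = []
    counts = {"sample": 0, "other": 0}
    for ev in events:
        bucket = "sample" if ev["src"].lower() in lineage else "other"
        counts[bucket] += 1
        if ev["event"] == "Process created":
            tree[ev["src"]].append(ev["detail"])
        elif bucket != "sample":
            continue  # mutexes and file moves by Windows processes are noise here
        elif ev["event"] == "Mutant created":
            mm = EMOTET_MUTEX_RE.search(ev["detail"])
            if mm:
                mutex_ids.add(mm.group(2))
        elif ev["event"] in ("PE file moved", "Executable created and started"):
            relocated.append(ev["detail"].strip())
    return {
        "lineage": sorted(lineage),
        "tree": dict(tree),
        "emotet_mutex_ids": sorted(mutex_ids),
        "relocated_pe": relocated,
        "sample_events": counts["sample"],
        "other_events": counts["other"],
    }


if __name__ == "__main__":
    print(json.dumps(triage(REPORT_LINES, SAMPLE_IMAGE), indent=2))
```

Fed the whole report, the "other" bucket is where the svchost, SgrmBroker, MpCmdRun and conhost entries land, and the 8-hex-digit mutex id is the host-specific value worth carrying into a hunt: the same id appears in both the I and the M mutant, and the corresponding names on other machines will differ only in that suffix.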

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000002.00000002.233128075.0000000002221000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.456108284.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.194289287.0000000000591000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.456134629.0000000000721000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.233094123.00000000021E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.229558668.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.194269122.0000000000570000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.229583434.0000000000E51000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.corsangle.exe.70053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.corsangle.exe.e3053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.lK8vF3n2e7.exe.21e053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.corsangle.exe.e3053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lK8vF3n2e7.exe.57053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.corsangle.exe.70053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.lK8vF3n2e7.exe.21e053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.lK8vF3n2e7.exe.57053f.1.raw.unpack, type: UNPACKEDPE
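The match list above mixes two naming schemes: memory dumps (`.sdmp`) and PE files carved from them (`.unpack` / `.raw.unpack`). The Python below, added here as a worked example and not part of the Joe Sandbox report, parses both and correlates each carved Emotet PE with the dumped region of the same process that contains it. The field layout assumed for the dump names (process index, analysis phase, dump id, region base, page protection, dump type) is an inference from the values on the page, not documented here; the PAGE_* constants are the Win32 ones, and the page-level hits at 0x20 and 0x40 decode to PAGE_EXECUTE_READ and PAGE_EXECUTE_READWRITE.

```python
import re
from collections import defaultdict

# Constructed input: the "Yara detected Emotet" sources listed in this report.
YARA_SOURCES = """
00000002.00000002.233128075.0000000002221000.00000020.00000001.sdmp
00000004.00000002.456108284.0000000000700000.00000040.00000001.sdmp
00000000.00000002.194289287.0000000000591000.00000020.00000001.sdmp
00000004.00000002.456134629.0000000000721000.00000020.00000001.sdmp
00000002.00000002.233094123.00000000021E0000.00000040.00000001.sdmp
00000003.00000002.229558668.0000000000E30000.00000040.00000001.sdmp
00000000.00000002.194269122.0000000000570000.00000040.00000001.sdmp
00000003.00000002.229583434.0000000000E51000.00000020.00000001.sdmp
4.2.corsangle.exe.70053f.1.unpack
3.2.corsangle.exe.e3053f.1.raw.unpack
2.2.lK8vF3n2e7.exe.21e053f.1.unpack
3.2.corsangle.exe.e3053f.1.unpack
0.2.lK8vF3n2e7.exe.57053f.1.unpack
4.2.corsangle.exe.70053f.1.raw.unpack
2.2.lK8vF3n2e7.exe.21e053f.1.raw.unpack
0.2.lK8vF3n2e7.exe.57053f.1.raw.unpack
""".split()

# Win32 PAGE_* protection constants; the 0x20/0x40 fields in the dump names match these.
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # every PAGE_EXECUTE* value has a bit in this nibble

# Assumed layout: <proc idx>.<phase>.<dump id>.<region base>.<protection>.<type>.sdmp
SDMP_RE = re.compile(
    r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
# Assumed layout: <proc idx>.<phase>.<image name>.<carve address>.<n>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-f]+)\.(\d+)(\.raw)?\.unpack$")


def parse_source(name):
    """Parse one 'File source' name into a dict; raise on an unknown scheme."""
    m = SDMP_RE.match(name)
    if m:
        return {"kind": "memory", "pid_index": int(m.group(1)), "phase": int(m.group(2)),
                "dump_id": int(m.group(3)), "base": int(m.group(4), 16),
                "protect": int(m.group(5), 16)}
    m = UNPACK_RE.match(name)
    if m:
        return {"kind": "unpack", "pid_index": int(m.group(1)), "phase": int(m.group(2)),
                "image": m.group(3), "address": int(m.group(4), 16),
                "raw": m.group(6) is not None}
    raise ValueError(f"unrecognised Yara source name: {name}")


def all_regions_executable(names):
    """True if every memory-dump hit lies in a region with an execute protection bit."""
    dumps = [p for p in map(parse_source, names) if p["kind"] == "memory"]
    return bool(dumps) and all(p["protect"] & EXECUTE_MASK for p in dumps)


def correlate(names):
    """Map each carved PE to the dumped region of the same process whose base is the
    highest one at or below the carve address (region sizes are not in the report)."""
    parsed = [parse_source(n) for n in names]
    regions = defaultdict(list)
    for p in parsed:
        if p["kind"] == "memory":
            regions[p["pid_index"]].append(p)
    results, seen = [], set()
    for p in parsed:
        if p["kind"] != "unpack":
            continue
        key = (p["pid_index"], p["address"])
        if key in seen:  # .unpack and .raw.unpack are two views of the same carve
            continue
        seen.add(key)
        below = [r for r in regions[p["pid_index"]] if r["base"] <= p["address"]]
        region = max(below, key=lambda r: r["base"]) if below else None
        results.append({
            "pid_index": p["pid_index"], "image": p["image"], "address": p["address"],
            "region_base": region["base"] if region else None,
            "offset": p["address"] - region["base"] if region else None,
            "protection": (PAGE_PROTECTION.get(region["protect"], hex(region["protect"]))
                           if region else None),
            "sibling_regions": [hex(r["base"]) for r in regions[p["pid_index"]]
                                if r is not region],
        })
    return sorted(results, key=lambda r: r["pid_index"])


if __name__ == "__main__":
    for r in correlate(YARA_SOURCES):
        print(f"proc {r['pid_index']} {r['image']}: PE at {r['address']:#x} = "
              f"{r['region_base']:#x}+{r['offset']:#x} ({r['protection']}), "
              f"other hit regions {r['sibling_regions']}")
```

Run against the report's own list, this shows the same layout in all four processes (the original sample, its re-launched copy, and the two corsangle.exe instances): the carved PE sits at offset 0x53f inside an RWX region, with a second RX hit region 0x21000 above it, which is what you would expect from the same unpacking routine running in each process rather than four unrelated detections.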
Behavior Graph ID: 383022
Sample: lK8vF3n2e7.exe
Start date: 07/04/2021
Architecture: WINDOWS
Score: 96

Sample-level signatures:
  - Malicious sample detected (through community Yara rule)
  - Antivirus / Scanner detection for submitted sample
  - Multi AV Scanner detection for submitted file
  - Yara detected Emotet

Process tree with per-node signatures (-) and contacted hosts (->); numbers in parentheses are the per-node counts printed on the graph:
  lK8vF3n2e7.exe (17) started
    - Detected Emotet e-Banking trojan
    - Found evasive API chain (may stop execution after checking mutex)
    lK8vF3n2e7.exe (13) started
      - Hides that the sample has been downloaded from the Internet (zone.identifier)
  corsangle.exe (17) started
    - Drops executables to the windows directory (C:\Windows) and starts them
    corsangle.exe (27) started
      -> 190.146.131.105, 8080 TelmexColombiaSACO Colombia
      -> 85.234.143.94, 8080 SIMPLYTRANSITGB United Kingdom
      -> 4 other IPs or domains
  svchost.exe started
    - Changes security center settings (notifications, updates, antivirus, firewall)
    MpCmdRun.exe (1) started
      conhost.exe started
  10 other processes started
    -> 127.0.0.1 unknown unknown
    -> 192.168.2.1 unknown unknown

Contacted Public IPs

IP               Domain   Country         ASN    ASN Name                                    Malicious
190.146.131.105  unknown  Colombia        10620  TelmexColombiaSACO                          false
85.234.143.94    unknown  United Kingdom  29550  SIMPLYTRANSITGB                             false
119.59.124.163   unknown  Thailand        56067  METRABYTE-TH453LadplacoutJorakhaebuaTH      false
104.236.137.72   unknown  United States   14061  DIGITALOCEAN-ASNUS                          false
172.104.233.225  unknown  United States   63949  LINODE-APLinodeLLCUS                        false
213.189.36.51    unknown  Poland          15694  ATMAN-ISP-ASATMSAPL                         false

Private

IP
192.168.2.1
127.0.0.1
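The "Malicious" column above is false for all six addresses, which reflects the sandbox's IP reputation data, not the behaviour in the graph, where the dropped corsangle.exe contacts two of them on port 8080. The Python below, added here as a worked example and not part of the report, turns the table into an IOC set, runs it over a constructed flow log, and emits Suricata rules for the addresses. The flow-log format (tab-separated timestamp, source, source port, destination, destination port, protocol), the sample lines, and the SID base are all assumptions made for the example; port 8080 is only confirmed by the graph for the first two addresses.

```python
import ipaddress

# IOCs from the "Contacted Public IPs" table and behaviour graph of this report.
# port is None where the report does not show the port that was used.
EMOTET_C2_IOCS = {
    "190.146.131.105": {"port": 8080, "country": "Colombia",       "asn": 10620},
    "85.234.143.94":   {"port": 8080, "country": "United Kingdom", "asn": 29550},
    "119.59.124.163":  {"port": None, "country": "Thailand",       "asn": 56067},
    "104.236.137.72":  {"port": None, "country": "United States",  "asn": 14061},
    "172.104.233.225": {"port": None, "country": "United States",  "asn": 63949},
    "213.189.36.51":   {"port": None, "country": "Poland",         "asn": 15694},
}

# Constructed sample flow log (not from the report):
# ts, orig_h, orig_p, resp_h, resp_p, proto, tab-separated, one flow per line.
SAMPLE_CONN_LOG = """\
1617775200.001\t192.168.2.5\t49812\t190.146.131.105\t8080\ttcp
1617775201.120\t192.168.2.5\t49813\t85.234.143.94\t8080\ttcp
1617775202.500\t192.168.2.5\t49814\t172.104.233.225\t443\ttcp
1617775203.700\t192.168.2.5\t49815\t8.8.8.8\t53\tudp
1617775204.900\t192.168.2.5\t49816\t192.168.2.1\t53\tudp
"""


def parse_conn_log(text):
    """Yield one dict per flow line; blank lines and '#' comments are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto = line.split("\t")
        yield {"ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
               "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto}


def match_flows(text, iocs=EMOTET_C2_IOCS):
    """Return the flows whose destination is a listed C2, annotated with whether the
    destination port matches the one the report observed (None if the report has none)."""
    hits = []
    for flow in parse_conn_log(text):
        dst = flow["resp_h"]
        if ipaddress.ip_address(dst).is_private:
            continue  # 192.168.2.1 / 127.0.0.1 are sandbox-local, listed separately above
        meta = iocs.get(dst)
        if meta is None:
            continue
        expected = meta["port"]
        hits.append({**flow,
                     "country": meta["country"], "asn": meta["asn"],
                     "port_confirmed": None if expected is None else flow["resp_p"] == expected})
    return hits


def suricata_rules(iocs=EMOTET_C2_IOCS, sid_base=9000000):
    """One alert rule per C2; sid_base is a placeholder, use your own local SID range.
    Addresses without an observed port match any port."""
    rules = []
    for i, (ip, meta) in enumerate(sorted(iocs.items())):
        port = meta["port"] if meta["port"] is not None else "any"
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} '
                     f'(msg:"Emotet C2 contact {ip} (AS{meta["asn"]}, {meta["country"]})"; '
                     f'flow:to_server; sid:{sid_base + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    for h in match_flows(SAMPLE_CONN_LOG):
        print(f"{h['ts']:.3f} {h['orig_h']} -> {h['resp_h']}:{h['resp_p']} "
              f"({h['country']}, AS{h['asn']}) port_confirmed={h['port_confirmed']}")
    print("\n".join(suricata_rules()))
```

The private-address filter matters in practice: the report's own "Private" list (192.168.2.1, 127.0.0.1) is sandbox plumbing, and a naive IP match without it produces noise on every host that resolves DNS through its gateway.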