Analysis Report HU4TEm4Vr7

Overview

General Information

Sample Name: HU4TEm4Vr7 (renamed file extension from none to exe)
Analysis ID: 408099
MD5: b15d974f421d3e19332c6094e56e314d
SHA1: b15f580af5e3e774fe02d8e7f1bce6fc250c05e6
SHA256: bc92df452b140f3ec4d88796ed0b9a5c74514349e785505ad55f0b82b1c9c1fa

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: HU4TEm4Vr7.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: HU4TEm4Vr7.exe Virustotal: Detection: 80%
Source: HU4TEm4Vr7.exe Metadefender: Detection: 67%
Source: HU4TEm4Vr7.exe ReversingLabs: Detection: 100%
Machine Learning detection for sample
Source: HU4TEm4Vr7.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA2496 CryptDestroyHash, 1_2_00AA2496
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA24F6 CryptDuplicateHash,CryptDecrypt,CryptDestroyHash, 1_2_00AA24F6
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA2406 CryptDuplicateHash, 1_2_00AA2406
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA2466 CryptEncrypt,CryptDestroyHash, 1_2_00AA2466
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA2595 CryptVerifySignatureW,CryptDestroyHash, 1_2_00AA2595
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA22C9 CryptGetHashParam, 1_2_00AA22C9
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA2279 CryptExportKey, 1_2_00AA2279
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA23B7 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 1_2_00AA23B7
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA2399 CryptGenKey,CryptDestroyKey,CryptReleaseContext, 1_2_00AA2399
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA2335 CryptImportKey,LocalFree,CryptReleaseContext, 1_2_00AA2335
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA2314 CryptReleaseContext, 1_2_00AA2314
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_01582496 CryptDestroyHash, 6_2_01582496
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_01582314 CryptDecodeObjectEx,CryptReleaseContext, 6_2_01582314
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_01582335 CryptImportKey,LocalFree,CryptReleaseContext, 6_2_01582335
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_01582399 CryptGenKey,CryptDestroyKey,CryptReleaseContext, 6_2_01582399
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_015823B7 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 6_2_015823B7
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_01582279 CryptExportKey, 6_2_01582279
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_015822F5 CryptAcquireContextW, 6_2_015822F5
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_01582595 CryptVerifySignatureW,CryptDestroyHash, 6_2_01582595
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_01582466 CryptEncrypt,CryptDestroyHash, 6_2_01582466
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_01582406 CryptDuplicateHash, 6_2_01582406
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_015824F6 CryptDuplicateHash,CryptDecrypt,CryptDestroyHash, 6_2_015824F6
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_015822C9 CryptGetHashParam, 6_2_015822C9

Compliance:

Uses 32bit PE files
Source: HU4TEm4Vr7.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HU4TEm4Vr7.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: uigjhghio.pdb source: HU4TEm4Vr7.exe

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49726 -> 105.228.198.254:7080
Source: global traffic TCP traffic: 192.168.2.3:49731 -> 83.110.95.159:990
Source: global traffic TCP traffic: 192.168.2.3:49738 -> 169.0.142.82:8080
Source: global traffic TCP traffic: 192.168.2.3:49742 -> 187.205.170.3:990
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.3:49739 -> 189.152.183.239:80
Source: unknown TCP traffic detected without corresponding DNS query: 105.228.198.254
Source: unknown TCP traffic detected without corresponding DNS query: 105.228.198.254
Source: unknown TCP traffic detected without corresponding DNS query: 105.228.198.254
Source: unknown TCP traffic detected without corresponding DNS query: 169.0.142.82
Source: unknown TCP traffic detected without corresponding DNS query: 169.0.142.82
Source: unknown TCP traffic detected without corresponding DNS query: 169.0.142.82
Source: unknown TCP traffic detected without corresponding DNS query: 189.152.183.239
Source: unknown TCP traffic detected without corresponding DNS query: 189.152.183.239
Source: unknown TCP traffic detected without corresponding DNS query: 189.152.183.239
Source: unknown TCP traffic detected without corresponding DNS query: 187.205.170.3
Source: unknown TCP traffic detected without corresponding DNS query: 187.205.170.3
Source: unknown TCP traffic detected without corresponding DNS query: 187.205.170.3
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_01581628 InternetReadFile, 6_2_01581628
Source: msrarunning.exe, 00000006.00000003.315865067.00000000012D4000.00000004.00000001.sdmp String found in binary or memory: http://105.228.198.254:7080/
Source: msrarunning.exe, 00000006.00000003.315865067.00000000012D4000.00000004.00000001.sdmp String found in binary or memory: http://105.228.198.254:7080/E
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp String found in binary or memory: http://169.0.142.82:8080/
Source: msrarunning.exe, 00000006.00000003.407481618.00000000012D4000.00000004.00000001.sdmp String found in binary or memory: http://169.0.142.82:8080/54
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp String found in binary or memory: http://169.0.142.82:8080/nd
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp String found in binary or memory: http://169.0.142.82:8080/vd
Source: msrarunning.exe, 00000006.00000002.480504793.0000000000EFC000.00000004.00000001.sdmp, msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp String found in binary or memory: http://187.205.170.3:990/
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp String found in binary or memory: http://187.205.170.3:990/.95.159:990/
Source: msrarunning.exe, 00000006.00000002.481824760.00000000012D5000.00000004.00000020.sdmp String found in binary or memory: http://187.205.170.3:990/54
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp String found in binary or memory: http://187.205.170.3:990/Nd
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp String found in binary or memory: http://187.205.170.3:990/fd
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp String found in binary or memory: http://189.152.183.239/
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp String found in binary or memory: http://189.152.183.239/Y
Source: msrarunning.exe, 00000006.00000002.481824760.00000000012D5000.00000004.00000020.sdmp String found in binary or memory: http://189.152.183.239/t
Source: msrarunning.exe, 00000006.00000003.407481618.00000000012D4000.00000004.00000001.sdmp String found in binary or memory: http://83.110.95.159:990/
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp String found in binary or memory: http://83.110.95.159:990/&d7-
Source: msrarunning.exe, 00000006.00000002.481824760.00000000012D5000.00000004.00000020.sdmp String found in binary or memory: http://83.110.95.159:990/0
Source: msrarunning.exe, 00000006.00000003.407481618.00000000012D4000.00000004.00000001.sdmp String found in binary or memory: http://83.110.95.159:990/54Q
Source: msrarunning.exe, 00000006.00000003.407481618.00000000012D4000.00000004.00000001.sdmp String found in binary or memory: http://83.110.95.159:990/V
Source: svchost.exe, 00000009.00000002.483913722.000002EC13812000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000009.00000002.483913722.000002EC13812000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000009.00000002.483913722.000002EC13812000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000009.00000002.484840244.000002EC13B10000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000011.00000002.308960216.000001569B613000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000011.00000003.308467618.000001569B65A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000002.309028609.000001569B65C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.309004954.000001569B63D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000011.00000002.309028609.000001569B65C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000003.308432109.000001569B648000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000011.00000002.309028609.000001569B65C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.309004954.000001569B63D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000011.00000003.308508445.000001569B640000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000011.00000003.308508445.000001569B640000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000002.309028609.000001569B65C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000011.00000003.308467618.000001569B65A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000002.309028609.000001569B65C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000002.309028609.000001569B65C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.308397736.000001569B664000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.309004954.000001569B63D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.286711862.000001569B632000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000011.00000002.309004954.000001569B63D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.309004954.000001569B63D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.308960216.000001569B613000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.286711862.000001569B632000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.308508445.000001569B640000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000003.286711862.000001569B632000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000011.00000003.286711862.000001569B632000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000011.00000003.308432109.000001569B648000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
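The networking evidence above has two parts a detection engineer can turn into a rule: the sample contacts hard-coded IP addresses (no DNS query precedes any of the connections) and most of them are on ports where plain HTTP is unusual (7080, 8080, 990). The script below is an added example, not Joe Sandbox output or Emotet code: it correlates a connection log with a DNS answer log and flags destinations that were never resolved by name shortly beforehand. The record format, the 300 s correlation window and the two benign lookups are assumptions; the malicious destinations are the ones listed in this report. Note that all of these servers were down at analysis time, so the list is an indicator of the sample's embedded C2 configuration rather than of live infrastructure.

```python
"""Flag outbound TCP connections that were not preceded by a DNS answer for the
destination address, the same observation the sandbox makes above.
Added example; the records below are constructed, not captured traffic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Destinations inside these ranges are local infrastructure, never candidate C2.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]

# Ports on which an HTTP(S) connection is unremarkable; anything else is "non-standard".
STANDARD_WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Conn:
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class DnsAnswer:
    ts: float
    qname: str
    rdata: str     # resolved IPv4 address


def index_dns(answers: List[DnsAnswer]) -> Dict[str, List[Tuple[float, str]]]:
    """Map each resolved IP to the (time, name) pairs that produced it."""
    idx: Dict[str, List[Tuple[float, str]]] = {}
    for a in answers:
        idx.setdefault(a.rdata, []).append((a.ts, a.qname))
    return idx


def is_local(ip: str) -> bool:
    # Explicit range list: ipaddress.is_private also covers TEST-NET, which we
    # use below for constructed "internet" hosts, so it must not be used here.
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_unresolved_connections(conns, answers, window: float = 300.0):
    """Return (dst, dport, nonstandard_port) for every connection whose destination
    was not returned by a DNS answer in the preceding `window` seconds."""
    idx = index_dns(answers)
    hits = []
    for c in conns:
        if is_local(c.dst):
            continue
        prior = [name for ts, name in idx.get(c.dst, []) if 0 <= c.ts - ts <= window]
        if prior:
            continue
        hits.append((c.dst, c.dport, c.dport not in STANDARD_WEB_PORTS))
    return hits


def ioc_list(hits):
    """Deduplicated, sorted ip:port strings for a blocklist or hunt query."""
    return sorted({f"{dst}:{dport}" for dst, dport, _ in hits})


# Constructed sample: the C2 attempts from this report plus two benign lookups
# to TEST-NET addresses that are NOT from the report.
SAMPLE_DNS = [
    DnsAnswer(99.0, "update.example.com", "203.0.113.10"),   # constructed, recent
    DnsAnswer(0.0, "cdn.example.net", "203.0.113.20"),       # constructed, stale
]
SAMPLE_CONNS = [
    Conn(100.0, "192.168.2.3", "105.228.198.254", 7080),
    Conn(101.0, "192.168.2.3", "83.110.95.159", 990),
    Conn(102.0, "192.168.2.3", "169.0.142.82", 8080),
    Conn(103.0, "192.168.2.3", "187.205.170.3", 990),
    Conn(104.0, "192.168.2.3", "189.152.183.239", 80),
    Conn(105.0, "192.168.2.3", "203.0.113.10", 443),    # resolved 6 s earlier: benign
    Conn(106.0, "192.168.2.3", "192.168.2.1", 53),      # local: ignored
    Conn(1000.0, "192.168.2.3", "203.0.113.20", 443),   # answer far outside window: flagged
]

if __name__ == "__main__":
    found = find_unresolved_connections(SAMPLE_CONNS, SAMPLE_DNS)
    for dst, dport, odd in found:
        print(f"{dst}:{dport}  no prior DNS answer" + ("  non-standard port" if odd else ""))
    print("IOCs:", ioc_list(found))
```

The port-80 hit shows why the two signals are kept separate: a raw-IP HTTP connection on a standard port is still worth a look, but "non-standard port" alone would miss it. On real telemetry, feed Zeek conn.log and dns.log (or the equivalent EDR events) into the two lists and lengthen the window for hosts with long DNS TTLs.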

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: HU4TEm4Vr7.exe, 00000000.00000002.212318844.0000000000D9A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AACA89 1_2_00AACA89
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_0158CA89 6_2_0158CA89
Yara detected Emotet
Source: Yara match File source: 00000000.00000002.212288486.0000000000D21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.229142026.0000000000B11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.482015534.0000000001581000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.230150499.0000000000AA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.HU4TEm4Vr7.exe.d20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.HU4TEm4Vr7.exe.aa0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.msrarunning.exe.1580000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.msrarunning.exe.b10000.2.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA2335 CryptImportKey,LocalFree,CryptReleaseContext, 1_2_00AA2335
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_01582335 CryptImportKey,LocalFree,CryptReleaseContext, 6_2_01582335

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.212288486.0000000000D21000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000005.00000002.229142026.0000000000B11000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000006.00000002.482015534.0000000001581000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.230150499.0000000000AA1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.HU4TEm4Vr7.exe.d20000.3.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.HU4TEm4Vr7.exe.aa0000.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 6.2.msrarunning.exe.1580000.3.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 5.2.msrarunning.exe.b10000.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Contains functionality to call native functions
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AAC980 NtdllDefWindowProc_W, 1_2_00AAC980
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_0158C980 NtdllDefWindowProc_W, 6_2_0158C980
Contains functionality to delete services
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AADC10 _snwprintf,OpenServiceW,DeleteService,CloseServiceHandle, 1_2_00AADC10
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA210D CreateProcessAsUserW, 1_2_00AA210D
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe File deleted: C:\Windows\SysWOW64\msrarunning.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 0_2_00B3A692 0_2_00B3A692
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 0_2_00B3B060 0_2_00B3B060
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 0_2_00B3B8D4 0_2_00B3B8D4
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 0_2_00B35CC0 0_2_00B35CC0
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 0_2_00B3A330 0_2_00B3A330
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 0_2_00B34D6F 0_2_00B34D6F
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 0_2_00B31357 0_2_00B31357
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA56EF 1_2_00AA56EF
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA56EF 1_2_00AA56EF
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 5_2_00B156EF 5_2_00B156EF
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 5_2_00B156EF 5_2_00B156EF
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_015856EF 6_2_015856EF
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_015856EF 6_2_015856EF
Sample file is different than original file name gathered from version info
Source: HU4TEm4Vr7.exe, 00000001.00000002.231969004.0000000002D50000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs HU4TEm4Vr7.exe
Source: HU4TEm4Vr7.exe, 00000001.00000002.232783286.0000000002E50000.00000002.00000001.sdmp Binary or memory string: originalfilename vs HU4TEm4Vr7.exe
Source: HU4TEm4Vr7.exe, 00000001.00000002.232783286.0000000002E50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs HU4TEm4Vr7.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Section loaded: lz32.dll
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Section loaded: lz32.dll
Source: C:\Windows\SysWOW64\msrarunning.exe Section loaded: lz32.dll
Source: C:\Windows\SysWOW64\msrarunning.exe Section loaded: lz32.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Uses 32bit PE files
Source: HU4TEm4Vr7.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000000.00000002.212288486.0000000000D21000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.229142026.0000000000B11000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000006.00000002.482015534.0000000001581000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.230150499.0000000000AA1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.HU4TEm4Vr7.exe.d20000.3.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.HU4TEm4Vr7.exe.aa0000.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 6.2.msrarunning.exe.1580000.3.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 5.2.msrarunning.exe.b10000.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: HU4TEm4Vr7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0x1001 address: 0x0
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@20/8@0/6
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: _snwprintf,CreateServiceW,CloseServiceHandle, 1_2_00AADCBB
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: _snwprintf,CreateServiceW,CloseServiceHandle, 6_2_0158DCB9
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA1C10 CreateToolhelp32Snapshot, 1_2_00AA1C10
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AADD3B ChangeServiceConfig2W, 1_2_00AADD3B
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7064:120:WilError_01
Source: C:\Windows\SysWOW64\msrarunning.exe Mutant created: \BaseNamedObjects\Global\ICA34BF57
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\MCA34BF57
Source: C:\Windows\SysWOW64\msrarunning.exe Mutant created: \BaseNamedObjects\PEM238
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\ICA34BF57
Source: C:\Windows\SysWOW64\msrarunning.exe Mutant created: \BaseNamedObjects\PEM168C
Source: HU4TEm4Vr7.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: HU4TEm4Vr7.exe Virustotal: Detection: 80%
Source: HU4TEm4Vr7.exe Metadefender: Detection: 67%
Source: HU4TEm4Vr7.exe ReversingLabs: Detection: 100%
Source: unknown Process created: C:\Users\user\Desktop\HU4TEm4Vr7.exe 'C:\Users\user\Desktop\HU4TEm4Vr7.exe'
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Process created: C:\Users\user\Desktop\HU4TEm4Vr7.exe C:\Users\user\Desktop\HU4TEm4Vr7.exe
Source: unknown Process created: C:\Windows\SysWOW64\msrarunning.exe C:\Windows\SysWOW64\msrarunning.exe
Source: C:\Windows\SysWOW64\msrarunning.exe Process created: C:\Windows\SysWOW64\msrarunning.exe C:\Windows\SysWOW64\msrarunning.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Process created: C:\Users\user\Desktop\HU4TEm4Vr7.exe C:\Users\user\Desktop\HU4TEm4Vr7.exe
Source: C:\Windows\SysWOW64\msrarunning.exe Process created: C:\Windows\SysWOW64\msrarunning.exe C:\Windows\SysWOW64\msrarunning.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: HU4TEm4Vr7.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: HU4TEm4Vr7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: uigjhghio.pdb source: HU4TEm4Vr7.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA1A36 LoadLibraryA,GetProcAddress, 1_2_00AA1A36
PE file contains an invalid checksum
Source: HU4TEm4Vr7.exe Static PE information: real checksum: 0x1000 should be: 0x915d4
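The "real checksum 0x1000, should be 0x915d4" finding is reproducible offline: the PE CheckSum is a defined function of the file bytes (the algorithm behind imagehlp's CheckSumMappedFile), so a triage script can recompute it without the sandbox. The code below is an added example, not a Joe Sandbox component: it locates the CheckSum field, recomputes the value and reports whether the stored one matches. The 256-byte buffer it builds is a constructed, header-only PE used so the example runs without a real binary; the values in the test are hand-computed for that buffer. A caveat for triage: many legitimate non-Microsoft binaries ship with a zero or stale checksum, so the mismatch is weak on its own. It carries more weight here alongside the other header oddities this report records, namely the export data directory with size 0x1001 at address 0 and the meaningless PDB path uigjhghio.pdb.

```python
"""Recompute the PE header CheckSum so the stored/expected mismatch in this
report can be reproduced. Added example; the PE buffer below is constructed."""
import struct
import sys


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (identical for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # 4 (signature) + 20 (COFF file header) + 64 (CheckSum offset in the optional header)
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """Sum 32-bit words with end-around carry, skipping the CheckSum field,
    fold to 16 bits, then add the file length (CheckSumMappedFile semantics)."""
    skip_index = checksum_field_offset(data) // 4
    remainder = len(data) % 4
    padded = data + b"\0" * ((4 - remainder) % 4)   # last partial word is zero-padded
    total = 0
    for i in range(len(padded) // 4):
        if i == skip_index:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)   # original length, not the padded one


def verify(data: bytes):
    """Return (stored, computed, matches) for a PE image in memory."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = pe_checksum(data)
    return stored, computed, stored == computed


def patch_checksum(data: bytes) -> bytes:
    """Return a copy of the image with a correct CheckSum written in."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def build_minimal_pe(stored_checksum: int = 0xDEADBEEF) -> bytes:
    """Constructed 256-byte header-only image: MZ stub, e_lfanew=0x40, PE signature,
    PE32 magic, and an arbitrary value in the CheckSum field. Not a runnable executable."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x58, 0x10B)           # optional header magic (PE32)
    struct.pack_into("<I", buf, 0x58 + 64, stored_checksum)
    return bytes(buf)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    stored, computed, ok = verify(image)
    print(f"stored checksum: {stored:#x}  computed: {computed:#x}  {'OK' if ok else 'MISMATCH'}")
```

Run it with the sample path as the first argument to reproduce the report's figures; with no argument it checks the constructed buffer, whose correct checksum works out to 0xA1E8 (the four non-zero header words 0x5A4D, 0x40, 0x4550 and 0x10B summed, plus the 256-byte length).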

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\msrarunning.exe Executable created and started: C:\Windows\SysWOW64\msrarunning.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe PE file moved: C:\Windows\SysWOW64\msrarunning.exe
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AADD51 StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_00AADD51

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe File opened: C:\Windows\SysWOW64\msrarunning.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
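The Zone.Identifier line is worth reading together with the "PE file moved" line under Persistence and Installation Behavior. A file moved or copied within an NTFS volume keeps its alternate data streams, so the mark-of-the-web that the downloaded sample carried travels with the copy into C:\Windows\SysWOW64, and the dropper has to remove it explicitly; the access mask the sandbox logged (read attributes | delete) is what a DeleteFile on the stream name produces. Unblocking a download in the user's own profile produces the same stream deletion, so the signal is the pair of events, not the deletion alone. The following is an added example, not the sandbox's detection logic: a Python correlation over behavior lines in this report's format, plus a parser for the stream's contents. The event lines are constructed copies of the ones on this page; the explorer.exe control line and the file name in it are invented for contrast.

```python
import re
from typing import Dict, List

# Event shapes as this report prints them. The regexes are this example's own.
DROP_RE = re.compile(
    r"^Source: (?P<proc>.+?\.exe) (?:PE file moved|Executable created and started): (?P<path>.+)$",
    re.I,
)
STREAM_RE = re.compile(
    r"^Source: (?P<proc>.+?\.exe) File opened: (?P<path>.+?):Zone\.Identifier (?P<access>.+)$",
    re.I,
)
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")

# Zone numbers as Windows stores them in the ZoneId= line of the stream.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(stream: str) -> Dict[str, str]:
    """Parse the INI-style body of a <file>:Zone.Identifier stream ([ZoneTransfer] section)."""
    fields: Dict[str, str] = {}
    for line in stream.splitlines():
        if "=" in line and not line.startswith("["):
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        fields["Zone"] = ZONES.get(int(fields["ZoneId"]), "unknown")
    return fields


def correlate(events: List[str]) -> List[Dict[str, str]]:
    """Flag Zone.Identifier deletions on PE files that some process dropped into a system directory."""
    dropped: Dict[str, str] = {}            # normalised path -> first process that dropped it
    findings: List[Dict[str, str]] = []
    for line in events:
        m = DROP_RE.match(line)
        if m and m["path"].lower().startswith(SYSTEM_DIRS):
            dropped.setdefault(m["path"].lower(), m["proc"])
            continue
        m = STREAM_RE.match(line)
        if m and "delete" in m["access"].lower() and m["path"].lower() in dropped:
            findings.append({"dropper": dropped[m["path"].lower()], "stripper": m["proc"], "path": m["path"]})
    return findings


# Constructed from the lines in this report; the last line is an invented benign control.
EVENTS = [
    r"Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe PE file moved: C:\Windows\SysWOW64\msrarunning.exe",
    r"Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe File opened: C:\Windows\SysWOW64\msrarunning.exe:Zone.Identifier read attributes | delete",
    r"Source: C:\Windows\SysWOW64\msrarunning.exe Executable created and started: C:\Windows\SysWOW64\msrarunning.exe",
    r"Source: C:\Windows\explorer.exe File opened: C:\Users\user\Downloads\invoice.pdf:Zone.Identifier read attributes | delete",
]

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
    print(parse_zone_identifier("[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/x.exe\r\n"))
```

The same correlation maps directly onto endpoint telemetry: a file-create or rename into %SystemRoot% followed by a delete of "<same path>:Zone.Identifier" from the same process tree, which is considerably rarer in normal operation than either event on its own.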

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe RDTSC instruction interceptor: First address: 0000000000B33AF1 second address: 0000000000B33AF7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edx 0x00000004 mov esi, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msrarunning.exe RDTSC instruction interceptor: First address: 0000000000B33AF1 second address: 0000000000B33AF7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edx 0x00000004 mov esi, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 0_2_00B3C7F0 rdtsc 0_2_00B3C7F0
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW, 1_2_00AADA7D
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: EnumServicesStatusExW,GetLastError, 1_2_00AADA24
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW, 6_2_0158DA7D
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: EnumServicesStatusExW,GetLastError, 6_2_0158DA24
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\msrarunning.exe API coverage: 9.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 3016 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000007.00000002.250563753.0000023BACEA0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.299633906.0000021FC0F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.482752660.000001879E740000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.345743598.000001FAAE860000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 00000009.00000002.484316810.000002EC13860000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: msrarunning.exe, 00000006.00000003.315865067.00000000012D4000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.484208899.000002EC13853000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.480691086.0000021AD4602000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000009.00000002.480719156.000002EC0E229000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@Q
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%q
Source: svchost.exe, 00000007.00000002.250563753.0000023BACEA0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.299633906.0000021FC0F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.482752660.000001879E740000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.345743598.000001FAAE860000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000007.00000002.250563753.0000023BACEA0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.299633906.0000021FC0F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.482752660.000001879E740000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.345743598.000001FAAE860000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.480907992.00000251E1029000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000007.00000002.250563753.0000023BACEA0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.299633906.0000021FC0F40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.482752660.000001879E740000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.345743598.000001FAAE860000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: svchost.exe, 0000000D.00000002.480881764.0000021AD463E000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll @
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 0_2_00B3C7F0 rdtsc 0_2_00B3C7F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA1A36 LoadLibraryA,GetProcAddress, 1_2_00AA1A36
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA21B0 mov eax, dword ptr fs:[00000030h] 1_2_00AA21B0
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA1530 mov eax, dword ptr fs:[00000030h] 1_2_00AA1530
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 5_2_00B121B0 mov eax, dword ptr fs:[00000030h] 5_2_00B121B0
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 5_2_00B11530 mov eax, dword ptr fs:[00000030h] 5_2_00B11530
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_01581530 mov eax, dword ptr fs:[00000030h] 6_2_01581530
Source: C:\Windows\SysWOW64\msrarunning.exe Code function: 6_2_015821B0 mov eax, dword ptr fs:[00000030h] 6_2_015821B0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA17C0 GetProcessHeap,RtlAllocateHeap, 1_2_00AA17C0
Source: svchost.exe, 0000000F.00000002.481794332.00000174B4790000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: svchost.exe, 0000000F.00000002.481794332.00000174B4790000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 0000000F.00000002.481794332.00000174B4790000.00000002.00000001.sdmp Binary or memory string: Progman
Source: svchost.exe, 0000000F.00000002.481794332.00000174B4790000.00000002.00000001.sdmp Binary or memory string: Progmanlock
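The RDTSC interceptor lines under Malware Analysis System Evasion give the exact probe (rdtsc; mov ecx, edx; mov esi, eax; rdtsc: the first timestamp is parked in ecx:esi, the second is read immediately after, and the difference is presumably compared with a threshold that an intercepted or emulated rdtsc exceeds), and the "read the PEB" lines are mov eax, fs:[30h], the load that precedes a BeingDebugged or NtGlobalFlag check. The following is an added example, not the sandbox's or the sample's code: a Python scanner that finds both byte patterns in a raw code dump such as the unpacked regions listed under the Yara matches. It goes a little beyond the report by also matching the ModRM encoding of the PEB read into any 32-bit register. The SAMPLE blob is constructed from the instructions quoted above, not extracted from the sample, and the base address in the usage block is chosen so the first hit lands on the address the report prints. Both patterns also occur in benign code (CRT start-up, profilers, TLS access), so hits are triage leads to confirm in a disassembler, not a verdict.

```python
import re
from typing import Dict, List, Tuple

RDTSC = b"\x0f\x31"   # rdtsc opcode

# mov r32, dword ptr fs:[30h]: 64 8B /r with mod=00, r/m=101 (disp32) and disp32 = 0x30;
# the ModRM byte selects the destination register (05=eax, 0D=ecx, 15=edx, ..., 3D=edi).
# mov eax, fs:[30h] also has the short moffs32 form 64 A1 30 00 00 00, which is the one the report shows.
PEB_READ = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00")
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_rdtsc_pairs(code: bytes, max_gap: int = 16) -> List[Tuple[int, int]]:
    """Offsets of consecutive rdtsc instructions no more than max_gap bytes apart."""
    offs = [m.start() for m in re.finditer(re.escape(RDTSC), code)]
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= max_gap]


def find_peb_reads(code: bytes) -> List[Tuple[int, str]]:
    """Offsets and destination registers of fs:[30h] (PEB pointer) reads."""
    hits = []
    for m in PEB_READ.finditer(code):
        raw = m.group(0)
        reg = "eax" if raw[1] == 0xA1 else REG32[(raw[2] >> 3) & 7]
        hits.append((m.start(), reg))
    return hits


def scan(code: bytes, base: int = 0) -> Dict[str, list]:
    """Rebase the hits so they read like the sandbox's 'First address / second address' lines."""
    return {
        "rdtsc_pairs": [(base + a, base + b, b - a) for a, b in find_rdtsc_pairs(code)],
        "peb_reads": [(base + off, reg) for off, reg in find_peb_reads(code)],
    }


# Constructed blob: the report's rdtsc sequence, two PEB reads, and a far-apart rdtsc pair of
# the kind benign timing code contains. These are not bytes from the sample.
SAMPLE = (
    b"\x55\x8b\xec"                                            # push ebp; mov ebp, esp
    + b"\x0f\x31" + b"\x8b\xca" + b"\x8b\xf0" + b"\x0f\x31"    # rdtsc; mov ecx, edx; mov esi, eax; rdtsc
    + b"\x90" * 20
    + b"\x64\xa1\x30\x00\x00\x00"                              # mov eax, fs:[30h]
    + b"\x64\x8b\x0d\x30\x00\x00\x00"                          # mov ecx, fs:[30h]
    + b"\x0f\x31" + b"\x90" * 40 + b"\x0f\x31"                 # two rdtsc 42 bytes apart: ignored by default
)

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE, base=0xB33AEE).items():
        print(kind, hits)
```

To run it over this sample, feed it the bytes of an unpacked region (the .unpack artifacts under "Yara detected Emotet") with that region's load address as base; the gap in each rdtsc pair tells you how many bytes of bookkeeping sit between the two reads, which is usually enough to spot the comparison that follows.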

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msrarunning.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe Code function: 1_2_00AA277F RtlGetVersion,GetNativeSystemInfo, 1_2_00AA277F
Source: C:\Windows\SysWOW64\msrarunning.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000013.00000002.480614182.000002A6ECD02000.00000004.00000001.sdmp Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000013.00000002.480614182.000002A6ECD02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000000.00000002.212288486.0000000000D21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.229142026.0000000000B11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.482015534.0000000001581000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.230150499.0000000000AA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.HU4TEm4Vr7.exe.d20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.HU4TEm4Vr7.exe.aa0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.msrarunning.exe.1580000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.msrarunning.exe.b10000.2.unpack, type: UNPACKEDPE

Behavior Graph

Graph ID: 408099  Sample: HU4TEm4Vr7  Start date: 08/05/2021  Architecture: WINDOWS  Score: 100

Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures.

Process tree and attached signatures:
  msrarunning.exe [Detected Emotet e-Banking trojan; Drops executables to the windows directory (C:\Windows) and starts them; Tries to detect virtualization through RDTSC time measurements]
    -> msrarunning.exe, which contacts 187.205.170.3 port 990 and 189.152.183.239 port 80 (UninetSAdeCVMX, Mexico) and 3 other IPs or domains
  HU4TEm4Vr7.exe
    -> HU4TEm4Vr7.exe [Hides that the sample has been downloaded from the Internet (zone.identifier)]
  svchost.exe [Changes security center settings (notifications, updates, antivirus, firewall)]
    -> MpCmdRun.exe
      -> conhost.exe
  10 other processes (127.0.0.1)

Contacted Public IPs

IP               Domain   Country               ASN    ASN Name                             Malicious
189.152.183.239  unknown  Mexico                8151   UninetSAdeCVMX                       false
105.228.198.254  unknown  South Africa          37457  Telkom-InternetZA                    false
187.205.170.3    unknown  Mexico                8151   UninetSAdeCVMX                       false
169.0.142.82     unknown  South Africa          37611  AfrihostZA                           false
83.110.95.159    unknown  United Arab Emirates  5384   EMIRATES-INTERNETEmiratesInternetAE  false

Private IPs

IP
127.0.0.1