
Analysis Report HU4TEm4Vr7

Overview

General Information

Sample Name: HU4TEm4Vr7 (renamed file extension from none to exe)
Analysis ID: 408099
MD5: b15d974f421d3e19332c6094e56e314d
SHA1: b15f580af5e3e774fe02d8e7f1bce6fc250c05e6
SHA256: bc92df452b140f3ec4d88796ed0b9a5c74514349e785505ad55f0b82b1c9c1fa

Detection

Emotet
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara signature match

Startup

  • System is w10x64
  • HU4TEm4Vr7.exe (PID: 4084 cmdline: 'C:\Users\user\Desktop\HU4TEm4Vr7.exe' MD5: B15D974F421D3E19332C6094E56E314D)
    • HU4TEm4Vr7.exe (PID: 1084 cmdline: C:\Users\user\Desktop\HU4TEm4Vr7.exe MD5: B15D974F421D3E19332C6094E56E314D)
  • msrarunning.exe (PID: 5772 cmdline: C:\Windows\SysWOW64\msrarunning.exe MD5: B15D974F421D3E19332C6094E56E314D)
    • msrarunning.exe (PID: 5800 cmdline: C:\Windows\SysWOW64\msrarunning.exe MD5: B15D974F421D3E19332C6094E56E314D)
  • svchost.exe (PID: 5920 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5812 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4872 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5900 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5728 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2588 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1752 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1256 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 4300 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6176 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 7056 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6616 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
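The Startup tree above already states the central fact of this run: the submitted file's hash (B15D974F421D3E19332C6094E56E314D) reappears as C:\Windows\SysWOW64\msrarunning.exe, which then runs as a second process pair. As an added example that is not part of the Joe Sandbox report, the Python below parses a process tree in this page's text format, rebuilds parent/child links from the indentation, and reports every process that runs the sample's bytes from a path under the Windows directory (the behaviour behind the "Drops executables to the windows directory (C:\Windows) and starts them" signature). The tree text is transcribed from this page; the two-spaces-per-level nesting is an assumption about the export format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_MD5 = "B15D974F421D3E19332C6094E56E314D"
SAMPLE_IMAGE = r"C:\Users\user\Desktop\HU4TEm4Vr7.exe"

# Transcribed from the Startup tree on this page (constructed input for the
# example; nesting is assumed to be two spaces per level).
STARTUP_TREE = r"""
  • System is w10x64
  • HU4TEm4Vr7.exe (PID: 4084 cmdline: 'C:\Users\user\Desktop\HU4TEm4Vr7.exe' MD5: B15D974F421D3E19332C6094E56E314D)
    • HU4TEm4Vr7.exe (PID: 1084 cmdline: C:\Users\user\Desktop\HU4TEm4Vr7.exe MD5: B15D974F421D3E19332C6094E56E314D)
  • msrarunning.exe (PID: 5772 cmdline: C:\Windows\SysWOW64\msrarunning.exe MD5: B15D974F421D3E19332C6094E56E314D)
    • msrarunning.exe (PID: 5800 cmdline: C:\Windows\SysWOW64\msrarunning.exe MD5: B15D974F421D3E19332C6094E56E314D)
  • svchost.exe (PID: 5920 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6176 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 7056 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
"""

LINE_RX = re.compile(
    r"^(?P<indent> *)• (?P<name>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)


@dataclass
class Proc:
    pid: int
    name: str
    image: str            # executable path taken from the command line
    md5: str
    parent: Optional[int]  # None for a root of the tree


def image_path(cmdline: str) -> str:
    """Return the executable path from a quoted or bare command line."""
    if cmdline.startswith("'"):
        return cmdline[1:cmdline.index("'", 1)]
    return cmdline.split(" ", 1)[0]


def parse_tree(text: str, indent_width: int = 2) -> List[Proc]:
    """Parse the bullet tree; indentation depth decides the parent."""
    procs: List[Proc] = []
    stack = []  # (depth, pid) of the currently open ancestors
    for line in text.splitlines():
        m = LINE_RX.match(line)
        if not m:
            continue  # e.g. "• System is w10x64"
        depth = len(m["indent"]) // indent_width
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent = stack[-1][1] if stack else None
        proc = Proc(int(m["pid"]), m["name"], image_path(m["cmd"]), m["md5"].upper(), parent)
        procs.append(proc)
        stack.append((depth, proc.pid))
    return procs


def children(procs: List[Proc], pid: int) -> List[Proc]:
    return [p for p in procs if p.parent == pid]


def dropped_copies(procs: List[Proc], sample_md5: str = SAMPLE_MD5,
                   sample_image: str = SAMPLE_IMAGE) -> List[Proc]:
    """Processes running the sample's bytes from a path under the Windows directory."""
    sample_dir = sample_image.rsplit("\\", 1)[0].lower()
    hits = []
    for p in procs:
        same_bytes = p.md5 == sample_md5.upper()
        in_windows = p.image.lower().startswith("c:\\windows\\")
        outside_origin = not p.image.lower().startswith(sample_dir + "\\")
        if same_bytes and in_windows and outside_origin:
            hits.append(p)
    return hits


if __name__ == "__main__":
    tree = parse_tree(STARTUP_TREE)
    for p in dropped_copies(tree):
        kids = [c.pid for c in children(tree, p.pid)]
        print(f"PID {p.pid} {p.image} md5={p.md5} parent={p.parent} children={kids}")
```

The same rule applied to the full tree also surfaces the second fact worth noting here: the two flagged processes have no parent in the exported tree, while the sample's own child (PID 1084) does, so the copy was started from outside the sample's process lineage, consistent with the service-creation calls listed later on this page.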

Malware Configuration

No configs have been found

Yara Overview

Identifier conventions used below: in a memory-dump name such as 00000006.00000002.482015534.0000000001581000.00000020.00000001.sdmp the first field is the process index (0 and 1 are the two HU4TEm4Vr7.exe processes, 5 and 6 the two msrarunning.exe processes), the second is the analysis phase and the fourth is the address of the dumped region; an .unpack name such as 6.2.msrarunning.exe.1580000.3.unpack carries the same process index and the image base at which the payload was found. The three $snippet4 hits shown differ only in one address byte (D3, B2, AB), which tracks the respective base (0xD20000, 0xB10000, 0xAA0000): the matched code is identical, merely relocated.

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.212288486.0000000000D21000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.212288486.0000000000D21000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly | 0x5b80:$snippet4: 33 C0 C7 05 C0 4C D3 00 D0 0A D3 00 C7 05 C4 4C D3 00 D0 0A D3 00 A3 C8 4C D3 00 A3 CC 4C D3 00 ...
00000005.00000002.229142026.0000000000B11000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000005.00000002.229142026.0000000000B11000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly | 0x5b80:$snippet4: 33 C0 C7 05 C0 4C B2 00 D0 0A B2 00 C7 05 C4 4C B2 00 D0 0A B2 00 A3 C8 4C B2 00 A3 CC 4C B2 00 ...
00000006.00000002.482015534.0000000001581000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(3 further entries are collapsed on the original page)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.HU4TEm4Vr7.exe.d20000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.HU4TEm4Vr7.exe.d20000.3.unpack | Emotet | Emotet Payload | kevoreilly | 0x5f80:$snippet4: 33 C0 C7 05 C0 4C D3 00 D0 0A D3 00 C7 05 C4 4C D3 00 D0 0A D3 00 A3 C8 4C D3 00 A3 CC 4C D3 00 ...
1.2.HU4TEm4Vr7.exe.aa0000.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.HU4TEm4Vr7.exe.aa0000.2.unpack | Emotet | Emotet Payload | kevoreilly | 0x5f80:$snippet4: 33 C0 C7 05 C0 4C AB 00 D0 0A AB 00 C7 05 C4 4C AB 00 D0 0A AB 00 A3 C8 4C AB 00 A3 CC 4C AB 00 ...
6.2.msrarunning.exe.1580000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(3 further entries are collapsed on the original page)
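The $snippet4 hits above are the same instructions (xor eax,eax; two mov dword ptr [addr],imm32; two mov [addr],eax) with absolute addresses that move with the image base, which is why a rule written from one dump's literal bytes would miss the others. As an added example, not the page's or kevoreilly's rule, the Python below compiles a YARA-style hex pattern with ?? wildcards into a bytes regex, scans a constructed buffer holding the three hits from this page plus a fourth variant constructed for the 0x1580000 base of the 6.2 dump (that hit is collapsed on the page, so its bytes are derived, not quoted), and recovers the image base of each hit from the first absolute address in the match. The RVA 0x14CC0 used for that recovery is the constant difference between that address and the dump base in all three reported hits; it is read off the page, not from any public Emotet documentation.

```python
import re
from typing import Dict, List

# $snippet4 bytes exactly as listed in the report, keyed by the image base of
# the dump they came from (0.2 -> 0xD20000, 5.2 -> 0xB10000, 1.2 -> 0xAA0000).
REPORTED_HITS: Dict[int, str] = {
    0xD20000: "33 C0 C7 05 C0 4C D3 00 D0 0A D3 00 C7 05 C4 4C D3 00 D0 0A D3 00 A3 C8 4C D3 00 A3 CC 4C D3 00",
    0xB10000: "33 C0 C7 05 C0 4C B2 00 D0 0A B2 00 C7 05 C4 4C B2 00 D0 0A B2 00 A3 C8 4C B2 00 A3 CC 4C B2 00",
    0xAA0000: "33 C0 C7 05 C0 4C AB 00 D0 0A AB 00 C7 05 C4 4C AB 00 D0 0A AB 00 A3 C8 4C AB 00 A3 CC 4C AB 00",
}
# Constructed, not taken from the page: the same instructions relocated to
# 0x1580000, the base of the 6.2 msrarunning.exe dump. Here the fourth address
# byte changes as well (0x01594CC0), which a one-byte wildcard would miss.
CONSTRUCTED_HIT = (0x1580000,
    "33 C0 C7 05 C0 4C 59 01 D0 0A 59 01 C7 05 C4 4C 59 01 D0 0A 59 01 A3 C8 4C 59 01 A3 CC 4C 59 01")

# Relocatable form of $snippet4 (YARA-style, ?? = any one byte).
RELOCATABLE = (
    "33 C0 "                           # xor  eax, eax
    "C7 05 C0 4C ?? ?? D0 0A ?? ?? "   # mov  dword ptr [base+0x14CC0], base+0x10AD0
    "C7 05 C4 4C ?? ?? D0 0A ?? ?? "   # mov  dword ptr [base+0x14CC4], base+0x10AD0
    "A3 C8 4C ?? ?? "                  # mov  [base+0x14CC8], eax
    "A3 CC 4C ?? ??"                   # mov  [base+0x14CCC], eax
)
ONE_BYTE_WILDCARD = RELOCATABLE.replace("?? ??", "?? 00")  # too narrow; kept for comparison
GLOBAL_RVA = 0x14CC0  # (first disp32) - (image base), identical in all three reported hits


def compile_hex_pattern(pattern: str) -> "re.Pattern":
    """Turn 'AA ?? BB' into a bytes regex; ?? matches exactly one arbitrary byte."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def find_hits(buf: bytes, pattern: str) -> List[int]:
    """Offsets at which the pattern occurs in buf."""
    return [m.start() for m in compile_hex_pattern(pattern).finditer(buf)]


def image_base_at(buf: bytes, off: int) -> int:
    """Recover the image base from the disp32 of the first 'mov dword ptr [disp32], imm32'."""
    disp32 = int.from_bytes(buf[off + 4:off + 8], "little")
    return disp32 - GLOBAL_RVA


def build_sample_buffer() -> bytes:
    """Constructed 'memory': each variant between NOP (0x90) and INT3 (0xCC) padding."""
    buf = bytearray()
    for hexstr in list(REPORTED_HITS.values()) + [CONSTRUCTED_HIT[1]]:
        buf += b"\x90" * 16 + bytes.fromhex(hexstr) + b"\xcc" * 16
    return bytes(buf)


def recovered_bases(pattern: str = RELOCATABLE, buf: bytes = None) -> List[int]:
    """Image bases of every hit of pattern in buf (the constructed buffer by default)."""
    buf = build_sample_buffer() if buf is None else buf
    return [image_base_at(buf, off) for off in find_hits(buf, pattern)]


if __name__ == "__main__":
    for name, pat in (("literal 0.2 bytes", REPORTED_HITS[0xD20000]),
                      ("one-byte wildcard", ONE_BYTE_WILDCARD),
                      ("relocatable", RELOCATABLE)):
        print(f"{name:18}: bases {[hex(b) for b in recovered_bases(pat)]}")
```

The literal bytes match one dump, the one-byte wildcard matches the three dumps below 0x1000000 and misses the 0x1580000 variant, and the fully wildcarded form matches all four; in a real rule the same bytes would go into a YARA `$snippet4 = { 33 C0 C7 05 C0 4C ?? ?? ... }` string, with the base recovery done from the match offset exactly as `image_base_at` does here.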

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: HU4TEm4Vr7.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: HU4TEm4Vr7.exe | Virustotal: Detection: 80%
Source: HU4TEm4Vr7.exe | Metadefender: Detection: 67%
Source: HU4TEm4Vr7.exe | ReversingLabs: Detection: 100%
Machine Learning detection for sample
Source: HU4TEm4Vr7.exe | Joe Sandbox ML: detected

CryptoAPI call sites found by static analysis of the unpacked code. Process index 1 is HU4TEm4Vr7.exe (PID 1084, image base 0xAA0000) and process index 6 is msrarunning.exe (image base 0x1580000); every function below sits at the same offset from both bases, so the dropped copy runs the same payload. Taken together the calls are those of code that imports a key blob (CryptImportKey), generates and exports a key of its own (CryptGenKey, CryptExportKey), encrypts and decrypts with it (CryptEncrypt, CryptDecrypt) and verifies a signature (CryptVerifySignatureW):
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2496 CryptDestroyHash
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA24F6 CryptDuplicateHash,CryptDecrypt,CryptDestroyHash
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2406 CryptDuplicateHash
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2466 CryptEncrypt,CryptDestroyHash
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2595 CryptVerifySignatureW,CryptDestroyHash
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA22C9 CryptGetHashParam
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2279 CryptExportKey
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA23B7 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2399 CryptGenKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2335 CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2314 CryptReleaseContext
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582496 CryptDestroyHash
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582314 CryptDecodeObjectEx,CryptReleaseContext
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582335 CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582399 CryptGenKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_015823B7 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582279 CryptExportKey
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_015822F5 CryptAcquireContextW
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582595 CryptVerifySignatureW,CryptDestroyHash
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582466 CryptEncrypt,CryptDestroyHash
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582406 CryptDuplicateHash
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_015824F6 CryptDuplicateHash,CryptDecrypt,CryptDestroyHash
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_015822C9 CryptGetHashParam

Static PE information:
Source: HU4TEm4Vr7.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HU4TEm4Vr7.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: HU4TEm4Vr7.exe | Binary string (PDB path left in the file): uigjhghio.pdb
Network traffic (the sandbox host is 192.168.2.3; all five peers are addressed by IP, on ports 7080, 990, 8080 and 80):
Source: global traffic | TCP traffic: 192.168.2.3:49726 -> 105.228.198.254:7080
Source: global traffic | TCP traffic: 192.168.2.3:49731 -> 83.110.95.159:990
Source: global traffic | TCP traffic: 192.168.2.3:49738 -> 169.0.142.82:8080
Source: global traffic | TCP traffic: 192.168.2.3:49742 -> 187.205.170.3:990
Source: global traffic | TCP traffic: 192.168.2.3:49739 -> 189.152.183.239:80
Source: unknown | TCP traffic detected without corresponding DNS query (each listed three times on the original page): 105.228.198.254, 169.0.142.82, 189.152.183.239, 187.205.170.3
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01581628 InternetReadFile

URLs found in the memory of the dropped copy (msrarunning.exe, process index 6). The characters after the path separator are whatever followed the URL in memory and are not part of the address:
Source: msrarunning.exe, 00000006.00000003.315865067.00000000012D4000.00000004.00000001.sdmp | http://105.228.198.254:7080/
Source: msrarunning.exe, 00000006.00000003.315865067.00000000012D4000.00000004.00000001.sdmp | http://105.228.198.254:7080/E
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | http://169.0.142.82:8080/
Source: msrarunning.exe, 00000006.00000003.407481618.00000000012D4000.00000004.00000001.sdmp | http://169.0.142.82:8080/54
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | http://169.0.142.82:8080/nd
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | http://169.0.142.82:8080/vd
Source: msrarunning.exe, 00000006.00000002.480504793.0000000000EFC000.00000004.00000001.sdmp and 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | http://187.205.170.3:990/
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | http://187.205.170.3:990/.95.159:990/
Source: msrarunning.exe, 00000006.00000002.481824760.00000000012D5000.00000004.00000020.sdmp | http://187.205.170.3:990/54
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | http://187.205.170.3:990/Nd
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | http://187.205.170.3:990/fd
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | http://189.152.183.239/
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | http://189.152.183.239/Y
Source: msrarunning.exe, 00000006.00000002.481824760.00000000012D5000.00000004.00000020.sdmp | http://189.152.183.239/t
Source: msrarunning.exe, 00000006.00000003.407481618.00000000012D4000.00000004.00000001.sdmp | http://83.110.95.159:990/
Source: msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp | http://83.110.95.159:990/&d7-
Source: msrarunning.exe, 00000006.00000002.481824760.00000000012D5000.00000004.00000020.sdmp | http://83.110.95.159:990/0
Source: msrarunning.exe, 00000006.00000003.407481618.00000000012D4000.00000004.00000001.sdmp | http://83.110.95.159:990/54Q
Source: msrarunning.exe, 00000006.00000003.407481618.00000000012D4000.00000004.00000001.sdmp | http://83.110.95.159:990/V

URLs found in the memory of Windows service hosts (svchost.exe, process indexes 9, 0xE and 0x11), grouped by dump. These are Microsoft service endpoints (certificate revocation, Windows notification and activity services, Xbox Live, Bing Maps) referenced by the sandbox's own Windows services; nothing on the page ties them to the sample:
svchost.exe, 00000009.00000002.483913722.000002EC13812000.00000004.00000001.sdmp:
  http://crl3.digicert.com/Omniroot2025.crl0
  http://ocsp.digicert.com0:
  http://ocsp.msocsp.com0
svchost.exe, 00000009.00000002.484840244.000002EC13B10000.00000002.00000001.sdmp:
  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
svchost.exe, 00000011.00000002.308960216.000001569B613000.00000004.00000001.sdmp:
  http://www.bingmapsportal.com
  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= (also in 00000011.00000002.309004954.000001569B63D000.00000004.00000001.sdmp)
svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp:
  https://%s.dnet.xboxlive.com
  https://%s.xboxlive.com
  https://activity.windows.com
  https://activity.windows.comr
  https://bn2.notify.windows.com/v2/register/xplatform/device
  https://co4-df.notify.windows.com/v2/register/xplatform/device
svchost.exe, 00000011.00000003.308415825.000001569B661000.00000004.00000001.sdmp:
  https://appexmapsappupdate.blob.core.windows.net
  https://dev.ditu.live.com/REST/v1/Locations
  https://dev.ditu.live.com/mapcontrol/logging.ashx
  https://dev.virtualearth.net/REST/v1/Locations
  https://dev.virtualearth.net/REST/v1/Routes/Driving
  https://dev.virtualearth.net/REST/v1/Routes/Transit
  https://dev.virtualearth.net/REST/v1/Routes/Walking
  https://dev.virtualearth.net/mapcontrol/logging.ashx
  https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
svchost.exe, 00000011.00000003.308467618.000001569B65A000.00000004.00000001.sdmp:
  https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
  https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
svchost.exe, 00000011.00000002.309028609.000001569B65C000.00000004.00000001.sdmp:
  https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
  https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
  https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
  https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
  https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
  https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
svchost.exe, 00000011.00000002.309004954.000001569B63D000.00000004.00000001.sdmp:
  https://dev.ditu.live.com/REST/v1/Routes/
  https://dev.virtualearth.net/REST/v1/Routes/
  https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
svchost.exe, 00000011.00000003.308432109.000001569B648000.00000004.00000001.sdmp:
  https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
  https://t0.tiles.ditu.live.com/tiles/gen
svchost.exe, 00000011.00000003.308508445.000001569B640000.00000004.00000001.sdmp:
  https://dev.virtualearth.net/REST/v1/Transit/Schedules/
  https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
svchost.exe, 00000011.00000003.308397736.000001569B664000.00000004.00000001.sdmp:
  https://dynamic.t
svchost.exe, 00000011.00000003.286711862.000001569B632000.00000004.00000001.sdmp:
  https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
  https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
  https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen

Source: HU4TEm4Vr7.exe, 00000000.00000002.212318844.0000000000D9A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
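Two things in the network section are worth turning into a repeatable check: every peer is a literal IP address with no DNS lookup, and the memory strings corroborate exactly the endpoints the sandbox saw contacted, while the other URLs on the page are hostnames held by Windows' own svchost.exe processes. As an added example that is not part of the Joe Sandbox report, the Python below reads the two kinds of lines in this page's format (a transcribed subset is embedded as constructed input), keeps only literal-IP URLs with globally routable addresses, intersects them with the observed connections, and emits defanged indicators plus Suricata alert rules for the result. The Suricata syntax is standard; the sid_base value and the message text are placeholders for a local rule set.

```python
import re
import ipaddress
from collections import Counter
from typing import List, Set, Tuple

Endpoint = Tuple[str, int]

# Transcribed from this report (constructed input for the example): a subset of
# the "String found in binary or memory" lines and the "global traffic" lines.
# Everything after the first "/" in a string is whatever followed the URL in memory.
MEMORY_STRINGS = """
msrarunning.exe, 00000006.00000003.315865067.00000000012D4000.00000004.00000001.sdmp String found in binary or memory: http://105.228.198.254:7080/E
msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp String found in binary or memory: http://169.0.142.82:8080/nd
msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp String found in binary or memory: http://187.205.170.3:990/.95.159:990/
msrarunning.exe, 00000006.00000002.481678795.0000000001297000.00000004.00000020.sdmp String found in binary or memory: http://189.152.183.239/Y
msrarunning.exe, 00000006.00000003.407481618.00000000012D4000.00000004.00000001.sdmp String found in binary or memory: http://83.110.95.159:990/54Q
svchost.exe, 00000009.00000002.483913722.000002EC13812000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
svchost.exe, 0000000E.00000002.480441275.000001879DA41000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
"""
OBSERVED_TRAFFIC = """
global traffic TCP traffic: 192.168.2.3:49726 -> 105.228.198.254:7080
global traffic TCP traffic: 192.168.2.3:49731 -> 83.110.95.159:990
global traffic TCP traffic: 192.168.2.3:49738 -> 169.0.142.82:8080
global traffic TCP traffic: 192.168.2.3:49742 -> 187.205.170.3:990
global traffic TCP traffic: 192.168.2.3:49739 -> 189.152.183.239:80
"""

# Literal-IP URLs only. Hostnames are deliberately not matched, which already
# leaves out the Microsoft endpoints held by the sandbox's own svchost.exe.
URL_RX = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?/")
CONN_RX = re.compile(r"-> (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def endpoints_in_strings(text: str) -> Counter:
    """Count (ip, port) literals in memory strings; non-routable addresses are skipped."""
    counts: Counter = Counter()
    for ip, port in URL_RX.findall(text):
        if ipaddress.ip_address(ip).is_global:
            counts[(ip, int(port) if port else 80)] += 1
    return counts


def endpoints_in_traffic(text: str) -> Set[Endpoint]:
    """Destination (ip, port) pairs from the sandbox's connection log."""
    return {(ip, int(port)) for ip, port in CONN_RX.findall(text)}


def corroborated_c2(strings_text: str, traffic_text: str) -> List[Endpoint]:
    """Endpoints both embedded in the payload's memory and actually contacted."""
    both = set(endpoints_in_strings(strings_text)) & endpoints_in_traffic(traffic_text)
    return sorted(both, key=lambda e: (ipaddress.ip_address(e[0]), e[1]))


def defang(ep: Endpoint) -> str:
    return f"{ep[0].replace('.', '[.]')}:{ep[1]}"


def suricata_rules(endpoints: List[Endpoint], sid_base: int = 9000000) -> List[str]:
    """One alert per endpoint; sid_base is a placeholder for a local SID range."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Emotet C2 endpoint {ip}:{port} (Joe Sandbox analysis 408099)"; '
        f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port) in enumerate(endpoints)
    ]


if __name__ == "__main__":
    c2 = corroborated_c2(MEMORY_STRINGS, OBSERVED_TRAFFIC)
    print("corroborated C2:", ", ".join(defang(e) for e in c2))
    print("\n".join(suricata_rules(c2)))
```

Run against the full page the intersection is the same five endpoints as the subset yields here, which is the point of requiring both sources: a string alone may be a leftover from memory, and a connection alone may be sandbox background noise, but an address that appears in the payload's memory and is then contacted directly by IP is the one to block and hunt for.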

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AACA89
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_0158CA89
Yara detected Emotet
Source: Yara match | File source: 00000000.00000002.212288486.0000000000D21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.229142026.0000000000B11000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.482015534.0000000001581000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.230150499.0000000000AA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.HU4TEm4Vr7.exe.d20000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.HU4TEm4Vr7.exe.aa0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.msrarunning.exe.1580000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.msrarunning.exe.b10000.2.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA2335 CryptImportKey,LocalFree,CryptReleaseContext
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_01582335 CryptImportKey,LocalFree,CryptReleaseContext

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.212288486.0000000000D21000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000005.00000002.229142026.0000000000B11000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000006.00000002.482015534.0000000001581000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.230150499.0000000000AA1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.HU4TEm4Vr7.exe.d20000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.HU4TEm4Vr7.exe.aa0000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 6.2.msrarunning.exe.1580000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 5.2.msrarunning.exe.b10000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly

Code, file and service activity:
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AAC980 NtdllDefWindowProc_W
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_0158C980 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AADC10 _snwprintf,OpenServiceW,DeleteService,CloseServiceHandle
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA210D CreateProcessAsUserW
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | File deleted: C:\Windows\SysWOW64\msrarunning.exe:Zone.Identifier (the mark-of-the-web stream is removed from the dropped copy, so no download-origin prompt or check applies to it)
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 0_2_00B3A692
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 0_2_00B3B060
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 0_2_00B3B8D4
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 0_2_00B35CC0
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 0_2_00B3A330
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 0_2_00B34D6F
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 0_2_00B31357
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA56EF (listed twice on the original page)
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 5_2_00B156EF (listed twice on the original page)
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: 6_2_015856EF (listed twice on the original page)
Source: HU4TEm4Vr7.exe, 00000001.00000002.231969004.0000000002D50000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs HU4TEm4Vr7.exe
Source: HU4TEm4Vr7.exe, 00000001.00000002.232783286.0000000002E50000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs HU4TEm4Vr7.exe
Source: HU4TEm4Vr7.exe, 00000001.00000002.232783286.0000000002E50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs HU4TEm4Vr7.exe
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Section loaded: lz32.dll (listed twice on the original page)
Source: C:\Windows\SysWOW64\msrarunning.exe | Section loaded: lz32.dll (listed twice on the original page)
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: HU4TEm4Vr7.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000000.00000002.212288486.0000000000D21000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.229142026.0000000000B11000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000006.00000002.482015534.0000000001581000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.230150499.0000000000AA1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.HU4TEm4Vr7.exe.d20000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.HU4TEm4Vr7.exe.aa0000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 6.2.msrarunning.exe.1580000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 5.2.msrarunning.exe.b10000.2.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: HU4TEm4Vr7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0x1001 address: 0x0
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@20/8@0/6
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: _snwprintf,CreateServiceW,CloseServiceHandle,1_2_00AADCBB
Source: C:\Windows\SysWOW64\msrarunning.exe | Code function: _snwprintf,CreateServiceW,CloseServiceHandle,6_2_0158DCB9
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AA1C10 CreateToolhelp32Snapshot
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AADD3B ChangeServiceConfig2W
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Mutexes. The same eight hex digits CA34BF57 appear in the I- and M-prefixed names created by both the sample and the dropped copy, so that value is not process-specific; PEM168C is PEM followed by 0x168C = 5772, the PID of the first msrarunning.exe process in the Startup tree, so the PEM names change from run to run (0x238 = 568 for PEM238 matches no PID shown in the tree):
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7064:120:WilError_01
Source: C:\Windows\SysWOW64\msrarunning.exe | Mutant created: \BaseNamedObjects\Global\ICA34BF57
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\MCA34BF57
Source: C:\Windows\SysWOW64\msrarunning.exe | Mutant created: \BaseNamedObjects\PEM238
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\ICA34BF57
Source: C:\Windows\SysWOW64\msrarunning.exe | Mutant created: \BaseNamedObjects\PEM168C

Source: HU4TEm4Vr7.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts (listed twice on the original page)
Source: HU4TEm4Vr7.exe | Virustotal: Detection: 80%
Source: HU4TEm4Vr7.exe | Metadefender: Detection: 67%
Source: HU4TEm4Vr7.exe | ReversingLabs: Detection: 100%
Source: unknown |
Process created: C:\Users\user\Desktop\HU4TEm4Vr7.exe 'C:\Users\user\Desktop\HU4TEm4Vr7.exe'
              Source: C:\Users\user\Desktop\HU4TEm4Vr7.exeProcess created: C:\Users\user\Desktop\HU4TEm4Vr7.exe C:\Users\user\Desktop\HU4TEm4Vr7.exe
              Source: unknownProcess created: C:\Windows\SysWOW64\msrarunning.exe C:\Windows\SysWOW64\msrarunning.exe
              Source: C:\Windows\SysWOW64\msrarunning.exeProcess created: C:\Windows\SysWOW64\msrarunning.exe C:\Windows\SysWOW64\msrarunning.exe
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
              Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
              Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
              Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
              Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
              Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
              Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\HU4TEm4Vr7.exeProcess created: C:\Users\user\Desktop\HU4TEm4Vr7.exe C:\Users\user\Desktop\HU4TEm4Vr7.exeJump to behavior
              Source: C:\Windows\SysWOW64\msrarunning.exeProcess created: C:\Windows\SysWOW64\msrarunning.exe C:\Windows\SysWOW64\msrarunning.exeJump to behavior
              Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenableJump to behavior
              Source: C:\Users\user\Desktop\HU4TEm4Vr7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
              Source: HU4TEm4Vr7.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: HU4TEm4Vr7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: uigjhghio.pdb source: HU4TEm4Vr7.exe
              Source: C:\Users\user\Desktop\HU4TEm4Vr7.exeCode function: 1_2_00AA1A36 LoadLibraryA,GetProcAddress,1_2_00AA1A36
              Source: HU4TEm4Vr7.exeStatic PE information: real checksum: 0x1000 should be: 0x915d4

              Persistence and Installation Behavior:

              Drops executables to the windows directory (C:\Windows) and starts them
              Source: C:\Windows\SysWOW64\msrarunning.exe | Executable created and started: C:\Windows\SysWOW64\msrarunning.exe
              Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | PE file moved: C:\Windows\SysWOW64\msrarunning.exe
              Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | Code function: 1_2_00AADD51 StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_00AADD51

              Hooking and other Techniques for Hiding and Protection:

              Hides that the sample has been downloaded from the Internet (zone.identifier)
              Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | File opened: C:\Windows\SysWOW64\msrarunning.exe:Zone.Identifier read attributes | delete
              Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Tries to detect virtualization through RDTSC time measurements
              Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | RDTSC instruction interceptor: First address: 0000000000B33AF1 second address: 0000000000B33AF7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edx 0x00000004 mov esi, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\msrarunning.exe | RDTSC instruction interceptor: First address: 0000000000B33AF1 second address: 0000000000B33AF7 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edx 0x00000004 mov esi, eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\HU4TEm4Vr7.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}