Windows Analysis Report mormanti.exe

Overview

General Information

Sample Name: mormanti.exe
Analysis ID: 449959
MD5: 6c94edfea6e5ee001b00122c9d01bd8a
SHA1: a8d0cc5088ee86c2be77afe157695d12e951f369
SHA256: 0154d1d06e755bda091168038f25c1dde101e3b77c66f88b73c71be84ffdaf6e

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: mormanti.exe Avira: detected
Found malware configuration
Source: 0.2.mormanti.exe.2db053f.1.raw.unpack Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["58.171.153.81:80", "104.131.103.128:443", "66.228.49.173:8080", "104.131.103.37:8080", "149.62.173.247:8080", "72.47.248.48:7080", "68.183.170.114:8080", "81.198.69.61:80", "217.13.106.14:8080", "77.90.136.129:8080", "217.199.160.224:7080", "178.79.163.131:8080", "2.47.112.152:80", "83.169.21.32:7080", "190.163.31.26:80", "185.94.252.27:443", "12.162.84.2:8080", "73.116.193.136:80", "177.72.13.80:80", "116.125.120.88:443", "213.181.91.224:80", "104.131.41.185:8080", "46.28.111.142:7080", "181.129.96.162:8080", "189.2.177.210:443", "111.67.12.221:8080", "189.194.58.119:80", "51.255.165.160:8080", "170.81.48.2:80", "177.74.228.34:80", "70.32.84.74:8080", "213.60.96.117:80", "186.250.52.226:8080", "70.32.115.157:8080", "190.190.148.27:8080", "204.225.249.100:7080", "192.241.143.52:8080", "202.62.39.111:80", "82.76.111.249:443", "190.147.137.153:443", "80.249.176.206:80", "91.219.169.180:80", "212.71.237.140:8080", "114.109.179.60:80", "5.196.35.138:7080", "87.106.46.107:8080", "190.6.193.152:8080", "172.104.169.32:8080", "186.103.141.250:443", "212.231.60.98:80", "147.91.184.91:80", "50.28.51.143:8080", "61.92.159.208:8080", "187.162.248.237:80", "191.182.6.118:80", "94.206.45.18:80", "219.92.13.25:80", "145.236.8.174:80", "89.32.150.160:8080", "93.151.186.85:80", "190.17.195.202:80", "181.120.79.227:80", "177.73.0.98:443", "192.241.146.84:8080", "217.160.182.191:8080", "68.183.190.199:8080", "137.74.106.111:7080", "177.144.135.2:80", "201.213.156.176:80", "82.196.15.205:8080", "104.236.161.64:8080", "209.236.123.42:8080", "77.55.211.77:8080", "177.66.190.130:80", "143.0.87.101:80", "94.176.234.118:443", "191.99.160.58:80", "185.94.252.12:80", "45.161.242.102:80", "181.36.42.205:443"]}
Multi AV Scanner detection for submitted file
Source: mormanti.exe Virustotal: Detection: 74%
Source: mormanti.exe ReversingLabs: Detection: 82%
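The extracted configuration above consists of a base64 RSA public key and a list of ip:port C2 endpoints. The Python below is an added example and not the Joe Sandbox extractor or any code from the report: it decodes the key with a minimal DER walk (no third-party library), which also confirms that the key is a rsaEncryption SubjectPublicKeyInfo with a 768-bit modulus and exponent 65537, groups the C2 list by port, and emits one Suricata/Snort rule per endpoint. The eight C2 entries embedded are the first eight of the report's 80; the SID range 9000000+ and the rule message text are choices made for the example.

```python
"""Check the Emotet configuration the sandbox extracted: decode the embedded
RSA public key and turn the C2 list into detection artefacts.
Added example; this is not the sandbox's extractor."""
import base64
from collections import defaultdict

# Copied from the report's "Found malware configuration" entry. The C2 list
# here is the first eight of the report's 80 entries, to keep the example short.
RSA_PUBLIC_KEY_B64 = (
    "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\n"
    "uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n"
    "6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"
)
C2_LIST = [
    "58.171.153.81:80", "104.131.103.128:443", "66.228.49.173:8080",
    "104.131.103.37:8080", "149.62.173.247:8080", "72.47.248.48:7080",
    "68.183.170.114:8080", "81.198.69.61:80",
]
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _tlv(buf, pos, expected_tag):
    """Decode the DER tag/length at pos; return (value_start, value_end)."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return pos, pos + length


def parse_rsa_spki(b64_key):
    """Return (modulus_bits, public_exponent) from a base64 SubjectPublicKeyInfo.

    Structure: SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
                          BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }
    """
    der = base64.b64decode("".join(b64_key.split()))   # strip the embedded newlines
    start, end = _tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg_start, alg_end = _tlv(der, start, 0x30)         # AlgorithmIdentifier
    oid_start, oid_end = _tlv(der, alg_start, 0x06)
    if der[oid_start:oid_end] != OID_RSA_ENCRYPTION:
        raise ValueError("key algorithm is not rsaEncryption")
    bs_start, _ = _tlv(der, alg_end, 0x03)              # BIT STRING; first byte = unused bits
    if der[bs_start] != 0:
        raise ValueError("unexpected unused bits in BIT STRING")
    seq_start, _ = _tlv(der, bs_start + 1, 0x30)        # RSAPublicKey
    n_start, n_end = _tlv(der, seq_start, 0x02)
    e_start, e_end = _tlv(der, n_end, 0x02)
    modulus = int.from_bytes(der[n_start:n_end], "big")  # a leading 0x00 pad byte is harmless
    exponent = int.from_bytes(der[e_start:e_end], "big")
    return modulus.bit_length(), exponent


def c2_by_port(c2_list):
    """Group C2 endpoints by destination port, e.g. {8080: [...], 80: [...]}."""
    groups = defaultdict(list)
    for entry in c2_list:
        host, port = entry.rsplit(":", 1)
        groups[int(port)].append(host)
    return dict(groups)


def suricata_rules(c2_list, sid_base=9000000):
    """One Suricata/Snort rule per endpoint. The SID range and msg text are
    choices made for this example, not values from the report."""
    rules = []
    for i, entry in enumerate(c2_list):
        host, port = entry.rsplit(":", 1)
        rules.append(
            f"alert tcp $HOME_NET any -> {host} {port} "
            f'(msg:"Emotet C2 {entry} (Joe Sandbox analysis 449959)"; '
            f"flow:to_server; sid:{sid_base + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    bits, e = parse_rsa_spki(RSA_PUBLIC_KEY_B64)
    print(f"RSA modulus: {bits} bits, public exponent {e}")
    for port, hosts in sorted(c2_by_port(C2_LIST).items()):
        print(f"port {port}: {len(hosts)} endpoint(s)")
    print("\n".join(suricata_rules(C2_LIST)))
```

The DER walk is deliberately minimal and only accepts the exact layout above; for anything beyond a quick check use the `cryptography` package. The rules match on destination IP and port alone, so they are a snapshot tied to this analysis: Emotet C2 lists rotate between builds, and an endpoint that is gone from the next config will only generate noise.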

Compliance:

Uses 32bit PE files
Source: mormanti.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\mormanti.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: mormanti.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb` source: mormanti.exe, 00000000.00000002.203184717.0000000000C14000.00000002.00020000.sdmp, eventvwr.exe, 00000002.00000002.465026006.0000000000C14000.00000002.00020000.sdmp
Source: Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb`@ source: mormanti.exe
Source: Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb source: mormanti.exe
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_02DC2871 FindFirstFileW,FindNextFileW,FindClose, 0_2_02DC2871

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.131.103.37: -> 192.168.2.3:
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 58.171.153.81:80
Source: Malware configuration extractor IPs: 104.131.103.128:443
Source: Malware configuration extractor IPs: 66.228.49.173:8080
Source: Malware configuration extractor IPs: 104.131.103.37:8080
Source: Malware configuration extractor IPs: 149.62.173.247:8080
Source: Malware configuration extractor IPs: 72.47.248.48:7080
Source: Malware configuration extractor IPs: 68.183.170.114:8080
Source: Malware configuration extractor IPs: 81.198.69.61:80
Source: Malware configuration extractor IPs: 217.13.106.14:8080
Source: Malware configuration extractor IPs: 77.90.136.129:8080
Source: Malware configuration extractor IPs: 217.199.160.224:7080
Source: Malware configuration extractor IPs: 178.79.163.131:8080
Source: Malware configuration extractor IPs: 2.47.112.152:80
Source: Malware configuration extractor IPs: 83.169.21.32:7080
Source: Malware configuration extractor IPs: 190.163.31.26:80
Source: Malware configuration extractor IPs: 185.94.252.27:443
Source: Malware configuration extractor IPs: 12.162.84.2:8080
Source: Malware configuration extractor IPs: 73.116.193.136:80
Source: Malware configuration extractor IPs: 177.72.13.80:80
Source: Malware configuration extractor IPs: 116.125.120.88:443
Source: Malware configuration extractor IPs: 213.181.91.224:80
Source: Malware configuration extractor IPs: 104.131.41.185:8080
Source: Malware configuration extractor IPs: 46.28.111.142:7080
Source: Malware configuration extractor IPs: 181.129.96.162:8080
Source: Malware configuration extractor IPs: 189.2.177.210:443
Source: Malware configuration extractor IPs: 111.67.12.221:8080
Source: Malware configuration extractor IPs: 189.194.58.119:80
Source: Malware configuration extractor IPs: 51.255.165.160:8080
Source: Malware configuration extractor IPs: 170.81.48.2:80
Source: Malware configuration extractor IPs: 177.74.228.34:80
Source: Malware configuration extractor IPs: 70.32.84.74:8080
Source: Malware configuration extractor IPs: 213.60.96.117:80
Source: Malware configuration extractor IPs: 186.250.52.226:8080
Source: Malware configuration extractor IPs: 70.32.115.157:8080
Source: Malware configuration extractor IPs: 190.190.148.27:8080
Source: Malware configuration extractor IPs: 204.225.249.100:7080
Source: Malware configuration extractor IPs: 192.241.143.52:8080
Source: Malware configuration extractor IPs: 202.62.39.111:80
Source: Malware configuration extractor IPs: 82.76.111.249:443
Source: Malware configuration extractor IPs: 190.147.137.153:443
Source: Malware configuration extractor IPs: 80.249.176.206:80
Source: Malware configuration extractor IPs: 91.219.169.180:80
Source: Malware configuration extractor IPs: 212.71.237.140:8080
Source: Malware configuration extractor IPs: 114.109.179.60:80
Source: Malware configuration extractor IPs: 5.196.35.138:7080
Source: Malware configuration extractor IPs: 87.106.46.107:8080
Source: Malware configuration extractor IPs: 190.6.193.152:8080
Source: Malware configuration extractor IPs: 172.104.169.32:8080
Source: Malware configuration extractor IPs: 186.103.141.250:443
Source: Malware configuration extractor IPs: 212.231.60.98:80
Source: Malware configuration extractor IPs: 147.91.184.91:80
Source: Malware configuration extractor IPs: 50.28.51.143:8080
Source: Malware configuration extractor IPs: 61.92.159.208:8080
Source: Malware configuration extractor IPs: 187.162.248.237:80
Source: Malware configuration extractor IPs: 191.182.6.118:80
Source: Malware configuration extractor IPs: 94.206.45.18:80
Source: Malware configuration extractor IPs: 219.92.13.25:80
Source: Malware configuration extractor IPs: 145.236.8.174:80
Source: Malware configuration extractor IPs: 89.32.150.160:8080
Source: Malware configuration extractor IPs: 93.151.186.85:80
Source: Malware configuration extractor IPs: 190.17.195.202:80
Source: Malware configuration extractor IPs: 181.120.79.227:80
Source: Malware configuration extractor IPs: 177.73.0.98:443
Source: Malware configuration extractor IPs: 192.241.146.84:8080
Source: Malware configuration extractor IPs: 217.160.182.191:8080
Source: Malware configuration extractor IPs: 68.183.190.199:8080
Source: Malware configuration extractor IPs: 137.74.106.111:7080
Source: Malware configuration extractor IPs: 177.144.135.2:80
Source: Malware configuration extractor IPs: 201.213.156.176:80
Source: Malware configuration extractor IPs: 82.196.15.205:8080
Source: Malware configuration extractor IPs: 104.236.161.64:8080
Source: Malware configuration extractor IPs: 209.236.123.42:8080
Source: Malware configuration extractor IPs: 77.55.211.77:8080
Source: Malware configuration extractor IPs: 177.66.190.130:80
Source: Malware configuration extractor IPs: 143.0.87.101:80
Source: Malware configuration extractor IPs: 94.176.234.118:443
Source: Malware configuration extractor IPs: 191.99.160.58:80
Source: Malware configuration extractor IPs: 185.94.252.12:80
Source: Malware configuration extractor IPs: 45.161.242.102:80
Source: Malware configuration extractor IPs: 181.36.42.205:443
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 34
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49728 -> 66.228.49.173:8080
Source: global traffic TCP traffic: 192.168.2.3:49734 -> 104.131.103.37:8080
Source: global traffic TCP traffic: 192.168.2.3:49740 -> 149.62.173.247:8080
Source: global traffic TCP traffic: 192.168.2.3:49741 -> 72.47.248.48:7080
Source: global traffic TCP traffic: 192.168.2.3:49744 -> 68.183.170.114:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.62.173.247 149.62.173.247
Source: Joe Sandbox View IP Address: 204.225.249.100 204.225.249.100
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: INFORTELECOM-ASES INFORTELECOM-ASES
Source: Joe Sandbox View ASN Name: CLAROSABR CLAROSABR
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: unknown TCP traffic detected without corresponding DNS query: 58.171.153.81
Source: unknown TCP traffic detected without corresponding DNS query: 58.171.153.81
Source: unknown TCP traffic detected without corresponding DNS query: 58.171.153.81
Source: unknown TCP traffic detected without corresponding DNS query: 104.131.103.128
Source: unknown TCP traffic detected without corresponding DNS query: 104.131.103.128
Source: unknown TCP traffic detected without corresponding DNS query: 104.131.103.128
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.49.173
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.49.173
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.49.173
Source: unknown TCP traffic detected without corresponding DNS query: 104.131.103.37
Source: unknown TCP traffic detected without corresponding DNS query: 104.131.103.37
Source: unknown TCP traffic detected without corresponding DNS query: 104.131.103.37
Source: unknown TCP traffic detected without corresponding DNS query: 149.62.173.247
Source: unknown TCP traffic detected without corresponding DNS query: 149.62.173.247
Source: unknown TCP traffic detected without corresponding DNS query: 149.62.173.247
Source: unknown TCP traffic detected without corresponding DNS query: 72.47.248.48
Source: unknown TCP traffic detected without corresponding DNS query: 72.47.248.48
Source: unknown TCP traffic detected without corresponding DNS query: 72.47.248.48
Source: unknown TCP traffic detected without corresponding DNS query: 68.183.170.114
Source: unknown TCP traffic detected without corresponding DNS query: 68.183.170.114
Source: unknown TCP traffic detected without corresponding DNS query: 68.183.170.114
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp String found in binary or memory: http://104.131.103.128:443/iNVKl1XPWZqml34fy2r/3FDoguFdfDtjz/
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp String found in binary or memory: http://149.62.173.247/kH8ALNiaGV/5bEuMKuJNKlslD3n/rvXy2RpDwZlslOQBeY7/BCLTdgbwF6J8vsIGfDq/jZ9iV8xFle
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp String found in binary or memory: http://149.62.173.247:8080/kH8ALNiaGV/5bEuMKuJNKlslD3n/rvXy2RpDwZlslOQBeY7/BCLTdgbwF6J8vsIGfDq/jZ9iV
Source: eventvwr.exe, 00000002.00000003.334412522.00000000034DC000.00000004.00000001.sdmp String found in binary or memory: http://58.171.153.81/j4XmHhlvX7h4pe/uu11HumRcyQn/3XzJ/ymPM07W/vKmfGodTznrrD/
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: http://66.228.49.173/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: http://66.228.49.173:8080/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: http://66.228.49.173:8080/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/s(KF
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp String found in binary or memory: http://68.183.170.114/nFzrf7w0/EO2pZ/MQ0xve/
Source: eventvwr.exe, 00000002.00000002.466095172.0000000002ED6000.00000004.00000001.sdmp, eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp String found in binary or memory: http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/
Source: eventvwr.exe, 00000002.00000002.466095172.0000000002ED6000.00000004.00000001.sdmp String found in binary or memory: http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/:
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp String found in binary or memory: http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/c
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp String found in binary or memory: http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp String found in binary or memory: http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/6O
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp String found in binary or memory: http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/CL:
Source: svchost.exe, 00000006.00000002.466542718.0000022B0E414000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000006.00000002.466542718.0000022B0E414000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000006.00000002.466542718.0000022B0E414000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000006.00000002.465692005.0000022B08EA3000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/
Source: svchost.exe, 00000006.00000002.466806888.0000022B0E690000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000E.00000002.309089370.00000265B8A13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: https://fs.microsoft.c
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309089370.00000265B8A13000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308721293.00000265B8A3A000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
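Two of the signatures in this section, TCP traffic to IPs that were never looked up in DNS and traffic on ports such as 7080 and 8080, are easy to reproduce from ordinary network logs, and a hard-coded C2 list like the one in this sample produces exactly that pattern. The Python below is an added example, not the sandbox's detection logic: it parses two small constructed logs in a one-record-per-line format invented for the example, using the report's client 192.168.2.3 and its five observed C2 flows plus an invented benign flow to 203.0.113.10 (TEST-NET-3) that was resolved via DNS, and reports connections with no prior DNS answer and connections to ports outside an allow-list. HOME_NETS, ALLOWED_PORTS, the log formats, the timestamps and the 10-minute lookback window are assumptions.

```python
"""Two of the network signatures above, reproduced over constructed logs:
TCP connections with no preceding DNS answer for the destination, and
connections to ports outside an allow-list. Added example; not the sandbox's
own detection logic."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in a one-record-per-line format invented for this
# example. The client 192.168.2.3 and the five C2 flows are the report's
# "global traffic" entries; example.com -> 203.0.113.10 (TEST-NET-3) is an
# invented benign flow that did go through DNS. Timestamps are invented.
DNS_LOG = """\
2021-07-12T10:00:01 192.168.2.3 answer example.com A 203.0.113.10
"""
CONN_LOG = """\
2021-07-12T10:00:02 192.168.2.3:49727 -> 203.0.113.10:443 tcp
2021-07-12T10:00:05 192.168.2.3:49728 -> 66.228.49.173:8080 tcp
2021-07-12T10:00:09 192.168.2.3:49734 -> 104.131.103.37:8080 tcp
2021-07-12T10:00:14 192.168.2.3:49740 -> 149.62.173.247:8080 tcp
2021-07-12T10:00:15 192.168.2.3:49741 -> 72.47.248.48:7080 tcp
2021-07-12T10:00:19 192.168.2.3:49744 -> 68.183.170.114:8080 tcp
2021-07-12T10:00:20 192.168.2.3:49745 -> 192.168.2.1:53 udp
"""
HOME_NETS = [ipaddress.ip_network("192.168.2.0/24")]  # assumed LAN of the sandbox client
ALLOWED_PORTS = {80, 443}                             # assumed web allow-list


def _is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NETS)


def parse_dns(text):
    """Return [(timestamp, client_ip, answer_ip)] for each 'answer' line."""
    out = []
    for line in text.splitlines():
        ts, client, kind, _name, _rtype, answer = line.split()
        if kind == "answer":
            out.append((datetime.fromisoformat(ts), client, answer))
    return out


def parse_conns(text):
    """Return one dict per connection line: ts, src, sport, dst, dport, proto."""
    out = []
    for line in text.splitlines():
        ts, src, _arrow, dst, proto = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        out.append({"ts": datetime.fromisoformat(ts), "src": sip, "sport": int(sport),
                    "dst": dip, "dport": int(dport), "proto": proto})
    return out


def tcp_without_dns(dns, conns, window=timedelta(minutes=10)):
    """TCP flows to non-local IPs that the same client did not receive in a
    DNS answer during `window` before the connection. Local destinations are
    skipped because LAN traffic legitimately bypasses DNS."""
    hits = []
    for c in conns:
        if c["proto"] != "tcp" or _is_local(c["dst"]):
            continue
        resolved = any(client == c["src"] and ip == c["dst"]
                       and c["ts"] - window <= ts <= c["ts"]
                       for ts, client, ip in dns)
        if not resolved:
            hits.append(c)
    return hits


def nonstandard_ports(conns, allowed=ALLOWED_PORTS):
    """Flows to non-local IPs on ports outside the allow-list (7080/8080 here)."""
    return [c for c in conns
            if c["dport"] not in allowed and not _is_local(c["dst"])]


def summarize(dns_text=DNS_LOG, conn_text=CONN_LOG):
    """Run both detections and return a compact result for alerting or tests."""
    dns, conns = parse_dns(dns_text), parse_conns(conn_text)
    port_counts = defaultdict(int)
    for c in nonstandard_ports(conns):
        port_counts[c["dport"]] += 1
    return {"dnsless": [f'{c["dst"]}:{c["dport"]}' for c in tcp_without_dns(dns, conns)],
            "nonstandard_ports": dict(port_counts)}


if __name__ == "__main__":
    result = summarize()
    print("TCP without DNS:", ", ".join(result["dnsless"]))
    print("non-standard ports:", result["nonstandard_ports"])
```

On a real network the DNS-less check needs the resolver's answers for the whole host, not one log line, and the window should cover the client's DNS cache lifetime (otherwise a cached answer from an hour ago shows up as a miss). The port check is cheap but noisy on its own; the combination of the two with the same destination, as in the five flows above, is the signal.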

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 0.2.mormanti.exe.2db053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.eventvwr.exe.114053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mormanti.exe.2db053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.eventvwr.exe.114053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.465228013.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.203541228.0000000002DC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.203533038.0000000002DB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.465253689.0000000001151000.00000020.00000001.sdmp, type: MEMORY

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\mormanti.exe File created: C:\Windows\SysWOW64\msmpeg2vdec\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\mormanti.exe File deleted: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_02DB23AF 0_2_02DB23AF
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_02DB253B 0_2_02DB253B
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_02DC2BFC 0_2_02DC2BFC
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_02DC2A70 0_2_02DC2A70
PE file contains strange resources
Source: mormanti.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: mormanti.exe, 00000000.00000002.203709994.0000000003060000.00000002.00000001.sdmp Binary or memory string: originalfilename vs mormanti.exe
Source: mormanti.exe, 00000000.00000002.203709994.0000000003060000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs mormanti.exe
Source: mormanti.exe, 00000000.00000002.203665960.0000000003000000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs mormanti.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Uses 32bit PE files
Source: mormanti.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: mal100.troj.evad.winEXE@17/8@0/81
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5024:120:WilError_01
Source: C:\Users\user\Desktop\mormanti.exe Command line argument: schtasks.exe 0_2_00C121FD
Source: C:\Users\user\Desktop\mormanti.exe Command line argument: 4096 0_2_00C121FD
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe Command line argument: schtasks.exe 2_2_00C121FD
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe Command line argument: 4096 2_2_00C121FD
Source: mormanti.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\mormanti.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\mormanti.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: mormanti.exe Virustotal: Detection: 74%
Source: mormanti.exe ReversingLabs: Detection: 82%
Source: unknown Process created: C:\Users\user\Desktop\mormanti.exe 'C:\Users\user\Desktop\mormanti.exe'
Source: C:\Users\user\Desktop\mormanti.exe Process created: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mormanti.exe Process created: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\mormanti.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\mormanti.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: mormanti.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mormanti.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mormanti.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mormanti.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mormanti.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mormanti.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: mormanti.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: mormanti.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb` source: mormanti.exe, 00000000.00000002.203184717.0000000000C14000.00000002.00020000.sdmp, eventvwr.exe, 00000002.00000002.465026006.0000000000C14000.00000002.00020000.sdmp
Source: Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb`@ source: mormanti.exe
Source: Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb source: mormanti.exe
Source: mormanti.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mormanti.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mormanti.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mormanti.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mormanti.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_00C12D89 push ecx; ret 0_2_00C12D9C
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_00C13121 push ecx; ret 0_2_00C13134
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe Code function: 2_2_00C12D89 push ecx; ret 2_2_00C12D9C
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe Code function: 2_2_00C13121 push ecx; ret 2_2_00C13134

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\mormanti.exe Executable created and started: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\mormanti.exe PE file moved: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\mormanti.exe File opened: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\mormanti.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\mormanti.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 3980 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\mormanti.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_02DC2871 FindFirstFileW,FindNextFileW,FindClose, 0_2_02DC2871
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000006.00000002.466653401.0000022B0E460000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.466637022.0000022B0E453000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.465149550.000001E006C02000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000006.00000002.465518449.0000022B08E29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@aF
Source: svchost.exe, 0000000A.00000002.465212488.000001E006C29000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.465407534.000001C4AD251000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.465492639.0000016AC822A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_00C1272C IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 0_2_00C1272C
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_00C11FF2 mov eax, dword ptr fs:[00000030h] 0_2_00C11FF2
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_02DB304D mov eax, dword ptr fs:[00000030h] 0_2_02DB304D
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_02DB0467 mov eax, dword ptr fs:[00000030h] 0_2_02DB0467
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_02DB277C mov eax, dword ptr fs:[00000030h] 0_2_02DB277C
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_02DC370E mov eax, dword ptr fs:[00000030h] 0_2_02DC370E
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_02DC2E3D mov eax, dword ptr fs:[00000030h] 0_2_02DC2E3D
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe Code function: 2_2_00C11FF2 mov eax, dword ptr fs:[00000030h] 2_2_00C11FF2
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe Code function: 2_2_00C1272C IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 2_2_00C1272C
Source: eventvwr.exe, 00000002.00000002.465850573.00000000019E0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.465566691.00000284E1A60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: eventvwr.exe, 00000002.00000002.465850573.00000000019E0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.465566691.00000284E1A60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: eventvwr.exe, 00000002.00000002.465850573.00000000019E0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.465566691.00000284E1A60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: eventvwr.exe, 00000002.00000002.465850573.00000000019E0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.465566691.00000284E1A60000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\mormanti.exe Code function: 0_2_00C12FF8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00C12FF8
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000010.00000002.465576432.0000013FA9502000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.465525101.0000013FA943D000.00000004.00000001.sdmp Binary or memory string: @\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 0.2.mormanti.exe.2db053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.eventvwr.exe.114053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mormanti.exe.2db053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.eventvwr.exe.114053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.465228013.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.203541228.0000000002DC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.203533038.0000000002DB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.465253689.0000000001151000.00000020.00000001.sdmp, type: MEMORY