Play interactive tour

Edit tour

Windows Analysis Report mormanti.exe

Overview

General Information

Sample Name:	mormanti.exe
Analysis ID:	449959
MD5:	6c94edfea6e5ee001b00122c9d01bd8a
SHA1:	a8d0cc5088ee86c2be77afe157695d12e951f369
SHA256:	0154d1d06e755bda091168038f25c1dde101e3b77c66f88b73c71be84ffdaf6e
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Emotet

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Hides that the sample has been downloaded from the Internet (zone.identifier)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to several IPs in different countries

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

mormanti.exe (PID: 3412 cmdline: 'C:\Users\user\Desktop\mormanti.exe' MD5: 6C94EDFEA6E5EE001B00122C9D01BD8A)

eventvwr.exe (PID: 2416 cmdline: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe MD5: 6C94EDFEA6E5EE001B00122C9D01BD8A)

svchost.exe (PID: 3148 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 384 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2168 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5924 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4744 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4880 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1276 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4936 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5588 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 3468 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 2648 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 4820 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["58.171.153.81:80", "104.131.103.128:443", "66.228.49.173:8080", "104.131.103.37:8080", "149.62.173.247:8080", "72.47.248.48:7080", "68.183.170.114:8080", "81.198.69.61:80", "217.13.106.14:8080", "77.90.136.129:8080", "217.199.160.224:7080", "178.79.163.131:8080", "2.47.112.152:80", "83.169.21.32:7080", "190.163.31.26:80", "185.94.252.27:443", "12.162.84.2:8080", "73.116.193.136:80", "177.72.13.80:80", "116.125.120.88:443", "213.181.91.224:80", "104.131.41.185:8080", "46.28.111.142:7080", "181.129.96.162:8080", "189.2.177.210:443", "111.67.12.221:8080", "189.194.58.119:80", "51.255.165.160:8080", "170.81.48.2:80", "177.74.228.34:80", "70.32.84.74:8080", "213.60.96.117:80", "186.250.52.226:8080", "70.32.115.157:8080", "190.190.148.27:8080", "204.225.249.100:7080", "192.241.143.52:8080", "202.62.39.111:80", "82.76.111.249:443", "190.147.137.153:443", "80.249.176.206:80", "91.219.169.180:80", "212.71.237.140:8080", "114.109.179.60:80", "5.196.35.138:7080", "87.106.46.107:8080", "190.6.193.152:8080", "172.104.169.32:8080", "186.103.141.250:443", "212.231.60.98:80", "147.91.184.91:80", "50.28.51.143:8080", "61.92.159.208:8080", "187.162.248.237:80", "191.182.6.118:80", "94.206.45.18:80", "219.92.13.25:80", "145.236.8.174:80", "89.32.150.160:8080", "93.151.186.85:80", "190.17.195.202:80", "181.120.79.227:80", "177.73.0.98:443", "192.241.146.84:8080", "217.160.182.191:8080", "68.183.190.199:8080", "137.74.106.111:7080", "177.144.135.2:80", "201.213.156.176:80", "82.196.15.205:8080", "104.236.161.64:8080", "209.236.123.42:8080", "77.55.211.77:8080", "177.66.190.130:80", "143.0.87.101:80", "94.176.234.118:443", "191.99.160.58:80", "185.94.252.12:80", "45.161.242.102:80", "181.36.42.205:443"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.465228013.0000000001140000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.203541228.0000000002DC1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.203533038.0000000002DB0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.465253689.0000000001151000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.mormanti.exe.2db053f.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.eventvwr.exe.114053f.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.mormanti.exe.2db053f.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.eventvwr.exe.114053f.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: mormanti.exe

Avira: detected

Found malware configuration

Show sources

Source: 0.2.mormanti.exe.2db053f.1.raw.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["58.171.153.81:80", "104.131.103.128:443", "66.228.49.173:8080", "104.131.103.37:8080", "149.62.173.247:8080", "72.47.248.48:7080", "68.183.170.114:8080", "81.198.69.61:80", "217.13.106.14:8080", "77.90.136.129:8080", "217.199.160.224:7080", "178.79.163.131:8080", "2.47.112.152:80", "83.169.21.32:7080", "190.163.31.26:80", "185.94.252.27:443", "12.162.84.2:8080", "73.116.193.136:80", "177.72.13.80:80", "116.125.120.88:443", "213.181.91.224:80", "104.131.41.185:8080", "46.28.111.142:7080", "181.129.96.162:8080", "189.2.177.210:443", "111.67.12.221:8080", "189.194.58.119:80", "51.255.165.160:8080", "170.81.48.2:80", "177.74.228.34:80", "70.32.84.74:8080", "213.60.96.117:80", "186.250.52.226:8080", "70.32.115.157:8080", "190.190.148.27:8080", "204.225.249.100:7080", "192.241.143.52:8080", "202.62.39.111:80", "82.76.111.249:443", "190.147.137.153:443", "80.249.176.206:80", "91.219.169.180:80", "212.71.237.140:8080", "114.109.179.60:80", "5.196.35.138:7080", "87.106.46.107:8080", "190.6.193.152:8080", "172.104.169.32:8080", "186.103.141.250:443", "212.231.60.98:80", "147.91.184.91:80", "50.28.51.143:8080", "61.92.159.208:8080", "187.162.248.237:80", "191.182.6.118:80", "94.206.45.18:80", "219.92.13.25:80", "145.236.8.174:80", "89.32.150.160:8080", "93.151.186.85:80", "190.17.195.202:80", "181.120.79.227:80", "177.73.0.98:443", "192.241.146.84:8080", "217.160.182.191:8080", "68.183.190.199:8080", "137.74.106.111:7080", "177.144.135.2:80", "201.213.156.176:80", "82.196.15.205:8080", "104.236.161.64:8080", "209.236.123.42:8080", "77.55.211.77:8080", "177.66.190.130:80", "143.0.87.101:80", "94.176.234.118:443", "191.99.160.58:80", "185.94.252.12:80", "45.161.242.102:80", "181.36.42.205:443"]}

Multi AV Scanner detection for submitted file

Show sources

Source: mormanti.exe	Virustotal: Detection: 74%			Perma Link
Source: mormanti.exe	ReversingLabs: Detection: 82%

Source: mormanti.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\mormanti.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll

Source: mormanti.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb` source: mormanti.exe, 00000000.00000002.203184717.0000000000C14000.00000002.00020000.sdmp, eventvwr.exe, 00000002.00000002.465026006.0000000000C14000.00000002.00020000.sdmp
Source:	Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb`@ source: mormanti.exe
Source:	Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb source: mormanti.exe

Source: C:\Users\user\Desktop\mormanti.exe

Code function: 0_2_02DC2871 FindFirstFileW,FindNextFileW,FindClose,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.131.103.37: -> 192.168.2.3:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 58.171.153.81:80
Source: Malware configuration extractor	IPs: 104.131.103.128:443
Source: Malware configuration extractor	IPs: 66.228.49.173:8080
Source: Malware configuration extractor	IPs: 104.131.103.37:8080
Source: Malware configuration extractor	IPs: 149.62.173.247:8080
Source: Malware configuration extractor	IPs: 72.47.248.48:7080
Source: Malware configuration extractor	IPs: 68.183.170.114:8080
Source: Malware configuration extractor	IPs: 81.198.69.61:80
Source: Malware configuration extractor	IPs: 217.13.106.14:8080
Source: Malware configuration extractor	IPs: 77.90.136.129:8080
Source: Malware configuration extractor	IPs: 217.199.160.224:7080
Source: Malware configuration extractor	IPs: 178.79.163.131:8080
Source: Malware configuration extractor	IPs: 2.47.112.152:80
Source: Malware configuration extractor	IPs: 83.169.21.32:7080
Source: Malware configuration extractor	IPs: 190.163.31.26:80
Source: Malware configuration extractor	IPs: 185.94.252.27:443
Source: Malware configuration extractor	IPs: 12.162.84.2:8080
Source: Malware configuration extractor	IPs: 73.116.193.136:80
Source: Malware configuration extractor	IPs: 177.72.13.80:80
Source: Malware configuration extractor	IPs: 116.125.120.88:443
Source: Malware configuration extractor	IPs: 213.181.91.224:80
Source: Malware configuration extractor	IPs: 104.131.41.185:8080
Source: Malware configuration extractor	IPs: 46.28.111.142:7080
Source: Malware configuration extractor	IPs: 181.129.96.162:8080
Source: Malware configuration extractor	IPs: 189.2.177.210:443
Source: Malware configuration extractor	IPs: 111.67.12.221:8080
Source: Malware configuration extractor	IPs: 189.194.58.119:80
Source: Malware configuration extractor	IPs: 51.255.165.160:8080
Source: Malware configuration extractor	IPs: 170.81.48.2:80
Source: Malware configuration extractor	IPs: 177.74.228.34:80
Source: Malware configuration extractor	IPs: 70.32.84.74:8080
Source: Malware configuration extractor	IPs: 213.60.96.117:80
Source: Malware configuration extractor	IPs: 186.250.52.226:8080
Source: Malware configuration extractor	IPs: 70.32.115.157:8080
Source: Malware configuration extractor	IPs: 190.190.148.27:8080
Source: Malware configuration extractor	IPs: 204.225.249.100:7080
Source: Malware configuration extractor	IPs: 192.241.143.52:8080
Source: Malware configuration extractor	IPs: 202.62.39.111:80
Source: Malware configuration extractor	IPs: 82.76.111.249:443
Source: Malware configuration extractor	IPs: 190.147.137.153:443
Source: Malware configuration extractor	IPs: 80.249.176.206:80
Source: Malware configuration extractor	IPs: 91.219.169.180:80
Source: Malware configuration extractor	IPs: 212.71.237.140:8080
Source: Malware configuration extractor	IPs: 114.109.179.60:80
Source: Malware configuration extractor	IPs: 5.196.35.138:7080
Source: Malware configuration extractor	IPs: 87.106.46.107:8080
Source: Malware configuration extractor	IPs: 190.6.193.152:8080
Source: Malware configuration extractor	IPs: 172.104.169.32:8080
Source: Malware configuration extractor	IPs: 186.103.141.250:443
Source: Malware configuration extractor	IPs: 212.231.60.98:80
Source: Malware configuration extractor	IPs: 147.91.184.91:80
Source: Malware configuration extractor	IPs: 50.28.51.143:8080
Source: Malware configuration extractor	IPs: 61.92.159.208:8080
Source: Malware configuration extractor	IPs: 187.162.248.237:80
Source: Malware configuration extractor	IPs: 191.182.6.118:80
Source: Malware configuration extractor	IPs: 94.206.45.18:80
Source: Malware configuration extractor	IPs: 219.92.13.25:80
Source: Malware configuration extractor	IPs: 145.236.8.174:80
Source: Malware configuration extractor	IPs: 89.32.150.160:8080
Source: Malware configuration extractor	IPs: 93.151.186.85:80
Source: Malware configuration extractor	IPs: 190.17.195.202:80
Source: Malware configuration extractor	IPs: 181.120.79.227:80
Source: Malware configuration extractor	IPs: 177.73.0.98:443
Source: Malware configuration extractor	IPs: 192.241.146.84:8080
Source: Malware configuration extractor	IPs: 217.160.182.191:8080
Source: Malware configuration extractor	IPs: 68.183.190.199:8080
Source: Malware configuration extractor	IPs: 137.74.106.111:7080
Source: Malware configuration extractor	IPs: 177.144.135.2:80
Source: Malware configuration extractor	IPs: 201.213.156.176:80
Source: Malware configuration extractor	IPs: 82.196.15.205:8080
Source: Malware configuration extractor	IPs: 104.236.161.64:8080
Source: Malware configuration extractor	IPs: 209.236.123.42:8080
Source: Malware configuration extractor	IPs: 77.55.211.77:8080
Source: Malware configuration extractor	IPs: 177.66.190.130:80
Source: Malware configuration extractor	IPs: 143.0.87.101:80
Source: Malware configuration extractor	IPs: 94.176.234.118:443
Source: Malware configuration extractor	IPs: 191.99.160.58:80
Source: Malware configuration extractor	IPs: 185.94.252.12:80
Source: Malware configuration extractor	IPs: 45.161.242.102:80
Source: Malware configuration extractor	IPs: 181.36.42.205:443

Source: unknown

Network traffic detected: IP country count 34

Source: global traffic	TCP traffic: 192.168.2.3:49728 -> 66.228.49.173:8080
Source: global traffic	TCP traffic: 192.168.2.3:49734 -> 104.131.103.37:8080
Source: global traffic	TCP traffic: 192.168.2.3:49740 -> 149.62.173.247:8080
Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 72.47.248.48:7080
Source: global traffic	TCP traffic: 192.168.2.3:49744 -> 68.183.170.114:8080

Source: Joe Sandbox View	IP Address: 149.62.173.247 149.62.173.247
Source: Joe Sandbox View	IP Address: 204.225.249.100 204.225.249.100

Source: Joe Sandbox View	ASN Name: INFORTELECOM-ASES INFORTELECOM-ASES
Source: Joe Sandbox View	ASN Name: CLAROSABR CLAROSABR
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: unknown	TCP traffic detected without corresponding DNS query: 58.171.153.81
Source: unknown	TCP traffic detected without corresponding DNS query: 58.171.153.81
Source: unknown	TCP traffic detected without corresponding DNS query: 58.171.153.81
Source: unknown	TCP traffic detected without corresponding DNS query: 104.131.103.128
Source: unknown	TCP traffic detected without corresponding DNS query: 104.131.103.128
Source: unknown	TCP traffic detected without corresponding DNS query: 104.131.103.128
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.49.173
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.49.173
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.49.173
Source: unknown	TCP traffic detected without corresponding DNS query: 104.131.103.37
Source: unknown	TCP traffic detected without corresponding DNS query: 104.131.103.37
Source: unknown	TCP traffic detected without corresponding DNS query: 104.131.103.37
Source: unknown	TCP traffic detected without corresponding DNS query: 149.62.173.247
Source: unknown	TCP traffic detected without corresponding DNS query: 149.62.173.247
Source: unknown	TCP traffic detected without corresponding DNS query: 149.62.173.247
Source: unknown	TCP traffic detected without corresponding DNS query: 72.47.248.48
Source: unknown	TCP traffic detected without corresponding DNS query: 72.47.248.48
Source: unknown	TCP traffic detected without corresponding DNS query: 72.47.248.48
Source: unknown	TCP traffic detected without corresponding DNS query: 68.183.170.114
Source: unknown	TCP traffic detected without corresponding DNS query: 68.183.170.114
Source: unknown	TCP traffic detected without corresponding DNS query: 68.183.170.114

Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp	String found in binary or memory: http://104.131.103.128:443/iNVKl1XPWZqml34fy2r/3FDoguFdfDtjz/
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp	String found in binary or memory: http://149.62.173.247/kH8ALNiaGV/5bEuMKuJNKlslD3n/rvXy2RpDwZlslOQBeY7/BCLTdgbwF6J8vsIGfDq/jZ9iV8xFle
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp	String found in binary or memory: http://149.62.173.247:8080/kH8ALNiaGV/5bEuMKuJNKlslD3n/rvXy2RpDwZlslOQBeY7/BCLTdgbwF6J8vsIGfDq/jZ9iV
Source: eventvwr.exe, 00000002.00000003.334412522.00000000034DC000.00000004.00000001.sdmp	String found in binary or memory: http://58.171.153.81/j4XmHhlvX7h4pe/uu11HumRcyQn/3XzJ/ymPM07W/vKmfGodTznrrD/
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp	String found in binary or memory: http://66.228.49.173/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp	String found in binary or memory: http://66.228.49.173:8080/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp	String found in binary or memory: http://66.228.49.173:8080/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/s(KF
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp	String found in binary or memory: http://68.183.170.114/nFzrf7w0/EO2pZ/MQ0xve/
Source: eventvwr.exe, 00000002.00000002.466095172.0000000002ED6000.00000004.00000001.sdmp, eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp	String found in binary or memory: http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/
Source: eventvwr.exe, 00000002.00000002.466095172.0000000002ED6000.00000004.00000001.sdmp	String found in binary or memory: http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/:
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp	String found in binary or memory: http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/c
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp	String found in binary or memory: http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp	String found in binary or memory: http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/6O
Source: eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp	String found in binary or memory: http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/CL:
Source: svchost.exe, 00000006.00000002.466542718.0000022B0E414000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000006.00000002.466542718.0000022B0E414000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000006.00000002.466542718.0000022B0E414000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000006.00000002.465692005.0000022B08EA3000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/
Source: svchost.exe, 00000006.00000002.466806888.0000022B0E690000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000E.00000002.309089370.00000265B8A13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp	String found in binary or memory: https://fs.microsoft.c
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309089370.00000265B8A13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.308721293.00000265B8A3A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0.2.mormanti.exe.2db053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.eventvwr.exe.114053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mormanti.exe.2db053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.eventvwr.exe.114053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.465228013.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.203541228.0000000002DC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.203533038.0000000002DB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.465253689.0000000001151000.00000020.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\mormanti.exe

File created: C:\Windows\SysWOW64\msmpeg2vdec\

Jump to behavior

Source: C:\Users\user\Desktop\mormanti.exe

File deleted: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\mormanti.exe	Code function: 0_2_02DB23AF
Source: C:\Users\user\Desktop\mormanti.exe	Code function: 0_2_02DB253B
Source: C:\Users\user\Desktop\mormanti.exe	Code function: 0_2_02DC2BFC
Source: C:\Users\user\Desktop\mormanti.exe	Code function: 0_2_02DC2A70

Source: mormanti.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mormanti.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: mormanti.exe, 00000000.00000002.203709994.0000000003060000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs mormanti.exe
Source: mormanti.exe, 00000000.00000002.203709994.0000000003060000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs mormanti.exe
Source: mormanti.exe, 00000000.00000002.203665960.0000000003000000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs mormanti.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll

Source: mormanti.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/8@0/81

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:5024:120:WilError_01

Source: C:\Users\user\Desktop\mormanti.exe	Command line argument: schtasks.exe
Source: C:\Users\user\Desktop\mormanti.exe	Command line argument: 4096
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe	Command line argument: schtasks.exe
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe	Command line argument: 4096

Source: mormanti.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mormanti.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\mormanti.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: mormanti.exe	Virustotal: Detection: 74%
Source: mormanti.exe	ReversingLabs: Detection: 82%

Source: unknown	Process created: C:\Users\user\Desktop\mormanti.exe 'C:\Users\user\Desktop\mormanti.exe'
Source: C:\Users\user\Desktop\mormanti.exe	Process created: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mormanti.exe	Process created: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable

Source: C:\Users\user\Desktop\mormanti.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\mormanti.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll

Source: mormanti.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mormanti.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mormanti.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mormanti.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mormanti.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mormanti.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: mormanti.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: mormanti.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb` source: mormanti.exe, 00000000.00000002.203184717.0000000000C14000.00000002.00020000.sdmp, eventvwr.exe, 00000002.00000002.465026006.0000000000C14000.00000002.00020000.sdmp
Source:	Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb`@ source: mormanti.exe
Source:	Binary string: C:\Users\DODO\Pictures\win32_memdc_src\Release\Win32_MemDC.pdb source: mormanti.exe

Source: mormanti.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mormanti.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mormanti.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mormanti.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mormanti.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\mormanti.exe	Code function: 0_2_00C12D89 push ecx; ret
Source: C:\Users\user\Desktop\mormanti.exe	Code function: 0_2_00C13121 push ecx; ret
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe	Code function: 2_2_00C12D89 push ecx; ret
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe	Code function: 2_2_00C13121 push ecx; ret

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Users\user\Desktop\mormanti.exe

Executable created and started: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe

Source: C:\Users\user\Desktop\mormanti.exe

PE file moved: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\mormanti.exe

File opened: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\mormanti.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Show sources

Source: C:\Users\user\Desktop\mormanti.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Source: C:\Windows\System32\svchost.exe TID: 3980

Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\mormanti.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\mormanti.exe

Code function: 0_2_02DC2871 FindFirstFileW,FindNextFileW,FindClose,

Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000006.00000002.466653401.0000022B0E460000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.466637022.0000022B0E453000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.465149550.000001E006C02000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000006.00000002.465518449.0000022B08E29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@aF
Source: svchost.exe, 0000000A.00000002.465212488.000001E006C29000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.465407534.000001C4AD251000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.465492639.0000016AC822A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000005.00000002.227092288.0000025121F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.276841534.000001F85F660000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.291456589.000001F7F1260000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.466345591.000001C4ADF40000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\mormanti.exe

Code function: 0_2_00C1272C IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\mormanti.exe	Code function: 0_2_00C11FF2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mormanti.exe	Code function: 0_2_02DB304D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mormanti.exe	Code function: 0_2_02DB0467 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mormanti.exe	Code function: 0_2_02DB277C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mormanti.exe	Code function: 0_2_02DC370E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mormanti.exe	Code function: 0_2_02DC2E3D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe	Code function: 2_2_00C11FF2 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\mormanti.exe	Code function: 0_2_00C1272C IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe	Code function: 2_2_00C1272C IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

Source: eventvwr.exe, 00000002.00000002.465850573.00000000019E0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.465566691.00000284E1A60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: eventvwr.exe, 00000002.00000002.465850573.00000000019E0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.465566691.00000284E1A60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: eventvwr.exe, 00000002.00000002.465850573.00000000019E0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.465566691.00000284E1A60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: eventvwr.exe, 00000002.00000002.465850573.00000000019E0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.465566691.00000284E1A60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\mormanti.exe

Code function: 0_2_00C12FF8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 00000010.00000002.465576432.0000013FA9502000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.465525101.0000013FA943D000.00000004.00000001.sdmp	Binary or memory string: @\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0.2.mormanti.exe.2db053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.eventvwr.exe.114053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mormanti.exe.2db053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.eventvwr.exe.114053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.465228013.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.203541228.0000000002DC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.203533038.0000000002DB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.465253689.0000000001151000.00000020.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Process Injection2	Masquerading121	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery41	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion2	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol11	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection2	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	System Information Discovery24	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mormanti.exe	75%	Virustotal		Browse
mormanti.exe	82%	ReversingLabs	Win32.Trojan.Emotet
mormanti.exe	100%	Avira	TR/Kryptik.vhuzo

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.eventvwr.exe.c10000.0.unpack	100%	Avira	HEUR/AGEN.1138886	Download File
0.0.mormanti.exe.c10000.0.unpack	100%	Avira	HEUR/AGEN.1138886	Download File
0.2.mormanti.exe.c10000.0.unpack	100%	Avira	HEUR/AGEN.1138886	Download File
2.0.eventvwr.exe.c10000.0.unpack	100%	Avira	HEUR/AGEN.1138886	Download File
0.2.mormanti.exe.2db053f.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.eventvwr.exe.114053f.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://68.183.170.114/nFzrf7w0/EO2pZ/MQ0xve/	0%	Avira URL Cloud	safe
https://fs.microsoft.c	0%	Avira URL Cloud	safe
http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/	0%	Avira URL Cloud	safe
http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/	0%	Avira URL Cloud	safe
http://66.228.49.173:8080/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/s(KF	0%	Avira URL Cloud	safe
http://66.228.49.173/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/	0%	Avira URL Cloud	safe
http://149.62.173.247:8080/kH8ALNiaGV/5bEuMKuJNKlslD3n/rvXy2RpDwZlslOQBeY7/BCLTdgbwF6J8vsIGfDq/jZ9iV	0%	Avira URL Cloud	safe
http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/c	0%	Avira URL Cloud	safe
http://66.228.49.173:8080/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/	0%	Avira URL Cloud	safe
http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/CL:	0%	Avira URL Cloud	safe
http://149.62.173.247/kH8ALNiaGV/5bEuMKuJNKlslD3n/rvXy2RpDwZlslOQBeY7/BCLTdgbwF6J8vsIGfDq/jZ9iV8xFle	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/6O	0%	Avira URL Cloud	safe
http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/:	0%	Avira URL Cloud	safe
http://58.171.153.81/j4XmHhlvX7h4pe/uu11HumRcyQn/3XzJ/ymPM07W/vKmfGodTznrrD/	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://68.183.170.114/nFzrf7w0/EO2pZ/MQ0xve/	eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://fs.microsoft.c	eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp	false		high
http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/	eventvwr.exe, 00000002.00000002.466095172.0000000002ED6000.00000004.00000001.sdmp, eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/	svchost.exe, 00000006.00000002.465692005.0000022B08EA3000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp	false		high
http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/	eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://66.228.49.173:8080/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/s(KF	eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://66.228.49.173/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/	eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp	false		high
http://149.62.173.247:8080/kH8ALNiaGV/5bEuMKuJNKlslD3n/rvXy2RpDwZlslOQBeY7/BCLTdgbwF6J8vsIGfDq/jZ9iV	eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp	false		high
http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/c	eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp	false		high
http://66.228.49.173:8080/TyLIHl4nuj0XCeB/C12IKmccuoQw2U92z/	eventvwr.exe, 00000002.00000003.334420749.00000000034E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000E.00000002.309089370.00000265B8A13000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp	false		high
http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/CL:	eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp	false		high
http://149.62.173.247/kH8ALNiaGV/5bEuMKuJNKlslD3n/rvXy2RpDwZlslOQBeY7/BCLTdgbwF6J8vsIGfDq/jZ9iV8xFle	eventvwr.exe, 00000002.00000003.394916417.00000000034DC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000E.00000002.309140351.00000265B8A3E000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309089370.00000265B8A13000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000E.00000003.286870020.00000265B8A31000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 00000006.00000002.466806888.0000022B0E690000.00000002.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000E.00000003.308695347.00000265B8A45000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309153516.00000265B8A42000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000E.00000003.308721293.00000265B8A3A000.00000004.00000001.sdmp	false		high
http://72.47.248.48:7080/VTzYrEpbArBozqZBhS/6O	eventvwr.exe, 00000002.00000002.467254710.00000000034DB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://68.183.170.114:8080/nFzrf7w0/EO2pZ/MQ0xve/:	eventvwr.exe, 00000002.00000002.466095172.0000000002ED6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000E.00000002.309177417.00000265B8A58000.00000004.00000001.sdmp	false		high
http://58.171.153.81/j4XmHhlvX7h4pe/uu11HumRcyQn/3XzJ/ymPM07W/vKmfGodTznrrD/	eventvwr.exe, 00000002.00000003.334412522.00000000034DC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com	svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000E.00000003.308632739.00000265B8A61000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 0000000B.00000002.465372736.000001C4AD22A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000E.00000003.308646998.00000265B8A5C000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
149.62.173.247	unknown	Spain	50926	INFORTELECOM-ASES	true
191.182.6.118	unknown	Brazil	28573	CLAROSABR	true
104.131.103.37	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
204.225.249.100	unknown	Canada	22652	FIBRENOIRE-INTERNETCA	true
94.176.234.118	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
70.32.84.74	unknown	United States	398110	GO-DADDY-COM-LLCUS	true
177.73.0.98	unknown	Brazil	53184	INBTelecomEIRELIBR	true
12.162.84.2	unknown	United States	7018	ATT-INTERNET4US	true
116.125.120.88	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
58.171.153.81	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
170.81.48.2	unknown	Brazil	263634	TACNETTELECOMBR	true
219.92.13.25	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	true
202.62.39.111	unknown	Cambodia	23673	ONLINE-ASCogetelOnlineCambodiaISPKH	true
209.236.123.42	unknown	United States	393398	ASN-DISUS	true
213.181.91.224	unknown	Spain	49000	TELECABLEJUMILLA-ASES	true
5.196.35.138	unknown	France	16276	OVHFR	true
187.162.248.237	unknown	Mexico	6503	AxtelSABdeCVMX	true
189.2.177.210	unknown	Brazil	4230	CLAROSABR	true
93.151.186.85	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
217.199.160.224	unknown	United Kingdom	20738	GD-EMEA-DC-LD5GB	true
114.109.179.60	unknown	Thailand	17552	TRUE-AS-APTrueInternetCoLtdTH	true
143.0.87.101	unknown	Brazil	263998	MMTelecomBR	true
186.103.141.250	unknown	Chile	15311	TelefonicaEmpresasCL	true
77.90.136.129	unknown	Germany	42821	RAPIDNET-DEHaunstetterStr19DE	true
181.129.96.162	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
50.28.51.143	unknown	United States	32244	LIQUIDWEBUS	true
68.183.190.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
94.206.45.18	unknown	United Arab Emirates	15802	DU-AS1AE	true
190.17.195.202	unknown	Argentina	10318	TelecomArgentinaSAAR	true
73.116.193.136	unknown	United States	7922	COMCAST-7922US	true
82.76.111.249	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	true
189.194.58.119	unknown	Mexico	13999	MegaCableSAdeCVMX	true
80.249.176.206	unknown	Russian Federation	31376	SMART-ASRU	true
145.236.8.174	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	true
191.99.160.58	unknown	Ecuador	27738	EcuadortelecomSAEC	true
217.13.106.14	unknown	Hungary	12301	INVITECHHU	true
147.91.184.91	unknown	Serbia	13092	UB-ASRS	true
68.183.170.114	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
81.198.69.61	unknown	Latvia	12578	APOLLO-ASLatviaLV	true
177.66.190.130	unknown	Brazil	262502	FLYLinkTelecomBR	true
177.72.13.80	unknown	Brazil	52814	INTERNETPLAYLTDABR	true
61.92.159.208	unknown	Hong Kong	9269	HKBN-AS-APHongKongBroadbandNetworkLtdHK	true
178.79.163.131	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
46.28.111.142	unknown	Czech Republic	197019	WEDOSCZ	true
77.55.211.77	unknown	Poland	15967	NAZWAPL	true
190.163.31.26	unknown	Chile	22047	VTRBANDAANCHASACL	true
137.74.106.111	unknown	France	16276	OVHFR	true
172.104.169.32	unknown	United States	63949	LINODE-APLinodeLLCUS	true
72.47.248.48	unknown	United States	31815	MEDIATEMPLEUS	true
181.120.79.227	unknown	Paraguay	23201	TelecelSAPY	true
89.32.150.160	unknown	Romania	43927	HOSTERIONRO	true
104.131.41.185	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
186.250.52.226	unknown	Brazil	262807	RedfoxTelecomunicacoesLtdaBR	true
87.106.46.107	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
177.144.135.2	unknown	Brazil	27699	TELEFONICABRASILSABR	true
217.160.182.191	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
201.213.156.176	unknown	Argentina	10481	TelecomArgentinaSAAR	true
83.169.21.32	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
70.32.115.157	unknown	United States	31815	MEDIATEMPLEUS	true
213.60.96.117	unknown	Spain	12334	Galicia-SpainES	true
212.231.60.98	unknown	Spain	15704	AS15704ES	true
181.36.42.205	unknown	Dominican Republic	28118	ALTICEDOMINICANASADO	true
104.131.103.128	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
190.190.148.27	unknown	Argentina	10481	TelecomArgentinaSAAR	true
190.6.193.152	unknown	Honduras	27884	CABLECOLORSAHN	true
51.255.165.160	unknown	France	16276	OVHFR	true
212.71.237.140	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
185.94.252.27	unknown	Germany	197890	MEGASERVERS-DE	true
2.47.112.152	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
104.236.161.64	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
192.241.143.52	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
192.241.146.84	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
45.161.242.102	unknown	Brazil	268479	AntonioMarcosdosSantos-MEBR	true
66.228.49.173	unknown	United States	63949	LINODE-APLinodeLLCUS	true
190.147.137.153	unknown	Colombia	10620	TelmexColombiaSACO	true
82.196.15.205	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
111.67.12.221	unknown	Australia	55803	DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU	true
177.74.228.34	unknown	Brazil	263652	CMDNETInternetInformaticaLtdaBR	true
91.219.169.180	unknown	Ukraine	52191	LOCALKA-NET-AS	true
185.94.252.12	unknown	Germany	197890	MEGASERVERS-DE	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	449959
Start date:	16.07.2021
Start time:	17:05:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 54s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	mormanti.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/8@0/81
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 40.8% (good quality ratio 34%) Quality average: 59.9% Quality standard deviation: 36.4%
HCA Information:	Successful, ratio: 89% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 20.82.210.154, 52.147.198.201, 104.42.151.234, 23.211.6.115, 20.50.102.62, 23.35.236.56, 40.112.88.60, 8.238.85.126, 67.26.117.254, 8.241.89.254, 8.241.89.126, 8.238.85.254, 80.67.82.235, 80.67.82.211 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:06:35	API Interceptor	2x Sleep call for process: svchost.exe modified
17:07:51	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
149.62.173.247	4IyFGqHAVD.exe	Get hash	malicious	Browse	149.62.173.247:8080/IBsG2ITcQO3MqUs1a/eWW1CTn3/VLHN/zvqFvAYTs8Wn1umCE/
	3svzK4vdKM.exe	Get hash	malicious	Browse	149.62.173.247:8080/V3H3/psfTQ/T6gzY4u9nPfs/
	2ToKPHUu99.exe	Get hash	malicious	Browse	149.62.173.247:8080/87Cxqpcon5mO7BWL/kNWYVSfiQZ1/XJcpkT2gFE/Hco5ZCWlpmRP/zLI7rXAgPV20IUMXnp0/
	kzE7zbx.exe	Get hash	malicious	Browse	149.62.173.247:8080/dlbDdKCLEFM/kILzAtumIq4D8Z50q/
	CKPeR3qE.exe	Get hash	malicious	Browse	149.62.173.247:8080/Gb1SCLpYr1nryoMy/
	FhkjwhQzcCHjL5eJAPSd.exe	Get hash	malicious	Browse	149.62.173.247:8080/O3IlwiDkTOJb9kSszV/
	PWALJSok9Jmx.exe	Get hash	malicious	Browse	149.62.173.247:8080/UEN3UQF/RPhkq/Thdgzp8FPfhtu5Kzeq/jbAoM9TOYekxcG3f/
	XmlHuNZL0oAoQ.exe	Get hash	malicious	Browse	149.62.173.247:8080/09OFIpDnBnX6Ch9VQR/
	zH2RXXcJJRwzkFPvoiO.exe	Get hash	malicious	Browse	149.62.173.247:8080/TUUPUH/g2IoLl6V0MswbJJvtr/zFXxOI/
	List-20200731-79226.doc	Get hash	malicious	Browse	149.62.173.247:8080/gC8G5H3mS6JLGBy7kW/eFDaGGEbn/6oQ6Pr5pkoT/
	LIST-20200731-88494.doc	Get hash	malicious	Browse	149.62.173.247:8080/1COfPTBiLdjTj/3uD573T7jVFWo/
	Rep_20200731.doc	Get hash	malicious	Browse	149.62.173.247:8080/16fP0l2bHkKP/yllWZmZ8qJUp3b5wMA5/8jJDZebNHK64THon/
	messaggio_072020.doc	Get hash	malicious	Browse	149.62.173.247:8080/HwFR5iVEHHADWDZIQtY/JEbgpm3H3Dba/F68osD9sJD6glZa/EYYDB32/uZcdM8DI/ONVv5X8DQM593V/
	File 072020.doc	Get hash	malicious	Browse	149.62.173.247:8080/B4RsHPT/aFO997jDYlKpx/
	SecuriteInfo.com.Emotet-FROC3EC4AC84139.exe	Get hash	malicious	Browse	149.62.173.247:8080/ezcsx8phECXl/oUCR96bNNx/gxL6EXuCo05e1gD/
	SecuriteInfo.com.Emotet-FRO9F97F1034DC9.exe	Get hash	malicious	Browse	149.62.173.247:8080/XBUhtV6sX6/m779xLLC04UeYEs/ScltlmqyP4XZ8/5A8BpJp5AfE/SY44egi1/
	doc-20200730-FFF8570.doc	Get hash	malicious	Browse	149.62.173.247:8080/aXKPKdd3SCmd/
	Rep_20200730_K264404.doc	Get hash	malicious	Browse	149.62.173.247:8080/ynBo0VuXDLlNeLaPaE/
	rep-0168630.doc	Get hash	malicious	Browse	149.62.173.247:8080/6ozhezxENEAqUETEyn/
	00_29_G-087448.doc	Get hash	malicious	Browse	149.62.173.247:8080/J6jxvFJ3SOWdv/80iHzW50w9Thz/N513Uqua/dDyHLa4nW7VJ9x9/
104.131.103.37	2ToKPHUu99.exe	Get hash	malicious	Browse
	tvNMxIhI.exe	Get hash	malicious	Browse
	YpVLv2JU.exe	Get hash	malicious	Browse
204.225.249.100	http://204.225.249.100	Get hash	malicious	Browse	204.225.249.100/favicon.ico

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLAROSABR	i	Get hash	malicious	Browse	189.33.64.216
	Q8qbmLCf1b	Get hash	malicious	Browse	201.65.97.21
	segYCksCNt.exe	Get hash	malicious	Browse	189.103.150.9
	mssecsvr.exe	Get hash	malicious	Browse	179.211.205.91
	fraps.exe	Get hash	malicious	Browse	187.69.114.104
	2126316AB22061FED599E07630759E814DB86A71B0001.exe	Get hash	malicious	Browse	201.80.87.3
	mon117_cr(1).dll	Get hash	malicious	Browse	187.20.217.129
	x86_unpacked	Get hash	malicious	Browse	191.186.71.139
	ppc_unpacked	Get hash	malicious	Browse	179.217.83.5
	ldr.sh	Get hash	malicious	Browse	201.30.209.174
	MGuvcs6Ocz	Get hash	malicious	Browse	189.52.247.3
	z3hir.x86	Get hash	malicious	Browse	201.39.243.114
	YPJ9DZYIpO	Get hash	malicious	Browse	179.211.54.16
	godrop.exe	Get hash	malicious	Browse	189.53.70.50
	SecuriteInfo.com.Heur.4905.xls	Get hash	malicious	Browse	187.20.217.129
	MV9tCJw8Xr.exe	Get hash	malicious	Browse	200.243.153.66
	wEcncyxrEe	Get hash	malicious	Browse	187.68.37.156
	WUHU95Apq3	Get hash	malicious	Browse	179.219.28.135
	oHqMFmPndx.exe	Get hash	malicious	Browse	189.34.127.42
	svchost.exe	Get hash	malicious	Browse	179.216.199.141
DIGITALOCEAN-ASNUS	deepRats.exe	Get hash	malicious	Browse	37.139.8.104
	DpuO7oic9y.exe	Get hash	malicious	Browse	157.245.127.231
	Loader.exe	Get hash	malicious	Browse	157.245.5.40
	Machine Service.xlsx	Get hash	malicious	Browse	188.166.192.89
	Machine Service.xlsx	Get hash	malicious	Browse	188.166.192.89
	c22MANsVPI.xls	Get hash	malicious	Browse	128.199.243.169
	document.xlsm	Get hash	malicious	Browse	138.68.174.10
	document.xlsm	Get hash	malicious	Browse	138.68.174.10
	document.xlsm	Get hash	malicious	Browse	138.68.174.10
	document.xlsm	Get hash	malicious	Browse	138.68.174.10
	lNiby9ahcU.jar	Get hash	malicious	Browse	157.230.10.241
	2UUlKfJYJN.exe	Get hash	malicious	Browse	162.243.173.152
	r3Bdb4R6aX.exe	Get hash	malicious	Browse	68.183.192.109
	P7bm3wqSDh.xls	Get hash	malicious	Browse	128.199.243.169
	T7lwV5Cutg.exe	Get hash	malicious	Browse	178.62.61.85
	RFQ_GS_45_009_GlobalSuppl_.xlsx	Get hash	malicious	Browse	178.62.61.85
	9yW6QklfU7.exe	Get hash	malicious	Browse	178.62.61.85
	SPARE PARTS Provision List.xlsx	Get hash	malicious	Browse	178.62.61.85
	04006279e16979c72a6ffa4266149e911d3f3399183b3.exe	Get hash	malicious	Browse	165.22.105.227
	748dYNDiTO.exe	Get hash	malicious	Browse	68.183.192.109
INFORTELECOM-ASES	005AS7SD44F4H7J7I4D7DF4s44ffg7hj44g4d7d44d.js	Get hash	malicious	Browse	149.62.168.145
	005AS7SD44F4H7J7I4D7DF4s44ffg7hj44g4d7d44d.js	Get hash	malicious	Browse	149.62.168.145
	56UDmImzPe.dll	Get hash	malicious	Browse	31.24.158.56
	PowerShell_Input.ps1	Get hash	malicious	Browse	5.175.41.244
	Sample.doc	Get hash	malicious	Browse	5.175.41.244
	Sample.doc	Get hash	malicious	Browse	5.175.41.244
	3zuPInon2U.dll	Get hash	malicious	Browse	31.24.158.56
	3zuPInon2U.dll	Get hash	malicious	Browse	31.24.158.56
	lZyOllK1Rs.dll	Get hash	malicious	Browse	31.24.158.56
	lZyOllK1Rs.dll	Get hash	malicious	Browse	31.24.158.56
	3ZXUCm62TH.dll	Get hash	malicious	Browse	31.24.158.56
	3ZXUCm62TH.dll	Get hash	malicious	Browse	31.24.158.56
	y3JQD3Xzos.dll	Get hash	malicious	Browse	31.24.158.56
	y3JQD3Xzos.dll	Get hash	malicious	Browse	31.24.158.56
	MmTsqqQREG.dll	Get hash	malicious	Browse	31.24.158.56
	MmTsqqQREG.dll	Get hash	malicious	Browse	31.24.158.56
	ZchEM36552.dll	Get hash	malicious	Browse	31.24.158.56
	yLmDpCx1xp.dll	Get hash	malicious	Browse	31.24.158.56
	dnW1mfW27L.dll	Get hash	malicious	Browse	31.24.158.56
	K0or0EZubp.dll	Get hash	malicious	Browse	31.24.158.56

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5918524708219107
Encrypted:	false
SSDEEP:	6:b8ek1GaD0JOCEfMuaaD0JOCEfMKQmDjjAl/gz2cE0fMbhEZolrRSQ2hyYIIT:b8NGaD0JcaaD0JwQQjjAg/0bjSQJ
MD5:	9EB1288EAAF777CF31B19FC8052D9DDD
SHA1:	D0366555B0FF7D5F716C215B7253373231FE1F4B
SHA-256:	1AB4A321F9958011E0E2AA7DF522A3567EFC956F36513C512EEA3BBA3F7E2F22
SHA-512:	E916EAE79313765EBED1A5A407594EEBAD546A7963C3E6E96FBC869B431BB491C40E973D58FC69D1D9977855B8FAC8002D1C435E855378A1508DF71343C6752E
Malicious:	false
Preview:	....E..h..(.....#....yq.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................#....yq...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x0656ce7e, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09325297057693027
Encrypted:	false
SSDEEP:	6:agAzwl/+z6RIE11Y8TRXuo/Xx1qKIgAzwl/+z6RIE11Y8TRXuo/Xx1qK:aX0++O4blj/h1qKIX0++O4blj/h1qK
MD5:	01DC05B086437F44DADEBE72F42AE6E4
SHA1:	5ED9C40BDF29C734FDB24E80573BFAB46285828A
SHA-256:	88194003F7E242AECDD75F00695B39A37441BF6C57A9812A12F9F7735BD43BA3
SHA-512:	C1CFDEBA81E79AC3C92B208FD5E625E9625D853F518F0114FB6DF66EA1530A87F10A125A99E9E6FF3E6556568B0DC84B4C356173A2362B656E7B81698EDAB9B3
Malicious:	false
Preview:	.V.~... ................e.f.3...w........................&..........w..#....yq.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................t\..#....yqk................M...#....yq.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.10801090337418041
Encrypted:	false
SSDEEP:	3:kE17EvGZ0i0lcSXl/bJdAtizjlD/ill:kE1iGZ0hlc8t4U1G
MD5:	518B806DEB454B700E818B345A95C61C
SHA1:	53C2FB38B4AB68FC2414D36920212E45895260FB
SHA-256:	6F4DEAA5EDE225FB203717C88BAE62EB1EE0789B07C1548185C9338FE5A29C7A
SHA-512:	D17D2469510FA2AA3F080A8EF6C8D2657E0CB6AE65D5930FD08BB94A32CB5C2E0F7844FB991FDED7885E5D209269F718A76844CEA288CBBCBAC71EFA55C18F27
Malicious:	false
Preview:	k........................................3...w..#....yq......w...............w.......w....:O.....w..................M...#....yq.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11017776630826032
Encrypted:	false
SSDEEP:	12:265Xm/Ey6q99954Klq3qQ10nMCldimE8eawHjcmj:26kl68wLyMCldzE9BHjc8
MD5:	D8C933C4D3562115CDA8EC19E4C40BAB
SHA1:	B56A16C4CCB98D25D5DFE0F211C87C28F6BAE8D5
SHA-256:	FAE8B7380E73264FFA75864B9F212C841A62D927153EC739D80DEDB876A482BB
SHA-512:	E75F13F453D4619F7722B799A8CAA47EF12184BFF7394309A12DEF148B5BA7DB20D6EA2A512B27B86B380BF6DE624F68B2AF8408D90F356517888C8524EAD3CA
Malicious:	false
Preview:	........................................................................................t.S......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................=.m.*..... .....-[...z..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P..........S.....................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11280925407263487
Encrypted:	false
SSDEEP:	12:UrXm/Ey6q999549r1z1miM3qQ10nMCldimE8eawHza1miI5Z:/l684h1tMLyMCldzE9BHza1tIn
MD5:	9D91B6F5D908F8FA9457289284D99D90
SHA1:	7FA4F2CC6A51660A2767B533B9629484DD209C00
SHA-256:	348FCA3B1B0151D5A3E0AB8F2EC51DD4404ABDB779CB3319255F5C4B7C7E77CF
SHA-512:	110A3DEE834FB3E03DA0152E809F2CD0A50294CFF62DB8CA2C9E96F9324729840EB44DCCC46D2815F50D14ED61A67CFBE06D5F2550A8FF48DEE6A0F43087CB09
Malicious:	false
Preview:	.........................................................................................nQ......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................=.m.*..... ........z..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.........<yQ.....................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11273590727037369
Encrypted:	false
SSDEEP:	12:U0Xm/Ey6q99954iH0z1mK2P3qQ10nMCldimE8eawHza1mKQe:Al68S1iPLyMCldzE9BHza13
MD5:	0573B48E6E823B072B981744C4EC755A
SHA1:	B0AC5879397474AF40AEE8E06E193A277A89D30C
SHA-256:	CAFED707C6D08E422CC295DD756129A2BDA528D830225142ABD5F4862CEAF3DC
SHA-512:	33F8D03E6DAC4E202ECAFE1D7491E131E8496D25FB8A0DF090EF7397B45350B9DEE82D286BA184EBD0DC319D92CC817AFFCB7CA5B3D1A42340A6156DC78C4F97
Malicious:	false
Preview:	..........................................................................................P......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................=.m.*..... ........z..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P..........1P.....................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.152601704217562
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rABD2iCk9+MlWlLehB4yAq7ejCpBD2iP:OaqdmuF3rg2iV+kWReH4yJ7M42iP
MD5:	2CA5726DE33B7191699EBFEEC4F7210C
SHA1:	0613DF20921345EFB902DFE198764AEF58BF6C9E
SHA-256:	00CFCED40E9C57E6C01FE432F6C4470A9330DE3DD47676C30294BB085A9EC9D5
SHA-512:	9D63083245C34A426097B74D9EF78CE8105CAA5B4CF4586F751C02774B91A2E79873A5B71F9C9694C22325031D6F97B4C617EF223DDC16884F18488E5F5A269A
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. J.u.l. .. 1.6. .. 2.0.2.1. .1.7.:.0.7.:.5.1.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. F.r.i. .. J.u.l. .. 1.6. .. 2.0.2.1. .1.7.:.0.7.:.5.1.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.359134894428257
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mormanti.exe
File size:	102912
MD5:	6c94edfea6e5ee001b00122c9d01bd8a
SHA1:	a8d0cc5088ee86c2be77afe157695d12e951f369
SHA256:	0154d1d06e755bda091168038f25c1dde101e3b77c66f88b73c71be84ffdaf6e
SHA512:	8e4f44f2680feb8fa564a26b3f283ce360d966e01b1585686e6eb23900f5e09d39e3b62b154604972091cc928f99f835ec2e042a5c06d7df29b8c225e3db447f
SSDEEP:	1536:jw9fHY8jOMiep0McpHa74EuSFGMpJ7q06VSE:srOMiep0ZpeuQJmpSE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$~..J-..J-..J-:..-..J-...-..J-...-..J-...-..J-...-..J-.61-..J-..K-..J-...-..J-...-..J-...-..J-Rich..J-.......................

File Icon


Icon Hash:	9a8a808292808000

Static PE Info

General
Entrypoint:	0x402b60
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F325807 [Tue Aug 11 08:34:15 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	c75ae73417f3d8c7926ca2cc9989d6f5

Entrypoint Preview

Instruction
call 00007FA204A14198h
jmp 00007FA204A13A3Ch
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [004061D8h], eax
mov dword ptr [004061D4h], ecx
mov dword ptr [004061D0h], edx
mov dword ptr [004061CCh], ebx
mov dword ptr [004061C8h], esi
mov dword ptr [004061C4h], edi
mov word ptr [004061F0h], ss
mov word ptr [004061E4h], cs
mov word ptr [004061C0h], ds
mov word ptr [004061BCh], es
mov word ptr [004061B8h], fs
mov word ptr [004061B4h], gs
pushfd
pop dword ptr [004061E8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004061DCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004061E0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004061ECh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00406128h], 00010001h
mov eax, dword ptr [004061E0h]
mov dword ptr [004060DCh], eax
mov dword ptr [004060D0h], C0000409h
mov dword ptr [004060D4h], 00000001h
mov eax, dword ptr [00406018h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0040601Ch]
mov dword ptr [ebp-00000324h], eax
call dword ptr [00000068h]

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[IMP] VS2008 build 21022
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x48dc	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7000	0x144c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c000	0x454	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4230	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4450	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4000	0x200	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x243c	0x2600	False	0.655324835526	COM executable for DOS	6.36850956542	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x4000	0x1702	0x1800	False	0.40625	data	5.1131105028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6000	0x648	0x200	False	0.232421875	data	2.09168969639	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x7000	0x144c4	0x14600	False	0.486459930982	data	6.30306243713	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c000	0x70c	0x800	False	0.49853515625	data	4.44276595657	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x7550	0x2e8	data	English	United States
RT_ICON	0x7838	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x7960	0xea8	data	English	United States
RT_ICON	0x8808	0x8a8	data	English	United States
RT_ICON	0x90b0	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x9618	0x25a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0xbbc0	0x10a8	data	English	United States
RT_ICON	0xcc68	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xd0d0	0x2e8	data	English	United States
RT_ICON	0xd3b8	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xd4e0	0xea8	data	English	United States
RT_ICON	0xe388	0x8a8	data	English	United States
RT_ICON	0xec30	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xf198	0x25a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x11740	0x10a8	data	English	United States
RT_ICON	0x127e8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_MENU	0x12c50	0x4a	data	English	United States
RT_DIALOG	0x12c9c	0x140	data	English	United States
RT_STRING	0x12ddc	0x4c	data	English	United States
RT_ACCELERATOR	0x12e28	0x10	data	English	United States
RT_RCDATA	0x12e38	0x8344	data	English	United States
RT_GROUP_ICON	0x1b17c	0x76	data	English	United States
RT_GROUP_ICON	0x1b1f4	0x76	data	English	United States
RT_MANIFEST	0x1b26c	0x256	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	Sleep, InterlockedCompareExchange, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, LoadLibraryExA, GetTickCount64, InterlockedExchange
USER32.dll	LoadIconW, LoadCursorW, RegisterClassExW, CreateWindowExW, ShowWindow, UpdateWindow, SetTimer, PostQuitMessage, DialogBoxParamW, DestroyWindow, DefWindowProcW, SetCapture, PtInRect, ReleaseCapture, BeginPaint, DispatchMessageW, TranslateMessage, TranslateAcceleratorW, GetMessageW, LoadAcceleratorsW, LoadStringW, OffsetRect, DrawTextA, FillRect, InvalidateRect, ReleaseDC, GetDC, GetClientRect, EndPaint, EndDialog
GDI32.dll	CreateSolidBrush, DeleteObject, DeleteDC, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, GetStockObject, SaveDC, RestoreDC, SetBkMode, BitBlt, CreateRectRgnIndirect, CreatePolygonRgn, CombineRgn, SelectClipRgn, Ellipse, Rectangle, CreatePen
MSVCP90.dll	??_D?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z, ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?uncaught_exception@std@@YA_NXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHPBDH@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEXXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?str@?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ, ??0?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@N@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
MSIMG32.dll	AlphaBlend, GradientFill
MSVCR90.dll	_amsg_exit, _CxxThrowException, __CxxFrameHandler3, _controlfp_s, _invoke_watson, _except_handler4_common, ?_type_info_dtor_internal_method@type_info@@QAEXXZ, ?terminate@@YAXXZ, _crt_debugger_hook, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _configthreadlocale, _initterm_e, _initterm, ??1exception@std@@UAE@XZ, ??3@YAXPAX@Z, ??0exception@std@@QAE@XZ, ??0exception@std@@QAE@ABV01@@Z, ??2@YAPAXI@Z, _invalid_parameter_noinfo, srand, rand, _time64, _wcslwr, atoi, _unlock, __dllonexit, _encode_pointer, _lock, _onexit, _decode_pointer, memcpy, __wgetmainargs, _cexit, _exit, _XcptFilter, exit, _wcmdln

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
07/16/21-17:07:12.259592	ICMP	486	ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited	104.131.103.37	192.168.2.3
07/16/21-17:07:15.256691	ICMP	486	ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited	104.131.103.37	192.168.2.3
07/16/21-17:07:21.273124	ICMP	486	ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited	104.131.103.37	192.168.2.3
07/16/21-17:07:42.618824	ICMP	399	ICMP Destination Unreachable Host Unreachable	72.10.63.118	192.168.2.3
07/16/21-17:07:45.806111	ICMP	399	ICMP Destination Unreachable Host Unreachable	72.10.63.118	192.168.2.3
07/16/21-17:07:51.997887	ICMP	399	ICMP Destination Unreachable Host Unreachable	72.10.63.118	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 16, 2021 17:06:20.542170048 CEST	49718	80	192.168.2.3	58.171.153.81
Jul 16, 2021 17:06:23.548013926 CEST	49718	80	192.168.2.3	58.171.153.81
Jul 16, 2021 17:06:29.548536062 CEST	49718	80	192.168.2.3	58.171.153.81
Jul 16, 2021 17:06:44.281224966 CEST	49727	443	192.168.2.3	104.131.103.128
Jul 16, 2021 17:06:44.403786898 CEST	443	49727	104.131.103.128	192.168.2.3
Jul 16, 2021 17:06:44.908982992 CEST	49727	443	192.168.2.3	104.131.103.128
Jul 16, 2021 17:06:45.031189919 CEST	443	49727	104.131.103.128	192.168.2.3
Jul 16, 2021 17:06:45.534087896 CEST	49727	443	192.168.2.3	104.131.103.128
Jul 16, 2021 17:06:45.657490969 CEST	443	49727	104.131.103.128	192.168.2.3
Jul 16, 2021 17:06:48.471726894 CEST	49728	8080	192.168.2.3	66.228.49.173
Jul 16, 2021 17:06:51.472075939 CEST	49728	8080	192.168.2.3	66.228.49.173
Jul 16, 2021 17:06:57.472614050 CEST	49728	8080	192.168.2.3	66.228.49.173
Jul 16, 2021 17:07:12.132922888 CEST	49734	8080	192.168.2.3	104.131.103.37
Jul 16, 2021 17:07:15.130383968 CEST	49734	8080	192.168.2.3	104.131.103.37
Jul 16, 2021 17:07:21.146560907 CEST	49734	8080	192.168.2.3	104.131.103.37
Jul 16, 2021 17:07:35.370628119 CEST	49740	8080	192.168.2.3	149.62.173.247
Jul 16, 2021 17:07:35.438725948 CEST	8080	49740	149.62.173.247	192.168.2.3
Jul 16, 2021 17:07:35.944820881 CEST	49740	8080	192.168.2.3	149.62.173.247
Jul 16, 2021 17:07:36.012451887 CEST	8080	49740	149.62.173.247	192.168.2.3
Jul 16, 2021 17:07:36.523617983 CEST	49740	8080	192.168.2.3	149.62.173.247
Jul 16, 2021 17:07:36.594460011 CEST	8080	49740	149.62.173.247	192.168.2.3
Jul 16, 2021 17:07:40.373577118 CEST	49741	7080	192.168.2.3	72.47.248.48
Jul 16, 2021 17:07:43.382858038 CEST	49741	7080	192.168.2.3	72.47.248.48
Jul 16, 2021 17:07:49.398936987 CEST	49741	7080	192.168.2.3	72.47.248.48
Jul 16, 2021 17:08:04.116400003 CEST	49744	8080	192.168.2.3	68.183.170.114
Jul 16, 2021 17:08:07.103610039 CEST	49744	8080	192.168.2.3	68.183.170.114
Jul 16, 2021 17:08:13.103981018 CEST	49744	8080	192.168.2.3	68.183.170.114

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 16, 2021 17:06:02.333093882 CEST	50200	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:02.398982048 CEST	53	50200	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:02.403018951 CEST	51281	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:02.455171108 CEST	53	51281	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:03.199887991 CEST	49199	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:03.251107931 CEST	53	49199	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:04.301538944 CEST	50620	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:04.360388994 CEST	53	50620	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:05.009922981 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:05.080878973 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:05.522526026 CEST	60152	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:05.575153112 CEST	53	60152	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:06.713778019 CEST	57544	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:06.763395071 CEST	53	57544	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:07.789093018 CEST	55984	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:07.841680050 CEST	53	55984	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:08.611358881 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:08.670780897 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:10.446573019 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:10.504580975 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:11.560636997 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:11.613158941 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:12.701705933 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:12.751097918 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:13.865761995 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:13.920089960 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:16.677190065 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:16.726804018 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:17.607249975 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:17.669481039 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:18.412681103 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:18.466411114 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:19.185880899 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:19.238326073 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:20.020277023 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:20.072833061 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:20.871370077 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:20.925894976 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:22.051337957 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:22.109612942 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:22.853486061 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:22.902765989 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:37.889744043 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:37.957566977 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:39.148256063 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:39.210594893 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:53.667342901 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:53.735356092 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 16, 2021 17:06:57.148108959 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:06:57.205549002 CEST	53	54366	8.8.8.8	192.168.2.3
Jul 16, 2021 17:07:11.947230101 CEST	53034	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:07:12.015654087 CEST	53	53034	8.8.8.8	192.168.2.3
Jul 16, 2021 17:07:15.400922060 CEST	57762	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:07:15.462726116 CEST	53	57762	8.8.8.8	192.168.2.3
Jul 16, 2021 17:07:46.678647041 CEST	55435	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:07:46.753209114 CEST	53	55435	8.8.8.8	192.168.2.3
Jul 16, 2021 17:07:51.150878906 CEST	50713	53	192.168.2.3	8.8.8.8
Jul 16, 2021 17:07:51.219223976 CEST	53	50713	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jul 16, 2021 17:07:12.259592056 CEST	104.131.103.37	192.168.2.3	8f70	(Unknown)	Destination Unreachable
Jul 16, 2021 17:07:15.256690979 CEST	104.131.103.37	192.168.2.3	8f70	(Unknown)	Destination Unreachable
Jul 16, 2021 17:07:21.273123980 CEST	104.131.103.37	192.168.2.3	8f70	(Unknown)	Destination Unreachable

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: mormanti.exe PID: 3412 Parent PID: 5572

General

Start time:	17:06:08
Start date:	16/07/2021
Path:	C:\Users\user\Desktop\mormanti.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\mormanti.exe'
Imagebase:	0xc10000
File size:	102912 bytes
MD5 hash:	6C94EDFEA6E5EE001B00122C9D01BD8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.203541228.0000000002DC1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.203533038.0000000002DB0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: eventvwr.exe PID: 2416 Parent PID: 3412

General

Start time:	17:06:09
Start date:	16/07/2021
Path:	C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\msmpeg2vdec\eventvwr.exe
Imagebase:	0xc10000
File size:	102912 bytes
MD5 hash:	6C94EDFEA6E5EE001B00122C9D01BD8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.465228013.0000000001140000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.465253689.0000000001151000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: svchost.exe PID: 3148 Parent PID: 568

General

Start time:	17:06:15
Start date:	16/07/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 384 Parent PID: 568

General

Start time:	17:06:35
Start date:	16/07/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 2168 Parent PID: 568

General

Start time:	17:06:37
Start date:	16/07/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 5924 Parent PID: 568

General

Start time:	17:06:45
Start date:	16/07/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 4744 Parent PID: 568

General

Start time:	17:06:46
Start date:	16/07/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 4880 Parent PID: 568

General

Start time:	17:06:47
Start date:	16/07/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 1276 Parent PID: 568

General

Start time:	17:06:47
Start date:	16/07/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 4936 Parent PID: 568

General

Start time:	17:06:47
Start date:	16/07/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 5588 Parent PID: 568

General

Start time:	17:06:48
Start date:	16/07/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: SgrmBroker.exe PID: 3468 Parent PID: 568

General

Start time:	17:06:49
Start date:	16/07/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff641450000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 2648 Parent PID: 568

General

Start time:	17:06:49
Start date:	16/07/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: MpCmdRun.exe PID: 4820 Parent PID: 2648

General

Start time:	17:07:50
Start date:	16/07/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff6922b0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5024 Parent PID: 4820

General

Start time:	17:07:50
Start date:	16/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report mormanti.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets