Windows Analysis Report methodsnetsh.exe

Overview

General Information

Sample Name: methodsnetsh.exe
Analysis ID: 450352
MD5: 8e22080fe62e462723d231fe5c8ba98a
SHA1: 8b58fd7bcd7083e5a326e7a04e10c0e0626ac4ca
SHA256: d082395ca1ce0c118edbff1e5bf1b1d4ad2db5aefa5691cc4c15bd94208a3cc0

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Emotet e-Banking trojan
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: methodsnetsh.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: methodsnetsh.exe Virustotal: Detection: 65%
Source: methodsnetsh.exe Metadefender: Detection: 56%
Source: methodsnetsh.exe ReversingLabs: Detection: 86%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash, 1_2_009D207B
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 1_2_009D1FFC
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D1F11 CryptExportKey, 1_2_009D1F11
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash, 1_2_009D215A
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D1F56 CryptGetHashParam, 1_2_009D1F56
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext, 1_2_009D1F75
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EC207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash, 7_2_00EC207B
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EC1FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 7_2_00EC1FFC
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EC1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext, 7_2_00EC1F75
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EC1F11 CryptExportKey, 7_2_00EC1F11
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EC215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash, 7_2_00EC215A
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EC1F56 CryptGetHashParam, 7_2_00EC1F56

Compliance:

Uses 32bit PE files
Source: methodsnetsh.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0042A049 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 0_2_0042A049
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0042A18A lstrlenA,FindFirstFileA,FindClose, 0_2_0042A18A
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0042A049 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 1_2_0042A049
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0042A18A lstrlenA,FindFirstFileA,FindClose, 1_2_0042A18A
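The flag list above (LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED) is the Characteristics word of IMAGE_FILE_HEADER. The following is an added example, not Joe Sandbox code, showing how to read that word directly from a PE image with the standard library; the `build_stub` helper constructs a minimal DOS stub plus PE signature and file header for an offline demonstration, and the bit names and machine IDs are the ones documented in the PE/COFF specification.

```python
"""Decode IMAGE_FILE_HEADER.Characteristics from a PE image.

Added example (not Joe Sandbox's or Emotet's code). build_stub() fabricates a
minimal 88-byte header so the parser can be exercised without a real binary.
"""
import struct

# Subset of IMAGE_FILE_* characteristics bits from the PE/COFF specification.
IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",       # no .reloc: image cannot be rebased (no ASLR)
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x1000: "SYSTEM",
    0x2000: "DLL",
}
MACHINE = {0x014C: "I386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}

FILE_HEADER_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp,
                               # PointerToSymbolTable, NumberOfSymbols,
                               # SizeOfOptionalHeader, Characteristics (20 bytes)


def parse_file_header(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER and decode it."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsections, _ts, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        FILE_HEADER_FMT, data, e_lfanew + 4
    )
    flags = [name for bit, name in sorted(IMAGE_FILE_CHARACTERISTICS.items()) if chars & bit]
    return {
        "machine": MACHINE.get(machine, hex(machine)),
        "sections": nsections,
        "characteristics": flags,
        "is_32bit": bool(chars & 0x0100),
        "is_dll": bool(chars & 0x2000),
        "relocs_stripped": bool(chars & 0x0001),
    }


def build_stub(machine: int = 0x014C, characteristics: int = 0x010F) -> bytes:
    """Constructed minimal header: 64-byte DOS header with e_lfanew=0x40,
    then the PE signature and a 20-byte IMAGE_FILE_HEADER. 0x010F is the
    bit combination that yields the five flags listed in this report."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    file_header = struct.pack(FILE_HEADER_FMT, machine, 4, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    info = parse_file_header(build_stub())
    print(info["machine"], ", ".join(info["characteristics"]))
```

RELOCS_STRIPPED is the flag worth a second look on a sample like this: an image without a relocation table must be mapped at its preferred base, so the loader cannot apply ASLR to it, which is a common trait of packer stubs and of older build tooling. Run the same function over the file on disk (`parse_file_header(open(path, "rb").read())`) to compare against the sandbox's static output.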

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49744 -> 91.250.96.22:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 100.6.23.40
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.3:49728 -> 100.6.23.40:80
Source: global traffic TCP traffic: 192.168.2.3:49736 -> 200.71.200.4:443
Source: global traffic TCP traffic: 192.168.2.3:49742 -> 190.114.244.182:443
Source: unknown TCP traffic detected without corresponding DNS query: 100.6.23.40
Source: unknown TCP traffic detected without corresponding DNS query: 200.71.200.4
Source: unknown TCP traffic detected without corresponding DNS query: 190.114.244.182
Source: unknown TCP traffic detected without corresponding DNS query: 91.250.96.22
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EC1383 InternetReadFile, 7_2_00EC1383
Source: sensorias.exe, 00000007.00000002.468140623.000000000019A000.00000004.00000001.sdmp String found in binary or memory: http://91.250.96.22/LhqjdNLOiM5Uy7n
Source: svchost.exe, 00000008.00000002.470899207.000001A9A7815000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000008.00000002.470899207.000001A9A7815000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000008.00000002.470899207.000001A9A7815000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000008.00000002.470502690.000001A9A7770000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000D.00000002.308922083.000001DEADC13000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000003.307808919.000001DEADC5A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.307770894.000001DEADC49000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000D.00000002.308975544.000001DEADC42000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000D.00000002.308975544.000001DEADC42000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000002.309009360.000001DEADC5C000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.307826390.000001DEADC40000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000D.00000003.307808919.000001DEADC5A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000002.309009360.000001DEADC5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000002.309009360.000001DEADC5C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.307770894.000001DEADC49000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000D.00000003.307792864.000001DEADC61000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.286040373.000001DEADC32000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.471027858.000001A9A7843000.00000004.00000001.sdmp String found in binary or memory: https://fs.microsoft.cH
Source: svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.308922083.000001DEADC13000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.308957499.000001DEADC3D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.307841187.000001DEADC56000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.307841187.000001DEADC56000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.307826390.000001DEADC40000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000D.00000003.307847685.000001DEADC41000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000D.00000003.307770894.000001DEADC49000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
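The two heuristics in this section, a TCP connection to an address that no DNS answer returned and traffic on a port outside the usual web set, are cheap to reproduce from any connection log. The block below is an added example, not Joe Sandbox code: it parses the "TCP traffic" lines printed above, checks each destination against a set of resolved addresses, and flags the hard-coded C2 candidates. The DNS answer and the extra resolved connection to 192.0.2.10 (an RFC 5737 documentation address) are constructed for the negative case; the RFC 1918 exclusion list and the port set are this example's choices.

```python
"""Flag connections to unresolved IPs and to non-standard ports.

Added example, not Joe Sandbox code. The report-line regex, the local-network
exclusions and STANDARD_PORTS are this example's assumptions.
"""
import ipaddress
import re

# "global traffic" lines copied verbatim from this report.
REPORT_TRAFFIC_LINES = [
    "Source: global traffic TCP traffic: 192.168.2.3:49728 -> 100.6.23.40:80",
    "Source: global traffic TCP traffic: 192.168.2.3:49736 -> 200.71.200.4:443",
    "Source: global traffic TCP traffic: 192.168.2.3:49742 -> 190.114.244.182:443",
    "Source: global traffic TCP traffic: 192.168.2.3:49744 -> 91.250.96.22:8080",
]
# Constructed: a DNS answer plus a connection to the resolved address, so the
# negative case is exercised. 192.0.2.10 is an RFC 5737 documentation address.
DNS_ANSWERS = [("ocsp.example.test", "192.0.2.10")]
EXTRA_CONN_LINES = [
    "Source: global traffic TCP traffic: 192.168.2.3:49700 -> 192.0.2.10:80",
]

TRAFFIC_RE = re.compile(r"TCP traffic: (\S+):(\d+) -> (\S+):(\d+)$")
STANDARD_PORTS = {80, 443}
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_connections(lines):
    """Return (src_ip, src_port, dst_ip, dst_port) tuples from report lines;
    lines that are not TCP traffic records are skipped."""
    conns = []
    for line in lines:
        m = TRAFFIC_RE.search(line)
        if m:
            conns.append((m[1], int(m[2]), m[3], int(m[4])))
    return conns


def flag_connections(connections, dns_answers):
    """Return one finding per outbound connection whose destination was never
    returned by a DNS answer and/or uses a port outside STANDARD_PORTS."""
    resolved = {ip for _name, ip in dns_answers}
    findings = []
    for _src, _sport, dst, dport in connections:
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in net for net in LOCAL_NETS):
            continue                       # sandbox-internal traffic, not C2
        reasons = []
        if dst not in resolved:
            reasons.append("no_dns_resolution")
        if dport not in STANDARD_PORTS:
            reasons.append(f"non_standard_port:{dport}")
        if reasons:
            findings.append({"dst": dst, "port": dport, "reasons": reasons})
    return findings


def ioc_addresses(findings):
    """Sorted, de-duplicated destination addresses to feed a blocklist."""
    return sorted({f["dst"] for f in findings})


if __name__ == "__main__":
    conns = parse_connections(REPORT_TRAFFIC_LINES + EXTRA_CONN_LINES)
    for f in flag_connections(conns, DNS_ANSWERS):
        print(f"{f['dst']}:{f['port']}  {' '.join(f['reasons'])}")
```

The 8080 connection to 91.250.96.22 is the one that earns both reasons, and it is also the address that appears in the URL string recovered from sensorias.exe memory, so the two indicators corroborate each other. In a real pipeline the `resolved` set should be built from DNS answers observed before each connection, not from the whole capture, otherwise a late lookup masks an earlier direct-IP connection.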

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: methodsnetsh.exe, 00000000.00000002.205022042.000000000084A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0042CB9E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_0042CB9E
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0042CB9E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_0042CB9E

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009DDE9C 1_2_009DDE9C
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00ECDE9C 7_2_00ECDE9C
Yara detected Emotet
Source: Yara match File source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.methodsnetsh.exe.62053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sensorias.exe.ea053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.sensorias.exe.ab053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.methodsnetsh.exe.6f053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.224911448.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.224082773.0000000000F61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.469150686.0000000000EC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.469102796.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.225065332.00000000009D1000.00000020.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D1F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext, 1_2_009D1F75
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EC1F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext, 7_2_00EC1F75

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.methodsnetsh.exe.62053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 7.2.sensorias.exe.ea053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 6.2.sensorias.exe.ab053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.methodsnetsh.exe.6f053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.224911448.00000000006F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000006.00000002.224082773.0000000000F61000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000007.00000002.469150686.0000000000EC1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000007.00000002.469102796.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.225065332.00000000009D1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Contains functionality to delete services
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009DE068 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle, 1_2_009DE068
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D1D2B CreateProcessAsUserW,CreateProcessW, 1_2_009D1D2B
Creates files inside the system directory
Source: C:\Windows\SysWOW64\sensorias.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\methodsnetsh.exe File deleted: C:\Windows\SysWOW64\sensorias.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0041D2A4 0_2_0041D2A4
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0042DBF6 0_2_0042DBF6
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_00420CE2 0_2_00420CE2
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0041D2A4 1_2_0041D2A4
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0042DBF6 1_2_0042DBF6
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_00420CE2 1_2_00420CE2
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006F30E8 1_2_006F30E8
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006F30E4 1_2_006F30E4
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006F28C1 1_2_006F28C1
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D2F82 1_2_009D2F82
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D37A9 1_2_009D37A9
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D37A5 1_2_009D37A5
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00AB30E8 6_2_00AB30E8
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00AB30E4 6_2_00AB30E4
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00AB28C1 6_2_00AB28C1
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00F637A5 6_2_00F637A5
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00F637A9 6_2_00F637A9
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00F62F82 6_2_00F62F82
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EA30E8 7_2_00EA30E8
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EA30E4 7_2_00EA30E4
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EA28C1 7_2_00EA28C1
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EC37A9 7_2_00EC37A9
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EC37A5 7_2_00EC37A5
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EC2F82 7_2_00EC2F82
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: String function: 0041F843 appears 36 times
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: String function: 00420649 appears 43 times
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: String function: 00431FE2 appears 40 times
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: String function: 0041DC48 appears 90 times
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: String function: 0041D6AC appears 111 times
PE file contains strange resources
Source: methodsnetsh.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: methodsnetsh.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: methodsnetsh.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: methodsnetsh.exe, 00000000.00000002.204812573.0000000000442000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDShowEncoder.EXER vs methodsnetsh.exe
Source: methodsnetsh.exe, 00000001.00000002.224720605.0000000000442000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDShowEncoder.EXER vs methodsnetsh.exe
Source: methodsnetsh.exe, 00000001.00000002.225734467.00000000029E0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs methodsnetsh.exe
Source: methodsnetsh.exe, 00000001.00000002.225734467.00000000029E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs methodsnetsh.exe
Source: methodsnetsh.exe, 00000001.00000002.225577349.00000000028E0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs methodsnetsh.exe
Source: methodsnetsh.exe Binary or memory string: OriginalFilenameDShowEncoder.EXER vs methodsnetsh.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Uses 32bit PE files
Source: methodsnetsh.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.methodsnetsh.exe.62053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 0.2.methodsnetsh.exe.62053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 7.2.sensorias.exe.ea053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 7.2.sensorias.exe.ea053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 6.2.sensorias.exe.ab053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 6.2.sensorias.exe.ab053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.methodsnetsh.exe.6f053f.1.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 1.2.methodsnetsh.exe.6f053f.1.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Emotet_Jan20_1 date = 2020-01-29, hash1 = e7c22ccdb1103ee6bd15c528270f56913bb2f47345b360802b74084563f1b73d, author = Florian Roth, description = Detects Emotet malware, reference = https://app.any.run/tasks/5e81638e-df2e-4a5b-9e45-b07c38d53929/
Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPE Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.224911448.00000000006F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000006.00000002.224082773.0000000000F61000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000007.00000002.469150686.0000000000EC1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000007.00000002.469102796.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.225065332.00000000009D1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: classification engine Classification label: mal96.bank.troj.evad.winEXE@18/7@0/5
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_009DE138
Source: C:\Windows\SysWOW64\sensorias.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 7_2_00ECE138
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D1943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 1_2_009D1943
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_00402170 CoCreateInstance,VariantInit,VariantClear, 0_2_00402170
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_00407190 CoInitialize,FindResourceA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,
SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessa 0_2_00407190
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009DE138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_009DE138
Source: C:\Users\user\Desktop\methodsnetsh.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Windows\SysWOW64\sensorias.exe Mutant created: \BaseNamedObjects\Global\I5ADD31F0
Source: C:\Users\user\Desktop\methodsnetsh.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\I5ADD31F0
Source: C:\Users\user\Desktop\methodsnetsh.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\M5ADD31F0
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3596:120:WilError_01
Source: methodsnetsh.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\methodsnetsh.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\methodsnetsh.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: methodsnetsh.exe Virustotal: Detection: 65%
Source: methodsnetsh.exe Metadefender: Detection: 56%
Source: methodsnetsh.exe ReversingLabs: Detection: 86%
Source: C:\Windows\SysWOW64\sensorias.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\methodsnetsh.exe 'C:\Users\user\Desktop\methodsnetsh.exe'
Source: C:\Users\user\Desktop\methodsnetsh.exe Process created: C:\Users\user\Desktop\methodsnetsh.exe --4a9ea48a
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\SysWOW64\sensorias.exe C:\Windows\SysWOW64\sensorias.exe
Source: C:\Windows\SysWOW64\sensorias.exe Process created: C:\Windows\SysWOW64\sensorias.exe --606904f7
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\methodsnetsh.exe Process created: C:\Users\user\Desktop\methodsnetsh.exe --4a9ea48a
Source: C:\Windows\SysWOW64\sensorias.exe Process created: C:\Windows\SysWOW64\sensorias.exe --606904f7
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\methodsnetsh.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0042D282 LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_0042D282
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0041D3B0 push eax; ret 0_2_0041D3C4
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0041D3B0 push eax; ret 0_2_0041D3EC
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0041DC83 push ecx; ret 0_2_0041DC93
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0041D6AC push eax; ret 0_2_0041D6CA
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0041D3B0 push eax; ret 1_2_0041D3C4
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0041D3B0 push eax; ret 1_2_0041D3EC
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0041DC83 push ecx; ret 1_2_0041DC93
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0041D6AC push eax; ret 1_2_0041D6CA
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006FFD71 push edx; retf 1_2_006FFD80
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006FFD52 push edx; iretd 1_2_006FFD70
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006FFAF1 push edx; retf 1_2_006FFAF8
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006FFAD3 push edx; iretd 1_2_006FFAD4
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006FFB77 push edx; iretd 1_2_006FFB84
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006FFB0F push edx; retf 1_2_006FFB10
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006FFB1A push edx; retf 1_2_006FFB48
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00ABFAF1 push edx; retf 6_2_00ABFAF8
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00ABFAD3 push edx; iretd 6_2_00ABFAD4
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00ABFB0F push edx; retf 6_2_00ABFB10
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00ABFB1A push edx; retf 6_2_00ABFB48
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00ABFD71 push edx; retf 6_2_00ABFD80
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00ABFB77 push edx; iretd 6_2_00ABFB84
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00ABFD52 push edx; iretd 6_2_00ABFD70
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EAFAF1 push edx; retf 7_2_00EAFAF8
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EAFAD3 push edx; iretd 7_2_00EAFAD4
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EAFD71 push edx; retf 7_2_00EAFD80
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EAFB77 push edx; iretd 7_2_00EAFB84
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EAFD52 push edx; iretd 7_2_00EAFD70
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EAFB0F push edx; retf 7_2_00EAFB10
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EAFB1A push edx; retf 7_2_00EAFB48

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\sensorias.exe Executable created and started: C:\Windows\SysWOW64\sensorias.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\methodsnetsh.exe PE file moved: C:\Windows\SysWOW64\sensorias.exe
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009DE138 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 1_2_009DE138

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\methodsnetsh.exe File opened: C:\Windows\SysWOW64\sensorias.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0041BA20 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_0041BA20
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0041ABB0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 0_2_0041ABB0
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0041BA20 IsIconic,GetWindowPlacement,GetWindowRect, 1_2_0041BA20
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0041ABB0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 1_2_0041ABB0
Source: C:\Users\user\Desktop\methodsnetsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\methodsnetsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\methodsnetsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\methodsnetsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\methodsnetsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\methodsnetsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\methodsnetsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sensorias.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sensorias.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sensorias.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sensorias.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sensorias.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sensorias.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\sensorias.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\methodsnetsh.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 1_2_009DDE9C
Source: C:\Windows\SysWOW64\sensorias.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 7_2_00ECDE9C
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\methodsnetsh.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 1708 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\methodsnetsh.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0042A049 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 0_2_0042A049
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0042A18A lstrlenA,FindFirstFileA,FindClose, 0_2_0042A18A
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0042A049 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 1_2_0042A049
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0042A18A lstrlenA,FindFirstFileA,FindClose, 1_2_0042A18A
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0041D1C0 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 0_2_0041D1C0
Source: svchost.exe, 00000008.00000002.471152337.000001A9A7862000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000005.00000002.233084974.0000022060E60000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.282824452.0000028D46D40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.469860522.0000020F48390000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.301200201.0000021FEB340000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000008.00000002.468520785.000001A9A2029000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.233084974.0000022060E60000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.282824452.0000028D46D40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.469860522.0000020F48390000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.301200201.0000021FEB340000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000005.00000002.233084974.0000022060E60000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.282824452.0000028D46D40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.469860522.0000020F48390000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.301200201.0000021FEB340000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000B.00000002.468716637.0000020F47840000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.468505526.00000219B1E2A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000005.00000002.233084974.0000022060E60000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.282824452.0000028D46D40000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.469860522.0000020F48390000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.301200201.0000021FEB340000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\methodsnetsh.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\methodsnetsh.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\methodsnetsh.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\sensorias.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\sensorias.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\sensorias.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\sensorias.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0042D282 LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_0042D282
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_004029B0 mov eax, dword ptr fs:[00000030h] 0_2_004029B0
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_004029B0 mov eax, dword ptr fs:[00000030h] 1_2_004029B0
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006E0350 mov eax, dword ptr fs:[00000030h] 1_2_006E0350
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006F0467 mov eax, dword ptr fs:[00000030h] 1_2_006F0467
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006F0C0C mov eax, dword ptr fs:[00000030h] 1_2_006F0C0C
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006F1743 mov eax, dword ptr fs:[00000030h] 1_2_006F1743
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D12CD mov eax, dword ptr fs:[00000030h] 1_2_009D12CD
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D1E04 mov eax, dword ptr fs:[00000030h] 1_2_009D1E04
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00AA0350 mov eax, dword ptr fs:[00000030h] 6_2_00AA0350
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00AB0C0C mov eax, dword ptr fs:[00000030h] 6_2_00AB0C0C
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00AB0467 mov eax, dword ptr fs:[00000030h] 6_2_00AB0467
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00AB1743 mov eax, dword ptr fs:[00000030h] 6_2_00AB1743
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00F612CD mov eax, dword ptr fs:[00000030h] 6_2_00F612CD
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 6_2_00F61E04 mov eax, dword ptr fs:[00000030h] 6_2_00F61E04
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00BB0350 mov eax, dword ptr fs:[00000030h] 7_2_00BB0350
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EA0467 mov eax, dword ptr fs:[00000030h] 7_2_00EA0467
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EA0C0C mov eax, dword ptr fs:[00000030h] 7_2_00EA0C0C
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EA1743 mov eax, dword ptr fs:[00000030h] 7_2_00EA1743
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EC12CD mov eax, dword ptr fs:[00000030h] 7_2_00EC12CD
Source: C:\Windows\SysWOW64\sensorias.exe Code function: 7_2_00EC1E04 mov eax, dword ptr fs:[00000030h] 7_2_00EC1E04
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_009D14F2 GetProcessHeap,RtlAllocateHeap, 1_2_009D14F2
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0042058B SetUnhandledExceptionFilter, 0_2_0042058B
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0042059F SetUnhandledExceptionFilter, 0_2_0042059F
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0042058B SetUnhandledExceptionFilter, 1_2_0042058B
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_0042059F SetUnhandledExceptionFilter, 1_2_0042059F

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 1_2_006FE1F7 cpuid 1_2_006FE1F7
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 0_2_00430B63
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: GetLocaleInfoA, 0_2_00425C27
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 0_2_004016C0
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 1_2_00430B63
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: GetLocaleInfoA, 1_2_00425C27
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 1_2_004016C0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\methodsnetsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\methodsnetsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\sensorias.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_00421EEF GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00421EEF
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_00422423 __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy, 0_2_00422423
Source: C:\Users\user\Desktop\methodsnetsh.exe Code function: 0_2_0041B88D GetVersionExA, 0_2_0041B88D
Source: C:\Users\user\Desktop\methodsnetsh.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000F.00000002.468702298.000001FDA3A3D000.00000004.00000001.sdmp Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000F.00000002.468733692.000001FDA3B02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 1.2.methodsnetsh.exe.6f053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.methodsnetsh.exe.62053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.methodsnetsh.exe.62053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sensorias.exe.ea053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sensorias.exe.ea053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.sensorias.exe.ab053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.methodsnetsh.exe.6f053f.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.sensorias.exe.ab053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.204962255.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.204989867.00000000007D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.224058115.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.224911448.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.224082773.0000000000F61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.469150686.0000000000EC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.469102796.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.225065332.00000000009D1000.00000020.00000001.sdmp, type: MEMORY