Windows Analysis Report KNEa2w7v3a.exe

Overview

General Information

Sample Name: KNEa2w7v3a.exe
Analysis ID: 463770
MD5: f8adcf71a8c4e5c16d11308dff998ece
SHA1: 2246c5925aca1446078a4cacbafeda7076eb050a
SHA256: 5303823581f2696ae62f21e42a8b0c4d446d2fa9f820e0f04a15992d6a59c59b

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to several IPs in different countries
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: KNEa2w7v3a.exe Avira: detected
Found malware configuration
Source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.unpack Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["190.202.229.74:80", "118.69.11.81:7080", "70.39.251.94:8080", "87.230.25.43:8080", "94.23.62.116:8080", "37.187.161.206:8080", "45.46.37.97:80", "138.97.60.141:7080", "177.144.130.105:8080", "169.1.39.242:80", "209.236.123.42:8080", "202.134.4.210:7080", "193.251.77.110:80", "2.45.176.233:80", "217.13.106.14:8080", "189.223.16.99:80", "190.101.156.139:80", "77.238.212.227:80", "181.58.181.9:80", "37.183.81.217:80", "74.58.215.226:80", "174.118.202.24:443", "168.197.45.36:80", "81.215.230.173:443", "192.175.111.212:7080", "216.47.196.104:80", "128.92.203.42:80", "94.176.234.118:443", "191.182.6.118:80", "212.71.237.140:8080", "24.232.228.233:80", "177.73.0.98:443", "177.23.7.151:80", "24.135.69.146:80", "83.169.21.32:7080", "189.34.181.88:80", "179.222.115.170:80", "177.144.130.105:443", "213.197.182.158:8080", "5.89.33.136:80", "77.78.196.173:443", "120.72.18.91:80", "50.28.51.143:8080", "190.64.88.186:443", "111.67.12.221:8080", "12.162.84.2:8080", "46.105.114.137:8080", "59.148.253.194:8080", "201.213.177.139:80", "82.76.52.155:80", "172.104.169.32:8080", "188.251.213.180:80", "46.43.2.95:8080", "137.74.106.111:7080", "188.135.15.49:80", "185.94.252.27:443", "197.232.36.108:80", "60.249.78.226:8080", "187.162.248.237:80", "181.129.96.162:8080", "46.101.58.37:8080", "109.242.153.9:80", "178.211.45.66:8080", "200.59.6.174:80", "83.103.179.156:80", "172.86.186.21:8080", "70.32.115.157:8080", "81.214.253.80:443", "201.49.239.200:443", "149.202.72.142:7080", "190.45.24.210:80", "186.189.249.2:80", "219.92.13.25:80", "170.81.48.2:80", "51.75.33.127:80", "192.241.143.52:8080", "45.33.77.42:8080", "152.169.22.67:80", "1.226.84.243:8080", "78.206.229.130:80", "37.179.145.105:80", "68.183.170.114:8080", "192.232.229.54:7080", "103.236.179.162:80", "70.32.84.74:8080", "79.118.74.90:80", "60.93.23.51:80", "181.120.29.49:80", "213.52.74.198:80", "51.255.165.160:8080", "183.176.82.231:80", "186.193.229.123:80", "98.103.204.12:443", "129.232.220.11:8080", "181.61.182.143:80", "68.183.190.199:8080", "190.115.18.139:8080", "200.24.255.23:80", "103.13.224.53:80", "85.214.26.7:8080", "190.24.243.186:80", "87.106.46.107:8080", "177.107.79.214:8080", "12.163.208.58:80", "187.162.250.23:443", "109.101.137.162:8080", "82.76.111.249:443", "181.30.61.163:443", "5.196.35.138:7080", "51.15.7.145:80", "192.198.91.138:443", "188.157.101.114:80", "189.2.177.210:443", "181.123.6.86:80", "109.190.35.249:80", "45.16.226.117:443", "190.190.219.184:80", "104.131.41.185:8080", "101.187.81.254:80", "62.84.75.50:80", "178.250.54.208:8080", "201.71.228.86:80", "190.92.122.226:80", "138.97.60.140:8080"]}
Multi AV Scanner detection for submitted file
Source: KNEa2w7v3a.exe Virustotal: Detection: 88%
Source: KNEa2w7v3a.exe Metadefender: Detection: 48%
Source: KNEa2w7v3a.exe ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: KNEa2w7v3a.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 1_2_00401600
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 4_2_00401600
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 5_2_00401600
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02212680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey, 5_2_02212680
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_022122C0 CryptExportKey,CryptDestroyHash,memcpy,CryptEncrypt,RtlAllocateHeap,CryptDuplicateHash,CryptGetHashParam, 5_2_022122C0
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02211FF0 memcpy,CryptDuplicateHash,CryptDestroyHash,RtlAllocateHeap, 5_2_02211FF0

Compliance:

Uses 32bit PE files
Source: KNEa2w7v3a.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02643A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 1_2_02643A20
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_02183A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 4_2_02183A20
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02213A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 5_2_02213A20

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 190.202.229.74:80
Source: Malware configuration extractor IPs: 118.69.11.81:7080
Source: Malware configuration extractor IPs: 70.39.251.94:8080
Source: Malware configuration extractor IPs: 87.230.25.43:8080
Source: Malware configuration extractor IPs: 94.23.62.116:8080
Source: Malware configuration extractor IPs: 37.187.161.206:8080
Source: Malware configuration extractor IPs: 45.46.37.97:80
Source: Malware configuration extractor IPs: 138.97.60.141:7080
Source: Malware configuration extractor IPs: 177.144.130.105:8080
Source: Malware configuration extractor IPs: 169.1.39.242:80
Source: Malware configuration extractor IPs: 209.236.123.42:8080
Source: Malware configuration extractor IPs: 202.134.4.210:7080
Source: Malware configuration extractor IPs: 193.251.77.110:80
Source: Malware configuration extractor IPs: 2.45.176.233:80
Source: Malware configuration extractor IPs: 217.13.106.14:8080
Source: Malware configuration extractor IPs: 189.223.16.99:80
Source: Malware configuration extractor IPs: 190.101.156.139:80
Source: Malware configuration extractor IPs: 77.238.212.227:80
Source: Malware configuration extractor IPs: 181.58.181.9:80
Source: Malware configuration extractor IPs: 37.183.81.217:80
Source: Malware configuration extractor IPs: 74.58.215.226:80
Source: Malware configuration extractor IPs: 174.118.202.24:443
Source: Malware configuration extractor IPs: 168.197.45.36:80
Source: Malware configuration extractor IPs: 81.215.230.173:443
Source: Malware configuration extractor IPs: 192.175.111.212:7080
Source: Malware configuration extractor IPs: 216.47.196.104:80
Source: Malware configuration extractor IPs: 128.92.203.42:80
Source: Malware configuration extractor IPs: 94.176.234.118:443
Source: Malware configuration extractor IPs: 191.182.6.118:80
Source: Malware configuration extractor IPs: 212.71.237.140:8080
Source: Malware configuration extractor IPs: 24.232.228.233:80
Source: Malware configuration extractor IPs: 177.73.0.98:443
Source: Malware configuration extractor IPs: 177.23.7.151:80
Source: Malware configuration extractor IPs: 24.135.69.146:80
Source: Malware configuration extractor IPs: 83.169.21.32:7080
Source: Malware configuration extractor IPs: 189.34.181.88:80
Source: Malware configuration extractor IPs: 179.222.115.170:80
Source: Malware configuration extractor IPs: 177.144.130.105:443
Source: Malware configuration extractor IPs: 213.197.182.158:8080
Source: Malware configuration extractor IPs: 5.89.33.136:80
Source: Malware configuration extractor IPs: 77.78.196.173:443
Source: Malware configuration extractor IPs: 120.72.18.91:80
Source: Malware configuration extractor IPs: 50.28.51.143:8080
Source: Malware configuration extractor IPs: 190.64.88.186:443
Source: Malware configuration extractor IPs: 111.67.12.221:8080
Source: Malware configuration extractor IPs: 12.162.84.2:8080
Source: Malware configuration extractor IPs: 46.105.114.137:8080
Source: Malware configuration extractor IPs: 59.148.253.194:8080
Source: Malware configuration extractor IPs: 201.213.177.139:80
Source: Malware configuration extractor IPs: 82.76.52.155:80
Source: Malware configuration extractor IPs: 172.104.169.32:8080
Source: Malware configuration extractor IPs: 188.251.213.180:80
Source: Malware configuration extractor IPs: 46.43.2.95:8080
Source: Malware configuration extractor IPs: 137.74.106.111:7080
Source: Malware configuration extractor IPs: 188.135.15.49:80
Source: Malware configuration extractor IPs: 185.94.252.27:443
Source: Malware configuration extractor IPs: 197.232.36.108:80
Source: Malware configuration extractor IPs: 60.249.78.226:8080
Source: Malware configuration extractor IPs: 187.162.248.237:80
Source: Malware configuration extractor IPs: 181.129.96.162:8080
Source: Malware configuration extractor IPs: 46.101.58.37:8080
Source: Malware configuration extractor IPs: 109.242.153.9:80
Source: Malware configuration extractor IPs: 178.211.45.66:8080
Source: Malware configuration extractor IPs: 200.59.6.174:80
Source: Malware configuration extractor IPs: 83.103.179.156:80
Source: Malware configuration extractor IPs: 172.86.186.21:8080
Source: Malware configuration extractor IPs: 70.32.115.157:8080
Source: Malware configuration extractor IPs: 81.214.253.80:443
Source: Malware configuration extractor IPs: 201.49.239.200:443
Source: Malware configuration extractor IPs: 149.202.72.142:7080
Source: Malware configuration extractor IPs: 190.45.24.210:80
Source: Malware configuration extractor IPs: 186.189.249.2:80
Source: Malware configuration extractor IPs: 219.92.13.25:80
Source: Malware configuration extractor IPs: 170.81.48.2:80
Source: Malware configuration extractor IPs: 51.75.33.127:80
Source: Malware configuration extractor IPs: 192.241.143.52:8080
Source: Malware configuration extractor IPs: 45.33.77.42:8080
Source: Malware configuration extractor IPs: 152.169.22.67:80
Source: Malware configuration extractor IPs: 1.226.84.243:8080
Source: Malware configuration extractor IPs: 78.206.229.130:80
Source: Malware configuration extractor IPs: 37.179.145.105:80
Source: Malware configuration extractor IPs: 68.183.170.114:8080
Source: Malware configuration extractor IPs: 192.232.229.54:7080
Source: Malware configuration extractor IPs: 103.236.179.162:80
Source: Malware configuration extractor IPs: 70.32.84.74:8080
Source: Malware configuration extractor IPs: 79.118.74.90:80
Source: Malware configuration extractor IPs: 60.93.23.51:80
Source: Malware configuration extractor IPs: 181.120.29.49:80
Source: Malware configuration extractor IPs: 213.52.74.198:80
Source: Malware configuration extractor IPs: 51.255.165.160:8080
Source: Malware configuration extractor IPs: 183.176.82.231:80
Source: Malware configuration extractor IPs: 186.193.229.123:80
Source: Malware configuration extractor IPs: 98.103.204.12:443
Source: Malware configuration extractor IPs: 129.232.220.11:8080
Source: Malware configuration extractor IPs: 181.61.182.143:80
Source: Malware configuration extractor IPs: 68.183.190.199:8080
Source: Malware configuration extractor IPs: 190.115.18.139:8080
Source: Malware configuration extractor IPs: 200.24.255.23:80
Source: Malware configuration extractor IPs: 103.13.224.53:80
Source: Malware configuration extractor IPs: 85.214.26.7:8080
Source: Malware configuration extractor IPs: 190.24.243.186:80
Source: Malware configuration extractor IPs: 87.106.46.107:8080
Source: Malware configuration extractor IPs: 177.107.79.214:8080
Source: Malware configuration extractor IPs: 12.163.208.58:80
Source: Malware configuration extractor IPs: 187.162.250.23:443
Source: Malware configuration extractor IPs: 109.101.137.162:8080
Source: Malware configuration extractor IPs: 82.76.111.249:443
Source: Malware configuration extractor IPs: 181.30.61.163:443
Source: Malware configuration extractor IPs: 5.196.35.138:7080
Source: Malware configuration extractor IPs: 51.15.7.145:80
Source: Malware configuration extractor IPs: 192.198.91.138:443
Source: Malware configuration extractor IPs: 188.157.101.114:80
Source: Malware configuration extractor IPs: 189.2.177.210:443
Source: Malware configuration extractor IPs: 181.123.6.86:80
Source: Malware configuration extractor IPs: 109.190.35.249:80
Source: Malware configuration extractor IPs: 45.16.226.117:443
Source: Malware configuration extractor IPs: 190.190.219.184:80
Source: Malware configuration extractor IPs: 104.131.41.185:8080
Source: Malware configuration extractor IPs: 101.187.81.254:80
Source: Malware configuration extractor IPs: 62.84.75.50:80
Source: Malware configuration extractor IPs: 178.250.54.208:8080
Source: Malware configuration extractor IPs: 201.71.228.86:80
Source: Malware configuration extractor IPs: 190.92.122.226:80
Source: Malware configuration extractor IPs: 138.97.60.140:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 38
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49732 -> 118.69.11.81:7080
Source: global traffic TCP traffic: 192.168.2.3:49734 -> 70.39.251.94:8080
Source: global traffic TCP traffic: 192.168.2.3:49743 -> 87.230.25.43:8080
Source: global traffic TCP traffic: 192.168.2.3:49746 -> 94.23.62.116:8080
Source: global traffic TCP traffic: 192.168.2.3:49747 -> 37.187.161.206:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 81.214.253.80
Source: Joe Sandbox View IP Address: 94.176.234.118
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TTNETTR
Source: Joe Sandbox View ASN Name: RACKRAYUABRakrejusLT
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.3:49723 -> 190.202.229.74:80
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 190.202.229.74
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 118.69.11.81
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 70.39.251.94
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 87.230.25.43
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 94.23.62.116
Source: unknown TCP traffic detected without corresponding DNS query: 37.187.161.206
Source: unknown TCP traffic detected without corresponding DNS query: 37.187.161.206
Source: unknown TCP traffic detected without corresponding DNS query: 37.187.161.206
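The extracted configuration and the connection list under this signature line up: the sandbox saw the bot try 190.202.229.74:80, then 118.69.11.81:7080, 70.39.251.94:8080, 87.230.25.43:8080, 94.23.62.116:8080 and 37.187.161.206:8080, which are the first six entries of the extracted C2 list in that order, each abandoned after the server failed to answer. The Python below is an added example written for this page, not output of Joe Sandbox and not code from the sample: it decodes the extractor's JSON, parses the base64 SubjectPublicKeyInfo by hand to recover the RSA modulus size and public exponent, groups the C2 hosts by port, and maps the observed connections back to their positions in the configured list. The RSA key is copied verbatim from the report; the embedded C2 list is cut to the first eight entries of the report's list; the traffic lines are the six connections listed in the report plus one constructed non-C2 destination (203.0.113.5, an RFC 5737 documentation address); the function names are the example's own.

```python
import base64
import json
import re
from collections import defaultdict

# Configuration as printed by the report's malware configuration extractor.
# The RSA key is verbatim; the C2 list is cut down to the first eight entries
# (the full list is in the report).
EMOTET_CONFIG = r'''{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB", "C2 list": ["190.202.229.74:80", "118.69.11.81:7080", "70.39.251.94:8080", "87.230.25.43:8080", "94.23.62.116:8080", "37.187.161.206:8080", "45.46.37.97:80", "174.118.202.24:443"]}'''

# Outbound TCP connections as listed in the report's networking section, plus one
# constructed non-C2 destination (203.0.113.5 is an RFC 5737 documentation address).
TRAFFIC = [
    "192.168.2.3:49723 -> 190.202.229.74:80",
    "192.168.2.3:49732 -> 118.69.11.81:7080",
    "192.168.2.3:49734 -> 70.39.251.94:8080",
    "192.168.2.3:49743 -> 87.230.25.43:8080",
    "192.168.2.3:49746 -> 94.23.62.116:8080",
    "192.168.2.3:49747 -> 37.187.161.206:8080",
    "192.168.2.3:49750 -> 203.0.113.5:443",
]

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
TRAFFIC_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """Parse a SubjectPublicKeyInfo holding an rsaEncryption key; return (modulus, exponent)."""
    tag, spki, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, algid, pos = _der_tlv(spki, 0)          # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    oid_tag, oid, _ = _der_tlv(algid, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_tlv(spki, pos)         # subjectPublicKey BIT STRING; first byte = unused bits
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    tag, rsapub, _ = _der_tlv(bitstr, 1)         # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    n_tag, n_bytes, pos = _der_tlv(rsapub, 0)
    e_tag, e_bytes, _ = _der_tlv(rsapub, pos)
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("unexpected RSAPublicKey structure")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def load_config(text):
    """Turn the extractor's JSON into usable IOCs: key size, exponent and (host, port) C2 pairs."""
    cfg = json.loads(text)
    # b64decode silently drops the newlines the extractor left inside the key string.
    n, e = parse_rsa_spki(base64.b64decode(cfg["RSA Public Key"]))
    c2 = []
    for entry in cfg["C2 list"]:
        host, port = entry.rsplit(":", 1)
        c2.append((host, int(port)))
    return {"modulus_bits": n.bit_length(), "exponent": e, "c2": c2}


def c2_by_port(c2):
    """Group C2 hosts by port so the non-standard ports (7080, 8080) can be blocked as a set."""
    groups = defaultdict(list)
    for host, port in c2:
        groups[port].append(host)
    return dict(groups)


def contacted_c2(traffic_lines, c2):
    """Map each observed destination to its index in the configured C2 list (None if not a C2).
    Ascending indices show the bot walking its embedded list from the top after each failure."""
    index = {entry: i for i, entry in enumerate(c2)}
    hits = []
    for line in traffic_lines:
        m = TRAFFIC_RE.search(line)
        if m:
            dst = (m.group(3), int(m.group(4)))
            hits.append((dst, index.get(dst)))
    return hits


if __name__ == "__main__":
    cfg = load_config(EMOTET_CONFIG)
    print(f"RSA-{cfg['modulus_bits']} e={cfg['exponent']}, {len(cfg['c2'])} C2 entries")
    for port, hosts in sorted(c2_by_port(cfg["c2"]).items()):
        print(f"port {port}: {', '.join(hosts)}")
    for dst, idx in contacted_c2(TRAFFIC, cfg["c2"]):
        print(f"{dst[0]}:{dst[1]} -> C2 index {idx}")
```

The key in this configuration decodes to a 768-bit RSA modulus with e=65537; the DER bytes, or a hash of them, are a more durable pivot than any single address in the list, because the same key recurs across samples that report to the same botnet tier while the C2 addresses churn. The index mapping is the check worth keeping: when every observed destination resolves to ascending positions in the configured list, the traffic is the bot iterating its embedded list after failures, which is exactly what the "all servers are down" verdict above describes.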
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp String found in binary or memory: http://118.69.11.81:7080/cLGKs29k/
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp String found in binary or memory: http://118.69.11.81:7080/cLGKs29k/$
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp String found in binary or memory: http://118.69.11.81:7080/cLGKs29k/0
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000003.295761237.000000000232D000.00000004.00000001.sdmp String found in binary or memory: http://190.202.229.74/u2xUhDP9gvOFSFief0/IRiW/IMV8TOoDabstev/
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000003.295761237.000000000232D000.00000004.00000001.sdmp String found in binary or memory: http://190.202.229.74/u2xUhDP9gvOFSFief0/IRiW/IMV8TOoDabstev/N
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp String found in binary or memory: http://37.187.161.206:8080/AJT6ih/yjZb/vgDNbB0LE6VNEd/
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp String found in binary or memory: http://70.39.251.94:8080/blOro9t0iLZ/z7z
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp String found in binary or memory: http://70.39.251.94:8080/blOro9t7
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471741562.0000000002314000.00000004.00000001.sdmp String found in binary or memory: http://94.23.62.116:8080/TkDGGoG/EjmXKjEQOJnYdPvRd/
Source: svchost.exe, 00000008.00000002.473175094.0000025EF6612000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000008.00000002.473175094.0000025EF6612000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000008.00000002.473175094.0000025EF6612000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000008.00000002.471064115.0000025EF0EA8000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/
Source: svchost.exe, 00000008.00000002.471064115.0000025EF0EA8000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: svchost.exe, 00000008.00000002.471064115.0000025EF0EA8000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000008.00000002.472934812.0000025EF6490000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000E.00000002.309780751.000001EB87013000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.309511986.000001EB87049000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.309574519.000001EB87050000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 0000000E.00000003.309511986.000001EB87049000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309832163.000001EB8704B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.309483788.000001EB87063000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.309511986.000001EB87049000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.309490703.000001EB87060000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.309815274.000001EB8703D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309780751.000001EB87013000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.309526286.000001EB87040000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.287574224.000001EB87030000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000003.309574519.000001EB87050000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: KNEa2w7v3a.exe, 00000001.00000002.205452158.000000000069A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 4.2.wiaacmgr.exe.20c052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.wiaacmgr.exe.2180000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KNEa2w7v3a.exe.223279e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KNEa2w7v3a.exe.223052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KNEa2w7v3a.exe.223052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f279e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.wiaacmgr.exe.20c052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.2210000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KNEa2w7v3a.exe.2640000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.wiaacmgr.exe.20c279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.wiaacmgr.exe.20c279e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KNEa2w7v3a.exe.223279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.471191876.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.206004453.0000000002641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.210049440.0000000002181000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.205611516.0000000002294000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.471538485.0000000002211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.209938070.0000000002124000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.471462272.00000000021B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.205562844.0000000002230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.209835926.00000000020C0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02212680 CryptCreateHash,CryptAcquireContextW,RtlAllocateHeap,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptGenKey, 5_2_02212680

System Summary:

Contains functionality to delete services
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_021891E0 OpenSCManagerW,CloseServiceHandle,DeleteService,CloseServiceHandle, 4_2_021891E0
Creates files inside the system directory
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe File created: C:\Windows\SysWOW64\rdvgogl32\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe File deleted: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02648330 1_2_02648330
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_026486F0 1_2_026486F0
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02646860 1_2_02646860
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02647B30 1_2_02647B30
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02643CE0 1_2_02643CE0
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02643EE0 1_2_02643EE0
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_026442C9 1_2_026442C9
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_026441B7 1_2_026441B7
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02644190 1_2_02644190
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02235E67 1_2_02235E67
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02235A7E 1_2_02235A7E
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_0223A28E 1_2_0223A28E
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_022396CE 1_2_022396CE
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02239ECE 1_2_02239ECE
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_022383FE 1_2_022383FE
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_0223587E 1_2_0223587E
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02235D2E 1_2_02235D2E
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02235D55 1_2_02235D55
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_02188330 4_2_02188330
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_021886F0 4_2_021886F0
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_02187B30 4_2_02187B30
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_02186860 4_2_02186860
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_02184190 4_2_02184190
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_021841B7 4_2_021841B7
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_021842C9 4_2_021842C9
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_02183CE0 4_2_02183CE0
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_02183EE0 4_2_02183EE0
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_020C5E67 4_2_020C5E67
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_020C5A7E 4_2_020C5A7E
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_020CA28E 4_2_020CA28E
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_020C96CE 4_2_020C96CE
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_020C9ECE 4_2_020C9ECE
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_020C83FE 4_2_020C83FE
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_020C587E 4_2_020C587E
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_020C5D2E 4_2_020C5D2E
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_020C5D55 4_2_020C5D55
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_022186F0 5_2_022186F0
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02218330 5_2_02218330
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02217B30 5_2_02217B30
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02216860 5_2_02216860
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_022141B7 5_2_022141B7
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02214190 5_2_02214190
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02213CE0 5_2_02213CE0
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02213EE0 5_2_02213EE0
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_022142C9 5_2_022142C9
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_020F5E67 5_2_020F5E67
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_020F5A7E 5_2_020F5A7E
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_020FA28E 5_2_020FA28E
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_020F96CE 5_2_020F96CE
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_020F9ECE 5_2_020F9ECE
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_020F83FE 5_2_020F83FE
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_020F587E 5_2_020F587E
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_020F5D2E 5_2_020F5D2E
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_020F5D55 5_2_020F5D55
PE file contains strange resources
Source: KNEa2w7v3a.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: KNEa2w7v3a.exe, 00000001.00000002.206292457.0000000002A10000.00000002.00000001.sdmp Binary or memory string: originalfilename vs KNEa2w7v3a.exe
Source: KNEa2w7v3a.exe, 00000001.00000002.206292457.0000000002A10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs KNEa2w7v3a.exe
Source: KNEa2w7v3a.exe, 00000001.00000002.206154268.0000000002920000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs KNEa2w7v3a.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Uses 32bit PE files
Source: KNEa2w7v3a.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: classification engine Classification label: mal96.troj.evad.winEXE@21/11@0/100
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle, 1_2_02648CA0
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: CreateServiceW,CloseServiceHandle,_snwprintf,HeapFree,OpenSCManagerW,CloseServiceHandle, 4_2_02188CA0
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02214FD0 Process32NextW,Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,FindCloseChangeNotification, 5_2_02214FD0
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02645390 ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap, 1_2_02645390
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1396:120:WilError_01
Source: KNEa2w7v3a.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: KNEa2w7v3a.exe Virustotal: Detection: 88%
Source: KNEa2w7v3a.exe Metadefender: Detection: 48%
Source: KNEa2w7v3a.exe ReversingLabs: Detection: 96%
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\Desktop\KNEa2w7v3a.exe 'C:\Users\user\Desktop\KNEa2w7v3a.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Process created: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Process created: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 1_2_00401600
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02646240 push ecx; mov dword ptr [esp], 00008F23h 1_2_02646241
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02646140 push ecx; mov dword ptr [esp], 00004AF2h 1_2_02646141
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02646320 push ecx; mov dword ptr [esp], 00009128h 1_2_02646321
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02646220 push ecx; mov dword ptr [esp], 00004B50h 1_2_02646221
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_026460F0 push ecx; mov dword ptr [esp], 0000A172h 1_2_026460F1
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_026462D0 push ecx; mov dword ptr [esp], 00001969h 1_2_026462D1
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_026461D0 push ecx; mov dword ptr [esp], 00004B56h 1_2_026461D1
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_026462A0 push ecx; mov dword ptr [esp], 0000BFAAh 1_2_026462A1
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_026461B0 push ecx; mov dword ptr [esp], 000003A6h 1_2_026461B1
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02646180 push ecx; mov dword ptr [esp], 0000D106h 1_2_02646181
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02646090 push ecx; mov dword ptr [esp], 0000BAD9h 1_2_02646091
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02237E3E push ecx; mov dword ptr [esp], 0000BFAAh 1_2_02237E3F
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02237E6E push ecx; mov dword ptr [esp], 00001969h 1_2_02237E6F
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02237EBE push ecx; mov dword ptr [esp], 00009128h 1_2_02237EBF
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_0223FF7E push esp; retf 1_2_0223FF7F
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_0224C7B2 push edi; iretd 1_2_0224C7B3
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_0224ABBE push edi; iretd 1_2_0224ABBF
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_022457F0 push eax; ret 1_2_022457F3
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_022493C6 push ecx; retf 1_2_022493C7
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02248FCA push ecx; retf 1_2_02248FCB
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02237C2E push ecx; mov dword ptr [esp], 0000BAD9h 1_2_02237C2F
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02240404 push C9686868h; iretd 1_2_02240409
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02237C8E push ecx; mov dword ptr [esp], 0000A172h 1_2_02237C8F
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02237CDE push ecx; mov dword ptr [esp], 00004AF2h 1_2_02237CDF
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02237D1E push ecx; mov dword ptr [esp], 0000D106h 1_2_02237D1F
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02237D6E push ecx; mov dword ptr [esp], 00004B56h 1_2_02237D6F
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02237D4E push ecx; mov dword ptr [esp], 000003A6h 1_2_02237D4F
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02237DBE push ecx; mov dword ptr [esp], 00004B50h 1_2_02237DBF
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02237DDE push ecx; mov dword ptr [esp], 00008F23h 1_2_02237DDF
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_02186320 push ecx; mov dword ptr [esp], 00009128h 4_2_02186321
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_02186220 push ecx; mov dword ptr [esp], 00004B50h 4_2_02186221
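Every `push ecx; mov dword ptr [esp], imm32` pair listed above is an 8-byte sequence (51 C7 04 24 imm32) whose net effect is `push imm32` written without the 68 opcode. The Python below is an added example, not part of this report or of the sample, that recovers those constants from raw code bytes and optionally rewrites each pair into a plain push so a disassembler shows it as one instruction. The test bytes are constructed and only reuse constants that appear in the listing; what the sample does with the pushed values is not stated in the report.

```python
"""Scanner for the `push ecx; mov dword ptr [esp], imm32` idiom.

Added example for this report, not part of the sandbox output or of the
sample. Encoding (Intel SDM):
    51                      push ecx
    C7 04 24 <imm32 LE>     mov dword ptr [esp], imm32
Together the 8 bytes behave exactly like `push imm32` (opcode 68), so a
signature or script that only looks for 68 xx xx xx xx misses the constant.
"""
from typing import List, Tuple

IDIOM_PREFIX = b"\x51\xC7\x04\x24"   # push ecx ; mov dword ptr [esp], ...
IDIOM_LEN = 8                        # 1 (push) + 3 (mov opcode/ModRM/SIB) + 4 (imm32)


def find_disguised_push(code: bytes, base: int = 0) -> List[Tuple[int, int]]:
    """Return (address, immediate) for each occurrence of the idiom in `code`.

    A lone `push ecx` (0x51) that is not followed by the mov is skipped, so
    ordinary register pushes do not produce hits.
    """
    hits = []
    i = 0
    while i + IDIOM_LEN <= len(code):
        if code[i:i + 4] == IDIOM_PREFIX:
            imm = int.from_bytes(code[i + 4:i + 8], "little")
            hits.append((base + i, imm))
            i += IDIOM_LEN
        else:
            i += 1
    return hits


def rewrite_as_push(code: bytes) -> bytes:
    """Replace each idiom with the equivalent `push imm32` (68 imm32) plus three
    NOPs, so the patched bytes keep their length and later offsets stay valid.
    Feeding the result to a disassembler shows the constant as a plain push."""
    out = bytearray(code)
    for off, imm in find_disguised_push(code):
        out[off:off + IDIOM_LEN] = b"\x68" + imm.to_bytes(4, "little") + b"\x90\x90\x90"
    return bytes(out)


# Constructed test bytes (not taken from the sample): three idioms carrying
# constants that appear in the report, a call, and one decoy bare `push ecx`.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"                                   # push ebp; mov ebp, esp
    + IDIOM_PREFIX + (0x8F23).to_bytes(4, "little")   # push ecx; mov [esp], 8F23h
    + b"\xE8\x10\x00\x00\x00"                         # call rel32 (target irrelevant)
    + b"\x51"                                         # bare push ecx (must not match)
    + IDIOM_PREFIX + (0x4AF2).to_bytes(4, "little")
    + IDIOM_PREFIX + (0x9128).to_bytes(4, "little")
    + b"\x5D\xC3"                                     # pop ebp; ret
)

if __name__ == "__main__":
    for addr, imm in find_disguised_push(SAMPLE_CODE, base=0x401000):
        print(f"{addr:08X}: push ecx; mov dword ptr [esp], {imm:08X}h")
```

Run on a dumped code section (for instance the unpacked regions the Yara matches above point at) with `base` set to the region's load address, the printed addresses line up with the ones in the listing; `rewrite_as_push` is length-preserving on purpose so the output can be fed back to a disassembler without shifting any later offsets.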

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Executable created and started: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Executable created and started: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe PE file moved: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe
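The two signatures above, together with the process list in the System Summary, describe one chain: the sample writes wiaacmgr.exe into a new SysWOW64 subfolder and starts it, and that process repeats the step for Windows.Media.Playback.MediaPlayer.exe. The Python below is an added example of re-deriving that finding from a process and file event trace such as a Sysmon or EDR export; it is not Joe Sandbox's signature logic. The image paths are the ones the report lists, while the PIDs, the parent of the sample and the event ordering are constructed.

```python
r"""Process-chain check for "drops an executable into C:\Windows and starts it".

Added example for this report; it is not Joe Sandbox's signature code.
Input is a chronological list of simple event dicts of the kind a Sysmon or
EDR export yields. PIDs and the event ordering below are constructed; the
image paths are the ones the report lists.
"""
from collections import defaultdict
from typing import Dict, List, Set

WINDOWS_DIR = "c:\\windows\\"


def tainted_pids(events: List[Dict], root_pid: int) -> Set[int]:
    """PIDs of the root process and everything it (transitively) spawned."""
    children = defaultdict(list)
    for e in events:
        if e["type"] == "process":
            children[e["ppid"]].append(e["pid"])
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children[pid])
    return seen


def dropped_and_started(events: List[Dict], root_pid: int) -> List[Dict]:
    r"""Executables written under C:\Windows by the tainted chain and later
    launched by a tainted process. Paths are compared case-insensitively
    because NTFS is; a copy and a move both count as a write."""
    tainted = tainted_pids(events, root_pid)
    written: Dict[str, int] = {}          # lowercased path -> writer pid
    findings = []
    for e in events:                      # chronological order matters
        if e["type"] == "file_write" and e["pid"] in tainted:
            path = e["path"].lower()
            if path.startswith(WINDOWS_DIR):
                written[path] = e["pid"]
        elif e["type"] == "process" and e["ppid"] in tainted:
            path = e["image"].lower()
            if path in written:
                findings.append({"image": e["image"], "pid": e["pid"],
                                 "written_by": written[path], "started_by": e["ppid"]})
    return findings


# Constructed trace modelled on the report's process list. The report records
# the first drop as "PE file moved"; a move lands a new file at the
# destination just as a copy does, so both are represented as file_write.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 800, "ppid": 600,
     "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process", "pid": 1200, "ppid": 1000,
     "image": r"C:\Users\user\Desktop\KNEa2w7v3a.exe"},
    {"type": "file_write", "pid": 1200,
     "path": r"C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe"},
    {"type": "process", "pid": 1300, "ppid": 1200,
     "image": r"C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe"},
    {"type": "file_write", "pid": 1300,
     "path": r"C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe"},
    {"type": "process", "pid": 1400, "ppid": 1300,
     "image": r"C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe"},
    # Unrelated system activity from the same trace: svchost launching Defender.
    {"type": "process", "pid": 900, "ppid": 800,
     "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe"},
]

if __name__ == "__main__":
    for f in dropped_and_started(SAMPLE_EVENTS, root_pid=1200):
        print(f"pid {f['pid']} {f['image']} "
              f"(written by {f['written_by']}, started by {f['started_by']})")
```

Starting the taint at the submitted sample yields both dropped binaries and nothing else from the trace; starting it at the unrelated svchost.exe yields nothing, which is the property a detection of this shape needs so that legitimate installers running under SYSTEM do not fire on every service start.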

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe File opened: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe File opened: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
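The Zone.Identifier stream the sample opens with delete access is the mark of the web: an INI-style alternate data stream in which Windows records the URL security zone a downloaded file came from. The Python below is an added example, not from the report or the sample, that decodes such a stream and decides whether Windows would treat the origin as untrusted, which is the judgement the sample removes by deleting the stream. The sample stream and its URLs are constructed; `read_motw` only works on Windows, where an ADS can be opened by name.

```python
r"""Decoder for the Zone.Identifier alternate data stream that the sample deletes.

Added example for this report, not part of the sandbox output or the sample.
Windows writes the stream as an INI fragment on files saved from a browser or
mail client; the layout and the URLZONE_* numbering are from the Windows SDK.
The sample stream at the bottom is constructed.
"""
import configparser
from typing import Dict, Optional

URL_ZONES = {
    0: "URLZONE_LOCAL_MACHINE",
    1: "URLZONE_INTRANET",
    2: "URLZONE_TRUSTED",
    3: "URLZONE_INTERNET",
    4: "URLZONE_UNTRUSTED",
}


def parse_zone_identifier(stream: Optional[bytes]) -> Optional[Dict]:
    """Parse the raw bytes of '<file>:Zone.Identifier'.

    Returns None when the stream is absent, empty or malformed (no usable
    mark-of-the-web), otherwise the zone id, its SDK name and the optional
    origin URLs."""
    if not stream:
        return None
    # Normalise CRLF and parse as INI; '=' is the only delimiter so the ':'
    # inside URLs is never mistaken for a key/value separator.
    text = "\n".join(stream.decode("utf-8", "replace").splitlines())
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                     # keep ZoneId/HostUrl case as written
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone_id = int(sec.get("ZoneId", ""))
    except ValueError:
        return None
    return {
        "zone_id": zone_id,
        "zone": URL_ZONES.get(zone_id, "unknown"),
        "referrer": sec.get("ReferrerUrl"),
        "host": sec.get("HostUrl"),
    }


def is_untrusted_origin(info: Optional[Dict]) -> bool:
    """True for the zones Windows treats as untrusted (Internet, Restricted),
    the ones that trigger the download warning before execution. Deleting
    the stream, as the sample does, makes this False for the dropped file."""
    return info is not None and info["zone_id"] >= 3


def read_motw(path: str) -> Optional[bytes]:
    """Windows-only: read the stream off a real file; None if it has none."""
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed example stream (placeholder URLs, not taken from the report).
SAMPLE_STREAM = (
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://downloads.example.invalid/\r\n"
    b"HostUrl=https://downloads.example.invalid/KNEa2w7v3a.exe\r\n"
)

if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(info, "untrusted" if is_untrusted_origin(info) else "trusted")
```

On a live host the same check applied to the two dropped files (`read_motw(r"C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe")`) returns None, because the stream was deleted; files that were genuinely built or installed locally also have no stream, so absence of a mark is only meaningful together with the file-creation history.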

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap, 1_2_02645390
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: ChangeServiceConfig2W,RtlAllocateHeap,QueryServiceConfig2W,CloseServiceHandle,EnumServicesStatusExW,GetTickCount,RtlAllocateHeap,RtlAllocateHeap,HeapFree,RtlFreeHeap, 4_2_02185390
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5324 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02643A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 1_2_02643A20
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_02183A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 4_2_02183A20
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02213A20 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,HeapFree,FindClose, 5_2_02213A20
Source: svchost.exe, 00000000.00000002.213106663.0000020957140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.267287663.000002BEE2540000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.281179657.000001B9D22C0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.471621326.0000011E04D40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000008.00000002.473254655.0000025EF6662000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.470791785.0000014583002000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471772635.0000000002334000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.473241462.0000025EF6655000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000000.00000002.213106663.0000020957140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.267287663.000002BEE2540000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.281179657.000001B9D22C0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.471621326.0000011E04D40000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000000.00000002.213106663.0000020957140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.267287663.000002BEE2540000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.281179657.000001B9D22C0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.471621326.0000011E04D40000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.471741562.0000000002314000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.470876694.0000014583029000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.470415860.0000011E0423E000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.470969487.0000023C4462A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000000.00000002.213106663.0000020957140000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.267287663.000002BEE2540000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.281179657.000001B9D22C0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.471621326.0000011E04D40000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 1_2_00401600
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_00401600 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,EncryptFileA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,LoadIconA,LoadCursorA,GetStockObject,RegisterClassA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,CreateWindowExA,ShowWindow,UpdateWindow,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,TranslateMessage,DispatchMessageA,GetMessageA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 1_2_00401600
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02645140 mov eax, dword ptr fs:[00000030h] 1_2_02645140
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02644190 mov eax, dword ptr fs:[00000030h] 1_2_02644190
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02230456 mov eax, dword ptr fs:[00000030h] 1_2_02230456
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02236CDE mov eax, dword ptr fs:[00000030h] 1_2_02236CDE
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02235D2E mov eax, dword ptr fs:[00000030h] 1_2_02235D2E
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_0223095E mov eax, dword ptr fs:[00000030h] 1_2_0223095E
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02291030 mov eax, dword ptr fs:[00000030h] 1_2_02291030
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_02185140 mov eax, dword ptr fs:[00000030h] 4_2_02185140
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_02184190 mov eax, dword ptr fs:[00000030h] 4_2_02184190
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_020C0456 mov eax, dword ptr fs:[00000030h] 4_2_020C0456
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_020C6CDE mov eax, dword ptr fs:[00000030h] 4_2_020C6CDE
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_020C5D2E mov eax, dword ptr fs:[00000030h] 4_2_020C5D2E
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_020C095E mov eax, dword ptr fs:[00000030h] 4_2_020C095E
Source: C:\Windows\SysWOW64\rdvgogl32\wiaacmgr.exe Code function: 4_2_02121030 mov eax, dword ptr fs:[00000030h] 4_2_02121030
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02215140 mov eax, dword ptr fs:[00000030h] 5_2_02215140
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02214190 mov eax, dword ptr fs:[00000030h] 5_2_02214190
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_020F0456 mov eax, dword ptr fs:[00000030h] 5_2_020F0456
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_020F6CDE mov eax, dword ptr fs:[00000030h] 5_2_020F6CDE
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_020F5D2E mov eax, dword ptr fs:[00000030h] 5_2_020F5D2E
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_020F095E mov eax, dword ptr fs:[00000030h] 5_2_020F095E
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_021B1030 mov eax, dword ptr fs:[00000030h] 5_2_021B1030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\KNEa2w7v3a.exe Code function: 1_2_02291030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 1_2_02291030
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.470961494.0000000000CE0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471126263.0000027F89190000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.470961494.0000000000CE0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471126263.0000027F89190000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.470961494.0000000000CE0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471126263.0000027F89190000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Windows.Media.Playback.MediaPlayer.exe, 00000005.00000002.470961494.0000000000CE0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471126263.0000027F89190000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Code function: 5_2_02215720 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo, 5_2_02215720
Source: C:\Windows\SysWOW64\CompPkgSup\Windows.Media.Playback.MediaPlayer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000010.00000002.470365857.000001F9AEA3D000.00000004.00000001.sdmp Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.470546623.000001F9AEB02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 4.2.wiaacmgr.exe.20c052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.wiaacmgr.exe.2180000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KNEa2w7v3a.exe.223279e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KNEa2w7v3a.exe.223052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KNEa2w7v3a.exe.223052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f279e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.wiaacmgr.exe.20c052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.2210000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KNEa2w7v3a.exe.2640000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.wiaacmgr.exe.20c279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.wiaacmgr.exe.20c279e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Windows.Media.Playback.MediaPlayer.exe.20f052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.KNEa2w7v3a.exe.223279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.471191876.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.206004453.0000000002641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.210049440.0000000002181000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.205611516.0000000002294000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.471538485.0000000002211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.209938070.0000000002124000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.471462272.00000000021B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.205562844.0000000002230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.209835926.00000000020C0000.00000040.00000001.sdmp, type: MEMORY
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs