
Windows Analysis Report emo.exe

Overview

General Information

Sample Name: emo.exe
Analysis ID: 465749
MD5: 1d314c60cf2ab83672f258033f1c9fdb
SHA1: a076655c3e4b48b2a074a7d37210adaea0e22f92
SHA256: 459f8d96d0c21300199c87ee798b594216732a27da6c3190f36b483df9faaabf

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • emo.exe (PID: 6700 cmdline: 'C:\Users\user\Desktop\emo.exe' MD5: 1D314C60CF2AB83672F258033F1C9FDB)
    • emo.exe (PID: 6728 cmdline: C:\Users\user\Desktop\emo.exe MD5: 1D314C60CF2AB83672F258033F1C9FDB)
  • aspcolorer.exe (PID: 7008 cmdline: C:\Windows\SysWOW64\aspcolorer.exe MD5: 1D314C60CF2AB83672F258033F1C9FDB)
    • aspcolorer.exe (PID: 7032 cmdline: C:\Windows\SysWOW64\aspcolorer.exe MD5: 1D314C60CF2AB83672F258033F1C9FDB)
  • svchost.exe (PID: 7092 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6240 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4864 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6452 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
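The tree above shows the behaviour a hunter should key on: emo.exe is copied byte-for-byte (same MD5) into C:\Windows\SysWOW64 under a new name, aspcolorer.exe, and the copy runs from there; later in the report the copy's Zone.Identifier stream is deleted. The following is an added example, not part of the Joe Sandbox report: it encodes that self-copy-plus-mark-of-the-web-removal check over process and file records constructed from the tree and from the report's "File deleted ... Zone.Identifier" entry (the records are constructed, not raw telemetry; the set of system directories and the use of lowercase MD5 strings are the example's own choices).

```python
"""Hunt for the self-copy pattern in the process tree above: one binary
(identical MD5) running first from a user directory and then from
C:\\Windows\\SysWOW64 under a different name, with the copy's
Zone.Identifier stream (mark-of-the-web) deleted.

Added example, not part of the Joe Sandbox report. The process and file
records below are constructed from the report's process tree and its
"File deleted ... Zone.Identifier" entry; they are not raw telemetry.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# (pid, image path, md5) taken from the report's process tree.
PROC_EVENTS = [
    (6700, r"C:\Users\user\Desktop\emo.exe", "1D314C60CF2AB83672F258033F1C9FDB"),
    (6728, r"C:\Users\user\Desktop\emo.exe", "1D314C60CF2AB83672F258033F1C9FDB"),
    (7008, r"C:\Windows\SysWOW64\aspcolorer.exe", "1D314C60CF2AB83672F258033F1C9FDB"),
    (7032, r"C:\Windows\SysWOW64\aspcolorer.exe", "1D314C60CF2AB83672F258033F1C9FDB"),
    (7092, r"C:\Windows\System32\svchost.exe", "32569E403279B3FD2EDB7EBD036273FA"),
    (6240, r"C:\Windows\System32\svchost.exe", "32569E403279B3FD2EDB7EBD036273FA"),
]

# (operation, path) constructed from the report's file-system entry.
FILE_EVENTS = [
    ("deleted", r"C:\Windows\SysWOW64\aspcolorer.exe:Zone.Identifier"),
]

# Assumption for this example: the two directories a self-copy usually lands in.
SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")


def _norm(path):
    """Case-fold and slash-normalise a Windows path for comparison."""
    return PureWindowsPath(path).as_posix().lower()


def find_self_copies(proc_events):
    """Return (origin_image, copy_image, md5) for every hash that ran both
    outside and inside a Windows system directory under a different file name."""
    by_hash = defaultdict(list)
    for _pid, image, md5 in proc_events:
        by_hash[md5.lower()].append(image)
    hits = []
    for md5, images in by_hash.items():
        images = list(dict.fromkeys(images))  # dedupe, keep first-seen order
        outside = [p for p in images if not _norm(p).startswith(SYSTEM_DIRS)]
        inside = [p for p in images if _norm(p).startswith(SYSTEM_DIRS)]
        for origin in outside:
            for copy in inside:
                if PureWindowsPath(origin).name.lower() != PureWindowsPath(copy).name.lower():
                    hits.append((origin, copy, md5))
    return hits


def motw_stripped(file_events):
    """Paths whose Zone.Identifier alternate data stream was deleted."""
    suffix = ":zone.identifier"
    return [path[: -len(suffix)] for op, path in file_events
            if op == "deleted" and path.lower().endswith(suffix)]


def triage(proc_events, file_events):
    """Combine both signals: a self-copy whose mark-of-the-web was removed is the
    stronger finding, because the copy no longer carries the zone information
    that download-origin checks (SmartScreen, Office) rely on."""
    stripped = {_norm(p) for p in motw_stripped(file_events)}
    return [
        {"origin": origin, "copy": copy, "md5": md5,
         "motw_stripped": _norm(copy) in stripped}
        for origin, copy, md5 in find_self_copies(proc_events)
    ]


if __name__ == "__main__":
    for finding in triage(PROC_EVENTS, FILE_EVENTS):
        print(finding)
```

Run against the constructed records it reports a single finding: emo.exe as origin, aspcolorer.exe in SysWOW64 as the copy, with the mark-of-the-web flag set. The svchost.exe entries never fire because their hash only ever appears under System32. Hashes are compared case-insensitively on purpose: the report itself prints the MD5 in lowercase in the header and in uppercase in the process tree.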

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.655519273.00000000041D1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.655519273.00000000041D1000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly | 0x5b80:$snippet4: 33 C0 C7 05 10 72 1E 04 20 2A 1E 04 C7 05 14 72 1E 04 20 2A 1E 04 A3 18 72 1E 04 A3 1C 72 1E 04 ...
00000001.00000002.670974631.00000000026F1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.670974631.00000000026F1000.00000020.00000001.sdmp | Emotet | Emotet Payload | kevoreilly | 0x5b80:$snippet4: 33 C0 C7 05 10 72 70 02 20 2A 70 02 C7 05 14 72 70 02 20 2A 70 02 A3 18 72 70 02 A3 1C 72 70 02 ...
00000005.00000002.668324043.0000000002D61000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(3 further entries collapsed in the source report)

        Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.emo.exe.41d0000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.emo.exe.41d0000.3.unpack | Emotet | Emotet Payload | kevoreilly | 0x5f80:$snippet4: 33 C0 C7 05 10 72 1E 04 20 2A 1E 04 C7 05 14 72 1E 04 20 2A 1E 04 A3 18 72 1E 04 A3 1C 72 1E 04 ...
1.2.emo.exe.26f0000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.emo.exe.26f0000.3.unpack | Emotet | Emotet Payload | kevoreilly | 0x5f80:$snippet4: 33 C0 C7 05 10 72 70 02 20 2A 70 02 C7 05 14 72 70 02 20 2A 70 02 A3 18 72 70 02 A3 1C 72 70 02 ...
5.2.aspcolorer.exe.2d60000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(3 further entries collapsed in the source report)
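The two $snippet4 hits are worth a closer look: the opcode bytes are identical and only the absolute operands differ (1E 04 versus 70 02 in the high bytes), because process 0 and process 1 in the report's numbering loaded the payload at different addresses. The unpack names give those bases as 0x41d0000 and 0x26f0000. The block below is an added example written for this page, not the JoeSecurity_Emotet or kevoreilly rule: it decodes both hits, shows that every operand rebases to the same RVA, and derives a wildcarded pattern that matches the snippet at any load address. Treating the unpack-name addresses as the PE image bases is an assumption.

```python
"""Why the two $snippet4 hits above differ: the opcodes are identical, only
the absolute operands change, because the payload was dumped from two
different load addresses (0x041D0000 for process 0 and 0x026F0000 for
process 1, read from the unpack file names). This added example decodes
both hits, shows that the operands map to the same RVAs, and derives a
wildcarded pattern that matches both. It is an illustration written for
this page, not the JoeSecurity_Emotet or kevoreilly rule; the image bases
are an assumption taken from the unpack file names.
"""
import re
import struct

# The two $snippet4 byte strings exactly as listed in the Yara overview.
HIT_A = bytes.fromhex("33C0C70510721E04202A1E04C70514721E04202A1E04A318721E04A31C721E04")
HIT_B = bytes.fromhex("33C0C70510727002202A7002C70514727002202A7002A318727002A31C727002")
BASE_A = 0x041D0000   # from 0.2.emo.exe.41d0000.3.unpack (assumed image base)
BASE_B = 0x026F0000   # from 1.2.emo.exe.26f0000.3.unpack (assumed image base)

# Fixed opcode bytes of the snippet and how many operand bytes follow each.
SKELETON = [
    (b"\x33\xC0", 0),   # xor eax, eax
    (b"\xC7\x05", 8),   # mov dword ptr [moffs32], imm32
    (b"\xC7\x05", 8),   # mov dword ptr [moffs32], imm32
    (b"\xA3", 4),       # mov [moffs32], eax
    (b"\xA3", 4),       # mov [moffs32], eax
]


def decode(blob):
    """Walk the blob against SKELETON and return its 32-bit operands in order."""
    operands, pos = [], 0
    for fixed, n_operand in SKELETON:
        if blob[pos:pos + len(fixed)] != fixed:
            raise ValueError(f"opcode mismatch at offset {pos:#x}")
        pos += len(fixed)
        for _ in range(n_operand // 4):
            operands.append(struct.unpack_from("<I", blob, pos)[0])
            pos += 4
    return operands


def rvas(blob, image_base):
    """Rebase every absolute operand to an RVA so dumps from different bases compare."""
    return [op - image_base for op in decode(blob)]


def wildcard_regex():
    """Byte regex with every operand wildcarded; matches the snippet at any base."""
    parts = [re.escape(fixed) + (b".{%d}" % n if n else b"") for fixed, n in SKELETON]
    return re.compile(b"".join(parts), re.DOTALL)


def yara_hex():
    """The same pattern expressed as a YARA hex string with ?? wildcards."""
    tokens = []
    for fixed, n in SKELETON:
        tokens += [f"{b:02X}" for b in fixed] + ["??"] * n
    return " ".join(tokens)


if __name__ == "__main__":
    print([hex(r) for r in rvas(HIT_A, BASE_A)])
    print([hex(r) for r in rvas(HIT_B, BASE_B)])
    print(yara_hex())
```

Both hits rebase to the RVA list 0x17210, 0x12A20, 0x17214, 0x12A20, 0x17218, 0x1721C: the code writes the same two function-pointer-sized globals at image+0x17210..0x1721C from the same source address, so the dumps are the same build and the address bytes alone are not a usable indicator. Matching on the opcode skeleton with the operands wildcarded is what lets one signature cover every load address; comparing rebased operands is a quick way to confirm two dumps came from the same payload.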

              Sigma Overview

              No Sigma rule has matched

              Jbx Signature Overview

              AV Detection:

Antivirus / Scanner detection for submitted sample
Source: emo.exe | Avira: detected
Multi AV Scanner detection for domain / URL
Source: http://105.224.170.204/ | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: emo.exe | Virustotal: Detection: 91%
Source: emo.exe | Metadefender: Detection: 70%
Source: emo.exe | ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: emo.exe | Joe Sandbox ML: detected
Source: 5.0.aspcolorer.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.awz
Source: 6.1.aspcolorer.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 5.1.aspcolorer.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.1.emo.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.0.emo.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.awz
Source: 6.0.aspcolorer.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.awz
Source: 0.0.emo.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.awz
Source: 0.1.emo.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: emo.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: sNQ.pdb | source: emo.exe
Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 186.159.186.156:8080
Source: Joe Sandbox View | IP Address: 186.159.186.156
Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 200.54.111.170:80
Source: global traffic | TCP traffic: 192.168.2.4:49759 -> 104.136.151.73:80
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 66.112.88.78:80
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 105.224.170.204:80
Source: unknown | TCP traffic detected without corresponding DNS query: 186.159.186.156 (listed 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 200.54.111.170 (listed 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 104.136.151.73 (listed 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 66.112.88.78 (listed 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 105.224.170.204 (listed 3 times)
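The traffic lines above carry two signals a network detection should encode: every C2 address was contacted without any preceding DNS query (the address list is embedded in the sample, so there is no lookup to observe), and the first contact went to port 8080 rather than a standard web port. The block below is an added example, not part of the report: it replays a constructed event stream built from the report's five connections, plus one benign resolved flow to an RFC 5737 documentation address and one LAN flow so the filters have something to pass over. The choice of 80 and 443 as "standard" ports and the list of local networks are the example's own assumptions.

```python
"""Detection logic for the network behaviour listed above: TCP connections to
addresses that no earlier DNS answer resolved (the C2 list is hard-coded in
the sample, so there is no lookup to observe) and connections on a port other
than 80/443. Added example, not from the report; the event stream is
constructed in time order from the report's traffic lines, plus one benign
resolved flow (RFC 5737 documentation address) and one LAN flow.
"""
from ipaddress import ip_address, ip_network

# Assumption for this example: what counts as a standard web port.
STANDARD_PORTS = {80, 443}
# Assumption for this example: destinations that never need a DNS answer.
LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed event stream in time order: ("dns", name, answer) or
# ("conn", src, dst, dport). The five C2 flows are taken from the report.
EVENTS = [
    ("dns", "example.com", "203.0.113.10"),          # constructed benign answer
    ("conn", "192.168.2.4", "203.0.113.10", 443),    # constructed benign flow
    ("conn", "192.168.2.4", "186.159.186.156", 8080),
    ("conn", "192.168.2.4", "200.54.111.170", 80),
    ("conn", "192.168.2.4", "104.136.151.73", 80),
    ("conn", "192.168.2.4", "66.112.88.78", 80),
    ("conn", "192.168.2.4", "105.224.170.204", 80),
    ("conn", "192.168.2.4", "192.168.2.1", 53),      # constructed LAN flow, skipped
]


def is_local(ip):
    """True for RFC 1918 / loopback destinations, which never need a DNS answer."""
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def analyse(events):
    """Replay events in order. A DNS answer only excuses connections that come
    after it, which is why this is a stream replay rather than two set lookups."""
    resolved = set()
    no_dns, odd_port = [], []
    for ev in events:
        if ev[0] == "dns":
            resolved.add(ev[2])
            continue
        _, _src, dst, dport = ev
        if is_local(dst):
            continue
        if dst not in resolved and dst not in no_dns:
            no_dns.append(dst)
        if dport not in STANDARD_PORTS:
            odd_port.append((dst, dport))
    return {"no_dns": no_dns, "odd_port": odd_port}


if __name__ == "__main__":
    print(analyse(EVENTS))
```

On the constructed stream the five report addresses come back under no_dns and only 186.159.186.156:8080 under odd_port; the benign flow is cleared by its earlier DNS answer and the LAN flow is ignored. The ordering matters in practice: a resolution that arrives after the connection is not evidence that the address came from DNS, so the replay does not excuse it.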
              Source: svchost.exe, 0000000C.00000002.769943287.000001C187513000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
              Source: svchost.exe, 0000000C.00000002.769943287.000001C187513000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
              Source: svchost.exe, 0000000C.00000003.758300421.000001C187586000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","S
R","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-08-05T07:15:36.6439098Z||.||4158786a-b0d5-44dc-84ce-29db88174d99||1152921505693736035||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
              Source: svchost.exe, 0000000C.00000003.750900152.000001C18756D000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: aspcolorer.exe, 00000006.00000002.916613045.000000000019C000.00000004.00000001.sdmp | String found in binary or memory: http://105.224.170.204/
Source: svchost.exe, 0000000C.00000003.750378045.000001C18753A000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 0000000C.00000003.750378045.000001C18753A000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: svchost.exe, 0000000C.00000002.769885562.000001C187390000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000000C.00000002.769885562.000001C187390000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 0000000C.00000003.750378045.000001C18753A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000000C.00000003.750900152.000001C18756D000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000C.00000003.750900152.000001C18756D000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000C.00000003.757418980.000001C187579000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.757275226.000001C187579000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000C.00000003.757282534.000001C187588000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000C.00000003.757418980.000001C187579000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.757275226.000001C187579000.00000004.00000001.sdmp | String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000000C.00000003.750900152.000001C18756D000.00000004.00000001.sdmp | String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 0000000C.00000003.757418980.000001C187579000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.757275226.000001C187579000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000C.00000003.757275226.000001C187579000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/info/privacy
Source: svchost.exe, 0000000C.00000003.752083104.000001C1875A3000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.751946560.000001C18756F000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.751988650.000001C18758A000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.751968399.000001C18757E000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: emo.exe, 00000000.00000002.655468027.0000000002718000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 0.2.emo.exe.41d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.emo.exe.26f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.aspcolorer.exe.2d60000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.aspcolorer.exe.2520000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.655519273.00000000041D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.670974631.00000000026F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.668324043.0000000002D61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.917142816.0000000002521000.00000020.00000001.sdmp, type: MEMORY

              System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.emo.exe.41d0000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.emo.exe.26f0000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 5.2.aspcolorer.exe.2d60000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 6.2.aspcolorer.exe.2520000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.655519273.00000000041D1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000001.00000002.670974631.00000000026F1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000005.00000002.668324043.0000000002D61000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 00000006.00000002.917142816.0000000002521000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_041B2000 memcpy,NtAllocateVirtualMemory, 0_2_041B2000
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_041B1EF0 memcpy,NtProtectVirtualMemory, 0_2_041B1EF0
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_041B2E50 NtdllDefWindowProc_A, 0_2_041B2E50
Source: C:\Windows\SysWOW64\aspcolorer.exe | Code function: 5_2_02D41EF0 memcpy,NtProtectVirtualMemory, 5_2_02D41EF0
Source: C:\Windows\SysWOW64\aspcolorer.exe | Code function: 5_2_02D42000 memcpy,NtAllocateVirtualMemory, 5_2_02D42000
Source: C:\Windows\SysWOW64\aspcolorer.exe | Code function: 5_2_02D42E50 NtdllDefWindowProc_A, 5_2_02D42E50
Source: C:\Users\user\Desktop\emo.exe | File deleted: C:\Windows\SysWOW64\aspcolorer.exe:Zone.Identifier
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_041D56EF
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_041D56EF
Source: C:\Windows\SysWOW64\aspcolorer.exe | Code function: 5_2_02D656EF
Source: C:\Windows\SysWOW64\aspcolorer.exe | Code function: 5_2_02D656EF
Source: emo.exe, 00000000.00000002.655115671.0000000000427000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamec_gb18030.< vs emo.exe
Source: emo.exe, 00000001.00000002.672316266.0000000004920000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs emo.exe
Source: emo.exe, 00000001.00000002.672473752.0000000004A20000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs emo.exe
Source: emo.exe, 00000001.00000002.672473752.0000000004A20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs emo.exe
Source: emo.exe, 00000001.00000002.669263129.0000000000427000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamec_gb18030.< vs emo.exe
Source: emo.exe | Binary or memory string: OriginalFilenamec_gb18030.< vs emo.exe
Source: emo.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: 0.2.emo.exe.41d0000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.emo.exe.26f0000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 5.2.aspcolorer.exe.2d60000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 6.2.aspcolorer.exe.2520000.3.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.655519273.00000000041D1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000001.00000002.670974631.00000000026F1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.668324043.0000000002D61000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000006.00000002.917142816.0000000002521000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: classification engine | Classification label: mal92.troj.evad.winEXE@10/0@0/6
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_041D1C10 CreateToolhelp32Snapshot, 0_2_041D1C10
Source: C:\Windows\SysWOW64\aspcolorer.exe | Mutant created: \BaseNamedObjects\PEM1B60
Source: C:\Users\user\Desktop\emo.exe | Mutant created: \Sessions\1\BaseNamedObjects\PEM1A2C
Source: C:\Windows\SysWOW64\aspcolorer.exe | Mutant created: \BaseNamedObjects\PEM238
Source: C:\Users\user\Desktop\emo.exe | Mutant created: \Sessions\1\BaseNamedObjects\PEMD60
Source: emo.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\emo.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\emo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: emo.exe | Virustotal: Detection: 91%
Source: emo.exe | Metadefender: Detection: 70%
Source: emo.exe | ReversingLabs: Detection: 96%
Source: unknown | Process created: C:\Users\user\Desktop\emo.exe 'C:\Users\user\Desktop\emo.exe'
Source: C:\Users\user\Desktop\emo.exe | Process created: C:\Users\user\Desktop\emo.exe C:\Users\user\Desktop\emo.exe
Source: unknown | Process created: C:\Windows\SysWOW64\aspcolorer.exe C:\Windows\SysWOW64\aspcolorer.exe
Source: C:\Windows\SysWOW64\aspcolorer.exe | Process created: C:\Windows\SysWOW64\aspcolorer.exe C:\Windows\SysWOW64\aspcolorer.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\emo.exe | Process created: C:\Users\user\Desktop\emo.exe C:\Users\user\Desktop\emo.exe
Source: C:\Windows\SysWOW64\aspcolorer.exe | Process created: C:\Windows\SysWOW64\aspcolorer.exe C:\Windows\SysWOW64\aspcolorer.exe
Source: C:\Users\user\Desktop\emo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: emo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: sNQ.pdb source: emo.exe
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_041D1A36 LoadLibraryA,GetProcAddress, 0_2_041D1A36
Source: emo.exe | Static PE information: section name: CONST
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_00408205 pushfd ; iretd 0_2_00408237
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_00407A3B push ecx; iretd 0_2_00407A3D
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_004080C9 push 224E4EE2h; ret 0_2_004080DF
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_004096D2 push E9197B2Dh; iretd 0_2_004096E0
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_004092A2 push ecx; iretd 0_2_004092B7
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_00407B69 push eax; ret 0_2_00407B6A
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_0040B376 push esp; retf 0_2_0040B39C
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_0040B9D2 push cs; ret 0_2_0040BA3E
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_0040ABEE push 6EC3F474h; ret 0_2_0040AC03
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_0040A582 push ds; ret 0_2_0040A5C9
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_00408F8B push esp; iretd 0_2_00408F99
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_0040B5A6 pushad ; iretd 0_2_0040B5A7
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_0040A5B5 push ds; ret 0_2_0040A5C9

              Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\aspcolorer.exe | Executable created and started: C:\Windows\SysWOW64\aspcolorer.exe
Source: C:\Users\user\Desktop\emo.exe | PE file moved: C:\Windows\SysWOW64\aspcolorer.exe

              Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\emo.exe | File opened: C:\Windows\SysWOW64\aspcolorer.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\emo.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\aspcolorer.exe | API coverage: 8.7 %
Source: C:\Windows\System32\svchost.exe TID: 6724 | Thread sleep time: -180000s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\emo.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_004015E7 GetSystemInfo,GetSystemInfo,GetConsoleProcessList,GetConsoleProcessList,GetSysColor,GetMenuState,GetThreadPriority,GetThreadPriority,IsDlgButtonChecked, 0_2_004015E7
Source: svchost.exe, 00000007.00000002.685718519.0000021F24340000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.728069382.000001D457940000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.744126595.0000026507D40000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.770516884.000001C187C00000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 0000000C.00000002.769713427.000001C186CE7000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.685718519.0000021F24340000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.728069382.000001D457940000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.744126595.0000026507D40000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.770516884.000001C187C00000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000007.00000002.685718519.0000021F24340000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.728069382.000001D457940000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.744126595.0000026507D40000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.770516884.000001C187C00000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000007.00000002.685718519.0000021F24340000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.728069382.000001D457940000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.744126595.0000026507D40000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.770516884.000001C187C00000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\emo.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_041D1A36 LoadLibraryA,GetProcAddress, 0_2_041D1A36
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_041D1530 mov eax, dword ptr fs:[00000030h] 0_2_041D1530
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_041D21B0 mov eax, dword ptr fs:[00000030h] 0_2_041D21B0
Source: C:\Windows\SysWOW64\aspcolorer.exe | Code function: 5_2_02D621B0 mov eax, dword ptr fs:[00000030h] 5_2_02D621B0
Source: C:\Windows\SysWOW64\aspcolorer.exe | Code function: 5_2_02D61530 mov eax, dword ptr fs:[00000030h] 5_2_02D61530
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_041B22DA GetProcessHeap,GetProcessHeap,RtlAllocateHeap,lstrcmp,GetProcessHeap,HeapFree, 0_2_041B22DA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\emo.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\aspcolorer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_041D277F RtlGetVersion,GetNativeSystemInfo, 0_2_041D277F
Source: C:\Windows\SysWOW64\aspcolorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 0.2.emo.exe.41d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.emo.exe.26f0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.aspcolorer.exe.2d60000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.aspcolorer.exe.2520000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.655519273.00000000041D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.670974631.00000000026F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.668324043.0000000002D61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.917142816.0000000002521000.00000020.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\emo.exe | Code function: 0_2_004013DB OffsetRgn,AddClipboardFormatListener,DrawEdge,DrawEdge,DdeGetLastError,AnimateWindow,AllocConsole,NotifyUILanguageChange,SetMetaRgn, 0_2_004013DB

Mitre Att&ck Matrix

(Numbers in parentheses give the count of signatures matched for that technique; cells without a number are the matrix's unmatched placeholders. Later rows of the matrix are cut off in the source.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API (1) | Path Interception | Process Injection (1) | Masquerading (11) | Input Capture (1) | Query Registry (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (1) | LSASS Memory | Security Software Discovery (11) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Hidden Files and Directories (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information (1) | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | | |