Windows Analysis Report RpcNs4.exe

Overview

General Information

Sample Name: RpcNs4.exe
Analysis ID: 492876
MD5: 1ed37c4a225bbd35716cf241e14541a8
SHA1: 51caf718c3d85847e9f9246b291149a0a7afb698
SHA256: 8b504e796986fbae7d1bea49c95dfad222758cca5cada56472f40a0bde41e485
Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider

AV Detection:

Found malware configuration
Multi AV Scanner detection for submitted file
Source: RpcNs4.exe Virustotal: Detection: 78%
Source: RpcNs4.exe Metadefender: Detection: 73%
Source: RpcNs4.exe ReversingLabs: Detection: 89%
Antivirus / Scanner detection for submitted sample
Source: RpcNs4.exe Avira: detected
Machine Learning detection for sample
Source: RpcNs4.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B2240 CryptEncrypt,memcpy,CryptGetHashParam,CryptDuplicateHash,CryptDestroyHash,CryptExportKey, 4_2_020B2240
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B2580 CryptCreateHash,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,GetProcessHeap,RtlAllocateHeap, 4_2_020B2580
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B1F60 memcpy,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash, 4_2_020B1F60

Compliance:

Uses 32bit PE files
Source: RpcNs4.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B3890 _snwprintf,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose, 2_2_020B3890
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B3890 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose, 4_2_020B3890

Networking:

C2 URLs / IPs found in malware configuration
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.5:49736 -> 190.191.171.72:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GIGAINFRASoftbankBBCorpJP
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49745 -> 5.189.168.53:8080
Source: global traffic TCP traffic: 192.168.2.5:49751 -> 162.241.41.111:7080
Source: global traffic TCP traffic: 192.168.2.5:49785 -> 190.85.46.52:7080
Source: global traffic TCP traffic: 192.168.2.5:49790 -> 37.205.9.252:7080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 36

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 2.2.RpcNs4.exe.5e279e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RpcNs4.exe.20b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.networkitemfactory.exe.51279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RpcNs4.exe.5e052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.networkitemfactory.exe.20b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.networkitemfactory.exe.51279e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RpcNs4.exe.5e052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.networkitemfactory.exe.51052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.networkitemfactory.exe.51052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RpcNs4.exe.5e279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.517659433.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.256801219.00000000005F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.519092750.00000000020B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.256746048.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.519022380.0000000002094000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.257541494.00000000020B1000.00000020.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B2580 CryptCreateHash,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,GetProcessHeap,RtlAllocateHeap, 4_2_020B2580

System Summary:

Uses 32bit PE files
Source: RpcNs4.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\RpcNs4.exe File deleted: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe:Zone.Identifier
Creates files inside the system directory
Source: C:\Users\user\Desktop\RpcNs4.exe File created: C:\Windows\SysWOW64\rasphone\
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: String function: 00406830 appears 42 times
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: String function: 00406EE5 appears 34 times
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: String function: 00406830 appears 42 times
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: String function: 00406EE5 appears 34 times
PE file contains strange resources
Source: RpcNs4.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: RpcNs4.exe Virustotal: Detection: 78%
Source: RpcNs4.exe Metadefender: Detection: 73%
Source: RpcNs4.exe ReversingLabs: Detection: 89%
Source: RpcNs4.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RpcNs4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\RpcNs4.exe 'C:\Users\user\Desktop\RpcNs4.exe'
Source: C:\Users\user\Desktop\RpcNs4.exe Process created: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe C:\Windows\SysWOW64\rasphone\networkitemfactory.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RpcNs4.exe Process created: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe C:\Windows\SysWOW64\rasphone\networkitemfactory.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\RpcNs4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\RpcNs4.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine Classification label: mal96.troj.evad.winEXE@16/5@0/88
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: CloseServiceHandle,OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle, 2_2_020B8830
Source: C:\Users\user\Desktop\RpcNs4.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B4BF0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32NextW,Process32NextW,Process32FirstW,CloseHandle,FindCloseChangeNotification, 4_2_020B4BF0
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4636:120:WilError_01
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_00406875 push ecx; ret 2_2_00406888
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_0040F141 push ecx; ret 2_2_0040F154
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B5E10 push ecx; mov dword ptr [esp], 00004C6Fh 2_2_020B5E11
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B5EC0 push ecx; mov dword ptr [esp], 000098C7h 2_2_020B5EC1
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B5F00 push ecx; mov dword ptr [esp], 0000B789h 2_2_020B5F01
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B5F50 push ecx; mov dword ptr [esp], 0000285Dh 2_2_020B5F51
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B5C40 push ecx; mov dword ptr [esp], 00008691h 2_2_020B5C41
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B5C70 push ecx; mov dword ptr [esp], 0000B66Ah 2_2_020B5C71
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B5CB0 push ecx; mov dword ptr [esp], 000001F6h 2_2_020B5CB1
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B5CF0 push ecx; mov dword ptr [esp], 00003EEDh 2_2_020B5CF1
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B5D30 push ecx; mov dword ptr [esp], 0000E6FEh 2_2_020B5D31
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B5D80 push ecx; mov dword ptr [esp], 00001B06h 2_2_020B5D81
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B5DA0 push ecx; mov dword ptr [esp], 000086AAh 2_2_020B5DA1
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_00406875 push ecx; ret 4_2_00406888
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_0040F141 push ecx; ret 4_2_0040F154
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B5E10 push ecx; mov dword ptr [esp], 00004C6Fh 4_2_020B5E11
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B5EC0 push ecx; mov dword ptr [esp], 000098C7h 4_2_020B5EC1
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B5F00 push ecx; mov dword ptr [esp], 0000B789h 4_2_020B5F01
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B5F50 push ecx; mov dword ptr [esp], 0000285Dh 4_2_020B5F51
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B5C40 push ecx; mov dword ptr [esp], 00008691h 4_2_020B5C41
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B5C70 push ecx; mov dword ptr [esp], 0000B66Ah 4_2_020B5C71
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B5CB0 push ecx; mov dword ptr [esp], 000001F6h 4_2_020B5CB1
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B5CF0 push ecx; mov dword ptr [esp], 00003EEDh 4_2_020B5CF1
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B5D30 push ecx; mov dword ptr [esp], 0000E6FEh 4_2_020B5D31
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B5D80 push ecx; mov dword ptr [esp], 00001B06h 4_2_020B5D81
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B5DA0 push ecx; mov dword ptr [esp], 000086AAh 4_2_020B5DA1
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_00401880 _malloc,LoadLibraryA,GetProcAddress, 2_2_00401880

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\RpcNs4.exe Executable created and started: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\RpcNs4.exe PE file moved: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\RpcNs4.exe File opened: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_00403B79 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00403B79

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\RpcNs4.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 3132 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\RpcNs4.exe API coverage: 8.5 %
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B3890 _snwprintf,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose, 2_2_020B3890
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B3890 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose, 4_2_020B3890
Source: C:\Users\user\Desktop\RpcNs4.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\RpcNs4.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000005.00000002.519834016.000001A00E260000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.517847536.000001A008A29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.517367438.0000021F46802000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000007.00000002.517433093.0000021F46828000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.517881294.0000023333664000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.517673418.0000024160029000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_00406A89 _memset,IsDebuggerPresent, 2_2_00406A89
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_0040E3C3 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_0040E3C3
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_00401880 _malloc,LoadLibraryA,GetProcAddress, 2_2_00401880
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_0040408A GetProcessHeap, 2_2_0040408A
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B3E70 mov eax, dword ptr fs:[00000030h] 2_2_020B3E70
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_020B4D60 mov eax, dword ptr fs:[00000030h] 2_2_020B4D60
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B3E70 mov eax, dword ptr fs:[00000030h] 4_2_020B3E70
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B4D60 mov eax, dword ptr fs:[00000030h] 4_2_020B4D60
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_02091030 mov eax, dword ptr fs:[00000030h] 4_2_02091030
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_00406769 SetUnhandledExceptionFilter, 2_2_00406769
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_0040679A SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0040679A
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_00406769 SetUnhandledExceptionFilter, 4_2_00406769
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_0040679A SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0040679A
Source: networkitemfactory.exe, 00000004.00000002.518757751.0000000000C80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: networkitemfactory.exe, 00000004.00000002.518757751.0000000000C80000.00000002.00020000.sdmp Binary or memory string: Progman
Source: networkitemfactory.exe, 00000004.00000002.518757751.0000000000C80000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: networkitemfactory.exe, 00000004.00000002.518757751.0000000000C80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: networkitemfactory.exe, 00000004.00000002.518757751.0000000000C80000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0041989E
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 2_2_0041994B
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 2_2_0040D16E
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 2_2_0041119A
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW, 2_2_004191AF
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 2_2_00419A1F
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 2_2_0041947F
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: EnumSystemLocalesW, 2_2_00419423
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_0040FC2A
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 2_2_004194FC
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 2_2_00410D5A
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 2_2_0041957F
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: EnumSystemLocalesW, 2_2_0040FE0B
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: GetLocaleInfoW, 2_2_0040FE91
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 2_2_00419774
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 2_2_00415723
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_004117D4
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_0041989E
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 4_2_0041994B
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 4_2_0040D16E
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 4_2_0041119A
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW, 4_2_004191AF
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 4_2_00419A1F
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 4_2_0041947F
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: EnumSystemLocalesW, 4_2_00419423
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_0040FC2A
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 4_2_004194FC
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 4_2_00410D5A
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 4_2_0041957F
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: EnumSystemLocalesW, 4_2_0040FE0B
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: GetLocaleInfoW, 4_2_0040FE91
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 4_2_00419774
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 4_2_00415723
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 4_2_004117D4
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_0041201C cpuid 2_2_0041201C
Source: C:\Users\user\Desktop\RpcNs4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\RpcNs4.exe Code function: 2_2_00406001 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_00406001
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe Code function: 4_2_020B5300 GetNativeSystemInfo,GetNativeSystemInfo,RtlGetVersion, 4_2_020B5300

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000C.00000002.517735542.0000018992E3D000.00000004.00000001.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000C.00000002.517898237.0000018992F02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 2.2.RpcNs4.exe.5e279e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RpcNs4.exe.20b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.networkitemfactory.exe.51279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RpcNs4.exe.5e052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.networkitemfactory.exe.20b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.networkitemfactory.exe.51279e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RpcNs4.exe.5e052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.networkitemfactory.exe.51052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.networkitemfactory.exe.51052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RpcNs4.exe.5e279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.517659433.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.256801219.00000000005F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.519092750.00000000020B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.256746048.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.519022380.0000000002094000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.257541494.00000000020B1000.00000020.00000001.sdmp, type: MEMORY