Edit tour

Windows Analysis Report
pmfoxWgt1q

Overview

General Information

Sample Name:	pmfoxWgt1q (renamed file extension from none to dll)
Analysis ID:	677709
MD5:	6300568039c3d35aaa0fc0f59a6089df
SHA1:	bef385861ab3ad1bf5c1c76384ccf45a75c80ed5
SHA256:	55d87fda07c8550c926974930480cf4899fed628ef544164519984efa447014a
Infos:

Detection

Emotet

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Emotet

Multi AV Scanner detection for submitted file

Tries to load missing DLLs

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Registers a DLL

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 5168 cmdline: loaddll64.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 5176 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 5196 cmdline: rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

regsvr32.exe (PID: 5184 cmdline: regsvr32.exe /s C:\Users\user\Desktop\pmfoxWgt1q.dll MD5: D78B75FC68247E8A63ACBA846182740E)

rundll32.exe (PID: 5212 cmdline: rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5316 cmdline: rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,YAeJyEAYL7F4eDck6YUaf MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5332 cmdline: rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,fmFkmnQYB5TC2Sq5NGFkK MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
pmfoxWgt1q.dll	JoeSecurity_Emotet_2	Yara detected Emotet	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.882940563.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Emotet_2	Yara detected Emotet	Joe Security
00000005.00000002.882553231.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Emotet_2	Yara detected Emotet	Joe Security
00000006.00000002.889058366.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Emotet_2	Yara detected Emotet	Joe Security
00000002.00000002.881462250.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Emotet_2	Yara detected Emotet	Joe Security
00000003.00000002.882940823.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Emotet_2	Yara detected Emotet	Joe Security
00000000.00000002.880853299.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Emotet_2	Yara detected Emotet	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
5.2.rundll32.exe.7ffc739f0000.0.unpack	JoeSecurity_Emotet_2	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.7ffc739f0000.0.unpack	JoeSecurity_Emotet_2	Yara detected Emotet	Joe Security
4.2.rundll32.exe.7ffc739f0000.0.unpack	JoeSecurity_Emotet_2	Yara detected Emotet	Joe Security
3.2.rundll32.exe.7ffc739f0000.0.unpack	JoeSecurity_Emotet_2	Yara detected Emotet	Joe Security
0.2.loaddll64.exe.7ffc739f0000.0.unpack	JoeSecurity_Emotet_2	Yara detected Emotet	Joe Security
6.2.rundll32.exe.7ffc739f0000.0.unpack	JoeSecurity_Emotet_2	Yara detected Emotet	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: pmfoxWgt1q.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: pmfoxWgt1q.dll	Metadefender: Detection: 34%			Perma Link
Source: pmfoxWgt1q.dll	ReversingLabs: Detection: 72%

Source: pmfoxWgt1q.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A78D1C FindFirstFileExW,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A78D1C FindFirstFileExW,

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: pmfoxWgt1q.dll, type: SAMPLE
Source: Yara match	File source: 5.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.882940563.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.882553231.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.889058366.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.881462250.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.882940823.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.880853299.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Windows\System32\regsvr32.exe

Section loaded: sfc.dll

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A77C5C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A6CBA9
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A75BD4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A6C1FC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A77198
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A7B9CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A70124
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A7A728
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A71DB0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A78D1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A6BD28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A77C5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A6CBA9
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A75BD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A6C1FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A77198
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A7B9CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A70124
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A7A728
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A71DB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A78D1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A6BD28

Source: C:\Windows\System32\loaddll64.exe	Code function: String function: 00007FFC73A60620 appears 2834 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFC73A60620 appears 2834 times

Source: pmfoxWgt1q.dll	Metadefender: Detection: 34%
Source: pmfoxWgt1q.dll	ReversingLabs: Detection: 72%

Source: pmfoxWgt1q.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pmfoxWgt1q.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,YAeJyEAYL7F4eDck6YUaf
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,fmFkmnQYB5TC2Sq5NGFkK
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pmfoxWgt1q.dll
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,YAeJyEAYL7F4eDck6YUaf
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,fmFkmnQYB5TC2Sq5NGFkK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1

Source: classification engine

Classification label: mal64.troj.winDLL@13/0@0/0

Source: pmfoxWgt1q.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: pmfoxWgt1q.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pmfoxWgt1q.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pmfoxWgt1q.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pmfoxWgt1q.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pmfoxWgt1q.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pmfoxWgt1q.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: pmfoxWgt1q.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: pmfoxWgt1q.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: pmfoxWgt1q.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: pmfoxWgt1q.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: pmfoxWgt1q.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: pmfoxWgt1q.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: pmfoxWgt1q.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A6DB15 push 830F0001h; retn 0000h
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A6DB15 push 830F0001h; retn 0000h

Source: pmfoxWgt1q.dll

Static PE information: section name: _RDATA

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pmfoxWgt1q.dll

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A78D1C FindFirstFileExW,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A78D1C FindFirstFileExW,

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFC73A69F4C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFC73A7A0AC GetProcessHeap,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A64140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A69F4C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFC73A64500 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A64140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A69F4C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFC73A64500 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1

Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\loaddll64.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\regsvr32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFC73A78300 cpuid

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFC73A64404 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: pmfoxWgt1q.dll, type: SAMPLE
Source: Yara match	File source: 5.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.882940563.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.882553231.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.889058366.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.881462250.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.882940823.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.880853299.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Regsvr32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
pmfoxWgt1q.dll	34%	Metadefender		Browse
pmfoxWgt1q.dll	72%	ReversingLabs	Win64.Trojan.Emotet
pmfoxWgt1q.dll	100%	Avira	TR/Kryptik.assob

Domains and IPs

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	677709
Start date and time: 02/08/202222:11:31	2022-08-02 22:11:31 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 15s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	pmfoxWgt1q (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.troj.winDLL@13/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
VT rate limit hit for: pmfoxWgt1q.dll

Joe Sandbox View / Context

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.627867897691371
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	pmfoxWgt1q.dll
File size:	866816
MD5:	6300568039c3d35aaa0fc0f59a6089df
SHA1:	bef385861ab3ad1bf5c1c76384ccf45a75c80ed5
SHA256:	55d87fda07c8550c926974930480cf4899fed628ef544164519984efa447014a
SHA512:	2150699d801fe40d2fb7675799b85220ead4dde32b8fcd3e073b2765657a15259156f4d35b2b3b8386ebe3167e484452162fdb5246230343d7d3096753d0fbc3
SSDEEP:	24576:sPMTg9U3G0ISDKvSeqfZaePWAy7ympE3:BTg9UXRD2SeqfZZi2m
TLSH:	FD05283FD6590A62FC1F1235C642894BF591FA0223145D9EB3AE0A58DF3BE48F9A5F10
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K._]..1...1...1...2...1...4...1...5...1.m.5...1.m.2...1.m.4.I.1...0...1...0.l.1...8...1...1...1.......1.......1...3...1.Rich..1

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x180073c20
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6284F4EB [Wed May 18 13:30:19 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5c49ce3660f3f487a221bd7888983b24

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F0EE09B8387h
call 00007F0EE09B8B48h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F0EE09B8214h
int3
int3
int3
dec eax
sub esp, 28h
call 00007F0EE09B8F8Ch
test eax, eax
je 00007F0EE09B83A3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F0EE09B8387h
dec eax
cmp ecx, eax
je 00007F0EE09B8396h
xor eax, eax
dec eax
cmpxchg dword ptr [000309E4h], ecx
jne 00007F0EE09B8370h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F0EE09B8379h
int3
int3
int3
dec eax
sub esp, 28h
call 00007F0EE09B8F50h
test eax, eax
je 00007F0EE09B8389h
call 00007F0EE09B8D9Bh
jmp 00007F0EE09B839Bh
call 00007F0EE09B65DCh
mov ecx, eax
call 00007F0EE09C43A1h
test eax, eax
je 00007F0EE09B8386h
xor al, al
jmp 00007F0EE09B8389h
call 00007F0EE09C4760h
mov al, 01h
dec eax
add esp, 28h
ret
dec eax
sub esp, 28h
xor ecx, ecx
call 00007F0EE09B84C2h
test al, al
setne al
dec eax
add esp, 28h
ret
int3
int3

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xa1de0	0xb0	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa1e90	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa9000	0x2ea20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xa6000	0x1fe0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd8000	0x914	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9e6e0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9e5a0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x91000	0x2c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8f260	0x8f400	False	0.3861392888307155	data	6.011164043310419	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x91000	0x117ce	0x11800	False	0.4552734375	data	5.141486524366641	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa3000	0x2940	0x1200	False	0.17078993055555555	DOS executable (block device driver)	2.811233564125507	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xa6000	0x1fe0	0x2000	False	0.48046875	data	5.507319499503956	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0xa8000	0x15c	0x200	False	0.40625	data	3.363296824709797	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xa9000	0x2ea20	0x2ec00	False	0.8596361129679144	data	7.814152582292596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd8000	0x914	0xa00	False	0.4828125	data	5.246908112940421	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_FONTDIR	0xa90a0	0x2e800	data	English	United States
RT_MANIFEST	0xd78a0	0x17d	XML 1.0 document text	English	United States

Imports

DLL

Import

ole32.dll

CoTaskMemFree, CoLoadLibrary, CoTaskMemAlloc

KERNEL32.dll

ExitProcess, WriteConsoleW, CreateFileW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetStringTypeW, GetCPInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, RtlPcToFileHeader, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RtlUnwind, GetModuleHandleExW, GetModuleFileNameW, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapAlloc, GetStdHandle, GetFileType, CloseHandle, FlushFileBuffers, WriteFile, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetStdHandle, HeapSize

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x180070020
YAeJyEAYL7F4eDck6YUaf	2	0x1800702c0
fmFkmnQYB5TC2Sq5NGFkK	3	0x1800701e0
nrDjhnkd9nedaQwcCY	4	0x180070100

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	22:12:36
Start date:	02/08/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll"
Imagebase:	0x7ff66a740000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_2, Description: Yara detected Emotet, Source: 00000000.00000002.880853299.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: cmd.exePID: 5176, Parent PID: 5168

General

Target ID:	1
Start time:	22:12:36
Start date:	02/08/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1
Imagebase:	0x7ff6499e0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exePID: 5184, Parent PID: 5168

General

Target ID:	2
Start time:	22:12:37
Start date:	02/08/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\pmfoxWgt1q.dll
Imagebase:	0x7ff619650000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_2, Description: Yara detected Emotet, Source: 00000002.00000002.881462250.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 5196, Parent PID: 5176

General

Target ID:	3
Start time:	22:12:37
Start date:	02/08/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1
Imagebase:	0x7ff6dbdb0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_2, Description: Yara detected Emotet, Source: 00000003.00000002.882940823.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 5212, Parent PID: 5168

General

Target ID:	4
Start time:	22:12:37
Start date:	02/08/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,DllRegisterServer
Imagebase:	0x7ff6dbdb0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_2, Description: Yara detected Emotet, Source: 00000004.00000002.882940563.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 5316, Parent PID: 5168

General

Target ID:	5
Start time:	22:12:41
Start date:	02/08/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,YAeJyEAYL7F4eDck6YUaf
Imagebase:	0x7ff6dbdb0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_2, Description: Yara detected Emotet, Source: 00000005.00000002.882553231.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 5332, Parent PID: 5168

General

Target ID:	6
Start time:	22:12:45
Start date:	02/08/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,fmFkmnQYB5TC2Sq5NGFkK
Imagebase:	0x7ff6dbdb0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_2, Description: Yara detected Emotet, Source: 00000006.00000002.889058366.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pmfoxWgt1q

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 5168, Parent PID: 616

General

Analysis Process: cmd.exePID: 5176, Parent PID: 5168

General

Analysis Process: regsvr32.exePID: 5184, Parent PID: 5168

General

Windows Analysis Report
pmfoxWgt1q