Windows Analysis Report
ts.exe_

Overview

General Information

Sample Name: ts.exe_ (renamed file extension from exe_ to exe)
Analysis ID: 745562
MD5: ad57d446c107b5abd83b6180456cd0dd
SHA1: 8e277fb9bc97bedc7f7f4ba4390cc36702d87b7c
SHA256: 58d9d7c2d4a4140bbdc16c9b6ab1b56244ebc8b1c3eaa1fc63386bbce7acdb4c
Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Machine Learning detection for sample
PE file does not import any functions
Yara signature match
Drops PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Uses Microsoft's Enhanced Cryptographic Provider
Contains long sleeps (>= 3 min)

Classification

AV Detection

Source: ts.exe Avira: detected
Source: C:\Users\user\Desktop\62366813.dll Avira: detection malicious, Label: HEUR/AGEN.1251140
Source: ts.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ts.exe Code function: 0_2_00007FF7A58828F0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext, 0_2_00007FF7A58828F0
Source: ts.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ts.exe Code function: 0_2_00007FFA0AEDF51C FindFirstFileW, 0_2_00007FFA0AEDF51C

E-Banking Fraud

Source: Yara match File source: ts.exe, type: SAMPLE
Source: Yara match File source: 0.3.ts.exe.228231c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ts.exe.228233eea14.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ts.exe.228231c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ts.exe.7ffa0aed0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ts.exe.228233ca850.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ts.exe.228233eea14.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ts.exe.22823350000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.562441647.00007FFA0AED1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.299862162.00000228231C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.299383409.0000022823350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Desktop\62366813.dll, type: DROPPED

System Summary

Source: ts.exe, type: SAMPLE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.ts.exe.228231c0000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.ts.exe.228233eea14.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.ts.exe.228231c0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.2.ts.exe.7ffa0aed0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.ts.exe.228233ca850.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.ts.exe.228233eea14.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.ts.exe.22823350000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000002.562441647.00007FFA0AED1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.299862162.00000228231C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.299383409.0000022823350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: C:\Users\user\Desktop\62366813.dll, type: DROPPED Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 62366813.dll.0.dr Static PE information: No import functions for PE file found
Source: ts.exe, type: SAMPLE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: C:\Users\user\Desktop\ts.exe File read: C:\Users\user\Desktop\ts.exe
Source: ts.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ts.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\ts.exe C:\Users\user\Desktop\ts.exe
Source: C:\Users\user\Desktop\ts.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4724:120:WilError_01
Source: C:\Users\user\Desktop\ts.exe File created: C:\Users\user\Desktop\62366813.dll
Source: C:\Users\user\Desktop\ts.exe File created: C:\Users\user\AppData\Local\Temp\1B9F.tmp
Source: classification engine Classification label: mal76.troj.winEXE@2/3@0/0
Source: ts.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: ts.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ts.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ts.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ts.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ts.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ts.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ts.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: ts.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ts.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ts.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ts.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ts.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ts.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\ts.exe Code function: 0_2_00007FF7A589ACC4 pushfq ; ret 0_2_00007FF7A589ACC5
Source: C:\Users\user\Desktop\ts.exe Code function: 0_2_00007FF7A589AD06 push rbp; iretd 0_2_00007FF7A589AD07
Source: C:\Users\user\Desktop\ts.exe Code function: 0_2_00007FF7A5899B8E push rbp; iretd 0_2_00007FF7A5899B8F
Source: ts.exe Static PE information: section name: _RDATA
Source: 06B049A8.dll.0.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\ts.exe File created: C:\Users\user\Desktop\62366813.dll
Source: C:\Users\user\Desktop\ts.exe File created: C:\Users\user\Desktop\06B049A8.dll
Source: C:\Users\user\Desktop\ts.exe TID: 5720 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ts.exe Dropped PE file which has not been started: C:\Users\user\Desktop\06B049A8.dll
Source: C:\Users\user\Desktop\ts.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ts.exe Code function: 0_2_00007FFA0AEDF51C FindFirstFileW, 0_2_00007FFA0AEDF51C
Source: C:\Users\user\Desktop\ts.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ts.exe Code function: 0_2_00007FF7A588B568 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7A588B568
Source: C:\Users\user\Desktop\ts.exe Code function: 0_2_00007FF7A588B110 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 0_2_00007FF7A588B110
Source: C:\Users\user\Desktop\ts.exe Code function: 0_2_00007FF7A588B710 SetUnhandledExceptionFilter, 0_2_00007FF7A588B710
Source: C:\Users\user\Desktop\ts.exe Code function: 0_2_00007FF7A588B2BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7A588B2BC
Source: C:\Users\user\Desktop\ts.exe Code function: 0_2_00007FF7A58BE50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7A58BE50C
Source: C:\Users\user\Desktop\ts.exe Code function: GetLocaleInfoEx, 0_2_00007FF7A58B4F3C
Source: C:\Users\user\Desktop\ts.exe Code function: EnumSystemLocalesW, 0_2_00007FF7A58D26B4
Source: C:\Users\user\Desktop\ts.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00007FF7A58D5898
Source: C:\Users\user\Desktop\ts.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FF7A58D60F0
Source: C:\Users\user\Desktop\ts.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF7A58D62CC
Source: C:\Users\user\Desktop\ts.exe Code function: EnumSystemLocalesW, 0_2_00007FF7A58D5CB4
Source: C:\Users\user\Desktop\ts.exe Code function: EnumSystemLocalesW, 0_2_00007FF7A58D5BE4
Source: C:\Users\user\Desktop\ts.exe Code function: GetLocaleInfoW, 0_2_00007FF7A58D2BF8
Source: C:\Users\user\Desktop\ts.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\ts.exe Code function: 0_2_00007FF7A588B978 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7A588B978

Stealing of Sensitive Information

Source: Yara match File source: ts.exe, type: SAMPLE
Source: Yara match File source: 0.3.ts.exe.228231c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ts.exe.228233eea14.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ts.exe.228231c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ts.exe.7ffa0aed0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ts.exe.228233ca850.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ts.exe.228233eea14.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ts.exe.22823350000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.562441647.00007FFA0AED1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.299862162.00000228231C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.299383409.0000022823350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Desktop\62366813.dll, type: DROPPED
No contacted IP infos