Windows Analysis Report
os.exe_

Overview

General Information

Sample Name: os.exe_ (renamed file extension from exe_ to exe)
Analysis ID: 745620
MD5: df3118872eafc944ad200ad462023a5d
SHA1: afb8e59f0d39c614e6b7ac3486c7ea016342fb05
SHA256: e81704d02356f7f9a1a54ff857fa3afb2b96680b99c23643e1ccbc16b750239e

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Writes to foreign memory regions
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: os.exe Avira: detected
Source: C:\Users\user\Desktop\6E8422DB.dll Avira: detection malicious, Label: HEUR/AGEN.1251140
Source: C:\Users\user\Desktop\6E8422DB.dll Virustotal: Detection: 57% Perma Link
Source: os.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40728F0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext, 0_2_00007FF6D40728F0
Source: os.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: certutil.pdb source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr
Source: Binary string: certutil.pdbGCTL source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr
Source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
Source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
Source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeStringCchPrintfWhttps://login.microsoftonline.c

E-Banking Fraud

Source: Yara match File source: os.exe, type: SAMPLE
Source: Yara match File source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPED

System Summary

Source: os.exe, type: SAMPLE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: os.exe, type: SAMPLE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 0.3.os.exe.1acdc970000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 0.3.os.exe.1acdc970000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 2.2.kbuhkupik.exe.7ff7e47d0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 2.2.kbuhkupik.exe.7ff7e47d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 0.3.os.exe.1acdcb40000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 00000002.00000000.311642845.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.312156622.000001ACDCA6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000002.00000002.312032417.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.312117777.000001ACDC970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: 00000002.00000000.311475701.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPED Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPED Matched rule: Windows_Trojan_Emotet_d6ac1ea4 Author: unknown
Source: os.exe, type: SAMPLE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: os.exe, type: SAMPLE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdc970000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdc970000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 2.2.kbuhkupik.exe.7ff7e47d0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 2.2.kbuhkupik.exe.7ff7e47d0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdcb40000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 2.0.kbuhkupik.exe.7ff7e47d0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 00000000.00000002.574382395.00007FF88EE12000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: SUSP_Four_Byte_XOR_PE_And_MZ author = Wesley Shields <wxs@atarininja.org>, description = Look for 4 byte xor of a PE starting at offset 0, score = 2021-10-11, reference = https://gist.github.com/wxsBSD/bf7b88b27e9f879016b5ce2c778d3e83
Source: 00000002.00000000.311642845.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000000.00000003.312156622.000001ACDCA6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000002.00000002.312032417.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000000.00000003.312117777.000001ACDC970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: 00000002.00000000.311475701.00007FF7E47D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPED Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPED Matched rule: Windows_Trojan_Emotet_d6ac1ea4 reference_sample = 2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71, os = windows, severity = x86, creation_date = 2022-05-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 7e6224c58c283765b5e819eb46814c556ae6b7b5931cd1e3e19ca3ec8fa31aa2, id = d6ac1ea4-b0a8-4023-b712-9f4f2c7146a3, last_modified = 2022-06-09
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40B6D94 0_2_00007FF6D40B6D94
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D4073DF0 0_2_00007FF6D4073DF0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40946E8 0_2_00007FF6D40946E8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D4093A40 0_2_00007FF6D4093A40
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D4080B06 0_2_00007FF6D4080B06
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40B053C 0_2_00007FF6D40B053C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40BFD5C 0_2_00007FF6D40BFD5C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40AC5A0 0_2_00007FF6D40AC5A0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40ACDD0 0_2_00007FF6D40ACDD0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D407DDE8 0_2_00007FF6D407DDE8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40BE614 0_2_00007FF6D40BE614
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40AD668 0_2_00007FF6D40AD668
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40CAEB0 0_2_00007FF6D40CAEB0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D407EEF4 0_2_00007FF6D407EEF4
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40AC788 0_2_00007FF6D40AC788
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D4072F80 0_2_00007FF6D4072F80
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D407D7CC 0_2_00007FF6D407D7CC
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D4075FC0 0_2_00007FF6D4075FC0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40AF7F4 0_2_00007FF6D40AF7F4
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40B6830 0_2_00007FF6D40B6830
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D4080024 0_2_00007FF6D4080024
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40BC854 0_2_00007FF6D40BC854
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40C8848 0_2_00007FF6D40C8848
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40AD160 0_2_00007FF6D40AD160
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40BE164 0_2_00007FF6D40BE164
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40AC3B8 0_2_00007FF6D40AC3B8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D4084400 0_2_00007FF6D4084400
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40BEC94 0_2_00007FF6D40BEC94
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D4087D18 0_2_00007FF6D4087D18
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0E7CC 0_2_00007FF88EE0E7CC
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0F740 0_2_00007FF88EE0F740
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFEF04 0_2_00007FF88EDFEF04
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFD0F0 0_2_00007FF88EDFD0F0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0D888 0_2_00007FF88EE0D888
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE04050 0_2_00007FF88EE04050
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE08DF0 0_2_00007FF88EE08DF0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE085A8 0_2_00007FF88EE085A8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE07568 0_2_00007FF88EE07568
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF8E84 0_2_00007FF88EDF8E84
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFB3B8 0_2_00007FF88EDFB3B8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF33D4 0_2_00007FF88EDF33D4
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF6B30 0_2_00007FF88EDF6B30
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF2CE0 0_2_00007FF88EDF2CE0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFAC98 0_2_00007FF88EDFAC98
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0FC4C 0_2_00007FF88EE0FC4C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE051F4 0_2_00007FF88EE051F4
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE069A4 0_2_00007FF88EE069A4
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF4914 0_2_00007FF88EDF4914
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFC7E0 0_2_00007FF88EDFC7E0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE09FDC 0_2_00007FF88EE09FDC
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFB7BC 0_2_00007FF88EDFB7BC
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFE7B0 0_2_00007FF88EDFE7B0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF3780 0_2_00007FF88EDF3780
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE05764 0_2_00007FF88EE05764
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF873C 0_2_00007FF88EDF873C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE00748 0_2_00007FF88EE00748
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE00F34 0_2_00007FF88EE00F34
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE070C4 0_2_00007FF88EE070C4
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE058C0 0_2_00007FF88EE058C0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF6880 0_2_00007FF88EDF6880
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE02880 0_2_00007FF88EE02880
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE10094 0_2_00007FF88EE10094
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF1068 0_2_00007FF88EDF1068
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFA038 0_2_00007FF88EDFA038
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF4050 0_2_00007FF88EDF4050
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0484C 0_2_00007FF88EE0484C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE09844 0_2_00007FF88EE09844
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFB020 0_2_00007FF88EDFB020
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF5800 0_2_00007FF88EDF5800
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0E014 0_2_00007FF88EE0E014
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE02DE0 0_2_00007FF88EE02DE0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF15EC 0_2_00007FF88EDF15EC
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE025C0 0_2_00007FF88EE025C0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0BDC0 0_2_00007FF88EE0BDC0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFF5C8 0_2_00007FF88EDFF5C8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0DD8C 0_2_00007FF88EE0DD8C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE05D94 0_2_00007FF88EE05D94
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE07D6C 0_2_00007FF88EE07D6C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0C528 0_2_00007FF88EE0C528
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE00D1C 0_2_00007FF88EE00D1C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF3CF8 0_2_00007FF88EDF3CF8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFBD10 0_2_00007FF88EDFBD10
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF26E0 0_2_00007FF88EDF26E0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF3ED8 0_2_00007FF88EDF3ED8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF76D8 0_2_00007FF88EDF76D8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE066D8 0_2_00007FF88EE066D8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE046A0 0_2_00007FF88EE046A0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0D6B0 0_2_00007FF88EE0D6B0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF6EAC 0_2_00007FF88EDF6EAC
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE09E58 0_2_00007FF88EE09E58
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFB64C 0_2_00007FF88EDFB64C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE05610 0_2_00007FF88EE05610
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFFE10 0_2_00007FF88EDFFE10
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0C3D8 0_2_00007FF88EE0C3D8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE03BB0 0_2_00007FF88EE03BB0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE09380 0_2_00007FF88EE09380
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFBB8C 0_2_00007FF88EDFBB8C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE09B6C 0_2_00007FF88EE09B6C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF8358 0_2_00007FF88EDF8358
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF1B74 0_2_00007FF88EDF1B74
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE10350 0_2_00007FF88EE10350
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0AB38 0_2_00007FF88EE0AB38
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE04B50 0_2_00007FF88EE04B50
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0BB40 0_2_00007FF88EE0BB40
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE03B28 0_2_00007FF88EE03B28
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE07B14 0_2_00007FF88EE07B14
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE06B08 0_2_00007FF88EE06B08
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE054D8 0_2_00007FF88EE054D8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE08CD8 0_2_00007FF88EE08CD8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFECC8 0_2_00007FF88EDFECC8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFFC98 0_2_00007FF88EDFFC98
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF7CB0 0_2_00007FF88EDF7CB0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE05C78 0_2_00007FF88EE05C78
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0E478 0_2_00007FF88EE0E478
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFE490 0_2_00007FF88EDFE490
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF8C74 0_2_00007FF88EDF8C74
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFCC24 0_2_00007FF88EDFCC24
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE00C20 0_2_00007FF88EE00C20
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0D41C 0_2_00007FF88EE0D41C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF7428 0_2_00007FF88EDF7428
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF240C 0_2_00007FF88EDF240C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0A9CC 0_2_00007FF88EE0A9CC
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFB1A4 0_2_00007FF88EDFB1A4
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF39A8 0_2_00007FF88EDF39A8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0D990 0_2_00007FF88EE0D990
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF815C 0_2_00007FF88EDF815C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE00140 0_2_00007FF88EE00140
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF214C 0_2_00007FF88EDF214C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0B92C 0_2_00007FF88EE0B92C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0C134 0_2_00007FF88EE0C134
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0E124 0_2_00007FF88EE0E124
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE022E0 0_2_00007FF88EE022E0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF42A4 0_2_00007FF88EDF42A4
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE00A9C 0_2_00007FF88EE00A9C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFFAB0 0_2_00007FF88EDFFAB0
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF7A94 0_2_00007FF88EDF7A94
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF825C 0_2_00007FF88EDF825C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDF2A4C 0_2_00007FF88EDF2A4C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFDA20 0_2_00007FF88EDFDA20
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE05A30 0_2_00007FF88EE05A30
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFB9FC 0_2_00007FF88EDFB9FC
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D9648 2_2_00007FF7E47D9648
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D67A0 2_2_00007FF7E47D67A0
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D37A0 2_2_00007FF7E47D37A0
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D4FC8 2_2_00007FF7E47D4FC8
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D3CF8 2_2_00007FF7E47D3CF8
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D75AC 2_2_00007FF7E47D75AC
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47DEDA8 2_2_00007FF7E47DEDA8
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D79BC 2_2_00007FF7E47D79BC
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D6DF8 2_2_00007FF7E47D6DF8
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D260C 2_2_00007FF7E47D260C
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D711C 2_2_00007FF7E47D711C
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47E2148 2_2_00007FF7E47E2148
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47E1558 2_2_00007FF7E47E1558
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D12A4 2_2_00007FF7E47D12A4
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D4E98 2_2_00007FF7E47D4E98
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D1EBC 2_2_00007FF7E47D1EBC
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D2ACC 2_2_00007FF7E47D2ACC
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D5310 2_2_00007FF7E47D5310
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D4A48 2_2_00007FF7E47D4A48
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D2E68 2_2_00007FF7E47D2E68
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D47E0 2_2_00007FF7E47D47E0
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D83DC 2_2_00007FF7E47D83DC
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D1000 2_2_00007FF7E47D1000
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D3B28 2_2_00007FF7E47D3B28
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D1B48 2_2_00007FF7E47D1B48
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D1758 2_2_00007FF7E47D1758
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47DA0A0 2_2_00007FF7E47DA0A0
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47E28F4 2_2_00007FF7E47E28F4
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D5D04 2_2_00007FF7E47D5D04
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47E1908 2_2_00007FF7E47E1908
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D601C 2_2_00007FF7E47D601C
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D6434 2_2_00007FF7E47D6434
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D8044 2_2_00007FF7E47D8044
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D5440 2_2_00007FF7E47D5440
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D243C 2_2_00007FF7E47D243C
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47E0C50 2_2_00007FF7E47E0C50
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D7470 2_2_00007FF7E47D7470
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D1C8C 2_2_00007FF7E47D1C8C
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE085A8 NtUnmapViewOfSection,VirtualAllocEx,SetThreadContext, 0_2_00007FF88EE085A8
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EE0A1D8 NtUnmapViewOfSection, 0_2_00007FF88EE0A1D8
Source: 6E8422DB.dll.0.dr Static PE information: No import functions for PE file found
Source: os.exe, 00000000.00000003.309580078.000001ACDE45E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCertUtil.exej% vs os.exe
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe 88EAE7C94142232FBB961DD8381FAEF23129B9F958BE283AE8393D28FED2092B
Source: C:\Users\user\Desktop\os.exe File read: C:\Users\user\Desktop\os.exe
Source: os.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\os.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\os.exe C:\Users\user\Desktop\os.exe
Source: C:\Users\user\Desktop\os.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\os.exe Process created: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe C:\Users\user\AppData\Local\Temp\\kbuhkupik.exe" "C:\Users\user\AppData\Local\Temp\DB61.tmp
Source: C:\Users\user\Desktop\os.exe File created: C:\Users\user\Desktop\6E8422DB.dll
Source: C:\Users\user\Desktop\os.exe File created: C:\Users\user\AppData\Local\Temp\DB61.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/4@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_01
Source: os.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: os.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: os.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: os.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: os.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: os.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: os.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: os.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: os.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: certutil.pdb source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr
Source: Binary string: certutil.pdbGCTL source: os.exe, 00000000.00000003.309370759.000001ACDE2EE000.00000004.00000020.00020000.00000000.sdmp, kbuhkupik.exe, 00000002.00000000.310388028.00007FF7E48D9000.00000002.00000001.01000000.00000005.sdmp, kbuhkupik.exe.0.dr
Source: os.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: os.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: os.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: os.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: os.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D4089B8E push rbp; iretd 0_2_00007FF6D4089B8F
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D408ACC4 pushfq ; ret 0_2_00007FF6D408ACC5
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D408AD06 push rbp; iretd 0_2_00007FF6D408AD07
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47ED2F9 push rax; ret 2_2_00007FF7E47ED329
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47E4010 push rax; retf 2_2_00007FF7E47E4011
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47ED378 push rax; ret 2_2_00007FF7E47ED329
Source: os.exe Static PE information: section name: _RDATA
Source: 09F81D2E.dll.0.dr Static PE information: section name: _RDATA
Source: kbuhkupik.exe.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\os.exe File created: C:\Users\user\Desktop\6E8422DB.dll
Source: C:\Users\user\Desktop\os.exe File created: C:\Users\user\Desktop\09F81D2E.dll
Source: C:\Users\user\Desktop\os.exe File created: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47D9648 EncodePointer,RtlEncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00007FF7E47D9648
Source: C:\Users\user\Desktop\os.exe TID: 1416 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\os.exe Dropped PE file which has not been started: C:\Users\user\Desktop\09F81D2E.dll
Source: C:\Users\user\Desktop\os.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\os.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D407B568 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6D407B568
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47DCEBC EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_00007FF7E47DCEBC
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF88EDFCFF4 GetProcessHeap, 0_2_00007FF88EDFCFF4
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D407B110 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 0_2_00007FF6D407B110
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D407B568 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6D407B568
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D407B710 SetUnhandledExceptionFilter, 0_2_00007FF6D407B710
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D407B2BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6D407B2BC
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D40AE50C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6D40AE50C
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47DAB8C SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,IsDebuggerPresent, 2_2_00007FF7E47DAB8C
Source: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe Code function: 2_2_00007FF7E47E4108 SetUnhandledExceptionFilter, 2_2_00007FF7E47E4108

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\os.exe Section unmapped: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe base address: 7FF7E47D0000
Source: C:\Users\user\Desktop\os.exe Memory written: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe base: 7FF7E47D0000
Source: C:\Users\user\Desktop\os.exe File created: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe
Source: C:\Users\user\Desktop\os.exe Memory allocated: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe base: 7FF7E47D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\os.exe Memory written: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe base: 7FF7E47D0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\os.exe Thread register set: target process: 2040
Source: C:\Users\user\Desktop\os.exe Process created: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe C:\Users\user\AppData\Local\Temp\\kbuhkupik.exe" "C:\Users\user\AppData\Local\Temp\DB61.tmp
Source: C:\Users\user\Desktop\os.exe Code function: GetLocaleInfoEx, 0_2_00007FF6D40A4F3C
Source: C:\Users\user\Desktop\os.exe Code function: EnumSystemLocalesW, 0_2_00007FF6D40C26B4
Source: C:\Users\user\Desktop\os.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00007FF6D40C5898
Source: C:\Users\user\Desktop\os.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FF6D40C60F0
Source: C:\Users\user\Desktop\os.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF6D40C62CC
Source: C:\Users\user\Desktop\os.exe Code function: EnumSystemLocalesW, 0_2_00007FF6D40C5BE4
Source: C:\Users\user\Desktop\os.exe Code function: GetLocaleInfoW, 0_2_00007FF6D40C2BF8
Source: C:\Users\user\Desktop\os.exe Code function: EnumSystemLocalesW, 0_2_00007FF6D40C5CB4
Source: C:\Users\user\Desktop\os.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\os.exe Code function: 0_2_00007FF6D407B978 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6D407B978
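Taken one at a time, the events in the evasion section above (a section unmapped in the child, an RWX allocation, a write whose first bytes are 4D5A, a thread context change, an effectively unbounded delay, a read of the MachineGuid value) are weak signals; the "process hollowing" verdict comes from correlating them per source/target pair. The script below is an added example, not Joe Sandbox code: it parses constructed lines in the report's own "Source: ... Event: ..." layout, tracks the injection stages per target, and flags delays above the 30000 bound the report itself applies. The regexes, the Chain model, its verdict labels and SLEEP_THRESHOLD are this example's own assumptions.

```python
"""Correlate Joe Sandbox style behaviour lines into an injection verdict.

Added example, not Joe Sandbox code. SAMPLE_LINES are constructed to mirror the
events the report records for os.exe -> kbuhkupik.exe (link text dropped); the
regexes, the Chain model, its verdict labels and SLEEP_THRESHOLD are this
example's own assumptions.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LINES = [  # constructed sample input in the report's line layout
    r"Source: C:\Users\user\Desktop\os.exe Process created: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe",
    r"Source: C:\Users\user\Desktop\os.exe Section unmapped: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe base address: 7FF7E47D0000",
    r"Source: C:\Users\user\Desktop\os.exe Memory allocated: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe base: 7FF7E47D0000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\os.exe Memory written: C:\Users\user\AppData\Local\Temp\kbuhkupik.exe base: 7FF7E47D0000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\os.exe Thread register set: target process: 2040",
    r"Source: C:\Users\user\Desktop\os.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\os.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
]

LINE_RE = re.compile(r"^Source: (?P<src>\S+) (?P<event>[A-Za-z ]+?): (?P<rest>.*)$")
TARGET_RE = re.compile(r"^(?P<target>\S+)(?: base(?: address)?: (?P<base>[0-9A-Fa-f]+))?")
SLEEP_THRESHOLD = 30000   # the bound the report applies to "Thread sleep time" (assumed units)


@dataclass
class Chain:
    """Injection stages observed from one source process into one target image."""
    source: str
    target: str
    created: bool = False
    unmapped: bool = False
    rwx_alloc: bool = False
    pe_written: bool = False
    context_set: bool = False
    bases: set = field(default_factory=set)

    def verdict(self) -> str:
        if self.unmapped and self.pe_written and self.context_set:
            return "process hollowing"            # unmap original image, write PE, redirect thread
        if self.pe_written and self.context_set:
            return "pe injection + thread hijack"
        if self.pe_written or self.rwx_alloc:
            return "foreign memory write"
        return "none"


def triage_behaviour(lines) -> dict:
    """Return per-target verdicts plus evasive sleeps and fingerprinting registry reads."""
    chains: dict = {}
    long_sleeps, fingerprint_keys = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, event, rest = m["src"], m["event"], m["rest"]
        if event in ("Process created", "Section unmapped", "Memory allocated", "Memory written"):
            t = TARGET_RE.match(rest)
            chain = chains.setdefault((src, t["target"]), Chain(src, t["target"]))
            if t["base"]:
                chain.bases.add(int(t["base"], 16))
            if event == "Process created":
                chain.created = True
            elif event == "Section unmapped":
                chain.unmapped = True
            elif event == "Memory allocated":
                chain.rwx_alloc = chain.rwx_alloc or ("execute" in rest and "write" in rest)
            else:                                  # "Memory written": 4D5A is "MZ", a PE header
                chain.pe_written = chain.pe_written or rest.rstrip().endswith("4D5A")
        elif event == "Thread register set":
            # The sandbox names only the target PID here, so attribute the
            # context change to every chain this source process has opened.
            for (s, _), chain in chains.items():
                if s == src:
                    chain.context_set = True
        elif event == "Thread delayed":
            delay = int(rest.rsplit(":", 1)[1])
            if delay >= SLEEP_THRESHOLD:
                long_sleeps.append(delay)
        elif event == "Key value queried" and rest.endswith("MachineGuid"):
            fingerprint_keys.append(rest)
    return {
        "chains": {c.target: c.verdict() for c in chains.values()},
        "long_sleeps": long_sleeps,
        "fingerprint_keys": fingerprint_keys,
    }


if __name__ == "__main__":
    for key, value in triage_behaviour(SAMPLE_LINES).items():
        print(key, value)
```

The same correlation applies to live telemetry: a process that unmaps its own child's image, writes a buffer beginning with MZ into it and then calls SetThreadContext on it is the API sequence the report's 0_2_00007FF88EE085A8 entry (NtUnmapViewOfSection, VirtualAllocEx, SetThreadContext) shows, whatever the names of the executables involved.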

Stealing of Sensitive Information

Source: Yara match File source: os.exe, type: SAMPLE
Source: Yara match File source: 0.2.os.exe.7ff88edf0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.os.exe.1acdcbdea14.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.os.exe.1acdc960000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.os.exe.1acdcbdea14.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.os.exe.1acdc960000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.os.exe.1acdcbba850.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.os.exe.1acdcb40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.574333712.00007FF88EDF1000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.307924696.000001ACDC960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.307776422.000001ACDCB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Desktop\6E8422DB.dll, type: DROPPED
No contacted IP infos