
ID: 270113
Sample Name: _234125._exe
Cookbook: default.jbs
Time: 15:01:42
Date: 18/08/2020
Version: 29.0.0 Ocean Jasper


Copyright null 2020 Page 3 of 21

Analysis Report _234125._exe

Overview

General Information

Sample Name: _234125._exe (renamed file extension from _exe to exe)
Analysis ID: 270113
MD5: d88ad9f7b94aca8…
SHA1: 4c28e360fe4261b…
SHA256: 964d936fd267b8d…
Most interesting Screenshot:

Detection

Emotet
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.…
Yara detected Emotet
Drops executables to the windows d…
Hides that the sample has been dow…
Contains capabilities to detect virtua…
Contains functionality to access loa…
Contains functionality to call native f…
Contains functionality to check if a w…
Contains functionality to dynamically…
Contains functionality to read the PEB
Creates files inside the system direc…
Deletes files inside the Windows fold…
Detected potential crypto function
Drops PE files to the windows direct…
Found potential string decryption / a…
PE file contains strange resources
Potential key logger detected (keys …
Queries the volume information (nam…
Sample file is different than original …
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptog…
Uses a known web browser user age…
Uses code obfuscation techniques (…

Classification

Classification chart (figure): categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean.

Startup

System is w10x64

_234125.exe (PID: 6848 cmdline: 'C:\Users\user\Desktop\_234125.exe' MD5: D88AD9F7B94ACA8A7B157960496F2733)
    dxdiag.exe (PID: 6892 cmdline: C:\Windows\SysWOW64\mfvdsp\dxdiag.exe MD5: D88AD9F7B94ACA8A7B157960496F2733)
svchost.exe (PID: 6924 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 6352 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 6552 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
cleanup

Malware Configuration

Threatname: Emotet

{
  "C2 list": [
    "68.44.137.144:443", "69.30.203.214:8080", "67.205.85.243:8080", "79.98.24.39:8080",
    "5.196.74.210:8080", "188.83.220.2:443", "109.116.214.124:443", "203.117.253.142:80",
    "104.131.11.150:443", "97.82.79.83:80", "121.124.124.40:7080", "83.169.36.251:8080",
    "89.186.91.200:443", "70.167.215.250:8080", "204.197.146.48:80", "167.86.90.214:8080",
    "190.160.53.126:80", "95.213.236.64:8080", "47.144.21.12:443", "169.239.182.217:8080",
    "62.75.141.82:80", "181.211.11.242:80", "37.70.8.161:80", "190.55.181.54:443",
    "78.24.219.147:8080", "93.51.50.171:8080", "139.59.60.244:8080", "91.211.88.52:7080",
    "139.130.242.43:80", "24.233.112.152:80", "185.94.252.104:443", "74.208.45.104:8080",
    "47.146.117.214:80", "137.59.187.107:8080", "174.102.48.180:80", "199.101.86.142:8080",
    "116.203.32.252:8080", "103.86.49.11:8080", "81.2.235.111:8080", "200.41.121.90:80",
    "85.105.205.77:8080", "61.19.246.238:443", "110.145.77.103:80", "107.185.211.16:80",
    "95.179.229.244:8080", "85.152.162.105:80", "142.105.151.124:443", "41.60.200.34:80",
    "203.153.216.189:7080", "46.105.131.79:8080", "181.230.116.163:80", "168.235.67.138:7080",
    "24.179.13.119:80", "72.12.127.184:443", "75.139.38.211:80", "109.74.5.95:8080",
    "24.43.99.75:80", "87.106.136.232:8080", "176.111.60.55:8080", "152.168.248.128:443",
    "74.120.55.163:80", "183.101.175.193:80", "68.188.112.97:80", "62.138.26.28:8080",
    "5.39.91.110:7080", "24.137.76.62:80", "37.139.21.175:8080", "2.58.16.85:7080",
    "209.141.54.221:8080", "37.187.72.193:8080", "104.236.246.93:8080", "157.147.76.151:80",
    "87.106.139.101:8080", "189.212.199.126:443", "173.62.217.22:443", "180.92.239.110:8080",
    "104.131.44.150:8080", "157.245.99.39:8080"
  ],
  "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.1534712271.0000000002120000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.1534744502.0000000002141000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.1270600625.0000000002201000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.1270589622.00000000021F0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Cryptography
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information


AV Detection:

Found malware configuration

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

E-Banking Fraud:

Yara detected Emotet

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Stealing of Sensitive Information:

Yara detected Emotet

Mitre Att&ck Matrix

Mitre Att&ck Matrix (flattened table; the cell layout could not be recovered from the extraction).

Column headers: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects.

Techniques flagged for this sample, with the hit counts shown in the matrix: Native API 1; DLL Side-Loading 1; Process Injection 2; Masquerading 1 2; Input Capture 1; Virtualization/Sandbox Evasion 1; Process Discovery 3; Deobfuscate/Decode Files or Information 1; Application Window Discovery 1; Hidden Files and Directories 1; File and Directory Discovery 2; Obfuscated Files or Information 2; System Information Discovery 1 4; File Deletion 1; Encrypted Channel 2 2; Non-Application Layer Protocol 1; Application Layer Protocol 1 2.

Behavior Graph

Behavior Graph (figure; legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet)

ID: 270113
Sample: _234125._exe
Startdate: 18/08/2020
Architecture: WINDOWS
Score: 72

Processes in the graph: _234125.exe, dxdiag.exe, svchost.exe, svchost.exe, svchost.exe
Signatures in the graph: Found malware configuration; Yara detected Emotet; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Drops executables to the windows directory (C:\Windows) and starts them; Hides that the sample has been downloaded from the Internet (zone.identifier)
Network node: 68.44.137.144, 443, 49728 (COMCAST-7922US, United States)

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
https://%s.xboxlive.com | 0% | URL Reputation | safe |
https://%s.xboxlive.com | 0% | URL Reputation | safe |
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe |
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://68.44.137.144:443/69AYSftHC/ckb6ciLBhNuzGkcoLev/tvEedbu/Oa6VvUd/ | true | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
68.44.137.144/69AYSftHC/ckb6ciLBhNuzGkcoLev/tvEedbu/Oa6VvUd/ | dxdiag.exe, 00000001.00000002.1536075837.0000000002AAE000.00000004.00000001.sdmp | false | | unknown
https://activity.windows.comr | svchost.exe, 00000002.00000002.1534560631.00000239D083E000.00000004.00000001.sdmp | false | | unknown
https://%s.xboxlive.com | svchost.exe, 00000002.00000002.1534560631.00000239D083E000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe | low
https://activity.windows.com | svchost.exe, 00000002.00000002.1534560631.00000239D083E000.00000004.00000001.sdmp | false | | high
68.44.137.144:443/69AYSftHC/ckb6ciLBhNuzGkcoLev/tvEedbu/Oa6VvUd/ | dxdiag.exe, 00000001.00000002.1536075837.0000000002AAE000.00000004.00000001.sdmp | false | | unknown
68.44.137.144:443/69AYSftHC/ckb6ciLBhNuzGkcoLev/tvEedbu/Oa6VvUd/R | dxdiag.exe, 00000001.00000002.1536075837.0000000002AAE000.00000004.00000001.sdmp | false | | unknown
https://%s.dnet.xboxlive.com | svchost.exe, 00000002.00000002.1534560631.00000239D083E000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe | low

Contacted IPs


Public

IP | Country | Flag | ASN | ASN Name | Malicious
68.44.137.144 | United States | | 7922 | COMCAST-7922US | true

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 270113
Start date: 18.08.2020
Start time: 15:01:42
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 54s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: _234125._exe (renamed file extension from _exe to exe)
Cookbook file name: default.jbs
Analysis system description: w10x64 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.troj.evad.winEXE@6/0@0/1
EGA Information: Failed
HDC Information: Successful, ratio: 82.9% (good quality ratio 81.4%); Quality average: 87.1%; Quality standard deviation: 21.5%
HCA Information: Successful, ratio: 81%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:
  Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.441572954231076
TrID:
  Win32 Executable (generic) a (10002005/4) 99.96%
  Generic Win/DOS Executable (2004/3) 0.02%
  DOS Executable Generic (2002/1) 0.02%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: _234125.exe
File size: 241664
MD5: d88ad9f7b94aca8a7b157960496f2733
SHA1: 4c28e360fe4261bd5b7de1119de245c4be2d0769
SHA256: 964d936fd267b8dd5e0e7e777f9c4051f4ba0fc2e0f554a4dfbb7abd9c9c3d59
SHA512: d94ab100075bb813c4cb1acec54c7200ce89d0b5a69ff7d7087e06dddd7779ca63ae11ef6b47c37cdda12fb3f304fed6254b5a75a3f7cd6e086c958666abde85
SSDEEP: 3072:zLdGL9Wt2ltzymHv7BeQj7UnIo9vPU0iGGaaDVU1RIMvP507:1i9WtytJsU0ZOq1RZvP
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... f...... f...... 6...... Rich...... PE..L. ....:_......

File Icon

Icon Hash: 938e0d4d493d1b0e

Static PE Info

General

Entrypoint: 0x40733b
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5F3AE9E7 [Mon Aug 17 20:34:47 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 1a497fe608ed29e079b5491e59269d39

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004200E0h
push 0040A1A0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0041E200h]
xor edx, edx
mov dl, ah
mov dword ptr [00428AD4h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00428AD0h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [00428ACCh], ecx
shr eax, 10h
mov dword ptr [00428AC8h], eax
push 00000001h
call 00007FA558848DA6h
pop ecx
test eax, eax
jne 00007FA558845FEAh
push 0000001Ch
call 00007FA5588460A8h
pop ecx
call 00007FA558847A86h
test eax, eax
jne 00007FA558845FEAh
push 00000010h
call 00007FA558846097h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007FA558848BC2h
call dword ptr [0041E0BCh]
mov dword ptr [0042A63Ch], eax
call 00007FA558848A80h
mov dword ptr [00428AB8h], eax
call 00007FA558848829h
call 00007FA55884876Bh
call 00007FA558846B85h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0041E104h]
call 00007FA5588486FCh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007FA558845FE8h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:
  [ C ] VS98 (6.0) build 8168
  [RES] VS98 (6.0) cvtres build 1720
  [C++] VS98 (6.0) build 8168

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x23660 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x13d38 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1e000 | 0x448 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1ce86 | 0x1d000 | False | 0.55525154903 | data | 6.55626784849 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x1e000 | 0x6cf0 | 0x7000 | False | 0.309884207589 | data | 4.56149591487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x25000 | 0x6188 | 0x2000 | False | 0.245849609375 | data | 3.34479733188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x13d38 | 0x14000 | False | 0.653295898438 | data | 6.49483827794 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x3db28 | 0x134 | data | English | United States
RT_CURSOR | 0x3dc60 | 0xb4 | data | English | United States
RT_BITMAP | 0x3dd40 | 0x5e4 | data | English | United States
RT_BITMAP | 0x3e410 | 0xb8 | data | English | United States
RT_BITMAP | 0x3e4c8 | 0x16c | data | English | United States
RT_BITMAP | 0x3e638 | 0x144 | data | English | United States
RT_ICON | 0x2c6c0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | Chinese | China
RT_ICON | 0x308e8 | 0x25a8 | data | Chinese | China
RT_ICON | 0x32e90 | 0x10a8 | data | Chinese | China
RT_ICON | 0x33f38 | 0x988 | data | Chinese | China
RT_ICON | 0x348c0 | 0x468 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_DIALOG | 0x3d4e0 | 0x146 | data | Chinese | China
RT_DIALOG | 0x3d628 | 0x16e | data | Chinese | China
RT_DIALOG | 0x3d0c0 | 0x420 | data | Chinese | China
RT_DIALOG | 0x3e328 | 0xe8 | data | English | United States
RT_STRING | 0x3e780 | 0x50 | data | English | United States
RT_STRING | 0x3e7d0 | 0x82 | data | English | United States
RT_STRING | 0x3e858 | 0x2a | data | English | United States
RT_STRING | 0x3e888 | 0x14a | data | English | United States
RT_STRING | 0x3e9d8 | 0x4e2 | data | English | United States
RT_STRING | 0x3f250 | 0x2a2 | data | English | United States
RT_STRING | 0x3ef70 | 0x2dc | data | English | United States
RT_STRING | 0x3eec0 | 0xac | data | English | United States
RT_STRING | 0x3fc28 | 0xde | data | English | United States
RT_STRING | 0x3f4f8 | 0x4c4 | data | English | United States
RT_STRING | 0x3f9c0 | 0x264 | data | English | United States
RT_STRING | 0x3fd08 | 0x2c | data | English | United States
RT_RCDATA | 0x34d78 | 0x8346 | data | Chinese | China
RT_GROUP_CURSOR | 0x3dd18 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
RT_GROUP_ICON | 0x34d28 | 0x4c | data | Chinese | China
RT_VERSION | 0x3d798 | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | English | United States

Imports

DLL | Import

KERNEL32.dll: GetCommandLineA, RaiseException, HeapFree, HeapAlloc, TerminateProcess, HeapSize, HeapReAlloc, GetACP, LCMapStringA, LCMapStringW, Sleep, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetStartupInfoA, HeapDestroy, HeapCreate, VirtualFree, SetUnhandledExceptionFilter, VirtualAlloc, IsBadWritePtr, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, SetStdHandle, RtlUnwind, GetProfileStringA, InterlockedExchange, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GetCurrentProcess, SetErrorMode, WritePrivateProfileStringA, SizeofResource, GetOEMCP, GetCPInfo, GetProcessVersion, GlobalFlags, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, LocalAlloc, GetLastError, GetModuleFileNameA, GlobalAlloc, lstrcmpA, GetCurrentThread, LocalFree, GlobalFree, ExitProcess, CloseHandle, lstrcpynA, GlobalLock, GlobalUnlock, MulDiv, SetLastError, MultiByteToWideChar, WideCharToMultiByte, lstrlenA, InterlockedDecrement, InterlockedIncrement, LoadLibraryA, FreeLibrary, FindResourceA, LoadResource, LockResource, GetVersion, lstrcatA, GetCurrentThreadId, GlobalGetAtomNameA, lstrcmpiA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcpyA, GetModuleHandleA, GetProcAddress, GetFileType

USER32.dll: GetNextDlgTabItem, EnableMenuItem, CheckMenuItem, SetMenuItemBitmaps, ModifyMenuA, GetMenuState, LoadBitmapA, GetMenuCheckMarkDimensions, WindowFromPoint, ClientToScreen, GetDC, ReleaseDC, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, ValidateRect, GetActiveWindow, TranslateMessage, GetMessageA, CreateDialogIndirectParamA, EndDialog, PostQuitMessage, SetCursor, LoadStringA, DestroyMenu, GetClassNameA, LoadCursorA, GetSysColorBrush, InvalidateRect, UpdateWindow, SendDlgItemMessageA, MapWindowPoints, PeekMessageA, DispatchMessageA, SetActiveWindow, SetFocus, AdjustWindowRectEx, ScreenToClient, CopyRect, IsWindowVisible, IsWindowEnabled, GetTopWindow, WinHelpA, wsprintfA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, GetMenuItemID, GetDlgItem, GetWindowTextLengthA, GetWindowTextA, GetDlgCtrlID, GetKeyState, DefWindowProcA, DestroyWindow, CreateWindowExA, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, CallWindowProcA, RemovePropA, GetMessageTime, GetMessagePos, GetLastActivePopup, GetForegroundWindow, SetForegroundWindow, GetWindow, GetWindowLongA, SetWindowLongA, SetWindowPos, RegisterWindowMessageA, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, IsIconic, GetSystemMetrics, DrawIcon, GetSystemMenu, AppendMenuA, LoadIconA, EnableWindow, PostMessageA, GetClientRect, IsRectEmpty, SetWindowTextA, GetCursorPos, RedrawWindow, UnregisterClassA, HideCaret, ShowCaret, ExcludeUpdateRgn, DrawFocusRect, DefDlgProcA, CharNextA, GetFocus, InflateRect, GetCapture, ReleaseCapture, PtInRect, SetCapture, GetParent, KillTimer, SendMessageA, ShowWindow, MoveWindow, IsDialogMessageA, GetSysColor, OffsetRect, SetTimer, IsWindow, IsWindowUnicode, MessageBoxA

GDI32.dll: SetBkColor, CreateBitmap, DeleteDC, SaveDC, RestoreDC, SelectObject, GetStockObject, SetBkMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, IntersectClipRect, MoveToEx, LineTo, SetTextColor, DeleteObject, GetDeviceCaps, CreateSolidBrush, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, PatBlt, GetClipBox, CreateCompatibleDC, CreateCompatibleBitmap, GetTextExtentPoint32A, SetPixel, CreatePen, GetCurrentObject, GetObjectA, CreateDIBitmap, GetTextExtentPointA, BitBlt

comdlg32.dll: GetOpenFileNameA, GetSaveFileNameA

WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, ClosePrinter

ADVAPI32.dll: RegSetValueExA, RegCloseKey, RegOpenKeyExA, RegCreateKeyExA

SHELL32.dll: SHBrowseForFolderA, SHGetPathFromIDListA, SHGetMalloc

COMCTL32.dll:

Version Infos

Description | Data
LegalCopyright | Copyright (C) 2004
InternalName | BrowseCtrlDemo
FileVersion | 1, 0, 0, 1
CompanyName |
PrivateBuild |
LegalTrademarks |
Comments |
ProductName | BrowseCtrlDemo Application
SpecialBuild |
ProductVersion | 1, 0, 0, 1
FileDescription | BrowseCtrlDemo MFC Application
OriginalFilename | BrowseCtrlDemo.EXE
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |
Chinese | China |

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/18/20-15:02:46.267823 | TCP | 2404340 | ET CNC Feodo Tracker Reported CnC TCP group 21 | 49728 | 443 | 192.168.2.5 | 68.44.137.144

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 18, 2020 15:02:46.267822981 CEST | 49728 | 443 | 192.168.2.5 | 68.44.137.144
Aug 18, 2020 15:02:46.503395081 CEST | 443 | 49728 | 68.44.137.144 | 192.168.2.5
Aug 18, 2020 15:02:46.503489971 CEST | 49728 | 443 | 192.168.2.5 | 68.44.137.144
Aug 18, 2020 15:02:46.504152060 CEST | 49728 | 443 | 192.168.2.5 | 68.44.137.144
Aug 18, 2020 15:02:46.504259109 CEST | 49728 | 443 | 192.168.2.5 | 68.44.137.144
Aug 18, 2020 15:02:46.716747046 CEST | 443 | 49728 | 68.44.137.144 | 192.168.2.5
Aug 18, 2020 15:02:47.246613026 CEST | 443 | 49728 | 68.44.137.144 | 192.168.2.5
Aug 18, 2020 15:02:47.246700048 CEST | 49728 | 443 | 192.168.2.5 | 68.44.137.144
Aug 18, 2020 15:03:52.240825891 CEST | 443 | 49728 | 68.44.137.144 | 192.168.2.5
Aug 18, 2020 15:03:52.241024017 CEST | 49728 | 443 | 192.168.2.5 | 68.44.137.144
Aug 18, 2020 15:04:36.187036991 CEST | 49728 | 443 | 192.168.2.5 | 68.44.137.144
Aug 18, 2020 15:04:36.396949053 CEST | 443 | 49728 | 68.44.137.144 | 192.168.2.5

HTTP Request Dependency Graph

68.44.137.144 68.44.137.144:443

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49728 | 68.44.137.144 | 443 | C:\Windows\SysWOW64\mfvdsp\dxdiag.exe

Timestamp: Aug 18, 2020 15:02:46.504152060 CEST | kBytes transferred: 4165 | Direction: OUT
Data:
POST /69AYSftHC/ckb6ciLBhNuzGkcoLev/tvEedbu/Oa6VvUd/ HTTP/1.1
Referer: http://68.44.137.144/69AYSftHC/ckb6ciLBhNuzGkcoLev/tvEedbu/Oa6VvUd/
Content-Type: multipart/form-data; boundary=------317722394722261
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 68.44.137.144:443
Content-Length: 4596
Connection: Keep-Alive
Cache-Control: no-cache

Timestamp: Aug 18, 2020 15:02:47.246613026 CEST | kBytes transferred: 4170 | Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 Aug 2020 13:02:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 132
Connection: keep-alive
Data Raw: 86 2d 97 64 dc 2f f8 df 14 38 07 51 47 c3 82 1e 9f a3 ba c8 d0 2b 43 69 bb 3b 52 61 27 3f 2a 29 23 ca ab b4 0c 87 79 27 e5 f8 12 aa 34 a6 67 1b cb d6 18 b7 d9 cd 1f 7e a9 3e d8 f6 74 85 25 34 ef 26 d3 d4 a7 7d dd 72 9d 53 6e ab e6 41 e3 1b 5d 14 0c 65 04 51 c3 9d 16 cd 48 17 e8 f2 17 79 96 33 16 89 ac 54 9d a3 23 36 b4 bc b1 be 1e e3 7b 1d ff ee 89 a7 7d 80 50 44 e8 ac 08 51 47 2b 4f 08 b1 fa
Data Ascii: -d/8QG+Ci;Ra'?*)#y'4g~>t%4&}rSnA]eQHy3T#6{}PDQG+O

Code Manipulations

Statistics

Behavior

• _234125.exe • dxdiag.exe • svchost.exe • svchost.exe • svchost.exe


System Behavior

Analysis Process: _234125.exe PID: 6848 Parent PID: 5656

General

Start time: 15:02:31
Start date: 18/08/2020
Path: C:\Users\user\Desktop\_234125.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\_234125.exe'
Imagebase: 0x400000
File size: 241664 bytes
MD5 hash: D88AD9F7B94ACA8A7B157960496F2733
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
  Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.1270600625.0000000002201000.00000020.00000001.sdmp, Author: Joe Security
  Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.1270589622.00000000021F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

File Deleted

Source | File Path | Completion | Count | Address | Symbol
| C:\Windows\SysWOW64\mfvdsp\dxdiag.exe:Zone.Identifier | success or wait | 1 | 22027C8 | DeleteFileW

Source Old File Path New File Path Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Analysis Process: dxdiag.exe PID: 6892 Parent PID: 6848

General

Start time: 15:02:32
Start date: 18/08/2020
Path: C:\Windows\SysWOW64\mfvdsp\dxdiag.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\mfvdsp\dxdiag.exe
Imagebase: 0x400000
File size: 241664 bytes
MD5 hash: D88AD9F7B94ACA8A7B157960496F2733
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
  Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.1534712271.0000000002120000.00000040.00000001.sdmp, Author: Joe Security
  Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.1534744502.0000000002141000.00000020.00000001.sdmp, Author: Joe Security
Reputation: low

File Activities

File Created

All twelve entries in this table share the same column values:
  Access: read data or list directory | synchronize
  Attributes: device directory file
  Options: synchronous io non alert | open for backup ident | open reparse point
  Completion: object name collision
  Count: 1
  Address: 214232D
  Symbol: HttpSendRequestW

File Path:
  C:\Users\user
  C:\Users\user\AppData\Local
  C:\Users\user\AppData\Local\\Windows\INetCache
  C:\Users\user
  C:\Users\user\AppData\Local
  C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies
  C:\Users\user
  C:\Users\user\AppData\Local
  C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies
  C:\Users\user
  C:\Users\user\AppData\Local
  C:\Users\user\AppData\Local\Microsoft\Windows\History

File Deleted

File Path: C:\Windows\SysWOW64\mfvdsp\dxdiag.exe
  Completion: cannot delete
  Count: 1
  Address: 2145800
  Symbol: DeleteFileW

Analysis Process: svchost.exe PID: 6924 Parent PID: 576

General

Start time: 15:02:36
Start date: 18/08/2020
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase: 0x7ff641f90000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities


Registry Activities


Analysis Process: svchost.exe PID: 6352 Parent PID: 576

General

Start time: 15:02:51
Start date: 18/08/2020
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff641f90000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities


Analysis Process: svchost.exe PID: 6552 Parent PID: 576

General

Start time: 15:02:59
Start date: 18/08/2020
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff641f90000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities


Disassembly

Code Analysis
