ID: 246813
Sample Name: 2020-07-17-Emotet-EXE-update-3-after-initial-infection.bin
Cookbook: default.jbs
Time: 02:27:08
Date: 19/07/2020
Version: 29.0.0 Ocean Jasper

Table of Contents

Table of Contents 2
Analysis Report 2020-07-17-Emotet-EXE-update-3-after-initial-infection.bin 4
  Overview 4
    General Information 4
    Detection 4
    Signatures 4
    Classification 4
    Startup 4
    Malware Configuration 4
    Yara Overview 4
    Sigma Overview 4
    Signature Overview 4
      AV Detection: 5
      Networking: 5
      Persistence and Installation Behavior: 5
      Hooking and other Techniques for Hiding and Protection: 5
    Mitre Att&ck Matrix 5
    Behavior Graph 6
    Screenshots 6
      Thumbnails 6
  Antivirus, Machine Learning and Genetic Malware Detection 7
    Initial Sample 7
    Dropped Files 7
    Unpacked PE Files 7
    Domains 7
    URLs 7
  Domains and IPs 8
    Contacted Domains 8
    Contacted URLs 8
    URLs from Memory and Binaries 8
    Contacted IPs 8
      Public 9
  General Information 9
  Simulations 10
    Behavior and APIs 10
  Joe Sandbox View / Context 10
    IPs 10
    Domains 11
    ASN 11
    JA3 Fingerprints 12
    Dropped Files 12
  Created / dropped Files 12
  Static File Info 12
    General 12
    File Icon 13
    Static PE Info 13
      General 13
      Entrypoint Preview 13
      Rich Headers 14
      Data Directories 14
      Sections 15
      Resources 15
      Imports 16
      Version Infos 17
      Possible Origin 17
  Network Behavior 17
    Snort IDS Alerts 17
    Network Port Distribution 17
    TCP Packets 18
    HTTP Request Dependency Graph 18
    HTTP Packets 18
  Code Manipulations 19
  Statistics 19
    Behavior 19
  System Behavior 19
    Analysis Process: 2020-07-17-Emotet-EXE-update-3-after-initial-infection.exe PID: 1164 Parent PID: 4944 20
      General 20
      File Activities 20
        File Deleted 20
    Analysis Process: winusb.exe PID: 2960 Parent PID: 1164 20
      General 20
      File Activities 20
        File Created 20
  Disassembly 21
    Code Analysis 21

Copyright null 2020 Page 2 of 21

Analysis Report 2020-07-17-Emotet-EXE-update-3-after-initial-infection.bin

Overview

General Information
  Sample Name: 2020-07-17-Emotet-EXE-update-3-after-initial-infection.bin (renamed file extension from bin to exe)
  Analysis ID: 246813
  MD5: f5da292e91d60bf…
  SHA1: 3895f6f9d97cdc4…
  SHA256: e1379aefb101749…

Detection
  Score: 64
  Range: 0 - 100
  Whitelisted: false
  Confidence: 100%

Signatures
  Multi AV Scanner detection for submitted file
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Drops executables to the windows directory (C:\Windows) and starts them
  Hides that the sample has been downloaded from the Internet (zone.identifier)
  Contains functionality locales inform…
  Contains functionality to check if a d…
  Contains functionality to check if a w…
  Contains functionality to dynamically…
  Contains functionality to query CPU …
  Contains functionality to read the PEB
  Contains functionality which may be…
  Creates files inside the system direc…
  Deletes files inside the Windows fold…
  Detected TCP or UDP traffic on non…
  Detected potential crypto function
  Drops PE files to the windows direct…
  Found potential string decryption / a…
  IP address seen in connection with o…
  Internet Provider seen in connection…
  PE file contains strange resources
  Potential key logger detected (keys s…
  Queries the volume information (nam…
  Sample file is different than original…
  Tries to connect to HTTP servers, b…
  Uses Microsoft's Enhanced Cryptog…
  Uses a known web browser user age…
  Uses code obfuscation techniques (…

Classification
  (Classification chart; categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; verdict scale: malicious, suspicious, clean)

Startup
  System is w10x64
  2020-07-17-Emotet-EXE-update-3-after-initial-infection.exe (PID: 1164 cmdline: 'C:\Users\user\Desktop\2020-07-17-Emotet-EXE-update-3-after-initial-infection.exe' MD5: F5DA292E91D60BF0549DDB6479033937)
    winusb.exe (PID: 2960 cmdline: C:\Windows\SysWOW64\msvcr100_clr0400\winusb.exe MD5: F5DA292E91D60BF0549DDB6479033937)
  cleanup

Malware Configuration
  No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Cryptography
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Protection Evasion
• Language, Device and Operating System Detection

AV Detection:

Multi AV Scanner detection for submitted file

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Mitre Att&ck Matrix

Techniques are listed per tactic column; numbers following a technique are the signature counts shown in the matrix.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Execution through API 1; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface
Persistence: Hidden Files and Directories 1; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: Process Injection 2; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: Masquerading 1 2; Hidden Files and Directories 1; Process Injection 2; Deobfuscate/Decode Files or Information 1; File Deletion 1; Obfuscated Files or Information 2
Credential Access: Input Capture 1; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force
Discovery: System Time Discovery 1; Process Discovery 3; Application Window Discovery 1; Security Software Discovery 2 1; File and Directory Discovery 2; System Information Discovery 3 5
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Input Capture 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Uncommonly Used Port 1; Standard Cryptographic Protocol 2 2; Standard Non-Application Layer Protocol; Standard Application Layer Protocol 1 2; Standard Cryptographic Protocol; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Behavior Graph

(Behavior graph rendered as an image in the original report; the recoverable content follows.)

Legend: ID: 246813; Sample: 2020-07-17-Emotet-EXE-updat...; Startdate: 19/07/2020; Architecture: WINDOWS; Score: 64. Node types: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.

Graph:
  2020-07-17-Emotet-EXE-update-3-after-initial-infection.exe
    Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file
    started -> winusb.exe
      Signatures: Drops executables to the windows directory (C:\Windows) and starts them; Hides that the sample has been downloaded from the Internet (zone.identifier)
      -> 190.160.53.126, 80 (VTRBANDAANCHASACL, Chile)
      -> 186.208.123.210, 443 (VOIPGLOBESERVICOSDECOMMULTIMIDIAVIAINTERNETBR, Brazil)
      -> 5 other IPs or domains

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
2020-07-17-Emotet-EXE-update-3-after-initial-infection.exe | 52% | Virustotal | | Browse
2020-07-17-Emotet-EXE-update-3-after-initial-infection.exe | 55% | ReversingLabs | Win32.Trojan.Emotet |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
212.51.142.238:8080/NZgRIGPtdewKckvDoM/3tquCs7N/3821c4lTeIxWa/ | true | | unknown

URLs from Memory and Binaries


Contacted IPs

(World map of contacted IPs rendered as an image in the original; legend: No. of IPs < 25%, 25% < No. of IPs < 50%, 50% < No. of IPs < 75%, 75% < No. of IPs)

Public

IP | Country | ASN | ASN Name | Malicious
139.59.60.244 | Singapore | 14061 | DIGITALOCEAN-ASNUS | false
91.211.88.52 | Ukraine | 206638 | HOSTFORYUA | false
190.108.228.62 | Argentina | 27751 | NeunetSAAR | false
212.51.142.238 | Switzerland | 13030 | INIT7CH | true
186.208.123.210 | Brazil | 53162 | VOIPGLOBESERVICOSDECOMMULTIMIDIAVIAINTERNETBR | true
109.117.53.230 | Italy | 30722 | VODAFONE-IT-ASNIT | true
190.160.53.126 | Chile | 22047 | VTRBANDAANCHASACL | true

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 246813
Start date: 19.07.2020
Start time: 02:27:08
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 46s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 2020-07-17-Emotet-EXE-update-3-after-initial-infection.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.evad.winEXE@3/0@0/7
EGA Information: Failed
HDC Information: Successful, ratio: 85.9% (good quality ratio 82.7%); Quality average: 78.7%; Quality standard deviation: 27.6%
HCA Information: Successful, ratio: 80%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:
  Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs


Domains

No context

ASN


JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.555125265157923
TrID:
  Win32 Executable (generic) a (10002005/4) 99.96%
  Generic Win/DOS Executable (2004/3) 0.02%
  DOS Executable Generic (2002/1) 0.02%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 2020-07-17-Emotet-EXE-update-3-after-initial-infection.exe
File size: 282624
MD5: f5da292e91d60bf0549ddb6479033937
SHA1: 3895f6f9d97cdc4e107b66f3e0b98135723cdb86
SHA256: e1379aefb101749ff9e1f3f763e87587fe710bcf4342c06cdab433969f167f89
SHA512: 7a499d9935cebd9b073f8f9c3837fc838355aa3c3b0032faee16692c5c4cfe223535bdb2c3917b45f41dc9267ba7d6182c1d5144aa830b9a09c106544f77f671
SSDEEP: 6144:Q9AZ0jbH3bYJfhShfyWkwh9kDZdIL8bP2NuQjwUyYjDzFoS:cA+YJENyWejIL8bPxUyZS
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... \1.4.P.g. P.g.P.g._.g.P.g._.g.P.g.P.g.R.g?..g8P.g?..g.P.g?..g.P.g ?..g.P.g?..g.P.gRich.P.g...... PE..L...-.._......

File Icon

Icon Hash: 71b018ccc6577131

Static PE Info

General
Entrypoint: 0x415b01
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5F11C62D [Fri Jul 17 15:39:25 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: fc5819a0898713ca7bcc5c005c85bc2e

Entrypoint Preview

Instruction
call 00007F7760E34532h
jmp 00007F7760E2BCFBh
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F7760E2BF06h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F7760E2BF30h
test ecx, 00000003h
jne 00007F7760E2BED1h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F7760E2BECAh
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F7760E2BF14h
test ah, ah
je 00007F7760E2BF06h
test eax, 00FF0000h
je 00007F7760E2BEF5h
test eax, FF000000h
je 00007F7760E2BEE4h
jmp 00007F7760E2BEAFh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
push 00000000h
push dword ptr [esp+14h]
push dword ptr [esp+14h]
push dword ptr [esp+14h]
push dword ptr [esp+14h]
call 00007F7760E3451Ah
add esp, 14h
ret
mov eax, dword ptr [esp+04h]
mov cx, word ptr [eax]
inc eax
inc eax
test cx, cx
jne 00007F7760E2BED8h
sub eax, dword ptr [esp+04h]

Rich Headers

Programming Language:
  [RES] VS2005 build 50727
  [ C ] VS2005 build 50727
  [LNK] VS2005 build 50727
  [C++] VS2005 build 50727
  [ASM] VS2005 build 50727

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x33324 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0xcf10 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2eec0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x29000 | 0x480 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3329c | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x275f7 | 0x28000 | False | 0.57919921875 | COM executable for DOS | 6.70908070693 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x29000 | 0xbaec | 0xc000 | False | 0.312825520833 | data | 5.01483659702 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x35000 | 0x5f7c | 0x3000 | False | 0.251220703125 | data | 3.30954207743 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x3b000 | 0xcf10 | 0xd000 | False | 0.768291766827 | data | 7.09585212222 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x3bbb0 | 0x134 | data | English | United States
RT_CURSOR | 0x3bce4 | 0xb4 | data | English | United States
RT_CURSOR | 0x3bd98 | 0x134 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0x3becc | 0x134 | data | English | United States
RT_CURSOR | 0x3c000 | 0x134 | data | English | United States
RT_CURSOR | 0x3c134 | 0x134 | data | English | United States
RT_CURSOR | 0x3c268 | 0x134 | data | English | United States
RT_CURSOR | 0x3c39c | 0x134 | data | English | United States
RT_CURSOR | 0x3c4d0 | 0x134 | data | English | United States
RT_CURSOR | 0x3c604 | 0x134 | data | English | United States
RT_CURSOR | 0x3c738 | 0x134 | data | English | United States
RT_CURSOR | 0x3c86c | 0x134 | data | English | United States
RT_CURSOR | 0x3c9a0 | 0x134 | AmigaOS bitmap font | English | United States
RT_CURSOR | 0x3cad4 | 0x134 | data | English | United States
RT_CURSOR | 0x3cc08 | 0x134 | data | English | United States
RT_CURSOR | 0x3cd3c | 0x134 | data | English | United States
RT_BITMAP | 0x3ce70 | 0xb8 | data | English | United States
RT_BITMAP | 0x3cf28 | 0x144 | data | English | United States
RT_ICON | 0x3d06c | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676 | English | United States
RT_ICON | 0x3d354 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x3d47c | 0x126 | data | English | United States
RT_DIALOG | 0x3d5a4 | 0x34c | data | English | United States
RT_DIALOG | 0x3d8f0 | 0xe8 | data | English | United States
RT_DIALOG | 0x3d9d8 | 0x34 | data | English | United States
RT_STRING | 0x3da0c | 0x42 | data | English | United States
RT_STRING | 0x3da50 | 0x82 | data | English | United States
RT_STRING | 0x3dad4 | 0x2a | data | English | United States
RT_STRING | 0x3db00 | 0x192 | data | English | United States
RT_STRING | 0x3dc94 | 0x4e2 | data | English | United States
RT_STRING | 0x3e178 | 0x31a | data | English | United States
RT_STRING | 0x3e494 | 0x2dc | data | English | United States
RT_STRING | 0x3e770 | 0x8a | data | English | United States
RT_STRING | 0x3e7fc | 0xac | data | English | United States
RT_STRING | 0x3e8a8 | 0xde | data | English | United States
RT_STRING | 0x3e988 | 0x4c4 | data | English | United States
RT_STRING | 0x3ee4c | 0x264 | data | English | United States
RT_STRING | 0x3f0b0 | 0x2c | data | English | United States
RT_STRING | 0x3f0dc | 0x42 | data | English | United States
RT_RCDATA | 0x3f120 | 0x8944 | data | English | United States
RT_GROUP_CURSOR | 0x47a64 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States
RT_GROUP_CURSOR | 0x47a88 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x47a9c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x47ab0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x47ac4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x47ad8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x47aec | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x47b00 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x47b14 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x47b28 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x47b3c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x47b50 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x47b64 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x47b78 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_CURSOR | 0x47b8c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States
RT_GROUP_ICON | 0x47ba0 | 0x22 | data | English | United States
RT_VERSION | 0x47bc4 | 0x2f4 | data | English | United States
RT_MANIFEST | 0x47eb8 | 0x56 | ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
KERNEL32.dll | RtlUnwind, RaiseException, HeapAlloc, HeapFree, HeapReAlloc, VirtualAlloc, GetCommandLineA, GetProcessHeap, GetStartupInfoA, ExitProcess, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, Sleep, VirtualFree, HeapDestroy, HeapCreate, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetACP, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetErrorMode, CreateFileA, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, WritePrivateProfileStringA, GetThreadLocale, GetOEMCP, GetCPInfo, GlobalFlags, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, InterlockedIncrement, GetCurrentProcessId, CloseHandle, GetCurrentThread, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, lstrcmpA, InterlockedDecrement, GetModuleFileNameW, FreeResource, GetCurrentThreadId, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, FreeLibrary, LoadLibraryA, lstrcmpW, GetVersionExA, GetModuleHandleA, SetLastError, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, MulDiv, lstrlenA, CompareStringA, GetVersion, GetLastError, MultiByteToWideChar, InterlockedExchange, LoadLibraryExA, GetProcAddress, GetCurrentProcess, WideCharToMultiByte, FindResourceA, LoadResource, LockResource, FreeEnvironmentStringsW, SizeofResource
USER32.dll | GetMessageA, TranslateMessage, ValidateRect, PostQuitMessage, GetCursorPos, WindowFromPoint, GetDesktopWindow, GetActiveWindow, CreateDialogIndirectParamA, GetNextDlgTabItem, EndDialog, IsWindowEnabled, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, ModifyMenuA, EnableMenuItem, CheckMenuItem, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, SetWindowsHookExA, CallNextHookEx, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, GetFocus, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetLastActivePopup, SetActiveWindow, GetDlgItem, GetTopWindow, DestroyWindow, UnhookWindowsHookEx, GetMessageTime, PeekMessageA, MapWindowPoints, GetKeyState, SetForegroundWindow, IsWindowVisible, UpdateWindow, GetMenu, PostMessageA, MessageBoxA, CreateWindowExA, GetClassInfoExA, GetClassInfoA, AdjustWindowRectEx, GetDlgCtrlID, CallWindowProcA, GetWindowLongA, SetWindowLongA, SetWindowPos, GetWindowPlacement, GetWindow, EndPaint, BeginPaint, ReleaseDC, CopyRect, SetRect, InflateRect, OffsetRect, DrawEdge, DrawFrameControl, GetDC, ClientToScreen, ScreenToClient, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, GetMenuState, GetMenuItemID, GetMenuItemCount, UnregisterClassA, GetSysColorBrush, DestroyMenu, GetWindowThreadProcessId, GetForegroundWindow, SetCursor, DrawFocusRect, SendMessageA, GetWindowRect, RedrawWindow, GetParent, EnableWindow, IsWindow, GetSystemMetrics, GetSysColor, PtInRect, GetClientRect, InvalidateRect, SetCapture, SystemParametersInfoA, ReleaseCapture, GetMessagePos, RegisterClassA, LoadCursorA, GetSubMenu, LoadIconA, IsIconic, GetSystemMenu, AppendMenuA, DrawIcon, IsRectEmpty, DefWindowProcA, DispatchMessageA
GDI32.dll | PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, DeleteDC, CreateBitmap, SelectPalette, GetObjectA, DeleteObject, Rectangle, MoveToEx, LineTo, GetClipBox, SetMapMode, SetTextColor, SetBkMode, SetBkColor, RestoreDC, SaveDC, BitBlt, Pie, Ellipse, SelectObject, CreateCompatibleDC, CreateCompatibleBitmap, CreateFontA, CreateSolidBrush, GetStockObject, GetTextExtentPoint32A, RealizePalette, GetDeviceCaps, CreatePalette, CreateFontIndirectA, CreatePen
WINSPOOL.DRV | ClosePrinter, DocumentPropertiesA, OpenPrinterA
ADVAPI32.dll | RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA, RegCloseKey
SHLWAPI.dll | PathFindFileNameA, PathFindExtensionA
OLEAUT32.dll | VariantClear, VariantChangeType, VariantInit

Version Infos

Description | Data
LegalCopyright | Copyright (C) 1998
InternalName | PieDemo
FileVersion | 1, 0, 0, 1
CompanyName |
LegalTrademarks |
ProductName | PieDemo Application
ProductVersion | 1, 0, 0, 1
FileDescription | PieDemo MFC Application
OriginalFilename | PieDemo.EXE
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/19/20-02:29:06.576866 | TCP | 2404302 | ET CNC Feodo Tracker Reported CnC TCP group 2 | 49721 | 443 | 192.168.2.6 | 109.117.53.230
07/19/20-02:29:30.755342 | TCP | 2404328 | ET CNC Feodo Tracker Reported CnC Server TCP group 15 | 49723 | 8080 | 192.168.2.6 | 212.51.142.238
07/19/20-02:29:33.276655 | TCP | 2404320 | ET CNC Feodo Tracker Reported CnC Server TCP group 11 | 49724 | 80 | 192.168.2.6 | 190.160.53.126
07/19/20-02:30:31.679270 | TCP | 2404316 | ET CNC Feodo Tracker Reported CnC Server TCP group 9 | 49728 | 443 | 192.168.2.6 | 186.208.123.210

Network Port Distribution

Total Packets: 24
• 7080 undefined
• 80 (HTTP)
• 8080 undefined
• 443 (HTTPS)

TCP Packets

HTTP Request Dependency Graph

212.51.142.238 212.51.142.238:8080

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49723 | 212.51.142.238 | 8080 | C:\Windows\SysWOW64\msvcr100_clr0400\winusb.exe

Timestamp | kBytes transferred | Direction | Data

Jul 19, 2020 02:29:30.779659986 CEST | 29 | OUT
POST /NZgRIGPtdewKckvDoM/3tquCs7N/3821c4lTeIxWa/ HTTP/1.1
Referer: http://212.51.142.238/NZgRIGPtdewKckvDoM/3tquCs7N/3821c4lTeIxWa/
Content-Type: multipart/form-data; boundary=------095170382608052
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 212.51.142.238:8080
Content-Length: 4612
Connection: Keep-Alive
Cache-Control: no-cache

Jul 19, 2020 02:29:30.926610947 CEST | 34 | IN
HTTP/1.1 502 Bad Gateway
Server: nginx
Date: Sun, 19 Jul 2020 00:29:30 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 552
Connection: keep-alive
Data Ascii: 502 Bad Gateway
502 Bad Gateway
nginx
... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Code Manipulations

Statistics

Behavior

• 2020-07-17-Emotet-EXE-update-3-a… • winusb.exe

System Behavior

Analysis Process: 2020-07-17-Emotet-EXE-update-3-after-initial-infection.exe PID: 1164 Parent PID: 4944

General

Start time: 02:28:47
Start date: 19/07/2020
Path: C:\Users\user\Desktop\2020-07-17-Emotet-EXE-update-3-after-initial-infection.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\2020-07-17-Emotet-EXE-update-3-after-initial-infection.exe'
Imagebase: 0x400000
File size: 282624 bytes
MD5 hash: F5DA292E91D60BF0549DDB6479033937
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Deleted

Source File Path | Completion | Count | Address | Symbol
C:\Windows\SysWOW64\msvcr100_clr0400\winusb.exe:Zone.Identifier | success or wait | 1 | 5B27DE | DeleteFileW

Analysis Process: winusb.exe PID: 2960 Parent PID: 1164

General

Start time: 02:28:49
Start date: 19/07/2020
Path: C:\Windows\SysWOW64\msvcr100_clr0400\winusb.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\msvcr100_clr0400\winusb.exe
Imagebase: 0x400000
File size: 282624 bytes
MD5 hash: F5DA292E91D60BF0549DDB6479033937
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Columns: Source File Path ; Access ; Attributes ; Options ; Completion ; Count ; Address ; Symbol
C:\Users\user ; read data or list directory | synchronize ; device directory file ; synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; 226239F ; HttpSendRequestW
C:\Users\user\AppData\Local ; read data or list directory | synchronize ; device directory file ; synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; 226239F ; HttpSendRequestW
C:\Users\user\AppData\Local\\Windows\INetCache ; read data or list directory | synchronize ; device directory file ; synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; 226239F ; HttpSendRequestW
C:\Users\user ; read data or list directory | synchronize ; device directory file ; synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; 226239F ; HttpSendRequestW
C:\Users\user\AppData\Local ; read data or list directory | synchronize ; device directory file ; synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; 226239F ; HttpSendRequestW
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies ; read data or list directory | synchronize ; device directory file ; synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; 226239F ; HttpSendRequestW
C:\Users\user ; read data or list directory | synchronize ; device directory file ; synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; 226239F ; HttpSendRequestW
C:\Users\user\AppData\Local ; read data or list directory | synchronize ; device directory file ; synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; 226239F ; HttpSendRequestW
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies ; read data or list directory | synchronize ; device directory file ; synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; 226239F ; HttpSendRequestW
C:\Users\user ; read data or list directory | synchronize ; device directory file ; synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; 226239F ; HttpSendRequestW
C:\Users\user\AppData\Local ; read data or list directory | synchronize ; device directory file ; synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; 226239F ; HttpSendRequestW
C:\Users\user\AppData\Local\Microsoft\Windows\History ; read data or list directory | synchronize ; device directory file ; synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; 226239F ; HttpSendRequestW

Disassembly

Code Analysis
