Overview (score 10)
Static (score 8)

Per-task scores. Targets are shown truncated as on the page; the rows follow the same order as the behavioral task list under Analysis.

  Target                 Platform             Score
  2019-05-01...ts.zip    windows7-x64         1
  2019-05-01...ts.zip    windows10-2004-x64   1
  2019-05-01...ro.exe    windows7-x64         5
  2019-05-01...ro.exe    windows10-2004-x64   10
  2019-05-01...-2.exe    windows7-x64         10
  2019-05-01...-2.exe    windows10-2004-x64   10
  2019-05-01...-2.exe    windows7-x64         10
  2019-05-01...-2.exe    windows10-2004-x64   10
  2019-05-01...st.exe    windows7-x64         8
  2019-05-01...st.exe    windows10-2004-x64   7
  2019-05-01...nt.txt    windows7-x64         1
  2019-05-01...nt.txt    windows10-2004-x64   1
  2019-05-01...nt.txt    windows7-x64         1
  2019-05-01...nt.txt    windows10-2004-x64   1
  2019-05-01...19.doc    windows7-x64         10
  2019-05-01...19.doc    windows10-2004-x64   10
  2019-05-01...19.zip    windows7-x64         1
  2019-05-01...19.zip    windows10-2004-x64   1
  2019-05-01...tDll64    windows7-x64         1
  2019-05-01...tDll64    windows10-2004-x64   1
  2019-05-01...tDll64    windows7-x64         1
  2019-05-01...tDll64    windows10-2004-x64   1
  2019-05-01...s/dinj    windows7-x64         1
  2019-05-01...s/dinj    windows10-2004-x64   1
  2019-05-01.../dpost    windows7-x64         1
  2019-05-01.../dpost    windows10-2004-x64   1
  2019-05-01...s/sinj    windows7-x64         1
  2019-05-01...s/sinj    windows10-2004-x64   1
  2019-05-01...cher64    windows7-x64         1
  2019-05-01...cher64    windows10-2004-x64   1
  2019-05-01...ilconf    windows7-x64         1
  2019-05-01...ilconf    windows10-2004-x64   1

Analysis
Max time kernel: 139s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 11-05-2023 00:28
Behavioral tasks (sample, resource)

behavioral1: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts.zip (win7-20230220-en)
behavioral2: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts.zip (win10v2004-20230220-en)
behavioral3: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe (win7-20230220-en)
behavioral4: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe (win10v2004-20230220-en)
behavioral5: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe (win7-20230220-en)
behavioral6: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe (win10v2004-20230220-en)
behavioral7: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe (win7-20230220-en) (this report)
behavioral8: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe (win10v2004-20230220-en)
behavioral9: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe (win7-20230220-en)
behavioral10: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe (win10v2004-20230220-en)
behavioral11: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-registry-update-to-keep-Emotet-persistent.txt (win7-20230220-en)
behavioral12: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-registry-update-to-keep-Emotet-persistent.txt (win10v2004-20230220-en)
behavioral13: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-sched-task-to-keep-Trickbot-persistent.txt (win7-20230220-en)
behavioral14: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-sched-task-to-keep-Trickbot-persistent.txt (win10v2004-20230220-en)
behavioral15: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/40606534706_May_01_2019.doc (win7-20230220-en)
behavioral16: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/40606534706_May_01_2019.doc (win10v2004-20230220-en)
behavioral17: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/40606534706_May_01_2019.zip (win7-20230220-en)
behavioral18: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/40606534706_May_01_2019.zip (win10v2004-20230220-en)
behavioral19: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/importDll64 (win7-20230220-en)
behavioral20: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/importDll64 (win10v2004-20230220-en)
behavioral21: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64 (win7-20230220-en)
behavioral22: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64 (win10v2004-20230221-en)
behavioral23: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/dinj (win7-20230220-en)
behavioral24: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/dinj (win10v2004-20230220-en)
behavioral25: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/dpost (win7-20230220-en)
behavioral26: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/dpost (win10v2004-20230220-en)
behavioral27: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/sinj (win7-20230220-en)
behavioral28: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/sinj (win10v2004-20230221-en)
behavioral29: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/mailsearcher64 (win7-20230220-en)
behavioral30: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/mailsearcher64 (win10v2004-20230220-en)
behavioral31: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/mailsearcher64_configs/mailconf (win7-20230220-en)
behavioral32: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/mailsearcher64_configs/mailconf (win10v2004-20230220-en)
General

Target: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe
Size: 157KB
MD5: d05d59b36d76a2d919d73e5383f0b35b
SHA1: bdd29b90d93e3bd85b2e0291e3601a45b0c8e33c
SHA256: 486ede4ecff9a951261af3d267072bf75a37e7812afd91dc4c30bf5535dede8b
SHA512: 74efa7b921beda7eff6c56ccd43eef44d4e1ec19e6bb76ccb08e879b2e491a7fffbf176b095244a73181098583d925d56f44fc9cb41c73b67c43a85224f04fc2
SSDEEP: 3072:paROF9HwBJa2vMjrmok3XxK6T9f5pNF/NB+GQIiqGgyVcU4TZP8eIn:l9wBJa2EmvXxKy9FJjQIi1gyR/
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  Process: cycleidebug.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  (counters.dat is WinINet's cache bookkeeping file. Its location under the system profile shows that cycleidebug.exe is running as LocalSystem, not as the logged-on user.)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies data under HKEY_USERS (21 IoCs)
  Process: cycleidebug.exe
  Every write goes to HKEY_USERS\.DEFAULT, the hive LocalSystem uses, and all of them are WinINet proxy auto-detection (WPAD), connection and cache state that WinINet creates on first network use from a fresh profile. The signature fires on that library bookkeeping, not on a persistence write.
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{330C5A84-1111-46AA-B22C-1FD8FCAF7589}\WpadDecisionReason = "1"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{330C5A84-1111-46AA-B22C-1FD8FCAF7589}\WpadDecisionTime = 101bb272b083d901
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-20-00-e3-f9-4f
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-20-00-e3-f9-4f\WpadDecisionReason = "1"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-20-00-e3-f9-4f\WpadDecisionTime = 101bb272b083d901
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-20-00-e3-f9-4f\WpadDecision = "0"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{330C5A84-1111-46AA-B22C-1FD8FCAF7589}
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{330C5A84-1111-46AA-B22C-1FD8FCAF7589}\WpadDecision = "0"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{330C5A84-1111-46AA-B22C-1FD8FCAF7589}\f6-20-00-e3-f9-4f
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{330C5A84-1111-46AA-B22C-1FD8FCAF7589}\WpadNetworkName = "Network 2"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  cycleidebug.exe (PID 1216), three occurrences

- Suspicious behavior: RenamesItself (1 IoC)
  2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe (PID 1756)

- Suspicious use of UnmapMainImage (4 IoCs)
  2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe (PID 996)
  2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe (PID 1756)
  cycleidebug.exe (PID 1204)
  cycleidebug.exe (PID 1216)

- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 996 (2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe) wrote to memory of PID 1756 (2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe): 7 times
  PID 1204 (cycleidebug.exe) wrote to memory of PID 1216 (cycleidebug.exe): 4 times
  (In both pairs a process spawns a second copy of its own image, writes into it, and the copy then unmaps its main image. That is the combination the UnmapMainImage and WriteProcessMemory signatures are meant to catch: the parent hands its payload to a fresh copy of itself rather than running it in place.)
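The DefaultConnectionSettings and SavedLegacySettings values listed above are WinINet's binary proxy configuration, so the quickest way to tell whether a sample has actually changed proxy behaviour is to decode them. The decoder below is an added example, not code from the Triage report or from the sample. It embeds the first DefaultConnectionSettings value written by cycleidebug.exe as constructed input (version 0x46, change counter 2, flags 9, three empty strings, and an all-zero 32-byte tail) and decodes the fields whose layout is well known: the three leading DWORDs and the three length-prefixed strings. The bytes after the strings are not decoded because their layout is not documented; they are returned raw. The flag names come from INTERNET_PER_CONN_FLAGS in wininet.h.

```python
"""Decode the WinINet DefaultConnectionSettings blob recorded in the report."""
import struct

# INTERNET_PER_CONN_FLAGS values from wininet.h
PROXY_FLAGS = {
    0x1: "PROXY_TYPE_DIRECT",
    0x2: "PROXY_TYPE_PROXY",
    0x4: "PROXY_TYPE_AUTO_PROXY_URL",
    0x8: "PROXY_TYPE_AUTO_DETECT",
}

# Constructed input: the first DefaultConnectionSettings value written by
# cycleidebug.exe on the page. Header 46 00 00 00 / 02 00 00 00 / 09 00 00 00,
# then three zero-length strings (12 bytes) and a 32-byte tail of zeros.
PAGE_BLOB_HEX = "46000000" "02000000" "09000000" + "00" * 44


def _read_lpstr(buf: bytes, off: int) -> tuple:
    """Read a DWORD length-prefixed ANSI string at off; return (text, next_off)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string runs past end of blob")
    return buf[off:off + n].decode("latin-1"), off + n


def parse_connection_settings(blob: bytes) -> dict:
    """Parse version, change counter, proxy flags and the three proxy strings.

    Layout of the decoded prefix:
      DWORD version (0x46 on Windows 7 and later), DWORD change counter,
      DWORD flags, then proxy server, proxy bypass list and auto-config URL,
      each stored as DWORD length followed by that many bytes.
    Whatever follows the third string is returned untouched as "tail".
    """
    if len(blob) < 12:
        raise ValueError("blob shorter than fixed header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    off = 12
    proxy, off = _read_lpstr(blob, off)
    bypass, off = _read_lpstr(blob, off)
    autoconfig, off = _read_lpstr(blob, off)
    names = [name for bit, name in PROXY_FLAGS.items() if flags & bit]
    unknown = flags & ~sum(PROXY_FLAGS)
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "flag_names": names,
        "proxy_server": proxy,
        "proxy_bypass": bypass,
        "autoconfig_url": autoconfig,
        "tail": blob[off:],
    }


def describe(blob: bytes) -> str:
    """One-line triage summary of a decoded blob."""
    p = parse_connection_settings(blob)
    return (
        "v%d change#%d flags=0x%x [%s] proxy=%s pac=%s tail=%dB"
        % (p["version"], p["counter"], p["flags"], "|".join(p["flag_names"]),
           p["proxy_server"] or "(none)", p["autoconfig_url"] or "(none)",
           len(p["tail"]))
    )


if __name__ == "__main__":
    print(describe(bytes.fromhex(PAGE_BLOB_HEX)))
```

Run against the page's value this reports flags 0x9, i.e. PROXY_TYPE_DIRECT|PROXY_TYPE_AUTO_DETECT with no proxy server and no PAC URL. The second DefaultConnectionSettings write on the page keeps the same flags, bumps the counter to 3 and fills in the tail, which is what WinINet does after its auto-detect pass; none of it points the process at an attacker-controlled proxy. A blob whose decode shows PROXY_TYPE_PROXY or PROXY_TYPE_AUTO_PROXY_URL with a server or URL the host did not have before is the case worth escalating.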
Processes

- C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)\2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)\2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe"
  PID: 996
  Signatures: Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)\2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe
    Command line: --f96050b5
    PID: 1756 (child of 996)
    Signatures: Suspicious behavior: RenamesItself; Suspicious use of UnmapMainImage

- C:\Windows\SysWOW64\cycleidebug.exe
  Command line: "C:\Windows\SysWOW64\cycleidebug.exe"
  PID: 1204
  Signatures: Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cycleidebug.exe
    Command line: --1f448c66
    PID: 1216 (child of 1204)
    Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of UnmapMainImage
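The tree above shows the hand-off pattern twice: an image spawns a second copy of itself with a single switch of the form --<8 hex digits>, the parent writes into the child, and the child unmaps its own main image. The script below is an added example of turning that into detection logic over process-creation and cross-process-write events; it is not code from the Triage report or from Triage itself. It re-enters the four processes and the eleven WriteProcessMemory edges from this page as constructed events (the parents of PIDs 996 and 1204 are not in the report, so their parent PID is set to 0), then flags every child spawned by its own image with such a switch, noting how many times the parent wrote into it and whether the image sits in a system directory.

```python
"""Flag the self-relaunch pattern from the process tree above."""
import re
from collections import Counter
from dataclasses import dataclass, field

# One switch, two dashes, exactly eight lowercase hex digits, nothing else.
RELAUNCH_ARG = re.compile(r"^--[0-9a-f]{8}$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int          # 0 when the parent is not in the report
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    reasons: list = field(default_factory=list)


# Constructed from the four processes in the report. Each child's command
# line is the bare switch the report shows for it.
EMOTET_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)"
              r"\2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe")
COPY_EXE = r"C:\Windows\SysWOW64\cycleidebug.exe"

EVENTS = [
    ProcEvent(996, 0, EMOTET_EXE, '"%s"' % EMOTET_EXE),
    ProcEvent(1756, 996, EMOTET_EXE, "--f96050b5"),
    ProcEvent(1204, 0, COPY_EXE, '"%s"' % COPY_EXE),
    ProcEvent(1216, 1204, COPY_EXE, "--1f448c66"),
]

# (source pid, target pid) pairs from the WriteProcessMemory signature:
# 7 writes from 996 into 1756, 4 writes from 1204 into 1216.
WPM_EDGES = [(996, 1756)] * 7 + [(1204, 1216)] * 4


def _args(ev: ProcEvent) -> list:
    """Tokenise a Windows command line and drop argv[0] if it names the image."""
    toks = re.findall(r'"[^"]*"|\S+', ev.cmdline)
    if toks and toks[0].strip('"').lower() == ev.image.lower():
        toks = toks[1:]
    return toks


def find_relaunches(events, wpm_edges) -> list:
    """Return a Finding for every process spawned by its own image that shows
    the relaunch switch, incoming memory writes from the parent, or both."""
    by_pid = {e.pid: e for e in events}
    writes = Counter(wpm_edges)
    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.image.lower() != ev.image.lower():
            continue
        f = Finding(ev.pid)
        args = _args(ev)
        if len(args) == 1 and RELAUNCH_ARG.match(args[0]):
            f.reasons.append("self-spawn with 8-hex-digit switch %s" % args[0])
        n = writes.get((parent.pid, ev.pid), 0)
        if n:
            f.reasons.append("parent %d wrote to its memory %d times" % (parent.pid, n))
        if f.reasons and ev.image.lower().startswith(SYSTEM_DIRS):
            f.reasons.append("image lives in a system directory")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in find_relaunches(EVENTS, WPM_EDGES):
        print(f.pid, "; ".join(f.reasons))
```

On the page's events this yields two findings, PID 1756 and PID 1216, each with the switch and the write count, and the second also marked as living under SysWOW64. The same-image check is what keeps the rule quiet on ordinary parent/child pairs; the switch check alone would also be too loose on its own, since many installers pass short hex tokens, so the two are only reported together with the parent's writes when those are available.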
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/996-54-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
- memory/996-55-0x00000000002C0000-0x00000000002D1000-memory.dmp (68KB)
- memory/1216-60-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
- memory/1216-61-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
- memory/1756-56-0x0000000000240000-0x0000000000251000-memory.dmp (68KB)
- memory/1756-57-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)
- memory/1756-59-0x0000000000400000-0x0000000000414000-memory.dmp (80KB)

The 0x400000-0x414000 region is the main image mapping in each process (the same base in all three shows the 32-bit binary was not relocated). The 68KB regions at 0x2C0000 in PID 996 and 0x240000 in PID 1756 lie outside the image and are the dumps to look at first for the unpacked code that the parent handed to its relaunched copy.