Overview

overview

10

Static

static

8

2019-05-01...ts.zip

windows7-x64

1

2019-05-01...ts.zip

windows10-2004-x64

1

2019-05-01...ro.exe

windows7-x64

5

2019-05-01...ro.exe

windows10-2004-x64

10

2019-05-01...-2.exe

windows7-x64

10

2019-05-01...-2.exe

windows10-2004-x64

10

2019-05-01...-2.exe

windows7-x64

10

2019-05-01...-2.exe

windows10-2004-x64

10

2019-05-01...st.exe

windows7-x64

8

2019-05-01...st.exe

windows10-2004-x64

7

2019-05-01...nt.txt

windows7-x64

1

2019-05-01...nt.txt

windows10-2004-x64

1

2019-05-01...nt.txt

windows7-x64

1

2019-05-01...nt.txt

windows10-2004-x64

1

2019-05-01...19.doc

windows7-x64

10

2019-05-01...19.doc

windows10-2004-x64

10

2019-05-01...19.zip

windows7-x64

1

2019-05-01...19.zip

windows10-2004-x64

1

2019-05-01...tDll64

windows7-x64

1

2019-05-01...tDll64

windows10-2004-x64

1

2019-05-01...tDll64

windows7-x64

1

2019-05-01...tDll64

windows10-2004-x64

1

2019-05-01...s/dinj

windows7-x64

1

2019-05-01...s/dinj

windows10-2004-x64

1

2019-05-01.../dpost

windows7-x64

1

2019-05-01.../dpost

windows10-2004-x64

1

2019-05-01...s/sinj

windows7-x64

1

2019-05-01...s/sinj

windows10-2004-x64

1

2019-05-01...cher64

windows7-x64

1

2019-05-01...cher64

windows10-2004-x64

1

2019-05-01...ilconf

windows7-x64

1

2019-05-01...ilconf

windows10-2004-x64

1

Analysis

  • max time kernel
    108s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    11-05-2023 00:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe

  • Size

    341KB

  • MD5

    094f3e14648c2f009e6eed6b18b93e50

  • SHA1

    aa37e82cbcae38e5804af281b98faee75b9ff32a

  • SHA256

    2c48e2d5b8b188acb67aefec0f9fb71bde888cfa98a0c3580cc0433a2e4f6b9a

  • SHA512

    f6b123851d5d1edbecfe97d75d79b1557368586af043e545dc035fae1c324ed388d511f35ac1a5db075ee140702ca38f10580395fa264b5c9e78582da1f26dee

  • SSDEEP

    6144:6auoLBJvcsNyRNaTc/lEmdrfHBxgFWHLpSHEBEpnCy:hnBJvcsIRmc/RBxTHdSHEBaC

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)\2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe
    "C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)\2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\system32\cmd.exe
      /c sc stop WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\system32\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        PID:1068
    • C:\Windows\system32\cmd.exe
      /c sc delete WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Windows\system32\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        PID:1544
    • C:\Windows\system32\cmd.exe
      /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:836
    • C:\Users\Admin\AppData\Roaming\GpuSettings\2019-07-01-Vticmbqt-oanwate-tettieved-by-Eoqtet-ipfected-hqut.exe
      C:\Users\Admin\AppData\Roaming\GpuSettings\2019-07-01-Vticmbqt-oanwate-tettieved-by-Eoqtet-ipfected-hqut.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:328

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\GpuSettings\2019-07-01-Vticmbqt-oanwate-tettieved-by-Eoqtet-ipfected-hqut.exe
      Filesize

      341KB

      MD5

      094f3e14648c2f009e6eed6b18b93e50

      SHA1

      aa37e82cbcae38e5804af281b98faee75b9ff32a

      SHA256

      2c48e2d5b8b188acb67aefec0f9fb71bde888cfa98a0c3580cc0433a2e4f6b9a

      SHA512

      f6b123851d5d1edbecfe97d75d79b1557368586af043e545dc035fae1c324ed388d511f35ac1a5db075ee140702ca38f10580395fa264b5c9e78582da1f26dee

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3430344531-3702557399-3004411149-1000\0f5007522459c86e95ffcc62f32308f1_292417f2-0fed-4ad3-b090-e0c692cff81f
      Filesize

      1KB

      MD5

      9bc6ce8fecdc93b331d12ca636972a32

      SHA1

      1b83f12603bcd0f1230af0b8335a79d59ab625a6

      SHA256

      aefc598fcc9dc17dd51d8398ce67d2af8917b1c7e399e8ccd0fd2987f54af980

      SHA512

      5387da2e46060ed587ee829b49ba7edc94642bb3d98daa6f493cb9b9e6fa9b361b03670bb6cbec04ea6bdfa002e326ee683f1919b7787f35b358023949d4f278

      Download Submit
    • \Users\Admin\AppData\Roaming\GpuSettings\2019-07-01-Vticmbqt-oanwate-tettieved-by-Eoqtet-ipfected-hqut.exe
      Filesize

      341KB

      MD5

      094f3e14648c2f009e6eed6b18b93e50

      SHA1

      aa37e82cbcae38e5804af281b98faee75b9ff32a

      SHA256

      2c48e2d5b8b188acb67aefec0f9fb71bde888cfa98a0c3580cc0433a2e4f6b9a

      SHA512

      f6b123851d5d1edbecfe97d75d79b1557368586af043e545dc035fae1c324ed388d511f35ac1a5db075ee140702ca38f10580395fa264b5c9e78582da1f26dee

      Download Submit
    • memory/328-87-0x00000000000E0000-0x00000000000E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/328-82-0x0000000010000000-0x0000000010020000-memory.dmp
      Filesize

      128KB

      Download
    • memory/836-70-0x00000000025B0000-0x0000000002630000-memory.dmp
      Filesize

      512KB

      Download
    • memory/836-68-0x000000001B1F0000-0x000000001B4D2000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/836-69-0x0000000001DF0000-0x0000000001DF8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/836-71-0x00000000025B0000-0x0000000002630000-memory.dmp
      Filesize

      512KB

      Download
    • memory/836-72-0x00000000025BB000-0x00000000025F2000-memory.dmp
      Filesize

      220KB

      Download
    • memory/856-56-0x00000000000F0000-0x00000000000F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/856-62-0x0000000000100000-0x000000000012B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/856-57-0x0000000000100000-0x000000000012B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/856-55-0x0000000000080000-0x0000000000081000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-75-0x0000000000110000-0x000000000013B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/1500-77-0x0000000010000000-0x0000000010007000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1500-86-0x0000000000110000-0x000000000013B000-memory.dmp
      Filesize

      172KB

      Download