Overview
Task scores (sample name truncated as in the report, platform):
- Score 8: 2019-05-01...ts.zip (windows7-x64)
- Score 1: 2019-05-01...ts.zip (windows10-2004-x64)
- Score 1: 2019-05-01...ro.exe (windows7-x64)
- Score 5: 2019-05-01...ro.exe (windows10-2004-x64)
- Score 10: 2019-05-01...-2.exe (windows7-x64)
- Score 10: 2019-05-01...-2.exe (windows10-2004-x64)
- Score 10: 2019-05-01...-2.exe (windows7-x64)
- Score 10: 2019-05-01...-2.exe (windows10-2004-x64)
- Score 10: 2019-05-01...st.exe (windows7-x64)
- Score 8: 2019-05-01...st.exe (windows10-2004-x64)
- Score 7: 2019-05-01...nt.txt (windows7-x64)
- Score 1: 2019-05-01...nt.txt (windows10-2004-x64)
- Score 1: 2019-05-01...nt.txt (windows7-x64)
- Score 1: 2019-05-01...nt.txt (windows10-2004-x64)
- Score 1: 2019-05-01...19.doc (windows7-x64)
- Score 10: 2019-05-01...19.doc (windows10-2004-x64)
- Score 10: 2019-05-01...19.zip (windows7-x64)
- Score 1: 2019-05-01...19.zip (windows10-2004-x64)
- Score 1: 2019-05-01...tDll64 (windows7-x64)
- Score 1: 2019-05-01...tDll64 (windows10-2004-x64)
- Score 1: 2019-05-01...tDll64 (windows7-x64)
- Score 1: 2019-05-01...tDll64 (windows10-2004-x64)
- Score 1: 2019-05-01...s/dinj (windows7-x64)
- Score 1: 2019-05-01...s/dinj (windows10-2004-x64)
- Score 1: 2019-05-01.../dpost (windows7-x64)
- Score 1: 2019-05-01.../dpost (windows10-2004-x64)
- Score 1: 2019-05-01...s/sinj (windows7-x64)
- Score 1: 2019-05-01...s/sinj (windows10-2004-x64)
- Score 1: 2019-05-01...cher64 (windows7-x64)
- Score 1: 2019-05-01...cher64 (windows10-2004-x64)
- Score 1: 2019-05-01...ilconf (windows7-x64)
- Score 1: 2019-05-01...ilconf (windows10-2004-x64)
Analysis
- max time kernel: 108s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 11-05-2023 00:28
Behavioral tasks (task: sample, resource):
- behavioral1: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts.zip, win7-20230220-en
- behavioral2: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts.zip, win10v2004-20230220-en
- behavioral3: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe, win7-20230220-en
- behavioral4: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-retrieved-by-Word-macro.exe, win10v2004-20230220-en
- behavioral5: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe, win7-20230220-en
- behavioral6: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-updated-after-initial-infection-1-of-2.exe, win10v2004-20230220-en
- behavioral7: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe, win7-20230220-en
- behavioral8: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Emotet-binary-updated-after-initial-infection-2-of-2.exe, win10v2004-20230220-en
- behavioral9: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe, win7-20230220-en
- behavioral10: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe, win10v2004-20230220-en
- behavioral11: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-registry-update-to-keep-Emotet-persistent.txt, win7-20230220-en
- behavioral12: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-registry-update-to-keep-Emotet-persistent.txt, win10v2004-20230220-en
- behavioral13: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-sched-task-to-keep-Trickbot-persistent.txt, win7-20230220-en
- behavioral14: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-sched-task-to-keep-Trickbot-persistent.txt, win10v2004-20230220-en
- behavioral15: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/40606534706_May_01_2019.doc, win7-20230220-en
- behavioral16: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/40606534706_May_01_2019.doc, win10v2004-20230220-en
- behavioral17: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/40606534706_May_01_2019.zip, win7-20230220-en
- behavioral18: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/40606534706_May_01_2019.zip, win10v2004-20230220-en
- behavioral19: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/importDll64, win7-20230220-en
- behavioral20: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/importDll64, win10v2004-20230220-en
- behavioral21: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64, win7-20230220-en
- behavioral22: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64, win10v2004-20230221-en
- behavioral23: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/dinj, win7-20230220-en
- behavioral24: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/dinj, win10v2004-20230220-en
- behavioral25: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/dpost, win7-20230220-en
- behavioral26: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/dpost, win10v2004-20230220-en
- behavioral27: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/sinj, win7-20230220-en
- behavioral28: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/injectDll64_configs/sinj, win10v2004-20230221-en
- behavioral29: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/mailsearcher64, win7-20230220-en
- behavioral30: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/mailsearcher64, win10v2004-20230220-en
- behavioral31: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/mailsearcher64_configs/mailconf, win7-20230220-en
- behavioral32: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/GpuSettings/Data/mailsearcher64_configs/mailconf, win10v2004-20230220-en
General
- Target: 2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)/2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe
- Size: 341KB
- MD5: 094f3e14648c2f009e6eed6b18b93e50
- SHA1: aa37e82cbcae38e5804af281b98faee75b9ff32a
- SHA256: 2c48e2d5b8b188acb67aefec0f9fb71bde888cfa98a0c3580cc0433a2e4f6b9a
- SHA512: f6b123851d5d1edbecfe97d75d79b1557368586af043e545dc035fae1c324ed388d511f35ac1a5db075ee140702ca38f10580395fa264b5c9e78582da1f26dee
- SSDEEP: 6144:6auoLBJvcsNyRNaTc/lEmdrfHBxgFWHLpSHEBEpnCy:hnBJvcsIRmc/RBxTHdSHEBaC
Malware Config
Signatures
- Stops running service(s) (3 TTPs)
- Executes dropped EXE (1 IoC)
  Processes: PID 1500 2019-07-01-Vticmbqt-oanwate-tettieved-by-Eoqtet-ipfected-hqut.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 856 2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe
- Drops file in System32 directory (1 IoC)
  powershell.exe: file opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: PID 1068 sc.exe, PID 1544 sc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: PID 856 2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe (3 entries), PID 836 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 836 powershell.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (48 IoCs)
  Source process -> target process (repeated entries collapsed, count in parentheses):
  - PID 856 2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe -> PID 520 cmd.exe (4)
  - PID 520 cmd.exe -> PID 1068 sc.exe (3)
  - PID 856 2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe -> PID 1016 cmd.exe (4)
  - PID 856 2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe -> PID 268 cmd.exe (4)
  - PID 1016 cmd.exe -> PID 1544 sc.exe (3)
  - PID 856 2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe -> PID 1500 2019-07-01-Vticmbqt-oanwate-tettieved-by-Eoqtet-ipfected-hqut.exe (4)
  - PID 268 cmd.exe -> PID 836 powershell.exe (3)
  - PID 1500 2019-07-01-Vticmbqt-oanwate-tettieved-by-Eoqtet-ipfected-hqut.exe -> PID 328 svchost.exe (23)
Processes (image path, PID, command line, triggered signatures):
- C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)\2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe (PID 856)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2019-05-01-Emotet-and-Trickbot-malware-and-artifacts(1)\2019-05-01-Trickbot-malware-retrieved-by-Emotet-infected-host.exe"
  Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 520)
    Command line: /c sc stop WinDefend
    Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe (PID 1068)
      Command line: sc stop WinDefend
      Launches sc.exe
  - C:\Windows\system32\cmd.exe (PID 1016)
    Command line: /c sc delete WinDefend
    Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe (PID 1544)
      Command line: sc delete WinDefend
      Launches sc.exe
  - C:\Windows\system32\cmd.exe (PID 268)
    Command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 836)
      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\GpuSettings\2019-07-01-Vticmbqt-oanwate-tettieved-by-Eoqtet-ipfected-hqut.exe (PID 1500)
    Command line: C:\Users\Admin\AppData\Roaming\GpuSettings\2019-07-01-Vticmbqt-oanwate-tettieved-by-Eoqtet-ipfected-hqut.exe
    Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe (PID 328)
      Command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped files:
- C:\Users\Admin\AppData\Roaming\GpuSettings\2019-07-01-Vticmbqt-oanwate-tettieved-by-Eoqtet-ipfected-hqut.exe
  Filesize: 341KB
  MD5: 094f3e14648c2f009e6eed6b18b93e50
  SHA1: aa37e82cbcae38e5804af281b98faee75b9ff32a
  SHA256: 2c48e2d5b8b188acb67aefec0f9fb71bde888cfa98a0c3580cc0433a2e4f6b9a
  SHA512: f6b123851d5d1edbecfe97d75d79b1557368586af043e545dc035fae1c324ed388d511f35ac1a5db075ee140702ca38f10580395fa264b5c9e78582da1f26dee
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3430344531-3702557399-3004411149-1000\0f5007522459c86e95ffcc62f32308f1_292417f2-0fed-4ad3-b090-e0c692cff81f
  Filesize: 1KB
  MD5: 9bc6ce8fecdc93b331d12ca636972a32
  SHA1: 1b83f12603bcd0f1230af0b8335a79d59ab625a6
  SHA256: aefc598fcc9dc17dd51d8398ce67d2af8917b1c7e399e8ccd0fd2987f54af980
  SHA512: 5387da2e46060ed587ee829b49ba7edc94642bb3d98daa6f493cb9b9e6fa9b361b03670bb6cbec04ea6bdfa002e326ee683f1919b7787f35b358023949d4f278
- \Users\Admin\AppData\Roaming\GpuSettings\2019-07-01-Vticmbqt-oanwate-tettieved-by-Eoqtet-ipfected-hqut.exe
  Filesize: 341KB
  MD5: 094f3e14648c2f009e6eed6b18b93e50
  SHA1: aa37e82cbcae38e5804af281b98faee75b9ff32a
  SHA256: 2c48e2d5b8b188acb67aefec0f9fb71bde888cfa98a0c3580cc0433a2e4f6b9a
  SHA512: f6b123851d5d1edbecfe97d75d79b1557368586af043e545dc035fae1c324ed388d511f35ac1a5db075ee140702ca38f10580395fa264b5c9e78582da1f26dee

Memory dumps (name, filesize):
- memory/328-87-0x00000000000E0000-0x00000000000E1000-memory.dmp: 4KB
- memory/328-82-0x0000000010000000-0x0000000010020000-memory.dmp: 128KB
- memory/836-70-0x00000000025B0000-0x0000000002630000-memory.dmp: 512KB
- memory/836-68-0x000000001B1F0000-0x000000001B4D2000-memory.dmp: 2.9MB
- memory/836-69-0x0000000001DF0000-0x0000000001DF8000-memory.dmp: 32KB
- memory/836-71-0x00000000025B0000-0x0000000002630000-memory.dmp: 512KB
- memory/836-72-0x00000000025BB000-0x00000000025F2000-memory.dmp: 220KB
- memory/856-56-0x00000000000F0000-0x00000000000F1000-memory.dmp: 4KB
- memory/856-62-0x0000000000100000-0x000000000012B000-memory.dmp: 172KB
- memory/856-57-0x0000000000100000-0x000000000012B000-memory.dmp: 172KB
- memory/856-55-0x0000000000080000-0x0000000000081000-memory.dmp: 4KB
- memory/1500-75-0x0000000000110000-0x000000000013B000-memory.dmp: 172KB
- memory/1500-77-0x0000000010000000-0x0000000010007000-memory.dmp: 28KB
- memory/1500-86-0x0000000000110000-0x000000000013B000-memory.dmp: 172KB