
Analysis Report 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Overview

General Information

Joe Sandbox Version: 26.0.0
Analysis ID: 982876
Start date: 23.10.2019
Start time: 11:33:05
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 10m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.bank.troj.evad.winEXE@4/5@2/3
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 67%
  • Number of executed functions: 75
  • Number of non-executed functions: 352
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Excluded processes from analysis (whitelisted): dllhost.exe, mscorsvw.exe
  • Excluded IPs from analysis (whitelisted): 93.184.221.240, 8.241.121.126, 67.26.81.254, 8.241.9.254, 8.248.119.254, 8.241.9.126, 8.248.129.254, 67.26.75.254, 205.185.216.42, 205.185.216.10
  • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, wu.azureedge.net
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 68
Range: 0 - 100
Whitelisted: false
Threat: Trickbot
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further analysis required? false


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Techniques are listed per tactic column of the matrix; a number in brackets is the count shown next to that technique in the original matrix.

Initial Access: Valid Accounts [1]; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise; Trusted Relationship; Hardware Additions
Execution: Scheduled Task [1]; Execution through API [1]; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software; Rundll32; PowerShell; Execution through API
Persistence: Valid Accounts [1]; Scheduled Task [1]; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking; Change Default File Association; File System Permissions Weakness
Privilege Escalation: Valid Accounts [1]; Access Token Manipulation [11]; Scheduled Task [1]; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness; Exploitation for Privilege Escalation; Valid Accounts
Defense Evasion: Valid Accounts [1]; Access Token Manipulation [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Masquerading; DLL Search Order Hijacking; Software Packing; Indicator Blocking; Process Injection; Scripting; Indicator Removal from Tools
Credential Access: Input Capture [11]; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt; Keychain; Private Keys
Discovery: System Time Discovery [2]; Query Registry [1]; Process Discovery [1]; Application Window Discovery [1]; Account Discovery [1]; System Owner/User Discovery [1]; Security Software Discovery [3]; Remote System Discovery [1]; System Network Configuration Discovery [11]; File and Directory Discovery [2]; System Information Discovery [14]
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares; Taint Shared Content; Replication Through Removable Media
Collection: Input Capture [11]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection; Audio Capture; Video Capture
Exfiltration: Data Encrypted [12]; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium
Command and Control: Uncommonly Used Port [1]; Standard Cryptographic Protocol [22]; Standard Non-Application Layer Protocol [2]; Standard Application Layer Protocol [2]; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption; Connection Proxy; Communication Through Removable Media

Signature Overview



AV Detection:

Yara detected Trickbot
Source: Yara match; File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\ProgramData\??????.exe, Code function: 2_2_005CF800 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D08A0 CryptStringToBinaryW,CryptStringToBinaryW
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D7190 CryptBinaryToStringW,CryptBinaryToStringW
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006EF800 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F08A0 CryptStringToBinaryW,CryptStringToBinaryW
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F7190 CryptBinaryToStringW,CryptBinaryToStringW

Spreading:

Creates COM task schedule object (often to register a task for autostart)
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\??????.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\ProgramData\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\ProgramData\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\ProgramData\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\ProgramData\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: 0_2_0041E050 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: 0_2_0041D790 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
Source: C:\ProgramData\??????.exe, Code function: 2_2_005CD4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose
Source: C:\ProgramData\??????.exe, Code function: 2_2_005CC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006ED4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006EC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.1.16:49163 -> 81.190.160.139:449
May check the online IP address of the machine
Source: unknown, DNS query: name: api.ipify.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic, TCP traffic: 192.168.1.16:49163 -> 81.190.160.139:449
Connects to IPs without corresponding DNS lookups
Source: unknown, TCP traffic detected without corresponding DNS query: 81.190.160.139
Found strings which match to known social media urls
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown, DNS traffic detected: queries for: api.ipify.org
Urls found in memory or binary data
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabXy
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0%
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0-
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0/
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com05
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.entrust.net03
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.entrust.net0D
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp, String found in binary or memory: https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/14/path/C:%5CUsers%
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp, String found in binary or memory: https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/23/1000477/
Source: ??????.exe, 00000003.00000002.541399359.002F3000.00000004.00000020.sdmp, String found in binary or memory: https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/5/spk/
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: https://api.ipify.org/?format=text
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: https://secure.comodo.com/CPS0
Uses HTTPS
Source: unknown, Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49164

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: 0_2_0042BF21 GetAsyncKeyState,SendMessageA

E-Banking Fraud:

Detected Trickbot e-Banking trojan config
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: <mcconf> <ver>1000479</ver> <gtag>tt0002</gtag> <servs> <srv>144.91.79.9:443</srv> <srv>172.245.97.148:443</srv> <srv>85.204.116.139:443</srv> <srv>185.62.188.117:443</srv> <srv>185.222.202.76:443</srv> <srv>144.91.79.12:443</srv> <srv>185.68.93.43:443</srv> <srv>195.123.238.191:443</srv> <srv>146.185.219.29:443</srv> <srv>195.133.196.151:443</srv> <srv>91.235.129.60:443</srv> <srv>23.227.206.170:443</srv> <srv>185.222.202.192:443</srv> <srv>190.154.203.218:449</srv> <srv>178.183.150.169:449</srv> <srv>200.116.199.10:449</srv> <srv>187.58.56.26:449</srv> <srv>177.103.240.149:449</srv> <srv>81.190.160.139:449</srv> <srv>200.21.51.38:449</srv> <srv>181.49.61.237:449</srv> <srv>46.174.235.36:449</srv> <srv>36.89.85.103:449</srv> <srv>170.233.120.53:449</srv> <srv>89.228.243.148:449</srv> <srv>31.214.138.207:449</srv> <srv>186.42.98.254:449</srv> <srv>195.93.223.100:449</srv> <srv>181.112.52.26:449</srv> <srv>190.13.160.19:449</srv> <srv>186.71.150.23:449</srv> <srv>190.152.4.98:449</srv> <srv>170.82.156.53:449</s
Yara detected Trickbot
Source: Yara match; File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext

System Summary:

Contains functionality to call native functions
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D1800 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F1800 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory
Contains functionality to launch a process as a different user
Source: C:\ProgramData\??????.exe, Code function: 2_2_005C5470 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,CloseHandle,OpenProcessToken,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle
Creates mutexes
Source: C:\ProgramData\??????.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\789C000000010
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Mutant created: \BaseNamedObjects\Global\789C000000010
Detected potential crypto function
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code functions: 0_2_0040C442, 0_2_004196D8, 0_2_004089E4, 0_2_00413B90
Source: C:\ProgramData\??????.exe, Code functions: 2_2_005C5470, 2_2_005D3430, 2_2_005CA4D0, 2_2_005CF0E0, 2_2_005D0920, 2_2_005D05C0, 2_2_005C4DE0, 2_2_005D35E0, 2_2_005D41A0, 2_2_005D1A70, 2_2_005C2E60, 2_2_005C8230, 2_2_005C3EC0, 2_2_005C36E0, 2_2_005D5EB0, 2_2_005D5710, 2_2_005CC7C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code functions: 3_2_006EA4D0, 3_2_006F5710, 3_2_006EC7C0, 3_2_006E5470, 3_2_006F3430, 3_2_006EF0E0, 3_2_006F0920, 3_2_006E4DE0, 3_2_006F35E0, 3_2_006F05C0, 3_2_006F41A0, 3_2_006E2E60, 3_2_006F1A70, 3_2_006E8230, 3_2_006E36E0, 3_2_006E3EC0, 3_2_006F5EB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: String function: 00404AE0 appears 55 times
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: String function: 00401690 appears 31 times
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: String function: 00405340 appears 226 times
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: String function: 00417F36 appears 31 times
PE file contains strange resources
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ______.exe.0.dr, Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ______.exe.2.dr, Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.254939532.01880000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.257684622.023A0000.00000008.00000001.sdmp, Binary or memory string: originalfilename vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.257684622.023A0000.00000008.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.257727095.025C0000.00000008.00000001.sdmp, Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, File read: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Classification label
Source: classification engine, Classification label: mal68.bank.troj.evad.winEXE@4/5@2/3
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\ProgramData\??????.exe, Code function: 2_2_005C5470 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,CloseHandle,OpenProcessToken,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\ProgramData\??????.exe, Code function: 2_2_005C8CD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D2F10 Sleep,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006E5470 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,CloseHandle,OpenProcessToken,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006E8CD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F2F10 Sleep,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: 0_2_0041F155 __EH_prolog,GetDiskFreeSpaceA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA
Contains functionality to enum processes or threads
Source: C:\ProgramData\??????.exe, Code function: 2_2_005CC440 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpW,lstrcmpW,Process32NextW,CloseHandle,lstrcmpW
Contains functionality to instantiate COM classes
Source: C:\ProgramData\??????.exe, Code function: 2_2_005C2DA0 Sleep,GetVersion,CoCreateInstance
Contains functionality to load and extract PE file embedded resourcesShow sources
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeCode function: 0_2_004233B8 LoadResource,LockResource,GetSysColor,GetSysColor,GetSysColor,GetDC,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,SelectObject,StretchDIBits,SelectObject,DeleteDC,ReleaseDC,0_2_004233B8
Creates files inside the user directoryShow sources
Source: C:\ProgramData\??????.exeFile created: C:\Users\user\AppData\Roaming\HomeLanJump to behavior
PE file has an executable .text section and no other executable sectionShow sources
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini filesShow sources
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe 'C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe'
Source: unknownProcess created: C:\ProgramData\??????.exe 'C:\ProgramData\??????.exe'
Source: unknownProcess created: C:\Users\user\AppData\Roaming\HomeLan\??????.exe C:\Users\user\AppData\Roaming\HomeLan\??????.exe
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeProcess created: C:\ProgramData\??????.exe 'C:\ProgramData\??????.exe' Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Writes ini filesShow sources
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exeFile written: C:\Users\user\AppData\Roaming\HomeLan\settings.iniJump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0041B1EF GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,0_2_0041B1EF
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00405340 push eax; ret 0_2_0040535E
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00405B80 push eax; ret 0_2_00405BAE
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C88E1 push esp; ret 2_2_005C88E5
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C1F50 push eax; mov dword ptr [esp], 00000103h 2_2_005C1F52
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006E88E1 push esp; ret 3_2_006E88E5
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006E1F50 push eax; mov dword ptr [esp], 00000103h 3_2_006E1F52

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | File created: C:\ProgramData\??????.exe
Source: C:\ProgramData\??????.exe | File created: C:\Users\user\AppData\Roaming\HomeLan\??????.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | File created: C:\ProgramData\??????.exe

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_004042FB IsIconic,GetWindowPlacement,GetWindowRect,0_2_004042FB
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00411340 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,0_2_00411340
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00420A57 GetParent,GetParent,GetParent,IsIconic,0_2_00420A57
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00411AF0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,0_2_00411AF0
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00425C28 IsIconic,IsWindowVisible,0_2_00425C28
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0042ED76 IsWindowVisible,IsIconic,0_2_0042ED76
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0042AFA7 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,0_2_0042AFA7
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\??????.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | RDTSC instruction interceptor: First address: 6e8171 second address: 6e8171 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+08h], eax 0x00000006 mov dword ptr [esp+0Ch], edx 0x0000000a mov eax, dword ptr [esp+08h] 0x0000000e mov dword ptr [esp+04h], 00000001h 0x00000016 lea edx, dword ptr [00000000h+eax*8] 0x0000001d test edx, 000007F8h 0x00000023 je 1F81FB82h 0x00000025 add ecx, eax 0x00000027 mov eax, ecx 0x00000029 mov esp, ebp 0x0000002b pop ebp 0x0000002c ret 0x0000002d xor edx, edx 0x0000002f div ebx 0x00000031 test esi, esi 0x00000033 mov ebp, edx 0x00000035 je 1F81FABCh 0x00000037 mov ecx, dword ptr [edi+ebp*4] 0x0000003a lea eax, dword ptr [esi+01h] 0x0000003d test ecx, ecx 0x0000003f jne 1F81F7B7h 0x00000041 mov esi, eax 0x00000043 call 1F823662h 0x00000048 push ebp 0x00000049 mov ebp, esp 0x0000004b and esp, FFFFFFF8h 0x0000004e sub esp, 10h 0x00000051 call dword ptr [006F9CECh] 0x00000057 jmp 1F81FA17h 0x00000059 jmp dword ptr [75761C4Ch] 0x0000005f mov ecx, dword ptr [7FFE0324h] 0x00000065 mov edx, dword ptr [7FFE0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | RDTSC instruction interceptor: First address: 6e8171 second address: 6e8171 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+08h], eax 0x00000006 mov dword ptr [esp+0Ch], edx 0x0000000a mov eax, dword ptr [esp+08h] 0x0000000e mov dword ptr [esp+04h], 00000001h 0x00000016 lea edx, dword ptr [00000000h+eax*8] 0x0000001d test edx, 000007F8h 0x00000023 je 1F81F9E2h 0x00000025 add ecx, eax 0x00000027 mov eax, ecx 0x00000029 mov esp, ebp 0x0000002b pop ebp 0x0000002c ret 0x0000002d sub esi, ebx 0x0000002f xor edx, edx 0x00000031 xor ebp, ebp 0x00000033 div esi 0x00000035 mov esi, edx 0x00000037 add esi, ebx 0x00000039 test esi, esi 0x0000003b jle 1F81F701h 0x0000003d lea ebx, dword ptr [edi+esi] 0x00000040 call 1F81BC78h 0x00000045 push ebp 0x00000046 mov ebp, esp 0x00000048 and esp, FFFFFFF8h 0x0000004b sub esp, 10h 0x0000004e call dword ptr [006F9CECh] 0x00000054 jmp 1F81F9D7h 0x00000056 jmp dword ptr [75761C4Ch] 0x0000005c mov ecx, dword ptr [7FFE0324h] 0x00000062 mov edx, dword ptr [7FFE0320h] 0x00000068 mov eax, dword ptr [7FFE03
Contains functionality for execution timing, often used to detect debuggers
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C8160 rdtsc 2_2_005C8160
Contains functionality to query network adapter information
Source: C:\ProgramData\??????.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,2_2_005D6780
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,3_2_006F6780
Found evasive API chain checking for process token information
Source: C:\ProgramData\??????.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_2-9757
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | API coverage: 2.7 %
Source: C:\ProgramData\??????.exe | API coverage: 6.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe TID: 3592 | Thread sleep time: -36000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0041E050 FindFirstFileA,FindClose,0_2_0041E050
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0041D790 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,0_2_0041D790
Source: C:\ProgramData\??????.exe | Code function: 2_2_005CD4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose,2_2_005CD4B0
Source: C:\ProgramData\??????.exe | Code function: 2_2_005D5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose,2_2_005D5710
Source: C:\ProgramData\??????.exe | Code function: 2_2_005CC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,2_2_005CC7C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006ED4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose,3_2_006ED4B0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006F5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose,3_2_006F5710
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006EC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,3_2_006EC7C0
Contains functionality to query system information
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C1FB0 GetVersionExW,GetNativeSystemInfo,GetNativeSystemInfo,GetSystemInfo,2_2_005C1FB0
Program exit points
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | API call chain: ExitProcess graph end node graph_3-9659

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C8160 rdtsc 2_2_005C8160
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\ProgramData\??????.exe | Code function: 2_2_005CC6D0 LdrLoadDll,2_2_005CC6D0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0041B1EF GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,0_2_0041B1EF
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00402D50 mov eax, dword ptr fs:[00000030h] 0_2_00402D50
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C35D0 mov ecx, dword ptr fs:[00000030h] 2_2_005C35D0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006E35D0 mov ecx, dword ptr fs:[00000030h] 3_2_006E35D0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C3180 GetProcessHeap,RtlReAllocateHeap,RtlAllocateHeap,2_2_005C3180
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00409A06 SetUnhandledExceptionFilter,0_2_00409A06
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00409A18 SetUnhandledExceptionFilter,0_2_00409A18
Source: C:\ProgramData\??????.exe | Code function: 2_2_005D2370 GetLastError,SetLastError,GetModuleHandleW,GetLastError,RtlAddVectoredExceptionHandler,SetCurrentDirectoryW,GetTickCount,Sleep,Sleep,CreateThread,GetTickCount,Sleep,Sleep,Sleep,CoUninitialize,OleUninitialize,ExitProcess,2_2_005D2370
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006F2370 GetLastError,SetLastError,GetModuleHandleW,GetLastError,RtlAddVectoredExceptionHandler,SetCurrentDirectoryW,GetTickCount,Sleep,Sleep,CreateThread,GetTickCount,Sleep,Sleep,Sleep,CoUninitialize,ExitProcess,3_2_006F2370

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C3A80 GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,CloseHandle,2_2_005C3A80

Language, Device and Operating System Detection:

Contains functionality to inject threads in other processes
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C1250 CreateEventW,CreateEventW,CreateEventW,CreateEventW,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualAllocEx,WriteProcessMemory,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,ResetEvent,ResetEvent,ResetEvent,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualFreeEx,VirtualFreeEx,2_2_005C1250
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006E1250 CreateEventW,CreateEventW,CreateEventW,CreateEventW,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualAllocEx,WriteProcessMemory,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,ResetEvent,ResetEvent,ResetEvent,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualFreeEx,VirtualFreeEx,3_2_006E1250
Queries the volume information (name, serial number etc) of a device
Source: C:\ProgramData\??????.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\ProgramData\??????.exe | Code function: 2_2_005D4E70 GetSystemTimeAsFileTime,_aulldiv,2_2_005D4E70
Contains functionality to query the account / user name
Source: C:\ProgramData\??????.exe | Code function: 2_2_005D1960 Sleep,GetUserNameW,2_2_005D1960
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0040A95E GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,0_2_0040A95E
Contains functionality to query windows version
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00432740 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,0_2_00432740
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Trickbot
Source: Yara match | File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Remote Access Functionality:

Yara detected Trickbot
Source: Yara match | File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Behavior Graph

Behavior Graph ID: 982876
Sample: 2019-10-21-Trickbot-gtag-mo...
Start date: 23/10/2019
Architecture: WINDOWS
Score: 68

Top-level signatures:

  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Detected Trickbot e-Banking trojan config
  • Yara detected Trickbot
  • May check the online IP address of the machine

Process 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe (started):

  • Dropped file: C:\ProgramData\??????.exe, PE32
  • Dropped file: C:\ProgramData\??????.exe:Zone.Identifier, ASCII
  • Started process: ??????.exe

Process ??????.exe (started by the sample above):

  • Dropped file: C:\Users\user\AppData\Roaming\...\??????.exe, PE32
  • Dropped file: C:\Users\user\...\??????.exe:Zone.Identifier, ASCII
  • Signature: Contains functionality to inject threads in other processes

Process ??????.exe (started):

  • Network: 81.190.160.139, 449, 49163 (unknown, Poland)
  • Network: 192.168.1.255 (unknown, unknown)
  • Network: 3 other IPs or domains
  • Signature: Contains functionality to inject threads in other processes
  • Signature: Tries to detect virtualization through RDTSC time measurements

Simulations

Behavior and APIs

Time | Type | Description
11:33:31 | API Interceptor | 6x Sleep call for process: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe modified
11:33:37 | API Interceptor | 905x Sleep call for process: ??????.exe modified
11:33:38 | Task Scheduler | Run new task: Home lan application path: C:\Users\user\AppData\Roaming\HomeLan\.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe |
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe |
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
http://ocsp.entrust.net0D | 0% | URL Reputation | safe |
http://ocsp.entrust.net03 | 0% | URL Reputation | safe |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security |
Process Memory Space: ______.exe PID: 3448 | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security |

Unpacked PEs

No yara matches