Play interactive tour

Edit tour

Analysis Report 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Overview

General Information

Joe Sandbox Version:	26.0.0
Analysis ID:	982876
Start date:	23.10.2019
Start time:	11:33:05
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 10m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java) AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.bank.troj.evad.winEXE@4/5@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 67% Number of executed functions: 75 Number of non-executed functions: 352
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, mscorsvw.exe Excluded IPs from analysis (whitelisted): 93.184.221.240, 8.241.121.126, 67.26.81.254, 8.241.9.254, 8.248.119.254, 8.241.9.126, 8.248.129.254, 67.26.75.254, 205.185.216.42, 205.185.216.10 Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, wu.azureedge.net Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	68	0 - 100	Report FP / FN	false	Trickbot

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts1	Scheduled Task1	Valid Accounts1	Valid Accounts1	Valid Accounts1	Input Capture11	System Time Discovery2	Application Deployment Software	Input Capture11	Data Encrypted12	Uncommonly Used Port1
Replication Through Removable Media	Execution through API1	Scheduled Task1	Access Token Manipulation11	Access Token Manipulation11	Network Sniffing	Query Registry1	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Cryptographic Protocol22
Drive-by Compromise	Windows Management Instrumentation	Accessibility Features	Scheduled Task1	Deobfuscate/Decode Files or Information1	Input Capture	Process Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Non-Application Layer Protocol2
Exploit Public-Facing Application	Scheduled Task	System Firmware	DLL Search Order Hijacking	Obfuscated Files or Information2	Credentials in Files	Application Window Discovery1	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol2
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Masquerading	Account Manipulation	Account Discovery1	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	DLL Search Order Hijacking	Brute Force	System Owner/User Discovery1	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port
Spearphishing via Service	Scripting	Path Interception	Scheduled Task	Software Packing	Two-Factor Authentication Interception	Security Software Discovery3	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port
Supply Chain Compromise	Third-party Software	Logon Scripts	Process Injection	Indicator Blocking	Bash History	Remote System Discovery1	Remote Desktop Protocol	Clipboard Data	Exfiltration Over Alternative Protocol	Standard Application Layer Protocol
Trusted Relationship	Rundll32	DLL Search Order Hijacking	Service Registry Permissions Weakness	Process Injection	Input Prompt	System Network Configuration Discovery11	Windows Admin Shares	Automated Collection	Exfiltration Over Physical Medium	Multilayer Encryption
Hardware Additions	PowerShell	Change Default File Association	Exploitation for Privilege Escalation	Scripting	Keychain	File and Directory Discovery2	Taint Shared Content	Audio Capture		Connection Proxy
	Execution through API	File System Permissions Weakness	Valid Accounts	Indicator Removal from Tools	Private Keys	System Information Discovery14	Replication Through Removable Media	Video Capture		Communication Through Removable Media

Signature Overview

Click to jump to signature section

AV Detection:

Yara detected Trickbot

Show sources

Source: Yara match	File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\ProgramData\??????.exe	Code function: 2_2_005CF800 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	2_2_005CF800
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D08A0 CryptStringToBinaryW,CryptStringToBinaryW,	2_2_005D08A0
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D7190 CryptBinaryToStringW,CryptBinaryToStringW,	2_2_005D7190
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,	2_2_005D5AB0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006EF800 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	3_2_006EF800
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,	3_2_006F5AB0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F08A0 CryptStringToBinaryW,CryptStringToBinaryW,	3_2_006F08A0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F7190 CryptBinaryToStringW,CryptBinaryToStringW,	3_2_006F7190

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\ProgramData\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_0041E050 FindFirstFileA,FindClose,	0_2_0041E050
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_0041D790 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	0_2_0041D790
Source: C:\ProgramData\??????.exe	Code function: 2_2_005CD4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose,	2_2_005CD4B0
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose,	2_2_005D5710
Source: C:\ProgramData\??????.exe	Code function: 2_2_005CC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,	2_2_005CC7C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006ED4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose,	3_2_006ED4B0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose,	3_2_006F5710
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006EC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,	3_2_006EC7C0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.1.16:49163 -> 81.190.160.139:449

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49163 -> 81.190.160.139:449

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139
Source: unknown	TCP traffic detected without corresponding DNS query: 81.190.160.139

Found strings which match to known social media urls

Show sources

Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Urls found in memory or binary data

Show sources

Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabXy
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp	String found in binary or memory: https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/14/path/C:%5CUsers%
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp	String found in binary or memory: https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/23/1000477/
Source: ??????.exe, 00000003.00000002.541399359.002F3000.00000004.00000020.sdmp	String found in binary or memory: https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/5/spk/
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: https://api.ipify.org/?format=text
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Code function: 0_2_0042BF21 GetAsyncKeyState,SendMessageA,

0_2_0042BF21

E-Banking Fraud:

Detected Trickbot e-Banking trojan config

Show sources

Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp

String found in binary or memory: <mcconf> <ver>1000479</ver> <gtag>tt0002</gtag> <servs> <srv>144.91.79.9:443</srv> <srv>172.245.97.148:443</srv> <srv>85.204.116.139:443</srv> <srv>185.62.188.117:443</srv> <srv>185.222.202.76:443</srv> <srv>144.91.79.12:443</srv> <srv>185.68.93.43:443</srv> <srv>195.123.238.191:443</srv> <srv>146.185.219.29:443</srv> <srv>195.133.196.151:443</srv> <srv>91.235.129.60:443</srv> <srv>23.227.206.170:443</srv> <srv>185.222.202.192:443</srv> <srv>190.154.203.218:449</srv> <srv>178.183.150.169:449</srv> <srv>200.116.199.10:449</srv> <srv>187.58.56.26:449</srv> <srv>177.103.240.149:449</srv> <srv>81.190.160.139:449</srv> <srv>200.21.51.38:449</srv> <srv>181.49.61.237:449</srv> <srv>46.174.235.36:449</srv> <srv>36.89.85.103:449</srv> <srv>170.233.120.53:449</srv> <srv>89.228.243.148:449</srv> <srv>31.214.138.207:449</srv> <srv>186.42.98.254:449</srv> <srv>195.93.223.100:449</srv> <srv>181.112.52.26:449</srv> <srv>190.13.160.19:449</srv> <srv>186.71.150.23:449</srv> <srv>190.152.4.98:449</srv> <srv>170.82.156.53:449</s

Yara detected Trickbot

Show sources

Source: Yara match	File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Show sources

Source: C:\ProgramData\??????.exe	Code function: 2_2_005D5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,		2_2_005D5AB0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,		3_2_006F5AB0

System Summary:

Contains functionality to call native functions

Show sources

Source: C:\ProgramData\??????.exe	Code function: 2_2_005D1800 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,		2_2_005D1800
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F1800 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,		3_2_006F1800

Contains functionality to launch a process as a different user

Show sources

Source: C:\ProgramData\??????.exe

Code function: 2_2_005C5470 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,CloseHandle,OpenProcessToken,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle,

2_2_005C5470

Creates mutexes

Show sources

Source: C:\ProgramData\??????.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\789C000000010
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Mutant created: \BaseNamedObjects\Global\789C000000010

Detected potential crypto function

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_0040C442	0_2_0040C442
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_004196D8	0_2_004196D8
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_004089E4	0_2_004089E4
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_00413B90	0_2_00413B90
Source: C:\ProgramData\??????.exe	Code function: 2_2_005C5470	2_2_005C5470
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D3430	2_2_005D3430
Source: C:\ProgramData\??????.exe	Code function: 2_2_005CA4D0	2_2_005CA4D0
Source: C:\ProgramData\??????.exe	Code function: 2_2_005CF0E0	2_2_005CF0E0
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D0920	2_2_005D0920
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D05C0	2_2_005D05C0
Source: C:\ProgramData\??????.exe	Code function: 2_2_005C4DE0	2_2_005C4DE0
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D35E0	2_2_005D35E0
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D41A0	2_2_005D41A0
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D1A70	2_2_005D1A70
Source: C:\ProgramData\??????.exe	Code function: 2_2_005C2E60	2_2_005C2E60
Source: C:\ProgramData\??????.exe	Code function: 2_2_005C8230	2_2_005C8230
Source: C:\ProgramData\??????.exe	Code function: 2_2_005C3EC0	2_2_005C3EC0
Source: C:\ProgramData\??????.exe	Code function: 2_2_005C36E0	2_2_005C36E0
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D5EB0	2_2_005D5EB0
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D5710	2_2_005D5710
Source: C:\ProgramData\??????.exe	Code function: 2_2_005CC7C0	2_2_005CC7C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006EA4D0	3_2_006EA4D0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F5710	3_2_006F5710
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006EC7C0	3_2_006EC7C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006E5470	3_2_006E5470
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F3430	3_2_006F3430
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006EF0E0	3_2_006EF0E0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F0920	3_2_006F0920
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006E4DE0	3_2_006E4DE0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F35E0	3_2_006F35E0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F05C0	3_2_006F05C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F41A0	3_2_006F41A0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006E2E60	3_2_006E2E60
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F1A70	3_2_006F1A70
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006E8230	3_2_006E8230
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006E36E0	3_2_006E36E0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006E3EC0	3_2_006E3EC0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F5EB0	3_2_006F5EB0

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: String function: 00404AE0 appears 55 times
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: String function: 00401690 appears 31 times
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: String function: 00405340 appears 226 times
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: String function: 00417F36 appears 31 times

PE file contains strange resources

Show sources

Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ______.exe.0.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ______.exe.2.dr	Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Sample file is different than original file name gathered from version info

Show sources

Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.254939532.01880000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.257684622.023A0000.00000008.00000001.sdmp	Binary or memory string: originalfilename vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.257684622.023A0000.00000008.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.257727095.025C0000.00000008.00000001.sdmp	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Sample reads its own file content

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

File read: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Jump to behavior

Classification label

Show sources

Source: classification engine

Classification label: mal68.bank.troj.evad.winEXE@4/5@2/3

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\ProgramData\??????.exe	Code function: 2_2_005C5470 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,CloseHandle,OpenProcessToken,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle,	2_2_005C5470
Source: C:\ProgramData\??????.exe	Code function: 2_2_005C8CD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle,	2_2_005C8CD0
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D2F10 Sleep,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	2_2_005D2F10
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006E5470 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,CloseHandle,OpenProcessToken,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle,	3_2_006E5470
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006E8CD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle,	3_2_006E8CD0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F2F10 Sleep,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	3_2_006F2F10

Contains functionality to check free disk space

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Code function: 0_2_0041F155 __EH_prolog,GetDiskFreeSpaceA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,

0_2_0041F155

Contains functionality to enum processes or threads

Show sources

Source: C:\ProgramData\??????.exe

Code function: 2_2_005CC440 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpW,lstrcmpW,Process32NextW,CloseHandle,lstrcmpW,

2_2_005CC440

Contains functionality to instantiate COM classes

Show sources

Source: C:\ProgramData\??????.exe

Code function: 2_2_005C2DA0 Sleep,GetVersion,CoCreateInstance,

2_2_005C2DA0

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Code function: 0_2_004233B8 LoadResource,LockResource,GetSysColor,GetSysColor,GetSysColor,GetDC,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,SelectObject,StretchDIBits,SelectObject,DeleteDC,ReleaseDC,

0_2_004233B8

Creates files inside the user directory

Show sources

Source: C:\ProgramData\??????.exe

File created: C:\Users\user\AppData\Roaming\HomeLan

Jump to behavior

PE file has an executable .text section and no other executable section

Show sources

Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads ini files

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe 'C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe'
Source: unknown	Process created: C:\ProgramData\??????.exe 'C:\ProgramData\??????.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\HomeLan\??????.exe C:\Users\user\AppData\Roaming\HomeLan\??????.exe
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Process created: C:\ProgramData\??????.exe 'C:\ProgramData\??????.exe'	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Writes ini files

Show sources

Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe

File written: C:\Users\user\AppData\Roaming\HomeLan\settings.ini

Jump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Code function: 0_2_0041B1EF GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,

0_2_0041B1EF

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_00405340 push eax; ret	0_2_0040535E
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_00405B80 push eax; ret	0_2_00405BAE
Source: C:\ProgramData\??????.exe	Code function: 2_2_005C88E1 push esp; ret	2_2_005C88E5
Source: C:\ProgramData\??????.exe	Code function: 2_2_005C1F50 push eax; mov dword ptr [esp], 00000103h	2_2_005C1F52
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006E88E1 push esp; ret	3_2_006E88E5
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006E1F50 push eax; mov dword ptr [esp], 00000103h	3_2_006E1F52

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	File created: C:\ProgramData\??????.exe			Jump to dropped file
Source: C:\ProgramData\??????.exe	File created: C:\Users\user\AppData\Roaming\HomeLan\??????.exe			Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

File created: C:\ProgramData\??????.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_004042FB IsIconic,GetWindowPlacement,GetWindowRect,	0_2_004042FB
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_00411340 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,	0_2_00411340
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_00420A57 GetParent,GetParent,GetParent,IsIconic,	0_2_00420A57
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_00411AF0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,	0_2_00411AF0
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_00425C28 IsIconic,IsWindowVisible,	0_2_00425C28
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_0042ED76 IsWindowVisible,IsIconic,	0_2_0042ED76
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_0042AFA7 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,	0_2_0042AFA7

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\??????.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\??????.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\??????.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	RDTSC instruction interceptor: First address: 6e8171 second address: 6e8171 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+08h], eax 0x00000006 mov dword ptr [esp+0Ch], edx 0x0000000a mov eax, dword ptr [esp+08h] 0x0000000e mov dword ptr [esp+04h], 00000001h 0x00000016 lea edx, dword ptr [00000000h+eax8] 0x0000001d test edx, 000007F8h 0x00000023 je 1F81FB82h 0x00000025 add ecx, eax 0x00000027 mov eax, ecx 0x00000029 mov esp, ebp 0x0000002b pop ebp 0x0000002c ret 0x0000002d xor edx, edx 0x0000002f div ebx 0x00000031 test esi, esi 0x00000033 mov ebp, edx 0x00000035 je 1F81FABCh 0x00000037 mov ecx, dword ptr [edi+ebp4] 0x0000003a lea eax, dword ptr [esi+01h] 0x0000003d test ecx, ecx 0x0000003f jne 1F81F7B7h 0x00000041 mov esi, eax 0x00000043 call 1F823662h 0x00000048 push ebp 0x00000049 mov ebp, esp 0x0000004b and esp, FFFFFFF8h 0x0000004e sub esp, 10h 0x00000051 call dword ptr [006F9CECh] 0x00000057 jmp 1F81FA17h 0x00000059 jmp dword ptr [75761C4Ch] 0x0000005f mov ecx, dword ptr [7FFE0324h] 0x00000065 mov edx, dword ptr [7FFE0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	RDTSC instruction interceptor: First address: 6e8171 second address: 6e8171 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+08h], eax 0x00000006 mov dword ptr [esp+0Ch], edx 0x0000000a mov eax, dword ptr [esp+08h] 0x0000000e mov dword ptr [esp+04h], 00000001h 0x00000016 lea edx, dword ptr [00000000h+eax*8] 0x0000001d test edx, 000007F8h 0x00000023 je 1F81F9E2h 0x00000025 add ecx, eax 0x00000027 mov eax, ecx 0x00000029 mov esp, ebp 0x0000002b pop ebp 0x0000002c ret 0x0000002d sub esi, ebx 0x0000002f xor edx, edx 0x00000031 xor ebp, ebp 0x00000033 div esi 0x00000035 mov esi, edx 0x00000037 add esi, ebx 0x00000039 test esi, esi 0x0000003b jle 1F81F701h 0x0000003d lea ebx, dword ptr [edi+esi] 0x00000040 call 1F81BC78h 0x00000045 push ebp 0x00000046 mov ebp, esp 0x00000048 and esp, FFFFFFF8h 0x0000004b sub esp, 10h 0x0000004e call dword ptr [006F9CECh] 0x00000054 jmp 1F81F9D7h 0x00000056 jmp dword ptr [75761C4Ch] 0x0000005c mov ecx, dword ptr [7FFE0324h] 0x00000062 mov edx, dword ptr [7FFE0320h] 0x00000068 mov eax, dword ptr [7FFE03

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\ProgramData\??????.exe

Code function: 2_2_005C8160 rdtsc

2_2_005C8160

Contains functionality to query network adapater information

Show sources

Source: C:\ProgramData\??????.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,		2_2_005D6780
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,		3_2_006F6780

Found evasive API chain checking for process token information

Show sources

Source: C:\ProgramData\??????.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_2-9757

Found large amount of non-executed APIs

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	API coverage: 2.7 %
Source: C:\ProgramData\??????.exe	API coverage: 6.3 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe TID: 3592

Thread sleep time: -36000s >= -30000s

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe

Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_0041E050 FindFirstFileA,FindClose,	0_2_0041E050
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_0041D790 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	0_2_0041D790
Source: C:\ProgramData\??????.exe	Code function: 2_2_005CD4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose,	2_2_005CD4B0
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose,	2_2_005D5710
Source: C:\ProgramData\??????.exe	Code function: 2_2_005CC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,	2_2_005CC7C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006ED4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose,	3_2_006ED4B0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose,	3_2_006F5710
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006EC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,	3_2_006EC7C0

Contains functionality to query system information

Show sources

Source: C:\ProgramData\??????.exe

Code function: 2_2_005C1FB0 GetVersionExW,GetNativeSystemInfo,GetNativeSystemInfo,GetSystemInfo,

2_2_005C1FB0

Program exit points

Show sources

Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe

API call chain: ExitProcess graph end node

graph_3-9659

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\ProgramData\??????.exe

Code function: 2_2_005C8160 rdtsc

2_2_005C8160

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Show sources

Source: C:\ProgramData\??????.exe

Code function: 2_2_005CC6D0 LdrLoadDll,

2_2_005CC6D0

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Code function: 0_2_0041B1EF GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,

0_2_0041B1EF

Contains functionality to read the PEB

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_00402D50 mov eax, dword ptr fs:[00000030h]	0_2_00402D50
Source: C:\ProgramData\??????.exe	Code function: 2_2_005C35D0 mov ecx, dword ptr fs:[00000030h]	2_2_005C35D0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006E35D0 mov ecx, dword ptr fs:[00000030h]	3_2_006E35D0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\ProgramData\??????.exe

Code function: 2_2_005C3180 GetProcessHeap,RtlReAllocateHeap,RtlAllocateHeap,

2_2_005C3180

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_00409A06 SetUnhandledExceptionFilter,	0_2_00409A06
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe	Code function: 0_2_00409A18 SetUnhandledExceptionFilter,	0_2_00409A18
Source: C:\ProgramData\??????.exe	Code function: 2_2_005D2370 GetLastError,SetLastError,GetModuleHandleW,GetLastError,RtlAddVectoredExceptionHandler,SetCurrentDirectoryW,GetTickCount,Sleep,Sleep,CreateThread,GetTickCount,Sleep,Sleep,Sleep,CoUninitialize,OleUninitialize,ExitProcess,	2_2_005D2370
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006F2370 GetLastError,SetLastError,GetModuleHandleW,GetLastError,RtlAddVectoredExceptionHandler,SetCurrentDirectoryW,GetTickCount,Sleep,Sleep,CreateThread,GetTickCount,Sleep,Sleep,Sleep,CoUninitialize,ExitProcess,	3_2_006F2370

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor

Show sources

Source: C:\ProgramData\??????.exe

Code function: 2_2_005C3A80 GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,CloseHandle,

2_2_005C3A80

Language, Device and Operating System Detection:

Contains functionality to inject threads in other processes

Show sources

Source: C:\ProgramData\??????.exe	Code function: 2_2_005C1250 CreateEventW,CreateEventW,CreateEventW,CreateEventW,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualAllocEx,WriteProcessMemory,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,ResetEvent,ResetEvent,ResetEvent,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualFreeEx,VirtualFreeEx,		2_2_005C1250
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Code function: 3_2_006E1250 CreateEventW,CreateEventW,CreateEventW,CreateEventW,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualAllocEx,WriteProcessMemory,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,ResetEvent,ResetEvent,ResetEvent,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualFreeEx,VirtualFreeEx,		3_2_006E1250

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\ProgramData\??????.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Contains functionality to query local / system time

Show sources

Source: C:\ProgramData\??????.exe

Code function: 2_2_005D4E70 GetSystemTimeAsFileTime,_aulldiv,

2_2_005D4E70

Contains functionality to query the account / user name

Show sources

Source: C:\ProgramData\??????.exe

Code function: 2_2_005D1960 Sleep,GetUserNameW,

2_2_005D1960

Contains functionality to query time zone information

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Code function: 0_2_0040A95E GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_0040A95E

Contains functionality to query windows version

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Code function: 0_2_00432740 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

0_2_00432740

Queries the cryptographic machine GUID

Show sources

Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Trickbot

Show sources

Source: Yara match	File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Remote Access Functionality:

Yara detected Trickbot

Show sources

Source: Yara match	File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

Time	Type	Description
11:33:31	API Interceptor	6x Sleep call for process: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe modified
11:33:37	API Interceptor	905x Sleep call for process: ??????.exe modified
11:33:38	Task Scheduler	Run new task: Home lan application path: C:\Users\user\AppData\Roaming\HomeLan\.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.541461598.0032A000.00000004.00000020.sdmp	JoeSecurity_Trickbot_1	Yara detected Trickbot	Joe Security
Process Memory Space: ______.exe PID: 3448	JoeSecurity_Trickbot_1	Yara detected Trickbot	Joe Security

Unpacked PEs

No yara matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Cryptography:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshots

Thumbnails