
Analysis Report _#U00e6dB1C3.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 208271
Start date: 13.02.2020
Start time: 22:35:05
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: _#U00e6dB1C3.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winEXE@9/4@1/6
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 92.8% (good quality ratio 66.6%)
  • Quality average: 56.8%
  • Quality standard deviation: 39.8%
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 82
  • Number of non-executed functions: 229
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Excluded processes from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 8.248.131.254, 67.27.158.254, 8.253.95.121, 67.27.158.126, 67.26.137.254, 67.26.73.254, 8.253.95.120, 8.253.207.120, 8.248.119.254
  • Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | Trickbot | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation21 | Winlogon Helper DLL | Access Token Manipulation1 | Masquerading1 | Credential Dumping | Virtualization/Sandbox Evasion3 | Remote File Copy1 | Data from Local System | Data Encrypted1 | Uncommonly Used Port1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Execution through API11 | Port Monitors | Process Injection11 | Software Packing1 | Network Sniffing | Process Discovery2 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Exploitation for Client Execution1 | Accessibility Features | Path Interception | Virtualization/Sandbox Evasion3 | Input Capture | Application Window Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote File Copy1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Access Token Manipulation1 | Credentials in Files | Security Software Discovery31 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol2 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Process Injection11 | Account Manipulation | Remote System Discovery1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol3 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Deobfuscate/Decode Files or Information1 | Brute Force | System Network Configuration Discovery11 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Obfuscated Files or Information1 | Two-Factor Authentication Interception | File and Directory Discovery4 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Information Discovery23 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Signature Overview



AV Detection:

Antivirus detection for URL or domain
Source: https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/14/NAT%20status | Avira URL Cloud: Label: malware
Source: https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/23/1000496/ | Avira URL Cloud: Label: malware
Source: https://181.112.157.42:449/ll | Avira URL Cloud: Label: malware
Source: https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/23/1000496/ncod | Avira URL Cloud: Label: malware
Source: https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/63/systeminfo/G | Avira URL Cloud: Label: malware
Source: https://181.112.157.42:449/ | Avira URL Cloud: Label: malware
Source: https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/23/1000496/03 | Avira URL Cloud: Label: malware
Source: https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/5/spk/ | Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Avira: detection malicious, Label: TR/AD.TrickBot.kcihv
Antivirus detection for sample
Source: _#U00e6dB1C3.exe | Avira: detection malicious, Label: TR/AD.TrickBot.kcihv
Found malware configuration
Source: svchost.exe.5984.4.memstrMalware Configuration Extractor: Trickbot {"C2 list": ["181.140.173.186:449", "181.112.157.42:449", "212.109.220.111:443", "170.84.78.224:449", "200.21.51.38:449", "79.143.31.246:443", "181.113.28.146:449", "979.143.31.246:443", "185.62.188.34:443", "185.252.144.135:443", "104.168.96.113:443", "5.182.210.226:443", "93.189.46.122:443", "5.182.210.246:443", "91.235.129.25:443", "5.182.210.109:443", "181.129.104.139:449", "190.214.13.2:449", "46.174.235.36:449", "36.89.85.103:449", "181.129.134.18:449", "195.123.217.226:443", "186.71.150.23:449", "131.161.253.190:449", "200.127.121.99:449", "82.146.62.52:443", "85.204.116.128:443", "31.184.254.50:443", "185.99.2.117:443", "185.142.99.8:443", "188.165.62.36:443", "186.232.91.240:449", "982.146.62.52:443", "119.252.165.75:449", "181.196.207.202:449", "180.180.216.177:449", "171.100.142.238:449", "114.8.133.71:449", "121.100.19.18:449", "202.29.215.114:449", "198.8.91.10:443", "5.2.78.43:443", "5.2.78.98:443", "145.2.78.43:443", "5.34.177.40:443", "5.2.78.70:443", "025.2.78.70:443", "5.2.78.77:443", "164.68.120.56:443", "185.11.146.86:443", "185.65.202.240:443", "193.26.217.243:443", "81.177.180.254:443", "185.186.77.222:443", "188.227.84.209:443", "185.45.193.76:443", "46.229.213.27:443", "88.99.112.87:443", "51.254.164.240:443", "45.148.120.13:443", "64.44.51.125:443", "107.172.165.149:443", "45.148.120.14:443"], "modules": ["systeminfo", "pwgrab", "mcconf"]}
Multi AV Scanner detection for domain / URL
Source: https://181.112.157.42:449/ | Virustotal: Detection: 11%
Yara detected Trickbot
Source: Yara match | File source: 00000004.00000002.2396092444.0000019AB6035000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2396345130.0000019AB60CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5984, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5164, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: _#U00e6dB1C3.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0._#U00e6dB1C3.exe.400000.0.unpack | Avira: Label: TR/AD.TrickBot.kcihv
Source: 3.0._#U00c4dB1C3.exe.400000.0.unpack | Avira: Label: TR/AD.TrickBot.kcihv
Source: 8.0._#U00c4dB1C3.exe.400000.0.unpack | Avira: Label: TR/AD.TrickBot.kcihv

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000002170B2D5A40 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_0000019AB5E22B30 FindFirstFileW
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_0000019AB5E35A40 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_0000019AB5E36090 FindFirstFileW,FindNextFileW
Source: C:\Windows\System32\svchost.exe | Code function: 9_2_00000195DC0E5A40 FindFirstFileW,FindNextFileW,FindClose
Enumerates the file system
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Spelling\
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\ncryptprov.dll
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\System32\taskschd.dll
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.5:49790 -> 5.182.210.226:443
Source: Traffic | Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.5:49792 -> 188.165.62.36:443
Source: Traffic | Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.5:49793 -> 181.112.157.42:449
May check the online IP address of the machine
Source: unknown | DNS query: name: myexternalip.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49793 -> 181.112.157.42:449
Source: global traffic | TCP traffic: 192.168.2.5:49795 -> 181.140.173.186:449
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 5.182.210.226
Source: Joe Sandbox View | IP Address: 216.239.32.21
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: e62a5f4d538cbf169c2af71bec2399b4
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 195.123.217.226
Source: unknown | TCP traffic detected without corresponding DNS query: 188.165.62.36
Source: unknown | TCP traffic detected without corresponding DNS query: 181.112.157.42
Source: unknown | TCP traffic detected without corresponding DNS query: 181.140.173.186
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /raw HTTP/1.1 | Connection: Keep-Alive | User-Agent: curl/7.67.0 | Host: myexternalip.com
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: myexternalip.com
Urls found in memory or binary data
Source: svchost.exe, 00000004.00000002.2396212387.0000019AB607B000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: svchost.exe, 00000004.00000002.2396212387.0000019AB607B000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: svchost.exe, 00000004.00000002.2396212387.0000019AB607B000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: svchost.exe, 00000004.00000002.2396212387.0000019AB607B000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: svchost.exe, 00000004.00000002.2397742936.0000019AB6B12000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000004.00000002.2396212387.0000019AB607B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: svchost.exe, 00000004.00000002.2396345130.0000019AB60CB000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: svchost.exe, 00000004.00000003.2298743763.0000019AB6B89000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.
Source: svchost.exe, 00000004.00000002.2396345130.0000019AB60CB000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000004.00000002.2396263210.0000019AB609E000.00000004.00000001.sdmp | String found in binary or memory: http://ipecho.net/plain
Source: svchost.exe, 00000004.00000002.2396212387.0000019AB607B000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: svchost.exe, 00000004.00000002.2396212387.0000019AB607B000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: svchost.exe, 00000004.00000002.2398005639.0000019AB6BF8000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/
Source: svchost.exe, 00000004.00000002.2396345130.0000019AB60CB000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/ll
Source: svchost.exe, 00000004.00000002.2396263210.0000019AB609E000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/14/NAT%20status
Source: svchost.exe, 00000004.00000002.2396345130.0000019AB60CB000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/23/1000496/
Source: svchost.exe, 00000004.00000002.2396345130.0000019AB60CB000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/23/1000496/03
Source: svchost.exe, 00000004.00000002.2396212387.0000019AB607B000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/23/1000496/ncod
Source: svchost.exe, 00000004.00000002.2396296318.0000019AB60B3000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/5/spk/
Source: svchost.exe, 00000004.00000002.2396345130.0000019AB60CB000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/63/systeminfo/G
Source: svchost.exe, 00000004.00000002.2398005639.0000019AB6BF8000.00000004.00000001.sdmp | String found in binary or memory: https://181.140.173.186:449/hy
Source: svchost.exe, 00000004.00000002.2398005639.0000019AB6BF8000.00000004.00000001.sdmp | String found in binary or memory: https://181.140.173.186:449/l
Source: svchost.exe, 00000004.00000002.2397992176.0000019AB6BF2000.00000004.00000001.sdmp | String found in binary or memory: https://181.140.173.186:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/5/spk/
Source: svchost.exe, 00000004.00000002.2396212387.0000019AB607B000.00000004.00000001.sdmp | String found in binary or memory: https://5.182.210.226/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/5/spk/
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443

E-Banking Fraud:

Detected Trickbot e-Banking trojan config
Source: svchost.exe, 00000004.00000002.2396345130.0000019AB60CB000.00000004.00000001.sdmpString found in binary or memory: <mcconf> <ver>1000498</ver> <gtag>tt0002</gtag> <servs> <srv>5.182.210.226:443</srv> <srv>82.146.62.52:443</srv> <srv>164.68.120.56:443</srv> <srv>185.11.146.86:443</srv> <srv>5.2.78.70:443</srv> <srv>185.65.202.240:443</srv> <srv>193.26.217.243:443</srv> <srv>81.177.180.254:443</srv> <srv>5.34.177.40:443</srv> <srv>185.186.77.222:443</srv> <srv>188.227.84.209:443</srv> <srv>185.45.193.76:443</srv> <srv>46.229.213.27:443</srv> <srv>88.99.112.87:443</srv> <srv>51.254.164.240:443</srv> <srv>45.148.120.13:443</srv> <srv>5.2.78.77:443</srv> <srv>64.44.51.125:443</srv> <srv>107.172.165.149:443</srv> <srv>45.148.120.14:443</srv> <srv>190.214.13.2:449</srv> <srv>181.140.173.186:449</srv> <srv>181.129.104.139:449</srv> <srv>181.113.28.146:449</srv> <srv>181.112.157.42:449</srv> <srv>170.84.78.224:449</srv> <srv>200.21.51.38:449</srv> <srv>46.174.235.36:449</srv> <srv>36.89.85.103:449</srv> <srv>181.129.134.18:449</srv> <srv>186.71.150.23:449</srv> <srv>131.161.253.190:449</srv> <srv>200.127.121.99:449</srv> <srv>114.8.133.71:449</srv> <srv>119.252.165.75:449</srv> <srv>121.100.19.18:449</srv> <srv>202.29.215.114:449</srv> <srv>180.180.216.177:449</srv> <srv>171.100.142.238:449</srv> <srv>186.232.91.240:449</srv> <srv>181.196.207.202:449</srv> </servs> <autorun> <module name="pwgrab"/> </autorun> </mcconf>
Yara detected Trickbot
Source: Yara match | File source: 00000004.00000002.2396092444.0000019AB6035000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2396345130.0000019AB60CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5984, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5164, type: MEMORY

System Summary:

Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Code function: String function: 0040543E appears 46 times
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Code function: String function: 004057C0 appears 60 times
PE file contains strange resources
Source: _#U00e6dB1C3.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: _#U00e6dB1C3.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: _#U00e6dB1C3.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: _#U00e6dB1C3.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: _#U00c4dB1C3.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: _#U00c4dB1C3.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: _#U00c4dB1C3.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: _#U00c4dB1C3.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: _#U00e6dB1C3.exe, 00000000.00000000.1969750672.000000000040A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZoomPerspective.EXEX vs _#U00e6dB1C3.exe
Source: _#U00e6dB1C3.exe, 00000000.00000002.1976678768.0000000000A70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameMFC42.DLL.MUIR vs _#U00e6dB1C3.exe
Source: _#U00e6dB1C3.exe | Binary or memory string: OriginalFilenameZoomPerspective.EXEX vs _#U00e6dB1C3.exe
Classification label
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@9/4@1/6
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_0000019AB5E29920 AdjustTokenPrivileges,RevertToSelf,FindCloseChangeNotification,AdjustTokenPrivileges,FindCloseChangeNotification
Contains functionality to enum processes or threads
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_0000019AB5E23C40 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\_#U00e6dB1C3.exe | Code function: 0_2_00403492 #1168,FindResourceA,LoadResource,LockResource,SizeofResource,#823,#350,#1200
Creates files inside the user directory
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Roaming\WinNetCore
Creates mutexes
Source: C:\Windows\System32\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\19F59F9A7E6932832
Source: C:\Windows\System32\svchost.exe | Mutant created: \BaseNamedObjects\Global\19F59F9A7E6932832
PE file has an executable .text section and no other executable section
Source: _#U00e6dB1C3.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Queries process information (via WMI, Win32_Process)Show sources
Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Reads ini filesShow sources
Source: C:\Windows\System32\svchost.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\_#U00e6dB1C3.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\_#U00e6dB1C3.exe 'C:\Users\user\Desktop\_#U00e6dB1C3.exe'
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: unknownProcess created: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: unknownProcess created: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Users\user\Desktop\_#U00e6dB1C3.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exeJump to behavior
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exeJump to behavior
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exeJump to behavior
Writes ini filesShow sources
Source: C:\Windows\System32\svchost.exeFile written: C:\Users\user\AppData\Roaming\WinNetCore\settings.iniJump to behavior

Persistence and Installation Behavior:

Yara detected PersistenceViaHiddenTask
Source: Yara match | File source: 00000002.00000002.1980828717.000002170B446000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5928, type: MEMORY
Drops PE files
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe

Boot Survival:

Yara detected PersistenceViaHiddenTask
Source: Yara match | File source: 00000002.00000002.1980828717.000002170B446000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5928, type: MEMORY

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\_#U00e6dB1C3.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\_#U00e6dB1C3.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\_#U00e6dB1C3.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\System32\svchost.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 0000019AB5E3B2AC second address: 0000019AB5E3B2AC instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 xor edx, edx 0x0000000b div esi 0x0000000d mov ebx, edx 0x0000000f test ebp, ebp 0x00000011 je 00007F59BCACC82Ch 0x00000013 mov ecx, dword ptr [edi+ebx*4] 0x00000016 lea eax, dword ptr [ebp+01h] 0x00000019 test ecx, ecx 0x0000001b jne 00007F59BCACC807h 0x0000001d mov ebp, eax 0x0000001f call 00007F59BCAD4B56h 0x00000024 dec eax 0x00000025 sub esp, 28h 0x00000028 call dword ptr [000062BAh] 0x0000002e mov ecx, 7FFE0320h 0x00000033 dec eax 0x00000034 mov ecx, dword ptr [ecx] 0x00000036 mov eax, dword ptr [7FFE0004h] 0x0000003d dec eax 0x0000003e imul eax, ecx 0x00000041 dec eax 0x00000042 shr eax, 18h 0x00000045 ret 0x00000046 mov ecx, eax 0x00000048 rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 0000019AB5E3B2AC second address: 0000019AB5E3B2AC instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 00007F59BC696855h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 00007F59BC6989B6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [000062BAh] 0x0000002c mov ecx, 7FFE0320h 0x00000031 dec eax 0x00000032 mov ecx, dword ptr [ecx] 0x00000034 mov eax, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c imul eax, ecx 0x0000003f dec eax 0x00000040 shr eax, 18h 0x00000043 ret 0x00000044 mov ecx, eax 0x00000046 rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 0000019AB5E3B2AC second address: 0000019AB5E3B2AC instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 00007F59BCACC824h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 00007F59BCACC7F3h 0x00000033 call 00007F59BCACE9B6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [000062BAh] 0x00000042 mov ecx, 7FFE0320h 0x00000047 dec eax 0x00000048 mov ecx, dword ptr [ecx] 0x0000004a mov eax, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 imul eax, ecx 0x00000055 dec eax 0x00000056 shr eax, 18h 0x00000059 ret 0x0000005a mov ecx, eax 0x0000005c rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 0000019AB5E3B2AC second address: 0000019AB5E3B2AC instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 00007F59BC696824h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 00007F59BC6967F3h 0x00000031 call 00007F59BC6989B6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [000062BAh] 0x00000040 mov ecx, 7FFE0320h 0x00000045 dec eax 0x00000046 mov ecx, dword ptr [ecx] 0x00000048 mov eax, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 imul eax, ecx 0x00000053 dec eax 0x00000054 shr eax, 18h 0x00000057 ret 0x00000058 mov ecx, eax 0x0000005a rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 0000019AB5E3B2AC second address: 0000019AB5E3B2AC instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 00007F59BCACC855h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 00007F59BCACE9B6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [000062BAh] 0x0000002c mov ecx, 7FFE0320h 0x00000031 dec eax 0x00000032 mov ecx, dword ptr [ecx] 0x00000034 mov eax, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c imul eax, ecx 0x0000003f dec eax 0x00000040 shr eax, 18h 0x00000043 ret 0x00000044 mov ecx, eax 0x00000046 rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 0000019AB5E3B2AC second address: 0000019AB5E3B2AC instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 00007F59BC696824h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 00007F59BC6967F3h 0x00000033 call 00007F59BC6989B6h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [000062BAh] 0x00000042 mov ecx, 7FFE0320h 0x00000047 dec eax 0x00000048 mov ecx, dword ptr [ecx] 0x0000004a mov eax, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 imul eax, ecx 0x00000055 dec eax 0x00000056 shr eax, 18h 0x00000059 ret 0x0000005a mov ecx, eax 0x0000005c rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 0000019AB5E3B2AC second address: 0000019AB5E3B2AC instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 00007F59BCACC824h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 00007F59BCACC7F3h 0x00000031 call 00007F59BCACE9B6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [000062BAh] 0x00000040 mov ecx, 7FFE0320h 0x00000045 dec eax 0x00000046 mov ecx, dword ptr [ecx] 0x00000048 mov eax, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 imul eax, ecx 0x00000053 dec eax 0x00000054 shr eax, 18h 0x00000057 ret 0x00000058 mov ecx, eax 0x0000005a rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 0000019AB5E3B2AC second address: 0000019AB5E3B2AC instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 sub edi, ebx 0x0000000b xor ebp, ebp 0x0000000d xor edx, edx 0x0000000f div edi 0x00000011 inc esp 0x00000012 mov esi, edx 0x00000014 inc esp 0x00000015 add esi, ebx 0x00000017 je 00007F59BCA39765h 0x00000019 dec edx 0x0000001a lea edi, dword ptr [esi+esi] 0x0000001d call 00007F59BCA3B8C6h 0x00000022 dec eax 0x00000023 sub esp, 28h 0x00000026 call dword ptr [000062BAh] 0x0000002c mov ecx, 7FFE0320h 0x00000031 dec eax 0x00000032 mov ecx, dword ptr [ecx] 0x00000034 mov eax, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c imul eax, ecx 0x0000003f dec eax 0x00000040 shr eax, 18h 0x00000043 ret 0x00000044 mov ecx, eax 0x00000046 rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 0000019AB5E3B2AC second address: 0000019AB5E3B2AC instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 00007F59BCACCAB4h 0x00000022 mov ebx, edx 0x00000024 mov al, cl 0x00000026 lea ebp, dword ptr [eax+eax*2] 0x00000029 mov byte ptr [esi], bl 0x0000002b dec eax 0x0000002c inc esi 0x0000002e dec eax 0x0000002f cmp esi, edi 0x00000031 jc 00007F59BCACCA83h 0x00000033 call 00007F59BCACEC46h 0x00000038 dec eax 0x00000039 sub esp, 28h 0x0000003c call dword ptr [000062BAh] 0x00000042 mov ecx, 7FFE0320h 0x00000047 dec eax 0x00000048 mov ecx, dword ptr [ecx] 0x0000004a mov eax, dword ptr [7FFE0004h] 0x00000051 dec eax 0x00000052 imul eax, ecx 0x00000055 dec eax 0x00000056 shr eax, 18h 0x00000059 ret 0x0000005a mov ecx, eax 0x0000005c rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 0000019AB5E3B2AC second address: 0000019AB5E3B2AC instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 add ebp, 19h 0x0000000c xor edx, edx 0x0000000e div ebp 0x00000010 add dl, 00000061h 0x00000013 xor eax, eax 0x00000015 cmp dl, 0000007Bh 0x00000018 setl cl 0x0000001b mov bl, 20h 0x0000001d cmp dl, 0000007Ah 0x00000020 jnle 00007F59BCA39734h 0x00000022 mov al, cl 0x00000024 lea ebp, dword ptr [eax+eax*2] 0x00000027 mov byte ptr [esi], bl 0x00000029 dec eax 0x0000002a inc esi 0x0000002c dec eax 0x0000002d cmp esi, edi 0x0000002f jc 00007F59BCA39703h 0x00000031 call 00007F59BCA3B8C6h 0x00000036 dec eax 0x00000037 sub esp, 28h 0x0000003a call dword ptr [000062BAh] 0x00000040 mov ecx, 7FFE0320h 0x00000045 dec eax 0x00000046 mov ecx, dword ptr [ecx] 0x00000048 mov eax, dword ptr [7FFE0004h] 0x0000004f dec eax 0x00000050 imul eax, ecx 0x00000053 dec eax 0x00000054 shr eax, 18h 0x00000057 ret 0x00000058 mov ecx, eax 0x0000005a rdtsc
Source: C:\Windows\System32\svchost.exeRDTSC instruction interceptor: First address: 00000195DC0EB2AC second address: 00000195DC0EB2AC instructions: 0x00000000 rdtsc 0x00000002 add eax, ecx 0x00000004 dec eax 0x00000005 add esp, 28h 0x00000008 ret 0x00000009 xor edx, edx 0x0000000b div esi 0x0000000d mov ebx, edx 0x0000000f test ebp, ebp 0x00000011 je 00007F59BCACC82Ch 0x00000013 mov ecx, dword ptr [edi+ebx*4] 0x00000016 lea eax, dword ptr [ebp+01h] 0x00000019 test ecx, ecx 0x0000001b jne 00007F59BCACC807h 0x0000001d mov ebp, eax 0x0000001f call 00007F59BCAD4B56h 0x00000024 dec eax 0x00000025 sub esp, 28h 0x00000028 call dword ptr [000062BAh] 0x0000002e mov ecx, 7FFE0320h 0x00000033 dec eax 0x00000034 mov ecx, dword ptr [ecx] 0x00000036 mov eax, dword ptr [7FFE0004h] 0x0000003d dec eax 0x0000003e imul eax, ecx 0x00000041 dec eax 0x00000042 shr eax, 18h 0x00000045 ret 0x00000046 mov ecx, eax 0x00000048 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000002170B2DB2A0 rdtsc
Contains functionality to query network adapter information
Source: C:\Windows\System32\svchost.exe | Code function: GetAdaptersInfo, 2_2_000002170B2C9650
Source: C:\Windows\System32\svchost.exe | Code function: GetAdaptersInfo, 4_2_0000019AB5E29650
Source: C:\Windows\System32\svchost.exe | Code function: GetAdaptersInfo, 9_2_00000195DC0D9650
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\svchost.exe | Window / User API: threadDelayed 630
Found evasive API chain checking for process token information
Source: C:\Windows\System32\svchost.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5932 | Thread sleep count: 32 > 30
Source: C:\Windows\System32\svchost.exe TID: 5988 | Thread sleep count: 32 > 30
Source: C:\Windows\System32\svchost.exe TID: 6000 | Thread sleep time: -54000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5988 | Thread sleep count: 313 > 30
Source: C:\Windows\System32\svchost.exe TID: 5200 | Thread sleep count: 32 > 30
Source: C:\Windows\System32\svchost.exe TID: 5200 | Thread sleep count: 630 > 30
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000002170B2D5A40 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_0000019AB5E22B30 FindFirstFileW
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_0000019AB5E35A40 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 4_2_0000019AB5E36090 FindFirstFileW,FindNextFileW
Source: C:\Windows\System32\svchost.exe | Code function: 9_2_00000195DC0E5A40 FindFirstFileW,FindNextFileW,FindClose
Enumerates the file system
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Spelling\
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\ncryptprov.dll
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\System32\taskschd.dll
Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: svchost.exe, 00000004.00000003.2319084394.0000019AB6BB1000.00000004.00000001.sdmp | Binary or memory string: <service>@wgencounter.inf,%GenCounter.SVCDESC%;Microsoft Hyper-V Generation Counter</service>
Source: svchost.exe, 00000004.00000002.2396263210.0000019AB609E000.00000004.00000001.sdmp | Binary or memory string: @%SystemRoot%\System32\fveui.dll,-843Hyper-V RAW
Source: svchost.exe, 00000004.00000003.2319084394.0000019AB6BB1000.00000004.00000001.sdmp | Binary or memory string: <service>@virtdisk.inf,%service_desc%;Microsoft Hyper-V VHDPMEM BTT Filter</service>
Source: svchost.exe, 00000004.00000002.2396026560.0000019AB6013000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW@b
Source: svchost.exe, 00000004.00000002.2396212387.0000019AB607B000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000004.00000002.2396345130.0000019AB60CB000.00000004.00000001.sdmp | Binary or memory string: @wvmgid.inf,%VmGid.SVCDESC%;Microsoft Hyper-V Guest Infrastructure Driver
Source: svchost.exe, 00000004.00000003.2319084394.0000019AB6BB1000.00000004.00000001.sdmp | Binary or memory string: <service>@wstorflt.inf,%service_desc%;Microsoft Hyper-V Storage Accelerator</service>
Source: svchost.exe, 00000004.00000003.2319084394.0000019AB6BB1000.00000004.00000001.sdmp | Binary or memory string: <service>@wvpci.inf,%vpci.SVCDESC%;Microsoft Hyper-V Virtual PCI Bus</service>
Source: svchost.exe, 00000002.00000002.1980740176.000002170B413000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.2163501278.00000195DC213000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000004.00000003.2319084394.0000019AB6BB1000.00000004.00000001.sdmp | Binary or memory string: <service>@wvmgid.inf,%VmGid.SVCDESC%;Microsoft Hyper-V Guest Infrastructure Driver</service>
Queries a list of all running processes
Source: C:\Windows\System32\svchost.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000002170B2DB2A0 rdtsc
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\svchost.exe | Code function: 2_2_000002170B2CDE10 LdrLoadDll
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\_#U00e6dB1C3.exe | Code function: 0_2_004041A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\_#U00e6dB1C3.exe | Code function: 0_2_004041B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\_#U00e6dB1C3.exe | Code function: 0_2_00A80350 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\_#U00e6dB1C3.exe | Code function: 0_2_00A90467 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Code function: 3_2_004041A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Code function: 3_2_004041B6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Code function: 3_2_00EF0350 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Code function: 3_2_00F00467 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Code function: 8_2_004041A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Code function: 8_2_004041B6 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\svchost.exe | File created: _#U00c4dB1C3.exe.2.dr
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\_#U00e6dB1C3.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\_#U00e6dB1C3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Trickbot
Source: Yara match | File source: 00000004.00000002.2396092444.0000019AB6035000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2396345130.0000019AB60CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5984, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5164, type: MEMORY

Remote Access Functionality:

Yara detected Trickbot
Source: Yara match | File source: 00000004.00000002.2396092444.0000019AB6035000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2396345130.0000019AB60CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5984, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5164, type: MEMORY

Malware Configuration

Threatname: Trickbot

{"C2 list": ["181.140.173.186:449", "181.112.157.42:449", "212.109.220.111:443", "170.84.78.224:449", "200.21.51.38:449", "79.143.31.246:443", "181.113.28.146:449", "979.143.31.246:443", "185.62.188.34:443", "185.252.144.135:443", "104.168.96.113:443", "5.182.210.226:443", "93.189.46.122:443", "5.182.210.246:443", "91.235.129.25:443", "5.182.210.109:443", "181.129.104.139:449", "190.214.13.2:449", "46.174.235.36:449", "36.89.85.103:449", "181.129.134.18:449", "195.123.217.226:443", "186.71.150.23:449", "131.161.253.190:449", "200.127.121.99:449", "82.146.62.52:443", "85.204.116.128:443", "31.184.254.50:443", "185.99.2.117:443", "185.142.99.8:443", "188.165.62.36:443", "186.232.91.240:449", "982.146.62.52:443", "119.252.165.75:449", "181.196.207.202:449", "180.180.216.177:449", "171.100.142.238:449", "114.8.133.71:449", "121.100.19.18:449", "202.29.215.114:449", "198.8.91.10:443", "5.2.78.43:443", "5.2.78.98:443", "145.2.78.43:443", "5.34.177.40:443", "5.2.78.70:443", "025.2.78.70:443", "5.2.78.77:443", "164.68.120.56:443", "185.11.146.86:443", "185.65.202.240:443", "193.26.217.243:443", "81.177.180.254:443", "185.186.77.222:443", "188.227.84.209:443", "185.45.193.76:443", "46.229.213.27:443", "88.99.112.87:443", "51.254.164.240:443", "45.148.120.13:443", "64.44.51.125:443", "107.172.165.149:443", "45.148.120.14:443"], "modules": ["systeminfo", "pwgrab", "mcconf"]}

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

Time | Type | Description
22:36:16 | Task Scheduler | Run new task: Windows Net Core path: C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
_#U00e6dB1C3.exe | 100% | Avira | TR/AD.TrickBot.kcihv
_#U00e6dB1C3.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | 100% | Avira | TR/AD.TrickBot.kcihv
C:\Users\user\AppData\Roaming\WinNetCore\_#U00c4dB1C3.exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
0.0._#U00e6dB1C3.exe.400000.0.unpack | 100% | Avira | TR/AD.TrickBot.kcihv
8.2._#U00c4dB1C3.exe.a30000.2.unpack | 100% | Avira | HEUR/AGEN.1002615
3.0._#U00c4dB1C3.exe.400000.0.unpack | 100% | Avira | TR/AD.TrickBot.kcihv
0.2._#U00e6dB1C3.exe.b20000.2.unpack | 100% | Avira | HEUR/AGEN.1002615
8.0._#U00c4dB1C3.exe.400000.0.unpack | 100% | Avira | TR/AD.TrickBot.kcihv
3.2._#U00c4dB1C3.exe.31c0000.2.unpack | 100% | Avira | HEUR/AGEN.1002615

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/14/NAT%20status | 100% | Avira URL Cloud | malware
https://181.140.173.186:449/l | 0% | Avira URL Cloud | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/23/1000496/ | 100% | Avira URL Cloud | malware
https://5.182.210.226/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/5/spk/ | 0% | Avira URL Cloud | safe
http://ocsp.int-x3.letsencrypt.org0/ | 0% | URL Reputation | safe
https://181.112.157.42:449/ll | 100% | Avira URL Cloud | malware
https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/23/1000496/ncod | 100% | Avira URL Cloud | malware
https://181.140.173.186:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/5/spk/ | 0% | Avira URL Cloud | safe
https://181.140.173.186:449/hy | 0% | Avira URL Cloud | safe
https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/63/systeminfo/G | 100% | Avira URL Cloud | malware
https://181.112.157.42:449/ | 11% | Virustotal |
https://181.112.157.42:449/ | 100% | Avira URL Cloud | malware
https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/23/1000496/03 | 100% | Avira URL Cloud | malware
http://ipecho.net/plain | 1% | Virustotal |
http://ipecho.net/plain | 0% | Avira URL Cloud | safe
https://181.112.157.42:449/wecan14/414408_W10017134.3F6EFD21885D356394CC1F1E6F329668/5/spk/ | 100% | Avira URL Cloud | malware
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.1980828717.000002170B446000.00000004.00000001.sdmp | JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security
00000004.00000002.2396092444.0000019AB6035000.00000004.00000001.sdmp | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security
00000004.00000002.2396345130.0000019AB60CB000.00000004.00000001.sdmp | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security
Process Memory Space: svchost.exe PID: 5984 | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security
Process Memory Space: svchost.exe PID: 5928 | JoeSecurity_PersistenceViaHiddenTask | Yara detected PersistenceViaHiddenTask | Joe Security
Process Memory Space: svchost.exe PID: 5164 | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security

Unpacked PEs

No yara matches

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\system32\svchost.exe, CommandLine: C:\Windows\system32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\_#U00e6dB1C3.exe' , ParentImage: C:\Users\user\Desktop\_#U00e6dB1C3.exe, ParentProcessId: 5872, ProcessCommandLine: C:\Windows\system32\svchost.exe, ProcessId: 5928

Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: C:\Windows\system32\svchost.exe, CommandLine: C:\Windows\system32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: 'C:\Users\user\Desktop\_#U00e6dB1C3.exe' , ParentImage: C:\Users\user\Desktop\_#U00e6dB1C3.exe, ParentProcessId: 5872, ProcessCommandLine: C:\Windows\system32\svchost.exe, ProcessId: 5928

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
181.112.157.42 | yas10.exe | malicious |
 | fo3DJ9X7CRMdt.exe | malicious |
195.123.217.226 | H604C6A.exe | malicious |
181.140.173.186 | miss_doc_4368-17683.doc | malicious |
 | 35#U0441.exe | malicious |
 | Preview_Report.exe | malicious |
5.182.210.226 | Document_Preview.exe | malicious |
 | H604C6A.exe | malicious |
 | TR9kHQAC5s.exe | malicious |
 | 30#U042b.exe | malicious |
 | 35#U0441.exe | malicious |
 | https://www.kurt-schwitters.schule/wp-includes/eTrac/qt8rkivp/h9ik4v-7660928-80870848-r6ml-35qzenw/ | malicious |
 | Preview PDF.exe | malicious |
216.239.32.21 | iss_cont_DT_174_23992.doc | malicious | ipecho.net/plain
 | bin_e57d.msi | malicious | www.manifestationlifecoach.com/yk5/
 | http://ipecx.co.uk/#jean.champagne@xmedius.com | malicious | ipecx.co.uk/
 | http://srvinsopoypole.com/ | malicious | srvinsopoypole.com/
 | updflsh32x64xxxda.hta | malicious | ipinfo.io/json
 | fo3DJ9X7CRMdt.exe | malicious | myexternalip.com/raw
 | http://185.142.99.64/images/flygame.png | malicious | ipecho.net/plain
 | http://185.142.99.64/images/mini.png | malicious | myexternalip.com/raw
 | iH89YuvaBT.exe | malicious | ipinfo.io/ip
 | COMPANY PROFILE.doc | malicious | ifconfig.me/ip
 | http://kecforging.com/products/cara.exe | malicious | ifconfig.me/ip
 | Product Specifications.doc | malicious | ifconfig.me/ip
 | INQ No REF1500-2019.doc | malicious | ifconfig.me/ip
 | TNT_COLLECTIONS_CONSIGNMENT_K378-19-SIC-RY_-_ATHENA_REF._AE19-295111_1.js | malicious | myexternalip.com/raw
 | filedata.exe | malicious | ipecho.net/plain
 | BHD0Pi7B.doc | malicious | ipecho.net/plain
 | mtwvc.exe | malicious | myexternalip.com/raw
 | BsU4oObXHL.exe | malicious | ipecho.net/plain
 | 183229448.exe | malicious | ipinfo.io/ip
 | #U305f#U4efb#U30c1#U79c1#U3064#U3082#U305f#U30a7#U62b1.exe | malicious | ipecho.net/plain

Domains

Match | Associated Sample Name / URL | Detection | Context
myexternalip.com | Document_Preview.exe | malicious | 216.239.32.21
 | Preview Document.exe | malicious | 216.239.32.21
 | https://protect-us.mimecast.com/s/z9PfC9rYmEuzL735soaia7?domain=microsoftonlinedocuments.onlyoffice.eu | malicious | 216.239.32.21
 | Preview PDF.exe | malicious | 216.239.32.21
 | sample.exe | malicious | 216.239.32.21
 | fo3DJ9X7CRMdt.exe | malicious | 216.239.32.21
 | Preview.exe | malicious | 216.239.32.21
 | Print Document.exe | malicious | 216.239.32.21
 | http://185.142.99.64/images/mini.png | malicious | 216.239.32.21

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | trsss.exe | malicious | 185.244.30.53
 | http://kolpino-sppk.ru | malicious | 93.158.134.119
 | trsss.exe | malicious | 185.244.30.53
 | https://pastebin.com/raw/XUjp6uEe | malicious | 104.20.67.143
 | https://www.impressservice.com/off/out/out/ | malicious | 107.180.51.106
 | https://pastebin.com/raw/XUjp6uEe | malicious | 104.20.68.143
 | ClearTemp.ps1 | malicious | 195.2.93.23
 | https://ikosim-dz.com/DD/ | malicious | 192.229.221.185
 | presentation_k4p.vbs | malicious | 47.90.201.224
 | DOC130219-171355.xls | malicious | 92.38.184.121
 | http://cdnclntr.com/684a91d7f4464c3350.js | malicious | 64.58.121.60
 | http://u14948049.ct.sendgrid.net/ls/click?upn=Rc36Z2fMJU3D7rUrJ-2FkkU3x9FoOSsCNHxEF7UyWtjxgNVcQrh7XW3AAywKlc3FGOhsol6ax9F-2FLkv2YvveSe8qDOyYY8-2FqYJAVU-2FFSj2CeXtVC-2BUVIJEmRXx6eToxaZZyHQi_BUyQusJNY49RaztUqeTfE3REOLwoc0J5w11hPz4Ms1nWw9P02q1Cb-2BvvUQLzwO02wM-2F76O6-2F6VazbGwq6uN-2BlY08Ixy7OUs2-2B0fuOipKqLmCxoxZxSo2Sm-2FJCpU4KQeYci9eAYoaBTINQ29QYlV8Uou0QbtURCYDYgJoG73Hsts0oiJ-2FxFEz4w5loXiwkct6ZuNuWdITOT5CBWGU7noRVA-3D-3D | malicious | 104.27.173.123
 | iss_cont_DT_174_23992.doc | malicious | 193.26.217.243
 | http://my-backup-club-911.xyz | malicious | 195.22.26.248
 | EmailAccessHere-32156676.exe | malicious | 52.7.11.87
 | sample2.docm | malicious | 45.60.23.133
 | http://www.scotia2online.com/support | malicious | 23.23.86.44
 | ndt7-client.exe | malicious | 216.58.201.115
 | http://linkangood.com | malicious | 172.241.69.28
 | OneCloud Files.htm | malicious | 68.66.224.58

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
e62a5f4d538cbf169c2af71bec2399b4 | iss_cont_DT_174_23992.doc | malicious | 5.182.210.226
 | TrickBot-evil.exe | malicious | 5.182.210.226
 | H604C6A.exe | malicious | 5.182.210.226
 | tb.exe | malicious | 5.182.210.226
 | TR9kHQAC5s.exe | malicious | 5.182.210.226
 | Preview Document.exe | malicious | 5.182.210.226
 | 30#U042b.exe | malicious | 5.182.210.226
 | 0493-39-c939920GHsuun29930-2993.exe | malicious | 5.182.210.226
 | 0Q73CN8U6u.exe | malicious | 5.182.210.226
 | 35#U0441.exe | malicious | 5.182.210.226
 | https://protect-us.mimecast.com/s/z9PfC9rYmEuzL735soaia7?domain=microsoftonlinedocuments.onlyoffice.eu | malicious | 5.182.210.226
 | http://etwowofficiel.fr/wp-content/hIAqM/ | malicious | 5.182.210.226
 | https://www.kurt-schwitters.schule/wp-includes/eTrac/qt8rkivp/h9ik4v-7660928-80870848-r6ml-35qzenw/ | malicious | 5.182.210.226
 | http://biomedmat.org/cgi-bin/balance/h4qpml1ykg3l/pr9-105505870-6993813-a72hv4g7t-ofhb/ | malicious | 5.182.210.226
 | http://yesimsatirli.com/baby/Documentation/ | malicious | 5.182.210.226
 | Preview PDF.exe | malicious | 5.182.210.226
 | Unsigned_document_5466367.doc | malicious | 5.182.210.226
 | fo3DJ9X7CRMdt.exe | malicious | 5.182.210.226
 | Preview.exe | malicious | 5.182.210.226
 | stsvc.exe | malicious | 5.182.210.226

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.