
Analysis Report ZVKeVLZ.exe

Overview

General Information

Sample Name:ZVKeVLZ.exe
MD5:b32d28ebab62e99cd2d46aca8b2ffb81
SHA1:956ff7f40b1d35d523b433cba6c36388f08750ff
SHA256:a70a4bed3b213319b99237f8b3f7790f0c02206d784ee2a077c8c1d6cec9d762

Detection

Trickbot
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
High number of junk calls found (likely related to sandbox DOS / API hammering)
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • ZVKeVLZ.exe (PID: 5384 cmdline: 'C:\Users\user\Desktop\ZVKeVLZ.exe' MD5: B32D28EBAB62E99CD2D46ACA8B2FFB81)
    • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wermgr.exe (PID: 5764 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
  • cleanup

Malware Configuration

Threatname: Trickbot

{"gtag": "ono45", "C2 list": ["36.91.45.10:449", "185.99.2.66:443", "110.50.84.5:449", "185.90.61.9:443", "5.1.81.68:443", "45.6.16.68:449", "185.99.2.65:443", "51.81.112.144:443", "192.3.247.123:443", "194.5.250.121:443", "85.204.116.216:443", "190.136.178.52:449", "200.107.35.154:449", "134.119.191.21:443", "185.14.31.104:443", "36.89.243.241:449", "107.175.72.141:443", "110.93.15.98:449", "36.66.218.117:449", "121.100.19.18:449", "95.171.16.42:443", "134.119.191.11:443", "78.108.216.47:443", "181.129.134.18:449", "122.50.6.122:449", "181.129.104.139:449", "131.161.253.190:449", "80.210.32.67:449", "182.253.113.67:449", "103.12.161.194:449", "85.204.116.100:443", "36.89.182.225:449", "181.112.157.42:449", "91.235.129.20:443", "36.92.19.205:449", "103.111.83.246:449", "110.232.76.39:449"], "modules": ["pwgrab", "mcconf"]}

Yara Overview

Memory Dumps

Source: Process Memory Space: wermgr.exe PID: 5764
Rule: JoeSecurity_Trickbot_1
Description: Yara detected Trickbot
Author: Joe Security
Strings: (none listed)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: wermgr.exe.5764.5.memstr | Malware Configuration Extractor: Trickbot (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: https://181.129.134.18:449/ | Virustotal: Detection: 10%
Yara detected Trickbot
Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 5764, type: MEMORY
Machine Learning detection for sample
Source: ZVKeVLZ.exe | Joe Sandbox ML: detected

Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5559070 FindFirstFileW,FindNextFileW
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C555E390 FindFirstFileW

Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax (5_2_00000189C5553DC0)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax (5_2_00000189C55541D0)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp (5_2_00000189C5552A50)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax (5_2_00000189C55494C0)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp (5_2_00000189C55508D0)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx esi, word ptr [edi+02h] (5_2_00000189C555B160)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax (5_2_00000189C5543550)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax (5_2_00000189C5552912)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then cmp dword ptr [eax], ecx (5_2_00000189C555FBB0)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then mov ebx, edx (5_2_00000189C5556860)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then test esi, esi (5_2_00000189C554A460)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then cmp ebp, dword ptr [esp+edi*4+00000080h] (5_2_00000189C554A460)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx (5_2_00000189C55467F0)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax (5_2_00000189C554B2C0)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx edx, word ptr [ecx] (5_2_00000189C554F670)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax (5_2_00000189C555A740)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc edx (5_2_00000189C555BB60)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then mov edx, ecx (5_2_00000189C5556F50)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then lea eax, dword ptr [ecx-01h] (5_2_00000189C5556F50)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx ebp, word ptr [eax] (5_2_00000189C55482F0)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.7:49725 -> 181.129.134.18:449
May check the online IP address of the machine
Source: unknown | DNS query: name: wtfismyip.com
Source: global traffic | TCP traffic: 192.168.2.7:49725 -> 181.129.134.18:449
Source: Joe Sandbox View | IP Address: 51.15.23.91
Source: Joe Sandbox View | ASN Name: EPMTelecomunicacionesSAESPCO
Source: unknown | TCP traffic detected without corresponding DNS query: 185.99.2.65 (reported 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 107.175.72.141 (reported 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 134.119.191.21 (reported 9 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 134.119.191.11 (reported 9 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 192.3.247.123 (reported 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 181.129.134.18 (reported 15 times)
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_004016AD memset,_time64,srand,malloc,printf,WSACreateEvent,WSAGetLastError,WSAEventSelect,WSAGetLastError,printf,WaitForMultipleObjects,memset,recvfrom,wcscmp,rand,Sleep,sendto,WSAGetLastError,WSAGetLastError,printf,printf,WSAResetEvent,free,WSACloseEvent
Source: global traffic | HTTP traffic detected: GET /text HTTP/1.1; Connection: Keep-Alive; User-Agent: curl/7.69.1; Host: wtfismyip.com
Source: unknown | DNS traffic detected: queries for: wtfismyip.com
Source: wermgr.exe, 00000005.00000002.878297808.00000189C5882000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wermgr.exe, 00000005.00000002.877784185.00000189C5718000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabN
Source: wermgr.exe, 00000005.00000002.877919832.00000189C575E000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ena
Source: wermgr.exe, 00000005.00000002.878285186.00000189C5879000.00000004.00000001.sdmp | String found in binary or memory: https://181.129.134.18:449/
Source: wermgr.exe, 00000005.00000002.878297808.00000189C5882000.00000004.00000001.sdmp | String found in binary or memory: https://181.129.134.18:449/)nP
Source: wermgr.exe, 00000005.00000002.878297808.00000189C5882000.00000004.00000001.sdmp | String found in binary or memory: https://181.129.134.18:449/en
Source: wermgr.exe, 00000005.00000002.878240662.00000189C5864000.00000004.00000001.sdmp | String found in binary or memory: https://181.129.134.18:449/ono45/226546_W10017134.2DF2CE29CE65A61F0D62F8E94F121743/14/DNSBL/listed/0
Source: wermgr.exe, 00000005.00000002.878297808.00000189C5882000.00000004.00000001.sdmp | String found in binary or memory: https://181.129.134.18:449/ono45/226546_W10017134.2DF2CE29CE65A61F0D62F8E94F121743/14/path/C:%5CProg
Source: wermgr.exe, 00000005.00000002.878297808.00000189C5882000.00000004.00000001.sdmp | String found in binary or memory: https://181.129.134.18:449/ono45/226546_W10017134.2DF2CE29CE65A61F0D62F8E94F121743/14/user/user/0/
Source: wermgr.exe, 00000005.00000002.878297808.00000189C5882000.00000004.00000001.sdmp | String found in binary or memory: https://181.129.134.18:449/ono45/226546_W10017134.2DF2CE29CE65A61F0D62F8E94F121743/23/1000512/F
Source: wermgr.exe, 00000005.00000002.878297808.00000189C5882000.00000004.00000001.sdmp | String found in binary or memory: https://181.129.134.18:449/ono45/226546_W10017134.2DF2CE29CE65A61F0D62F8E94F121743/23/1000512/U
Source: wermgr.exe, 00000005.00000002.877919832.00000189C575E000.00000004.00000020.sdmp, wermgr.exe, 00000005.00000002.877764208.00000189C5710000.00000004.00000020.sdmp | String found in binary or memory: https://181.129.134.18:449/ono45/226546_W10017134.2DF2CE29CE65A61F0D62F8E94F121743/5/spk/
Source: wermgr.exe, 00000005.00000002.878213611.00000189C5854000.00000004.00000001.sdmp | String found in binary or memory: https://181.129.134.18:449/q
Source: wermgr.exe, 00000005.00000002.878297808.00000189C5882000.00000004.00000001.sdmp | String found in binary or memory: https://181.129.134.18:449/yn
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723

E-Banking Fraud:

Yara detected Trickbot
Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 5764, type: MEMORY

Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C555CEA0 NtQuerySystemInformation,SleepEx,DuplicateHandle,lstrcmpiW,FindCloseChangeNotification,FindCloseChangeNotification
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C554FA60
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5546210
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C555D8E0
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C555E390
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C555CEA0
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C55532F0
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C554B570
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5557D9A
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C554F1A8
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5546590
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5549640
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C555F260
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5548E60
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5543650
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C554E0C0
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5551CE0
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C554BC90
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C554E4F9
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5555BC0
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5558C30
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C555C460
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C554A460
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5544860
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C55427F5
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C555A2B0
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5550A70
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5556F50
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C55606F0
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C555EEF0
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C554D2F0
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5557AF0
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C55482F0
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C554BF20
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C554AF10
Source: ZVKeVLZ.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: ZVKeVLZ.exe | Binary or memory string: OriginalFilenamesfc_os.dllj% vs ZVKeVLZ.exe
Source: ZVKeVLZ.exe | Binary or memory string: OriginalFilenametxfw32.dlllJ vs ZVKeVLZ.exe
Source: classification engine | Classification label: mal96.troj.evad.winEXE@4/0@3/7
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C555DFD0 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification
Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ACDC39AA-C56D-B31A-11EB-81D7924C048D}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_01
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | File created: C:\Users\user\AppData\Local\Temp\log9BD0.tmp
Source: ZVKeVLZ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wermgr.exe | System information queried: HandleInformation
Source: C:\Windows\System32\wermgr.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wermgr.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 4 times)
Source: unknown | Process created: C:\Users\user\Desktop\ZVKeVLZ.exe 'C:\Users\user\Desktop\ZVKeVLZ.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: ZVKeVLZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: sfc_os.pdb)4 | source: ZVKeVLZ.exe
Source: Binary string: sfc_os.pdb | source: ZVKeVLZ.exe
Source: Binary string: C:\Users\User\Desktop\Windows-classic-samples-master\Windows-classic-samples-master\Samples\Win7Samples\winbase\DeviceFoundation\FunctionDiscovery\Provider\Win32\Release\FDProviderSampleDevice.pdb | source: ZVKeVLZ.exe

Source: ZVKeVLZ.exe | Static PE information: real checksum: 0x4820c should be: 0x4821c
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_004028C1 push ecx; ret 0_2_004028D4
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_00402A6C push ecx; ret 0_2_00402A6B
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_00A8C580 push dword ptr [edx+14h]; ret 0_2_00A8C68D
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_00AA1DE7 push 5E614CE4h; retf 0_2_00AA1E22
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_00AA1DC3 push 5E614CE4h; retf 0_2_00AA1E22
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_00A8B803 pushad ; ret 0_2_00A8B804
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_00AA1504 push es; ret 0_2_00AA1508
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_00A8C516 push dword ptr [edx+14h]; ret 0_2_00A8C68D
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_00A8C448 push dword ptr [edx+14h]; ret 0_2_00A8C68D
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_00AA1A5D pushfd ; retf 0_2_00AA1A61

Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

High number of junk calls found (likely related to sandbox DOS / API hammering)
Source: Global behavior | Junk call stats: NtWriteFile 1841508
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\System32\wermgr.exe | RDTSC instruction interceptor: First address: 00000189C5556AE0, second address: 00000189C5556AE0, instructions:
    0x00000000 rdtsc
    0x00000002 dec eax
    0x00000003 shl edx, 20h
    0x00000006 dec eax
    0x00000007 or eax, edx
    0x00000009 ret
    0x0000000a sub eax, BBCF9FC1h
    0x0000000f lea eax, dword ptr [eax+esi-4430603Fh]
    0x00000016 dec eax
    0x00000017 add esp, 20h
    0x0000001a pop esi
    0x0000001b ret
    0x0000001c imul eax, eax, 9E3779B9h
    0x00000022 mov dword ptr [esp+34h], eax
    0x00000026 call 00007F7544C987D6h
    0x0000002b push esi
    0x0000002c dec eax
    0x0000002d sub esp, 20h
    0x00000030 call dword ptr [00002A4Fh]
    0x00000036 mov ecx, 7FFE0320h
    0x0000003b dec eax
    0x0000003c mov ecx, dword ptr [ecx]
    0x0000003e mov eax, dword ptr [7FFE0004h]
    0x00000045 dec eax
    0x00000046 imul eax, ecx
    0x00000049 dec eax
    0x0000004a shr eax, 18h
    0x0000004d ret
    0x0000004e mov esi, eax
    0x00000050 call 00007F7544C8E2B3h
    0x00000055 rdtsc
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5556AE0 rdtsc
Source: C:\Windows\System32\wermgr.exe | Code function: GetAdaptersInfo (5_2_00000189C555A0F0)
Source: C:\Windows\System32\wermgr.exe | Check user administrative privileges: GetTokenInformation
Source: C:\Windows\System32\wermgr.exe | Last function: Thread delayed (reported 2 times)
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5559070 FindFirstFileW,FindNextFileW
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C555E390 FindFirstFileW
Source: wermgr.exe, 00000005.00000002.877784185.00000189C5718000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5556AE0 rdtsc
Source: C:\Windows\System32\wermgr.exe | Code function: 5_2_00000189C5558EA0 LdrLoadDll
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_004021EC IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_00A30467 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\wermgr.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_004025FC SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_004021EC IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Memory allocated: C:\Windows\System32\wermgr.exe base: 189C5540000 protect: page execute and read and write
Writes to foreign memory regions
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Memory written: C:\Windows\System32\wermgr.exe base: 189C5540000
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Memory written: C:\Windows\System32\wermgr.exe base: 7FF692062860
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: wermgr.exe, 00000005.00000002.878537619.00000189C5CC0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: wermgr.exe, 00000005.00000002.878537619.00000189C5CC0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: wermgr.exe, 00000005.00000002.878537619.00000189C5CC0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: wermgr.exe, 00000005.00000002.878537619.00000189C5CC0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Source: C:\Windows\System32\wermgr.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_00402928 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter

Stealing of Sensitive Information:

Yara detected Trickbot
Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 5764, type: MEMORY

Remote Access Functionality:

Yara detected Trickbot
Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 5764, type: MEMORY
Source: C:\Users\user\Desktop\ZVKeVLZ.exe | Code function: 0_2_00401DCE FreeConsole,memset,memset,memset,WSAStartup,GetAddrInfoW,GetAddrInfoW,GetAddrInfoW,socket,WSAGetLastError,bind,WSAGetLastError,CreateEventW,GetLastError,CreateThread,GetLastError,_getwch,printf,printf,FreeAddrInfoW,FreeAddrInfoW,FreeAddrInfoW,closesocket,CloseHandle,CloseHandle,CloseHandle,WSACleanup

Mitre Att&ck Matrix

Techniques are listed per tactic; a number in parentheses is the count shown next to that technique in the report.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Execution through API (1); Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation: Access Token Manipulation (1); Process Injection (212); Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
Defense Evasion: Access Token Manipulation (1); Process Injection (212); Obfuscated Files or Information (2); Obfuscated Files or Information; Masquerading; DLL Search Order Hijacking; Software Packing
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: System Time Discovery (1); Process Discovery (2); Security Software Discovery (121); Remote System Discovery (1); System Network Configuration Discovery (11); File and Directory Discovery (2); System Information Discovery (113)
Lateral Movement: Remote File Copy (2); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Uncommonly Used Port (1); Commonly Used Port (1); Standard Cryptographic Protocol (12); Remote File Copy (2); Standard Non-Application Layer Protocol (2); Standard Application Layer Protocol (3); Uncommonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
