
Analysis Report SecuriteInfo.com.Generic.mg.5930091b65aed962.29544

Overview

General Information

Sample Name: SecuriteInfo.com.Generic.mg.5930091b65aed962.29544 (renamed file extension from 29544 to exe)
Analysis ID: 249929
MD5: 5930091b65aed9627dd1a4e86458b72f
SHA1: 1e6ee2e805e21c007aa70217856bf31141ccc552
SHA256: 91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3

Most interesting Screenshot:

Detection

Trickbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Delayed program exit found
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query network adapter information
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Trickbot

{"gtag": "tot773", "C2 list": ["10.232.76.39:449", "12.50.6.122:449", "110.50.84.5:449", "36.91.45.10:449", "185.90.61.9:443", "5.1.81.68:443", "185.99.2.66:443", "45.6.16.68:449", "185.99.2.65:443", "181.129.104.139:449", "91.235.129.20:443", "190.136.178.52:449", "36.89.182.225:449", "182.253.113.67:449", "134.119.191.21:443", "51.81.112.144:443", "103.111.83.246:449", "194.5.250.121:443", "192.3.247.123:443", "36.66.218.117:449", "36.92.19.205:449", "85.204.116.216:443", "122.50.6.122:449", "78.108.216.47:443", "134.119.191.11:443", "185.14.31.104:443", "95.171.16.42:443", "110.232.76.39:449", "36.89.243.241:449", "131.161.253.190:449", "200.107.35.154:449", "85.204.116.100:443", "181.112.157.42:449", "80.210.32.67:449", "121.100.19.18:449", "103.12.161.194:449", "107.175.72.141:443", "181.129.134.18:449", "110.93.15.98:449"], "modules": ["pwgrab", "mcconf"]}

Yara Overview

Memory Dumps

Source: 00000001.00000002.1225534063.000002116664E000.00000004.00000020.sdmp | Rule: JoeSecurity_Trickbot_1 | Description: Yara detected Trickbot | Author: Joe Security
Source: Process Memory Space: wermgr.exe PID: 3092 | Rule: JoeSecurity_Trickbot_1 | Description: Yara detected Trickbot | Author: Joe Security

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      AV Detection:

      Found malware configuration
      Source: wermgr.exe.3092.1.memstr | Malware Configuration Extractor: Trickbot {"gtag": "tot773", "C2 list": ["10.232.76.39:449", "12.50.6.122:449", "110.50.84.5:449", "36.91.45.10:449", "185.90.61.9:443", "5.1.81.68:443", "185.99.2.66:443", "45.6.16.68:449", "185.99.2.65:443", "181.129.104.139:449", "91.235.129.20:443", "190.136.178.52:449", "36.89.182.225:449", "182.253.113.67:449", "134.119.191.21:443", "51.81.112.144:443", "103.111.83.246:449", "194.5.250.121:443", "192.3.247.123:443", "36.66.218.117:449", "36.92.19.205:449", "85.204.116.216:443", "122.50.6.122:449", "78.108.216.47:443", "134.119.191.11:443", "185.14.31.104:443", "95.171.16.42:443", "110.232.76.39:449", "36.89.243.241:449", "131.161.253.190:449", "200.107.35.154:449", "85.204.116.100:443", "181.112.157.42:449", "80.210.32.67:449", "121.100.19.18:449", "103.12.161.194:449", "107.175.72.141:443", "181.129.134.18:449", "110.93.15.98:449"], "modules": ["pwgrab", "mcconf"]}
      Multi AV Scanner detection for domain / URL
      Source: https://134.119.191.11// | Virustotal: Detection: 10%
      Source: https://185.90.61.9/ | Virustotal: Detection: 8%
      Source: https://134.119.191.21/ | Virustotal: Detection: 8%
      Source: https://134.119.191.11/ | Virustotal: Detection: 10%
      Source: https://85.204.116.216/ | Virustotal: Detection: 7%
      Source: https://185.99.2.66/ | Virustotal: Detection: 8%
      Source: https://45.6.16.68:449/ | Virustotal: Detection: 6%
      Multi AV Scanner detection for submitted file
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Virustotal: Detection: 19%
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | ReversingLabs: Detection: 18%
      Yara detected Trickbot
      Source: Yara match | File source: 00000001.00000002.1225534063.000002116664E000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 3092, type: MEMORY
      Machine Learning detection for sample
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Joe Sandbox ML: detected
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D4A10 FindFirstFileW, 1_2_00000211665D4A10
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D0D50 FindFirstFileW,FindNextFileW, 1_2_00000211665D0D50
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then add ebx, 01h 1_2_00000211665CD260
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 1_2_00000211665C6600
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then mov byte ptr [ecx+eax], dl 1_2_00000211665D1230
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then mov byte ptr [eax], 00000000h 1_2_00000211665D8A20
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then mov esi, edx 1_2_00000211665D12C0
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp 1_2_00000211665CA6B0
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 1_2_00000211665C72A0
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 1_2_00000211665CDB70
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esi 1_2_00000211665CAB70
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx ebx, byte ptr [eax+edi+03h] 1_2_00000211665D6360
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp 1_2_00000211665C1310
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx 1_2_00000211665D7329
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 1_2_00000211665CCBB0
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 1_2_00000211665C8FB0
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 1_2_00000211665C6840
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then test ebp, ebp 1_2_00000211665C4470
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ebp 1_2_00000211665D7427
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec ecx 1_2_00000211665C58C0
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec esp 1_2_00000211665C9C80
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 1_2_00000211665D34B0
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 1_2_00000211665D1140
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 1_2_00000211665C4D60
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx edx, word ptr [ecx] 1_2_00000211665D1D00
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then mov dword ptr [esp+eax*4+70h], eax 1_2_00000211665C1D00
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec ecx 1_2_00000211665C1D00
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 1_2_00000211665D4D80

      Networking:

      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      Source: Traffic | Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.5:49735 -> 185.90.61.9:443
      Source: global traffic | TCP traffic: 192.168.2.5:49719 -> 110.232.76.39:449
      Source: global traffic | TCP traffic: 192.168.2.5:49723 -> 45.6.16.68:449
      Source: Joe Sandbox View | IP Address: 185.90.61.9 185.90.61.9
      Source: Joe Sandbox View | ASN Name: GLOBALHOST-BOSNIA-ASBA GLOBALHOST-BOSNIA-ASBA
      Source: Joe Sandbox View | ASN Name: VELIANET-ASvelianetInternetdiensteGmbHDE VELIANET-ASvelianetInternetdiensteGmbHDE
      Source: Joe Sandbox View | JA3 fingerprint: 8916410db85077a5460817142dcbc8de
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.99.2.66
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.99.2.66
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.99.2.66
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.99.2.66
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.99.2.66
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.99.2.66
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.99.2.66
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.99.2.66
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.99.2.66
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.99.2.66
      Source: unknown | TCP traffic detected without corresponding DNS query: 45.6.16.68
      Source: unknown | TCP traffic detected without corresponding DNS query: 45.6.16.68
      Source: unknown | TCP traffic detected without corresponding DNS query: 45.6.16.68
      Source: unknown | TCP traffic detected without corresponding DNS query: 85.204.116.216
      Source: unknown | TCP traffic detected without corresponding DNS query: 85.204.116.216
      Source: unknown | TCP traffic detected without corresponding DNS query: 85.204.116.216
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.90.61.9
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.90.61.9
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.90.61.9
      Source: unknown | TCP traffic detected without corresponding DNS query: 134.119.191.11
      Source: unknown | TCP traffic detected without corresponding DNS query: 134.119.191.11
      Source: unknown | TCP traffic detected without corresponding DNS query: 134.119.191.11
      Source: unknown | TCP traffic detected without corresponding DNS query: 134.119.191.21
      Source: unknown | TCP traffic detected without corresponding DNS query: 134.119.191.21
      Source: unknown | TCP traffic detected without corresponding DNS query: 134.119.191.21
      Source: wermgr.exe, 00000001.00000002.1225985319.0000021166820000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
      Source: wermgr.exe, 00000001.00000002.1225985319.0000021166820000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
      Source: wermgr.exe, 00000001.00000002.1225985319.0000021166820000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
      Source: wermgr.exe, 00000001.00000002.1225985319.0000021166820000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
      Source: wermgr.exe, 00000001.00000002.1225985319.0000021166820000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com07
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | String found in binary or memory: http://www.myhomepage.com
      Source: wermgr.exe, 00000001.00000002.1226012983.000002116682F000.00000004.00000001.sdmp | String found in binary or memory: https://134.119.191.11/
      Source: wermgr.exe, 00000001.00000002.1226012983.000002116682F000.00000004.00000001.sdmp | String found in binary or memory: https://134.119.191.11//
      Source: wermgr.exe, 00000001.00000002.1226012983.000002116682F000.00000004.00000001.sdmp | String found in binary or memory: https://134.119.191.11/7
      Source: wermgr.exe, 00000001.00000002.1226012983.000002116682F000.00000004.00000001.sdmp | String found in binary or memory: https://134.119.191.11/W
      Source: wermgr.exe, 00000001.00000002.1225534063.000002116664E000.00000004.00000020.sdmp | String found in binary or memory: https://134.119.191.11/tot773/301389_W10017134.98540ECEF76EAED1911CDE564F5F2CC7/5/spk/
      Source: wermgr.exe, 00000001.00000002.1226012983.000002116682F000.00000004.00000001.sdmp | String found in binary or memory: https://134.119.191.21/
      Source: wermgr.exe, 00000001.00000002.1226012983.000002116682F000.00000004.00000001.sdmp | String found in binary or memory: https://134.119.191.21/O
      Source: wermgr.exe, 00000001.00000002.1225534063.000002116664E000.00000004.00000020.sdmp | String found in binary or memory: https://134.119.191.21/tot773/301389_W10017134.98540ECEF76EAED1911CDE564F5F2CC7/5/spk/
      Source: wermgr.exe, 00000001.00000002.1226012983.000002116682F000.00000004.00000001.sdmp | String found in binary or memory: https://134.119.191.21/tot773/301389_W10017134.98540ECEF76EAED1911CDE564F5F2CC7/5/spk/%
      Source: wermgr.exe, 00000001.00000002.1225985319.0000021166820000.00000004.00000001.sdmp | String found in binary or memory: https://134.119.191.21:443/tot773/301389_W10017134.98540ECEF76EAED1911CDE564F5F2CC7/5/spk/
      Source: wermgr.exe, 00000001.00000002.1226012983.000002116682F000.00000004.00000001.sdmp | String found in binary or memory: https://185.90.61.9/
      Source: wermgr.exe, 00000001.00000002.1226012983.000002116682F000.00000004.00000001.sdmp | String found in binary or memory: https://185.90.61.9/9/#
      Source: wermgr.exe, 00000001.00000002.1226012983.000002116682F000.00000004.00000001.sdmp | String found in binary or memory: https://185.90.61.9/o
      Source: wermgr.exe, 00000001.00000002.1226012983.000002116682F000.00000004.00000001.sdmp | String found in binary or memory: https://185.90.61.9/s
      Source: wermgr.exe, 00000001.00000002.1225942911.0000021166804000.00000004.00000001.sdmp | String found in binary or memory: https://185.99.2.66/
      Source: wermgr.exe, 00000001.00000002.1226012983.000002116682F000.00000004.00000001.sdmp | String found in binary or memory: https://45.6.16.68:449/
      Source: wermgr.exe, 00000001.00000002.1225985319.0000021166820000.00000004.00000001.sdmp | String found in binary or memory: https://45.6.16.68:449/tot773/301389_W10017134.98540ECEF76EAED1911CDE564F5F2CC7/5/spk/
      Source: wermgr.exe, 00000001.00000002.1226012983.000002116682F000.00000004.00000001.sdmp | String found in binary or memory: https://85.204.116.216/
      Source: wermgr.exe, 00000001.00000002.1225985319.0000021166820000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
      Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe, 00000000.00000002.829009794.000000000076A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud:

      Yara detected Trickbot
      Source: Yara match | File source: 00000001.00000002.1225534063.000002116664E000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 3092, type: MEMORY
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665CC6D0 NtQuerySystemInformation,SleepEx,DuplicateHandle,lstrcmpiW,FindCloseChangeNotification,FindCloseChangeNotification, 1_2_00000211665CC6D0
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Code function: 0_2_00403558 0_2_00403558
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Code function: 0_2_0040357C 0_2_0040357C
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Code function: 0_2_00403588 0_2_00403588
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Code function: 0_2_00403593 0_2_00403593
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D8240 1_2_00000211665D8240
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665CC6D0 1_2_00000211665CC6D0
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D4FC0 1_2_00000211665D4FC0
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665C6C30 1_2_00000211665C6C30
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665C9A50 1_2_00000211665C9A50
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D9660 1_2_00000211665D9660
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665DC210 1_2_00000211665DC210
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665C6E10 1_2_00000211665C6E10
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D8A20 1_2_00000211665D8A20
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665CFEB0 1_2_00000211665CFEB0
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D5AB0 1_2_00000211665D5AB0
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665C2350 1_2_00000211665C2350
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D6360 1_2_00000211665D6360
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D8700 1_2_00000211665D8700
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665CBFD0 1_2_00000211665CBFD0
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D7BC0 1_2_00000211665D7BC0
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D13E0 1_2_00000211665D13E0
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D6F80 1_2_00000211665D6F80
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665CB7B0 1_2_00000211665CB7B0
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665C4470 1_2_00000211665C4470
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665C8410 1_2_00000211665C8410
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665C58C0 1_2_00000211665C58C0
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665C40E0 1_2_00000211665C40E0
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D34B0 1_2_00000211665D34B0
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665C39D0 1_2_00000211665C39D0
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665C2DB0 1_2_00000211665C2DB0
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665CA9A0 1_2_00000211665CA9A0
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Binary or memory string: OriginalFilenameTextFormat.exect vs SecuriteInfo.com.Generic.mg.5930091b65aed962.exe
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Binary or memory string: E@@E*\AF:\Draw_\TextFormat.vbp4
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe, 00000000.00000002.828015377.0000000000454000.00000004.00020000.sdmp | Binary or memory string: @*\AF:\Draw_\TextFormat.vbp
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/0@0/7
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665DADB0 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification, 1_2_00000211665DADB0
      Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{A680BD2E-C2AA-4AF6-892F-46FA57635406}
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | File created: C:\Users\user\AppData\Local\Temp\~DF6BC4AE9441C08AF4.TMP
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Windows\System32\wermgr.exe | System information queried: HandleInformation
      Source: C:\Windows\System32\wermgr.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Virustotal: Detection: 19%
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | ReversingLabs: Detection: 18%
      Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe'
      Source: unknown | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: C:\Users\911\Desktop\TextFormat.pdb | source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe
      Source: SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Static PE information: real checksum: 0x5e755 should be: 0x87f13
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Code function: 0_2_0218228B push dword ptr [edx+14h]; ret 0_2_021822ED
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Code function: 0_2_021821E0 push dword ptr [edx+14h]; ret 0_2_021822ED
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Delayed program exit found
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Code function: 0_2_0218515F Sleep,ExitProcess, 0_2_0218515F
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Code function: 0_2_02185099 Sleep,ExitProcess, 0_2_02185099
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Windows\System32\wermgr.exe | RDTSC instruction interceptor: First address: 00000211665D6B10 second address: 00000211665D6B10 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a add eax, esi 0x0000000c dec eax 0x0000000d add esp, 20h 0x00000010 pop esi 0x00000011 ret 0x00000012 imul eax, eax, 9E3779B9h 0x00000018 mov dword ptr [esp+34h], eax 0x0000001c call 00007F56E4B8B426h 0x00000021 push esi 0x00000022 dec eax 0x00000023 sub esp, 20h 0x00000026 call dword ptr [00018085h] 0x0000002c mov ecx, 7FFE0320h 0x00000031 dec eax 0x00000032 mov ecx, dword ptr [ecx] 0x00000034 mov eax, dword ptr [7FFE0004h] 0x0000003b dec eax 0x0000003c imul eax, ecx 0x0000003f dec eax 0x00000040 shr eax, 18h 0x00000043 ret 0x00000044 mov esi, eax 0x00000046 call 00007F56E4BAD0C3h 0x0000004b rdtsc
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D6B10 rdtsc 1_2_00000211665D6B10
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665CF941 sldt word ptr [eax] 1_2_00000211665CF941
      Source: C:\Windows\System32\wermgr.exe | Code function: GetAdaptersInfo, 1_2_00000211665D3C60
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Window / User API: threadDelayed 2285
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Window / User API: threadDelayed 451
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Window / User API: threadDelayed 7068
      Source: C:\Windows\System32\wermgr.exe | Last function: Thread delayed
      Source: C:\Windows\System32\wermgr.exe | Last function: Thread delayed
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D4A10 FindFirstFileW, 1_2_00000211665D4A10
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D0D50 FindFirstFileW,FindNextFileW, 1_2_00000211665D0D50
      Source: wermgr.exe, 00000001.00000002.1225942911.0000021166804000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW7
      Source: wermgr.exe, 00000001.00000002.1225942911.0000021166804000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D6B10 rdtsc 1_2_00000211665D6B10
      Source: C:\Windows\System32\wermgr.exe | Code function: 1_2_00000211665D6230 LdrLoadDll, 1_2_00000211665D6230
      Source: C:\Windows\System32\wermgr.exe | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion:

      Allocates memory in foreign processes
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Memory allocated: C:\Windows\System32\wermgr.exe base: 211665C0000 protect: page execute and read and write
      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Memory written: C:\Windows\System32\wermgr.exe base: 211665C0000
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Memory written: C:\Windows\System32\wermgr.exe base: 7FF72A282860
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Generic.mg.5930091b65aed962.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
      Source: wermgr.exe, 00000001.00000002.1226269447.0000021166D20000.00000002.00000001.sdmp | Binary or memory string: Program Manager
      Source: wermgr.exe, 00000001.00000002.1226269447.0000021166D20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: wermgr.exe, 00000001.00000002.1226269447.0000021166D20000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: wermgr.exe, 00000001.00000002.1226269447.0000021166D20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: C:\Windows\System32\wermgr.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\wermgr.exe | Queries volume information: C:\ VolumeInformation

      Stealing of Sensitive Information:

      Yara detected Trickbot
      Source: Yara match | File source: 00000001.00000002.1225534063.000002116664E000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 3092, type: MEMORY

      Remote Access Functionality:

      Yara detected Trickbot
      Source: Yara match | File source: 00000001.00000002.1225534063.000002116664E000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 3092, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
      Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
      Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
      Privilege Escalation: Access Token Manipulation1; Process Injection212; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
      Defense Evasion: Virtualization/Sandbox Evasion1; Access Token Manipulation1; Process Injection212; Obfuscated Files or Information2; Masquerading; DLL Search Order Hijacking; Software Packing
      Credential Access: Input Capture1; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
      Discovery: Virtualization/Sandbox Evasion1; Process Discovery2; Application Window Discovery1; Security Software Discovery111; System Network Configuration Discovery1; File and Directory Discovery2; System Information Discovery112
      Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
      Collection: Input Capture1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
      Exfiltration: Data Encrypted1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
      Command and Control: Uncommonly Used Port1; Standard Cryptographic Protocol12; Standard Application Layer Protocol1; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

      Behavior Graph

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.