
Analysis Report SecuriteInfo.com.Trojan.Packed.140.3453.15717

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.Packed.140.3453.15717 (renamed file extension from 15717 to exe)
Analysis ID:255712
MD5:cb254981aa8af596d5463a174a08c79e
SHA1:b25f55ab97eb9da84a1047b0956db3bd695adf63
SHA256:4e7e9d264a3c7e6808daf86b8cccc4f2f0d3ab7860c7659890adcb821fe059be


Detection

Trickbot
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Delayed program exit found
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification: mal88.troj.evad.winEXE@3/1@3/5

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.Packed.140.3453.exe (PID: 6940 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe' MD5: CB254981AA8AF596D5463A174A08C79E)
    • wermgr.exe (PID: 4992 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
  • cleanup

Malware Configuration

Threatname: Trickbot

{"gtag": "ono57", "C2 list": ["36.91.45.10:449", "185.99.2.65:443", "185.99.2.66:443", "110.50.84.5:449", "185.90.61.9:443", "5.1.81.68:443", "45.6.16.68:449", "181.112.157.42:449", "121.100.19.18:449", "80.210.32.67:449", "181.129.104.139:449", "110.93.15.98:449", "122.50.6.122:449", "134.119.191.21:443", "36.92.19.205:449", "78.108.216.47:443", "107.175.72.141:443", "85.204.116.216:443", "95.171.16.42:443", "51.81.112.144:443", "103.12.161.194:449", "36.89.243.241:449", "185.14.31.104:443", "103.111.83.246:449", "110.232.76.39:449", "36.66.218.117:449", "131.161.253.190:449", "190.136.178.52:449", "200.107.35.154:449", "134.119.191.11:443", "181.129.134.18:449", "36.89.182.225:449", "182.253.113.67:449", "192.3.247.123:443", "91.235.129.20:443", "85.204.116.100:443", "194.5.250.121:443"], "modules": ["pwgrab", "mcconf"]}
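The configuration above is the most directly actionable part of the report: 37 hard-coded C2 servers on ports 443 and 449, contacted by IP (which is why the Networking section lists TCP traffic with no preceding DNS query). The following is an added example, not part of the Joe Sandbox report or of Trickbot, that turns that JSON into (ip, port) indicators and runs them over flow records. CONFIG_JSON is the report's extracted configuration copied verbatim; SAMPLE_FLOWS are constructed records (the first mirrors the connection the Snort alert fired on, the others only reuse IPs from the report or are made up).

```python
"""IOC extraction from the Trickbot configuration the sandbox pulled out of wermgr.exe.

Added example, not part of the Joe Sandbox report. CONFIG_JSON is copied from the
report; SAMPLE_FLOWS are constructed for illustration.
"""
import ipaddress
import json
import re
from collections import Counter

CONFIG_JSON = '''{"gtag": "ono57", "C2 list": ["36.91.45.10:449", "185.99.2.65:443",
"185.99.2.66:443", "110.50.84.5:449", "185.90.61.9:443", "5.1.81.68:443", "45.6.16.68:449",
"181.112.157.42:449", "121.100.19.18:449", "80.210.32.67:449", "181.129.104.139:449",
"110.93.15.98:449", "122.50.6.122:449", "134.119.191.21:443", "36.92.19.205:449",
"78.108.216.47:443", "107.175.72.141:443", "85.204.116.216:443", "95.171.16.42:443",
"51.81.112.144:443", "103.12.161.194:449", "36.89.243.241:449", "185.14.31.104:443",
"103.111.83.246:449", "110.232.76.39:449", "36.66.218.117:449", "131.161.253.190:449",
"190.136.178.52:449", "200.107.35.154:449", "134.119.191.11:443", "181.129.134.18:449",
"36.89.182.225:449", "182.253.113.67:449", "192.3.247.123:443", "91.235.129.20:443",
"85.204.116.100:443", "194.5.250.121:443"], "modules": ["pwgrab", "mcconf"]}'''

FLOW_RE = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def c2_endpoints(config_json):
    """Return the configured C2 servers as a set of (ip, port) tuples.

    Every entry is validated as an IP literal: the config carries raw addresses,
    which is why the sandbox saw TCP traffic without a corresponding DNS query.
    """
    cfg = json.loads(config_json)
    endpoints = set()
    for entry in cfg.get("C2 list", []):
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)  # ValueError on anything that is not an IP
        endpoints.add((host, int(port)))
    return endpoints


def port_profile(endpoints):
    """Endpoints per port; the 443/449 split shows why a 'non-standard port'
    rule on its own would miss a large part of this list."""
    return Counter(port for _, port in endpoints)


def match_flows(flow_lines, endpoints):
    """Match 'src:sport -> dst:dport' records against the C2 set.

    A destination IP match is reported even when the port differs, because the
    infrastructure is the indicator; 'exact' records whether the port matched too.
    """
    c2_ips = {ip for ip, _ in endpoints}
    hits = []
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if dst in c2_ips:
            hits.append({"flow": line.strip(), "dst": dst, "dport": dport,
                         "exact": (dst, dport) in endpoints})
    return hits


# Constructed flow records (only the first one appears verbatim in the report).
SAMPLE_FLOWS = [
    "192.168.2.5:49761 -> 36.91.45.10:449",   # from the report: Snort 2404332 fired on it
    "192.168.2.5:49757 -> 95.171.16.42:443",  # constructed: IP from the no-DNS list
    "192.168.2.5:49800 -> 104.16.0.1:443",    # constructed: unrelated HTTPS
    "192.168.2.5:49801 -> 36.91.45.10:80",    # constructed: C2 host, unexpected port
]

if __name__ == "__main__":
    eps = c2_endpoints(CONFIG_JSON)
    print("endpoints:", len(eps), "per port:", dict(port_profile(eps)))
    for hit in match_flows(SAMPLE_FLOWS, eps):
        print("C2 hit:", hit)
```

The IP-only match is deliberate: Trickbot operators rotate ports on the same hosts between configs, so blocking the host and merely annotating the port mismatch loses less than requiring an exact (ip, port) pair.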

Yara Overview

Memory Dumps

Source: Process Memory Space: wermgr.exe PID: 4992
Rule: JoeSecurity_Trickbot_1
Description: Yara detected Trickbot
Author: Joe Security
Strings: (none listed)

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Found malware configuration
    Source: wermgr.exe.4992.10.memstr; Malware Configuration Extractor: Trickbot (configuration as listed under Malware Configuration above)
    Yara detected Trickbot
    Source: Yara match; File source: Process Memory Space: wermgr.exe PID: 4992, type: MEMORY
    Machine Learning detection for sample
    Source: SecuriteInfo.com.Trojan.Packed.140.3453.exe; Joe Sandbox ML: detected
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B521240 FindFirstFileW,FindNextFileW
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B515EC0 FindFirstFileW
    Found inlined nop instructions (likely shell or obfuscated code)
    Note: wermgr.exe is a 64-bit image and the injected region at 000001518B5xxxxx holds 64-bit code, but the sandbox decodes it as 32-bit. The "dec eax", "inc ecx", "inc ebx", "inc esp" and "inc ebp" shown after the nops are the REX prefix bytes 0x48, 0x41, 0x43, 0x44 and 0x45 of the following instruction, not instructions of their own.
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax (10_2_000001518B50DA90)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc esp (10_2_000001518B517280)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then call 000001518B506E40h (10_2_000001518B504A80)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax (10_2_000001518B504700)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax (10_2_000001518B51EB20)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then cmp dword ptr [eax], ecx (10_2_000001518B5056D0)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc ecx (10_2_000001518B51E175)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc ecx (10_2_000001518B51E19A)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax (10_2_000001518B50B570)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc ecx (10_2_000001518B51E154)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc ecx (10_2_000001518B51E209)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then movzx edx, word ptr [ecx] (10_2_000001518B50C200)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc ecx (10_2_000001518B51E1C9)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc ecx (10_2_000001518B51E1E7)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax (10_2_000001518B51C074)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax (10_2_000001518B5078A0)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc esp (10_2_000001518B50FD10)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc ebx (10_2_000001518B50F100)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc ecx (10_2_000001518B51E0E0)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc ebp (10_2_000001518B514F88)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax (10_2_000001518B503B80, listed twice in the report)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax (10_2_000001518B516F50)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax (10_2_000001518B51B010)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then inc ecx (10_2_000001518B508400)
    Source: C:\Windows\System32\wermgr.exe; Code function: 4x nop then dec eax (10_2_000001518B504BD0)

    Networking:

    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Source: Traffic; Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.5:49761 -> 36.91.45.10:449
    May check the online IP address of the machine
    Source: unknown; DNS query: name: wtfismyip.com (2 queries)
    Source: global traffic; TCP traffic: 192.168.2.5:49761 -> 36.91.45.10:449
    Source: unknown; TCP traffic detected without corresponding DNS query: 51.81.112.144 (3 times)
    Source: unknown; TCP traffic detected without corresponding DNS query: 95.171.16.42 (9 times)
    Source: unknown; TCP traffic detected without corresponding DNS query: 185.14.31.104 (3 times)
    Source: unknown; TCP traffic detected without corresponding DNS query: 36.91.45.10 (15 times)
    Source: global traffic; HTTP traffic detected:
        GET /text HTTP/1.1
        Connection: Keep-Alive
        User-Agent: curl/7.69.1
        Host: wtfismyip.com
    Source: unknown; DNS traffic detected: queries for: wtfismyip.com
    Source: wermgr.exe, 0000000A.00000002.1537294361.000001518D048000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: wermgr.exe, 0000000A.00000002.1536838728.000001518B67F000.00000004.00000020.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
    Source: wermgr.exe, 0000000A.00000002.1537294361.000001518D048000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    Source: wermgr.exe, 0000000A.00000002.1537294361.000001518D048000.00000004.00000001.sdmp, wermgr.exe, 0000000A.00000002.1536838728.000001518B67F000.00000004.00000020.sdmp; String found in binary or memory: https://36.91.45.10:449/
    Source: wermgr.exe, 0000000A.00000002.1537294361.000001518D048000.00000004.00000001.sdmp; String found in binary or memory: https://36.91.45.10:449/der
    Source: wermgr.exe, 0000000A.00000002.1536902567.000001518B69F000.00000004.00000020.sdmp; String found in binary or memory: https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA8511D03E208DF15C433B3B9952/14/DNSBL/listed/0/
    Source: wermgr.exe, 0000000A.00000002.1537294361.000001518D048000.00000004.00000001.sdmp; String found in binary or memory: https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA8511D03E208DF15C433B3B9952/14/DNSBL/listed/0/B
    Source: wermgr.exe, 0000000A.00000002.1537294361.000001518D048000.00000004.00000001.sdmp; String found in binary or memory: https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA8511D03E208DF15C433B3B9952/14/DNSBL/listed/0/F5
    Source: wermgr.exe, 0000000A.00000002.1537294361.000001518D048000.00000004.00000001.sdmp; String found in binary or memory: https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA8511D03E208DF15C433B3B9952/14/DNSBL/listed/0/g
    Source: wermgr.exe, 0000000A.00000002.1537294361.000001518D048000.00000004.00000001.sdmp; String found in binary or memory: https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA8511D03E208DF15C433B3B9952/14/DNSBL/listed/0/ve
    Source: wermgr.exe, 0000000A.00000002.1537294361.000001518D048000.00000004.00000001.sdmp; String found in binary or memory: https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA8511D03E208DF15C433B3B9952/14/user/user/0/
    Source: wermgr.exe, 0000000A.00000002.1537294361.000001518D048000.00000004.00000001.sdmp; String found in binary or memory: https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA8511D03E208DF15C433B3B9952/14/user/user/0/Enc
    Source: wermgr.exe, 0000000A.00000002.1537362941.000001518D0B4000.00000004.00000001.sdmp, wermgr.exe, 0000000A.00000002.1537294361.000001518D048000.00000004.00000001.sdmp; String found in binary or memory: https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA8511D03E208DF15C433B3B9952/23/1000512/
    Source: wermgr.exe, 0000000A.00000002.1537294361.000001518D048000.00000004.00000001.sdmp; String found in binary or memory: https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA8511D03E208DF15C433B3B9952/23/1000512/d
    Source: wermgr.exe, 0000000A.00000002.1536902567.000001518B69F000.00000004.00000020.sdmp, wermgr.exe, 0000000A.00000002.1536838728.000001518B67F000.00000004.00000020.sdmp; String found in binary or memory: https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA8511D03E208DF15C433B3B9952/5/spk/
    Source: unknown; Network traffic detected: HTTP traffic on port 49757 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49758 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 49760 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49759
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49758
    Source: unknown; Network traffic detected: HTTP traffic on port 49759 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49757
    Source: unknown; Network traffic detected: HTTP traffic on port 49756 -> 443
    Source: SecuriteInfo.com.Trojan.Packed.140.3453.exe, 00000000.00000002.1373393799.000000000073A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
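The https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA…/14/… strings above are Trickbot check-in URLs, and their path carries the fields an analyst wants for pivoting: the group tag (ono57, matching "gtag" in the extracted configuration), a client identifier built from the computer name, the Windows version and a per-bot GUID, and a numeric command followed by its arguments. The following is an added example, not part of the Joe Sandbox report or of Trickbot, that decodes those URLs. It assumes only the layout visible in the strings, /<gtag>/<client_id>/<command>/<args...>/ with client_id of the form <COMPUTERNAME>_W<major><minor><build>.<32 hex digits>; the field names are the editor's labels, and the command numbers (5, 14, 23) are passed through without interpretation because the report does not document them.

```python
"""Decode the Trickbot check-in URLs the report recovered from wermgr.exe memory.

Added example, not part of the Joe Sandbox report. Field names are the editor's
labels; the path layout is the one visible in the report's strings.
"""
import re
from urllib.parse import urlsplit

CLIENT_ID_RE = re.compile(r"^(?P<name>.+?)_W(?P<ver>\d+)\.(?P<guid>[0-9A-Fa-f]{32})$")

# URLs copied from the report (the first is a bare C2 root without a check-in path).
REPORT_URLS = [
    "https://36.91.45.10:449/",
    "https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA8511D03E208DF15C433B3B9952/14/DNSBL/listed/0/",
    "https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA8511D03E208DF15C433B3B9952/14/user/user/0/",
    "https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA8511D03E208DF15C433B3B9952/23/1000512/",
    "https://36.91.45.10:449/ono57/116938_W10017134.5C7BBA8511D03E208DF15C433B3B9952/5/spk/",
]


def split_windows_version(ver):
    """'10017134' -> (10, 0, 17134); '617601' -> (6, 1, 7601).

    Major, minor and build are concatenated with no separator, so the split is a
    heuristic: a leading '10' is the major version, otherwise the first digit is;
    the next digit is the minor version and the remainder is the build number.
    """
    if ver.startswith("10"):
        major, rest = 10, ver[2:]
    else:
        major, rest = int(ver[0]), ver[1:]
    if len(rest) < 2:
        raise ValueError("version string too short: %r" % ver)
    return major, int(rest[0]), int(rest[1:])


def parse_beacon(url):
    """Split one check-in URL into its fields; ValueError if it is not one."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 3:
        raise ValueError("no <gtag>/<client_id>/<command> in %r" % parts.path)
    gtag, client_id, command, *args = segments
    m = CLIENT_ID_RE.match(client_id)
    if not m or not command.isdigit():
        raise ValueError("unexpected client id or command in %r" % parts.path)
    major, minor, build = split_windows_version(m["ver"])
    return {
        "c2": parts.hostname, "port": parts.port, "gtag": gtag,
        "computer_name": m["name"], "windows": (major, minor, build),
        "client_guid": m["guid"].upper(), "command": int(command), "args": args,
    }


def summarize(urls):
    """Group URLs by (gtag, client GUID) and collect the command numbers each used."""
    seen = {}
    for url in urls:
        try:
            beacon = parse_beacon(url)
        except ValueError:
            continue  # bare roots and truncated memory strings are skipped
        seen.setdefault((beacon["gtag"], beacon["client_guid"]), set()).add(beacon["command"])
    return seen


if __name__ == "__main__":
    for url in REPORT_URLS[1:]:
        print(parse_beacon(url))
    print(summarize(REPORT_URLS))
```

The GUID is the stable per-victim key: the same bot reports with it across sessions, so grouping by (gtag, GUID) from proxy logs gives a victim count per campaign tag, while the computer name and Windows build in the same path tell you which host to pull for forensics.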

    E-Banking Fraud:

    Yara detected Trickbot
    Source: Yara match; File source: Process Memory Space: wermgr.exe PID: 4992, type: MEMORY
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe; Code function: 0_2_022A0010 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B503DA0 NtQuerySystemInformation,SleepEx,DuplicateHandle,lstrcmpiW,FindCloseChangeNotification,FindCloseChangeNotification
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe; Code function: 0_2_02BE1D9E
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B51AB20
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B515EC0
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B503DA0
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B51DD50
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B501800
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B50A7E0
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B5162B0
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B51D300
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B509730
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B50CED0
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B50F2F0
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B503D90
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B511DA0
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B519970
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B517E02
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B51EE00
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B51A620
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B5031D0
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B5149E0
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B507C90
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B513C80
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B5078A0
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B51CC60
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B510D00
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B5130C0
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B505B80
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B50DBA0
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B501002
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B508400
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B507023
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B511423
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B51C3C0
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B519FC0
    Source: SecuriteInfo.com.Trojan.Packed.140.3453.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (2 resources)
    Source: SecuriteInfo.com.Trojan.Packed.140.3453.exe, 00000000.00000002.1373598004.0000000002260000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.Packed.140.3453.exe
    Source: SecuriteInfo.com.Trojan.Packed.140.3453.exe; Binary or memory string: OriginalFilenameVistor3.exect vs SecuriteInfo.com.Trojan.Packed.140.3453.exe
    Source: SecuriteInfo.com.Trojan.Packed.140.3453.exe; Binary or memory string: C*\AD:\An_amazing\Vistor3.vbpL3@%
    Source: SecuriteInfo.com.Trojan.Packed.140.3453.exe, 00000000.00000002.1372814117.000000000043D000.00000004.00020000.sdmp; Binary or memory string: b@*\AD:\An_amazing\Vistor3.vbp
    Source: SecuriteInfo.com.Trojan.Packed.140.3453.exe; Binary or memory string: C*\AD:\An_amazing\Vistor3.vbp
    Source: classification engine; Classification label: mal88.troj.evad.winEXE@3/1@3/5
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B50E3E0 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification
    Source: C:\Windows\System32\wermgr.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{8A24F955-E17D-3739-C574-14E6891B75E7}
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe; File created: C:\Users\user\AppData\Local\Temp\log9899.tmp
    Source: SecuriteInfo.com.Trojan.Packed.140.3453.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Windows\System32\wermgr.exe; System information queried: HandleInformation
    Source: C:\Windows\System32\wermgr.exe; File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\wermgr.exe; File read: C:\Windows\System32\drivers\etc\hosts (4 times)
    Source: unknown; Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe'
    Source: unknown; Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe; Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32
    Source: SecuriteInfo.com.Trojan.Packed.140.3453.exe; Static PE information: real checksum: 0x44ba1 should be: 0x7d9a3
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_0040C85F push edx; retf 0_2_0040C874
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_0040C87F push edx; retf 0_2_0040C874
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_00403483 push ds; retn 0000h0_2_00403487
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_0040D947 push ds; retf 0_2_0040D949
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_0040754C push es; ret 0_2_00407566
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_0040D93A push ds; retf 0_2_0040D946
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_0040C188 push FFFFFFF9h; iretd 0_2_0040C18F
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_02BE0739 push dword ptr [edx+14h]; ret 0_2_02BE079D
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E08D8 push edx; ret 0_2_021E0901
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E0218 push edx; ret 0_2_021E0241
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E6214 push edx; ret 0_2_021E6241
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E4A13 push edx; ret 0_2_021E4A41
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E3213 push edx; ret 0_2_021E3241
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E1A13 push edx; ret 0_2_021E1A41
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E4205 push edx; ret 0_2_021E4231
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E2A05 push edx; ret 0_2_021E2A31
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E1205 push edx; ret 0_2_021E1231
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E5A03 push edx; ret 0_2_021E5A31
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E4233 push edx; ret 0_2_021E4261
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E2A33 push edx; ret 0_2_021E2A61
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E1233 push edx; ret 0_2_021E1261
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E5A33 push edx; ret 0_2_021E5A61
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E3A24 push edx; ret 0_2_021E3A51
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E2224 push edx; ret 0_2_021E2251
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E0A24 push edx; ret 0_2_021E0A51
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E6A24 push edx; ret 0_2_021E6A51
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E5225 push edx; ret 0_2_021E5251
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E9A23 push edx; ret 0_2_021E9A51
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E0A58 push edx; ret 0_2_021E0A81
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E3A54 push edx; ret 0_2_021E3A81
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exeCode function: 0_2_021E2254 push edx; ret 0_2_021E2281
    Source: initial sampleStatic PE information: section name: .text entropy: 6.81163592969
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe; Process information set: NOOPENFILEERRORBOX (23 times)

    Malware Analysis System Evasion:

    Delayed program exit found
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe; Code function: 0_2_02BC8B1E Sleep,ExitProcess
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Windows\System32\wermgr.exe; RDTSC instruction interceptor: first address: 000001518B50FD00, second address: 000001518B50FD00. Instructions as the sandbox decoded them (32-bit decoding of 64-bit code: the "dec eax", "inc esp" and "inc eax" bytes 0x48, 0x44 and 0x40 are REX prefixes of the instruction that follows, not separate instructions; the 64-bit reading is given after the semicolon):
        0x00000000 rdtsc
        0x00000002 dec eax
        0x00000003 shl edx, 20h                   ; shl rdx, 32
        0x00000006 dec eax
        0x00000007 or eax, edx                    ; or rax, rdx: full 64-bit TSC in rax
        0x00000009 ret
        0x0000000a dec eax
        0x0000000b mov esi, eax                   ; mov rsi, rax: caller keeps the first TSC value
        0x0000000d call dword ptr [0001C6F2h]
        0x00000013 mov ecx, 7FFE0320h             ; KUSER_SHARED_DATA.TickCountQuad
        0x00000018 dec eax
        0x00000019 mov ecx, dword ptr [ecx]       ; mov rcx, [rcx]
        0x0000001b mov eax, dword ptr [7FFE0004h] ; KUSER_SHARED_DATA.TickCountMultiplier
        0x00000022 dec eax
        0x00000023 imul eax, ecx                  ; imul rax, rcx
        0x00000026 dec eax
        0x00000027 shr eax, 18h                   ; shr rax, 24: TickCountQuad * TickCountMultiplier >> 24 is GetTickCount64 inlined
        0x0000002a ret
        0x0000002b inc esp
        0x0000002c mov esi, eax                   ; REX.R-prefixed 32-bit mov (one operand is an r8d-r15d register)
        0x0000002e inc eax
        0x0000002f movzx ebx, dh                  ; under a REX prefix this byte register is sil, not dh
        0x00000032 call 00007F5B9C99E751h
        0x00000037 rdtsc
    The code thus compares a TSC delta against a tick-count delta read straight from the KUSER_SHARED_DATA page at 0x7FFE0000, with no API call that a hook could intercept; a hypervisor that traps or scales RDTSC, or a debugger that stalls execution between the two reads, skews the ratio the malware expects.
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B50FD00 rdtsc
    Source: C:\Windows\System32\wermgr.exe; Code function: GetAdaptersInfo (10_2_000001518B51B840)
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe; Window / User API: threadDelayed 2537
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe; Window / User API: threadDelayed 6733
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe; Window / User API: threadDelayed 531
    Source: C:\Windows\System32\wermgr.exe; Last function: Thread delayed
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B521240 FindFirstFileW,FindNextFileW
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B515EC0 FindFirstFileW
    Source: wermgr.exe, 0000000A.00000002.1537294361.000001518D048000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
    Source: wermgr.exe, 0000000A.00000002.1537294361.000001518D048000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW"'
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B50FD00 rdtsc
    Source: C:\Windows\System32\wermgr.exe; Code function: 10_2_000001518B50FDB0 LdrLoadDll
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe; Code function: 0_2_022A0010 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory
    Source: C:\Windows\System32\wermgr.exe; Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe | Memory allocated: C:\Windows\System32\wermgr.exe base: 1518B500000 protect: page execute and read and write
    Writes to foreign memory regions
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe | Memory written: C:\Windows\System32\wermgr.exe base: 1518B500000
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe | Memory written: C:\Windows\System32\wermgr.exe base: 7FF661372860
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.3453.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
    Source: SecuriteInfo.com.Trojan.Packed.140.3453.exe | Binary or memory string: Shell_TrayWnd
    Source: wermgr.exe, 0000000A.00000002.1537148724.000001518BBB0000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: wermgr.exe, 0000000A.00000002.1537148724.000001518BBB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: wermgr.exe, 0000000A.00000002.1537148724.000001518BBB0000.00000002.00000001.sdmp | Binary or memory string: Program Manager@
    Source: C:\Windows\System32\wermgr.exe | Queries volume information: C:\ VolumeInformation

    Stealing of Sensitive Information:

    Yara detected Trickbot
    Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 4992, type: MEMORY

    Remote Access Functionality:

    Yara detected Trickbot
    Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 4992, type: MEMORY

    Mitre Att&ck Matrix

    The matrix lists the techniques per tactic column (trailing digits are the report's per-technique signature counts):

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
    Privilege Escalation: Access Token Manipulation 1; Process Injection 212; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
    Defense Evasion: Access Token Manipulation 1; Process Injection 212; Obfuscated Files or Information 3; Software Packing 1; Software Packing; Steganography; Compile After Delivery
    Credential Access: Input Capture 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
    Discovery: Security Software Discovery 121; Process Discovery 2; Application Window Discovery 1; Remote System Discovery 1; System Network Configuration Discovery 11; File and Directory Discovery 2; System Information Discovery 112
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
    Collection: Input Capture 1; Archive Collected Data 1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
    Command and Control: Encrypted Channel 12; Non-Standard Port 1; Ingress Tool Transfer 1; Non-Application Layer Protocol 2; Application Layer Protocol 3; Multiband Communication; Commonly Used Port
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

    Behavior Graph
