
Analysis Report SecuriteInfo.com.Trojan.Packed.140.12400.3061

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.Packed.140.12400.3061 (renamed file extension from 3061 to exe)
Analysis ID:255720
MD5:dd709ccd8e1280268450735c99b6371b
SHA1:078f31c5a43c2f91fb8d195906f74a9ca883bdc4
SHA256:6c0f8a6446d58193dee31e148205c81334c4341e5d707b80a612fe48d53b83df

Most interesting Screenshot:

Detection

Trickbot
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Delayed program exit found
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.Packed.140.12400.exe (PID: 4596 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe' MD5: DD709CCD8E1280268450735C99B6371B)
    • wermgr.exe (PID: 5840 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
  • cleanup

Malware Configuration

Threatname: Trickbot

{"gtag": "ono57", "C2 list": ["12.253.113.67:449", "5.1.81.68:443", "45.6.16.68:449", "185.99.2.66:443", "110.50.84.5:449", "36.91.45.10:449", "185.90.61.9:443", "185.99.2.65:443", "194.5.250.121:443", "107.175.72.141:443", "78.108.216.47:443", "91.235.129.20:443", "122.50.6.122:449", "190.136.178.52:449", "80.210.32.67:449", "103.111.83.246:449", "36.89.182.225:449", "51.81.112.144:443", "110.232.76.39:449", "85.204.116.100:443", "36.89.243.241:449", "36.66.218.117:449", "185.14.31.104:443", "200.107.35.154:449", "181.129.134.18:449", "192.3.247.123:443", "121.100.19.18:449", "134.119.191.11:443", "134.119.191.21:443", "181.129.104.139:449", "110.93.15.98:449", "131.161.253.190:449", "95.171.16.42:443", "182.253.113.67:449", "103.12.161.194:449", "181.112.157.42:449", "85.204.116.216:443", "36.92.19.205:449"], "modules": ["pwgrab", "mcconf"]}

Yara Overview

Memory Dumps

Source: Process Memory Space: wermgr.exe PID: 5840
Rule: JoeSecurity_Trickbot_1
Description: Yara detected Trickbot
Author: Joe Security
Strings: (none listed)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: wermgr.exe.5840.2.memstr | Malware Configuration Extractor: Trickbot (configuration identical to the one listed under Malware Configuration above)
Yara detected Trickbot
Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 5840, type: MEMORY
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.Packed.140.12400.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_0000027763905EC0 FindFirstFileW
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_0000027763911240 FindFirstFileW,FindNextFileW
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 2_2_000002776390EB20
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 2_2_0000027763906F50
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ebp 2_2_0000027763904F88
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 2_2_00000277638F3B80 (reported twice)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then cmp dword ptr [eax], ecx 2_2_00000277638F56D0
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 2_2_00000277638F4700
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then call 00000277638F6E40h 2_2_00000277638F4A80
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 2_2_00000277638FDA90
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp 2_2_0000027763907280
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx 2_2_000002776390E19A
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx 2_2_000002776390E1C9
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx 2_2_000002776390E1E7
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx 2_2_000002776390E209
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx edx, word ptr [ecx] 2_2_00000277638FC200
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx 2_2_000002776390E154
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 2_2_00000277638FB570
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx 2_2_000002776390E175
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 2_2_00000277638F78A0
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx 2_2_000002776390E0E0
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp 2_2_00000277638FFD10
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ebx 2_2_00000277638FF100
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 2_2_000002776390C074
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 2_2_00000277638F4BD0
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx 2_2_00000277638F8400
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax 2_2_000002776390B010

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.3:49732 -> 181.112.157.42:449
May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.amazonaws.com (reported twice)
Source: global traffic | TCP traffic: 192.168.2.3:49732 -> 181.112.157.42:449
Source: unknown | TCP traffic detected without corresponding DNS query: 85.204.116.100 (3 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 185.99.2.65 (12 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 181.112.157.42 (20 entries)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Connection: Keep-Alive; User-Agent: curl/7.69.1; Host: checkip.amazonaws.com
Source: unknown | DNS traffic detected: queries for: checkip.amazonaws.com
Source: wermgr.exe, 00000002.00000002.512011909.0000027765586000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.amazonaws.com/F
Source: wermgr.exe, 00000002.00000002.512011909.0000027765586000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: wermgr.exe, 00000002.00000002.512011909.0000027765586000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wermgr.exe, 00000002.00000002.512011909.0000027765586000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: wermgr.exe, 00000002.00000002.511984263.0000027765579000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: wermgr.exe, 00000002.00000002.512011909.0000027765586000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wermgr.exe, 00000002.00000002.512011909.0000027765586000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsup181.112.157.42:449/
Source: wermgr.exe, 00000002.00000003.346212880.0000027763AA6000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.2.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wermgr.exe, 00000002.00000003.346212880.0000027763AA6000.00000004.00000001.sdmp, wermgr.exe, 00000002.00000003.345740285.00000277655F4000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?24031bc35d44b
Source: wermgr.exe, 00000002.00000002.510406231.0000027763A10000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enci
Source: wermgr.exe, 00000002.00000002.511984263.0000027765579000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: wermgr.exe, 00000002.00000002.512011909.0000027765586000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/
Source: wermgr.exe, 00000002.00000002.512011909.0000027765586000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/0
Source: wermgr.exe, 00000002.00000002.510350333.00000277639E8000.00000004.00000020.sdmp | String found in binary or memory: https://181.112.157.42:449/ono57/980108_W10017134.C3B3CC97FD5BB33C91D1E5173FF55B5A/0/Windows%2010%20
Source: wermgr.exe, 00000002.00000002.511984263.0000027765579000.00000004.00000001.sdmp, wermgr.exe, 00000002.00000002.510514518.0000027763AB6000.00000004.00000001.sdmp, wermgr.exe, 00000002.00000002.510469104.0000027763AA6000.00000004.00000001.sdmp, wermgr.exe, 00000002.00000002.512188096.00000277655F4000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/ono57/980108_W10017134.C3B3CC97FD5BB33C91D1E5173FF55B5A/14/DNSBL/listed/0
Source: wermgr.exe, 00000002.00000002.510469104.0000027763AA6000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/ono57/980108_W10017134.C3B3CC97FD5BB33C91D1E5173FF55B5A/14/user/user/0/
Source: wermgr.exe, 00000002.00000002.510469104.0000027763AA6000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/ono57/980108_W10017134.C3B3CC97FD5BB33C91D1E5173FF55B5A/23/1000512/
Source: wermgr.exe, 00000002.00000002.510469104.0000027763AA6000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/ono57/980108_W10017134.C3B3CC97FD5BB33C91D1E5173FF55B5A/23/1000512/(
Source: wermgr.exe, 00000002.00000002.512011909.0000027765586000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/ono57/980108_W10017134.C3B3CC97FD5BB33C91D1E5173FF55B5A/23/1000512/0/0/
Source: wermgr.exe, 00000002.00000002.510469104.0000027763AA6000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/ono57/980108_W10017134.C3B3CC97FD5BB33C91D1E5173FF55B5A/23/1000512/b
Source: wermgr.exe, 00000002.00000002.511984263.0000027765579000.00000004.00000001.sdmp, wermgr.exe, 00000002.00000002.512011909.0000027765586000.00000004.00000001.sdmp | String found in binary or memory: https://181.112.157.42:449/ono57/980108_W10017134.C3B3CC97FD5BB33C91D1E5173FF55B5A/5/spk/
Source: wermgr.exe, 00000002.00000002.511984263.0000027765579000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443

E-Banking Fraud:

Yara detected Trickbot
Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 5840, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_02140010 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638F3DA0 NtQuerySystemInformation,SleepEx,DuplicateHandle,lstrcmpiW,FindCloseChangeNotification,FindCloseChangeNotification
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_000002776390AB20
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_0000027763905EC0
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638F3DA0
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_000002776390DD50
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638FA7E0
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638F1800
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638F9730
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638F5B80
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277639062B0
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638FCED0
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638FF2F0
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_000002776390D300
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_000002776390A620
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_0000027763901DA0
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638F31D0
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277639049E0
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_000002776390EE00
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_0000027763907E02
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_0000027763909970
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638F3D90
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638F78A0
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277639030C0
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_0000027763900D00
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638F7023
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_0000027763901423
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_000002776390CC60
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638F7C90
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_0000027763903C80
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638FDBA0
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_000002776390C3C0
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_0000027763909FC0
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638F1002
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638F8400
Source: SecuriteInfo.com.Trojan.Packed.140.12400.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (2 resources)
Source: SecuriteInfo.com.Trojan.Packed.140.12400.exe, 00000000.00000002.266065832.0000000002100000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.Packed.140.12400.exe
Source: SecuriteInfo.com.Trojan.Packed.140.12400.exe | Binary or memory string: OriginalFilenameVistor3.exect vs SecuriteInfo.com.Trojan.Packed.140.12400.exe
Source: SecuriteInfo.com.Trojan.Packed.140.12400.exe | Binary or memory string: C*\AD:\An_amazing\Vistor3.vbpL3@%
Source: SecuriteInfo.com.Trojan.Packed.140.12400.exe, 00000000.00000002.265518669.000000000043D000.00000004.00020000.sdmp | Binary or memory string: b@*\AD:\An_amazing\Vistor3.vbp
Source: SecuriteInfo.com.Trojan.Packed.140.12400.exe | Binary or memory string: C*\AD:\An_amazing\Vistor3.vbp
Source: classification engine | Classification label: mal88.troj.evad.winEXE@3/3@3/4
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638FE3E0 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification
Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{9841DEC1-4DB2-B49B-9614-9E160EF9A136}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | File created: C:\Users\user\AppData\Local\Temp\log473C.tmp
Source: SecuriteInfo.com.Trojan.Packed.140.12400.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\System32\wermgr.exe | System information queried: HandleInformation
Source: C:\Windows\System32\wermgr.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wermgr.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 reads)
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe'
Source: unknown | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32
Source: SecuriteInfo.com.Trojan.Packed.140.12400.exe | Static PE information: real checksum: 0x44ba1 should be: 0x7cbe0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_0040C85F push edx; retf 0_2_0040C874
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_0040C87F push edx; retf 0_2_0040C874
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_00403483 push ds; retn 0000h 0_2_00403487
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_0040D947 push ds; retf 0_2_0040D949
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_0040754C push es; ret 0_2_00407566
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_0040D93A push ds; retf 0_2_0040D946
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_0040C188 push FFFFFFF9h; iretd 0_2_0040C18F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_0218073B push dword ptr [edx+14h]; ret 0_2_0218079D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A08D8 push edx; ret 0_2_020A0901
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A5A03 push edx; ret 0_2_020A5A31
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A4205 push edx; ret 0_2_020A4231
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A2A05 push edx; ret 0_2_020A2A31
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A1205 push edx; ret 0_2_020A1231
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A0218 push edx; ret 0_2_020A0241
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A4A13 push edx; ret 0_2_020A4A41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A3213 push edx; ret 0_2_020A3241
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A1A13 push edx; ret 0_2_020A1A41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A6214 push edx; ret 0_2_020A6241
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A9A23 push edx; ret 0_2_020A9A51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A3A24 push edx; ret 0_2_020A3A51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A2224 push edx; ret 0_2_020A2251
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A0A24 push edx; ret 0_2_020A0A51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A6A24 push edx; ret 0_2_020A6A51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A5225 push edx; ret 0_2_020A5251
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A4233 push edx; ret 0_2_020A4261
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A2A33 push edx; ret 0_2_020A2A61
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A1233 push edx; ret 0_2_020A1261
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A5A33 push edx; ret 0_2_020A5A61
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A0248 push edx; ret 0_2_020A0271
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A4A44 push edx; ret 0_2_020A4A71
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_020A3244 push edx; ret 0_2_020A3271
Source: initial sample | Static PE information: section name: .text entropy: 6.81163592969
Source: C:\Windows\System32\wermgr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Process information set: NOOPENFILEERRORBOX (23 occurrences)

    Malware Analysis System Evasion:

    barindex
    Delayed program exit found
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_02168B1E Sleep,ExitProcess,0_2_02168B1E
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Windows\System32\wermgr.exe | RDTSC instruction interceptor: First address: 00000277638FFD00 second address: 00000277638FFD00 instructions:
        0x00000000 rdtsc
        0x00000002 dec eax
        0x00000003 shl edx, 20h
        0x00000006 dec eax
        0x00000007 or eax, edx
        0x00000009 ret
        0x0000000a dec eax
        0x0000000b mov esi, eax
        0x0000000d call dword ptr [0001C6F2h]
        0x00000013 mov ecx, 7FFE0320h
        0x00000018 dec eax
        0x00000019 mov ecx, dword ptr [ecx]
        0x0000001b mov eax, dword ptr [7FFE0004h]
        0x00000022 dec eax
        0x00000023 imul eax, ecx
        0x00000026 dec eax
        0x00000027 shr eax, 18h
        0x0000002a ret
        0x0000002b inc esp
        0x0000002c mov esi, eax
        0x0000002e inc eax
        0x0000002f movzx ebx, dh
        0x00000032 call 00007FD120865A41h
        0x00000037 rdtsc
    Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638FFD00 rdtsc 2_2_00000277638FFD00
    Source: C:\Windows\System32\wermgr.exe | Code function: GetAdaptersInfo,2_2_000002776390B840
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Window / User API: threadDelayed 2717
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Window / User API: threadDelayed 7241
    Source: C:\Windows\System32\wermgr.exe | Window / User API: threadDelayed 605
    Source: C:\Windows\System32\wermgr.exe | Last function: Thread delayed
    Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_0000027763905EC0 FindFirstFileW,2_2_0000027763905EC0
    Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_0000027763911240 FindFirstFileW,FindNextFileW,2_2_0000027763911240
    Source: wermgr.exe, 00000002.00000002.510350333.00000277639E8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
    Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638FFD00 rdtsc 2_2_00000277638FFD00
    Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000277638FFDB0 LdrLoadDll,2_2_00000277638FFDB0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Code function: 0_2_02140010 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,0_2_02140010
    Source: C:\Windows\System32\wermgr.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Memory allocated: C:\Windows\System32\wermgr.exe base: 277638F0000 protect: page execute and read and write
    Writes to foreign memory regions
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Memory written: C:\Windows\System32\wermgr.exe base: 277638F0000
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Memory written: C:\Windows\System32\wermgr.exe base: 7FF698692860
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.12400.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
    Source: wermgr.exe, 00000002.00000002.510993186.00000277640F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
    Source: SecuriteInfo.com.Trojan.Packed.140.12400.exe | Binary or memory string: Shell_TrayWnd
    Source: wermgr.exe, 00000002.00000002.510993186.00000277640F0000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: wermgr.exe, 00000002.00000002.510993186.00000277640F0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: C:\Windows\System32\wermgr.exe | Queries volume information: C:\ VolumeInformation

    Stealing of Sensitive Information:

    Yara detected Trickbot
    Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 5840, type: MEMORY

    Remote Access Functionality:

    Yara detected Trickbot
    Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 5840, type: MEMORY

    MITRE ATT&CK Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | Path Interception | Access Token Manipulation 1 | Access Token Manipulation 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 212 | Process Injection 212 | LSASS Memory | Security Software Discovery 121 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 3 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap |  | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 3 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Network Configuration Discovery 11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 112 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

    Behavior Graph


    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots
