
Analysis Report SecuriteInfo.com.Trojan.Packed.140.4340.12788

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.Packed.140.4340.12788 (renamed file extension from 12788 to exe)
Analysis ID:255724
MD5:be6695d1db89ead22ac6aad12c97bc3e
SHA1:f8b871bf348eb212051ee21a93fc9fff7b5f71f1
SHA256:7fc26548e849f1ed9cfe22fddc4f76030e7fbf75c2659325586934fe71b6fd98

Detection

Trickbot
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Delayed program exit found
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.Packed.140.4340.exe (PID: 6240 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe' MD5: BE6695D1DB89EAD22AC6AAD12C97BC3E)
    • wermgr.exe (PID: 4852 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
  • cleanup

Malware Configuration

Threatname: Trickbot

{"gtag": "ono57", "C2 list": ["85.204.116.216:443", "85.204.116.100:443", "185.90.61.9:443", "7.108.216.47:443", "185.99.2.65:443", "185.99.2.66:443", "36.91.45.10:449", "5.1.81.68:443", "110.50.84.5:449", "45.6.16.68:449", "181.129.104.139:449", "134.119.191.21:443", "110.232.76.39:449", "110.93.15.98:449", "80.210.32.67:449", "36.66.218.117:449", "121.100.19.18:449", "103.111.83.246:449", "122.50.6.122:449", "181.112.157.42:449", "107.175.72.141:443", "131.161.253.190:449", "194.5.250.121:443", "181.129.134.18:449", "36.89.243.241:449", "200.107.35.154:449", "91.235.129.20:443", "190.136.178.52:449", "36.89.182.225:449", "103.12.161.194:449", "192.3.247.123:443", "182.253.113.67:449", "185.14.31.104:443", "36.92.19.205:449", "95.171.16.42:443", "134.119.191.11:443", "78.108.216.47:443", "51.81.112.144:443"], "modules": ["pwgrab", "mcconf"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.503054465.000001B131968000.00000004.00000020.sdmp | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security |
Process Memory Space: wermgr.exe PID: 4852 | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security |

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      AV Detection:

      Found malware configuration
      Source: wermgr.exe.4852.13.memstr | Malware Configuration Extractor: Trickbot (configuration as listed under Malware Configuration above)
      Yara detected Trickbot
      Source: Yara match | File source: 0000000D.00000002.503054465.000001B131968000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 4852, type: MEMORY
      Machine Learning detection for sample
      Source: SecuriteInfo.com.Trojan.Packed.140.4340.exe | Joe Sandbox ML: detected
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317D5EC0 FindFirstFileW
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317E1240 FindFirstFileW,FindNextFileW
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp | 13_2_000001B1317CFD10
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ebx | 13_2_000001B1317CF100
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 13_2_000001B1317DE0E0
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 13_2_000001B1317C78A0
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 13_2_000001B1317DE175
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 13_2_000001B1317CB570
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 13_2_000001B1317DE154
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 13_2_000001B1317DB010
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 13_2_000001B1317C8400
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 13_2_000001B1317C4BD0
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 13_2_000001B1317DC074
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 13_2_000001B1317C4700
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then cmp dword ptr [eax], ecx | 13_2_000001B1317C56D0
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ebp | 13_2_000001B1317D4F88
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 13_2_000001B1317C3B80
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 13_2_000001B1317D6F50
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 13_2_000001B1317DEB20
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 13_2_000001B1317DE209
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx edx, word ptr [ecx] | 13_2_000001B1317CC200
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 13_2_000001B1317DE1E7
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 13_2_000001B1317DE1C9
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 13_2_000001B1317DE19A
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 13_2_000001B1317CDA90
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp | 13_2_000001B1317D7280
      Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then call 000001B1317C6E40h | 13_2_000001B1317C4A80

      Networking:

      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      Source: Traffic | Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 85.204.116.216: -> 192.168.2.7:
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.99.2.65 (12 occurrences)
      Source: unknown | TCP traffic detected without corresponding DNS query: 85.204.116.216 (3 occurrences)
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.14.31.104 (3 occurrences)
      Source: unknown | TCP traffic detected without corresponding DNS query: 95.171.16.42 (9 occurrences)
      Source: unknown | TCP traffic detected without corresponding DNS query: 85.204.116.100 (3 occurrences)
      Source: unknown | TCP traffic detected without corresponding DNS query: 185.90.61.9 (1 occurrence)
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://185.14.31.104/
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://185.90.61.9/
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://185.90.61.9/0/
      Source: wermgr.exe, 0000000D.00000002.503295401.000001B1319B7000.00000004.00000020.sdmp | String found in binary or memory: https://185.90.61.9/ono57/536720_W10017134.F033BE2C21D03734501737BB53FD5733/5/spk/
      Source: wermgr.exe, 0000000D.00000002.503295401.000001B1319B7000.00000004.00000020.sdmp | String found in binary or memory: https://185.90.61.9/ono57/536720_W10017134.F033BE2C21D03734501737BB53FD5733/5/spk/k/
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://185.90.61.9:443/ono57/536720_W10017134.F033BE2C21D03734501737BB53FD5733/5/spk/
      Source: wermgr.exe, 0000000D.00000002.503054465.000001B131968000.00000004.00000020.sdmp | String found in binary or memory: https://185.99.2.65/ic
      Source: wermgr.exe, 0000000D.00000002.503054465.000001B131968000.00000004.00000020.sdmp | String found in binary or memory: https://185.99.2.65/ono57/536720_W10017134.F033BE2C21D03734501737BB53FD5733/5/spk/
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://85.204.116.100/
      Source: wermgr.exe, 0000000D.00000002.503295401.000001B1319B7000.00000004.00000020.sdmp | String found in binary or memory: https://85.204.116.100/ono57/536720_W10017134.F033BE2C21D03734501737BB53FD5733/5/spk/
      Source: wermgr.exe, 0000000D.00000002.503295401.000001B1319B7000.00000004.00000020.sdmp | String found in binary or memory: https://85.204.116.100/ono57/536720_W10017134.F033BE2C21D03734501737BB53FD5733/5/spk/O
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://85.204.116.100:443/ono57/536720_W10017134.F033BE2C21D03734501737BB53FD5733/5/spk/
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://85.204.116.216/
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://85.204.116.216/W
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://85.204.116.216/ono57/536720_W10017134.F033BE2C21D03734501737BB53FD5733/5/spk/8Co
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://85.204.116.216:443/ono57/536720_W10017134.F033BE2C21D03734501737BB53FD5733/5/spk/yU
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://95.171.16.42/
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://95.171.16.42//3
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://95.171.16.42/S
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://95.171.16.42/dows
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://95.171.16.42/o
      Source: wermgr.exe, 0000000D.00000002.503295401.000001B1319B7000.00000004.00000020.sdmp | String found in binary or memory: https://95.171.16.42/ono57/536720_W10017134.F033BE2C21D03734501737BB53FD5733/5/spk/
      Source: wermgr.exe, 0000000D.00000002.503295401.000001B1319B7000.00000004.00000020.sdmp | String found in binary or memory: https://95.171.16.42/ono57/536720_W10017134.F033BE2C21D03734501737BB53FD5733/5/spk/y
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
      Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
      Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
      Source: SecuriteInfo.com.Trojan.Packed.140.4340.exe, 00000000.00000002.328761736.000000000075A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
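The memory strings above show the C2 URI layout this sample uses: `/<gtag>/<client id>/<command>/<argument>/`, where the client id is `<hostname>_W<os version>.<32 hex digits>` (here `536720_W10017134.F033BE2C21D03734501737BB53FD5733`, with the `ono57` gtag matching the extracted configuration). The following Python is an added example, not part of the report: it decodes that layout for hunting in proxy or TLS-inspection logs. Reading `W10017134` as Windows 10.0 build 17134 is my interpretation (it is consistent with the w10x64 analysis system); the meaning of command code 5 is not decoded. The proxy log lines are constructed sample data and the function names are my own.

```python
import re
from urllib.parse import urlsplit

# Trickbot-style C2 path as observed in this report:
#   /<gtag>/<hostname>_W<major><minor><build>.<32 hex>/<command>/<rest>
# <major> is taken as "10" or a single digit, <build> as 4 or 5 digits
# (interpretation of the observed W10017134, assumed here, not stated by the report).
TRICKBOT_URI = re.compile(
    r"^/(?P<gtag>[A-Za-z0-9]+)"
    r"/(?P<host>[^/]+?)_W(?P<major>10|\d)(?P<minor>\d)(?P<build>\d{4,5})"
    r"\.(?P<uid>[0-9A-F]{32})"
    r"/(?P<command>\d+)"
    r"(?:/(?P<rest>.*))?$"
)


def parse_trickbot_uri(url_or_path):
    """Return the decoded fields of a Trickbot-style C2 URL/path, or None."""
    path = urlsplit(url_or_path).path if "://" in url_or_path else url_or_path
    m = TRICKBOT_URI.match(path)
    if not m:
        return None
    return {
        "gtag": m["gtag"],
        "hostname": m["host"],
        "os": (int(m["major"]), int(m["minor"]), int(m["build"])),
        "uid": m["uid"],
        "command": int(m["command"]),   # numeric command code, not interpreted
        "rest": m["rest"] or "",
    }


# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
# The two C2 URLs repeat strings from the report; the other two are controls.
SAMPLE_PROXY_LOG = """\
2020-07-10T10:01:02Z 192.168.2.7 GET https://185.90.61.9/ono57/536720_W10017134.F033BE2C21D03734501737BB53FD5733/5/spk/ 200
2020-07-10T10:01:03Z 192.168.2.7 GET https://www.example.com/ono57/index.html 200
2020-07-10T10:01:05Z 192.168.2.7 POST https://95.171.16.42/ono57/536720_W10017134.F033BE2C21D03734501737BB53FD5733/5/spk/ 200
2020-07-10T10:01:07Z 192.168.2.7 GET https://185.99.2.65/ic 404
"""


def find_trickbot_uris(log_text, expected_gtag=None):
    """Scan proxy log lines; return (client, c2_host, decoded fields) per hit.

    If expected_gtag is given, only URIs carrying that campaign tag are kept,
    which ties the hunt to the configuration extracted from the sample.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        decoded = parse_trickbot_uri(parts[3])
        if decoded is None:
            continue
        if expected_gtag and decoded["gtag"] != expected_gtag:
            continue
        hits.append((parts[1], urlsplit(parts[3]).hostname, decoded))
    return hits


if __name__ == "__main__":
    for client, c2_host, fields in find_trickbot_uris(SAMPLE_PROXY_LOG, "ono57"):
        print(client, "->", c2_host, fields)
```

The regex keys on the structural invariants (gtag segment, `_W<version>.<32 hex>` client id, numeric command) rather than on specific IPs, so it keeps working when the operator rotates C2 hosts; pair it with the config-derived IP list for confidence.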

      E-Banking Fraud:

      Yara detected Trickbot
      Source: Yara match | File source: 0000000D.00000002.503054465.000001B131968000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 4852, type: MEMORY
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Code function: 0_2_02220010 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317C3DA0 NtQuerySystemInformation,SleepEx,DuplicateHandle,lstrcmpiW,FindCloseChangeNotification,FindCloseChangeNotification
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317DDD50
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317CA7E0
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317D5EC0
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317DAB20
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317C3DA0
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317D0D00
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317D30C0
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317C78A0
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317C3D90
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317D9970
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317C1002
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317C1800
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317C8400
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317DC3C0
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317D9FC0
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317CDBA0
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317C7C90
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317D3C80
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317DCC60
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317C7023
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317D1423
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317DD300
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317CF2F0
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317CCED0
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317D62B0
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317C5B80
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317C9730
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317D7E02
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317DEE00
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317D49E0
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317C31D0
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317D1DA0
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317DA620
      Source: SecuriteInfo.com.Trojan.Packed.140.4340.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (2 occurrences)
      Source: SecuriteInfo.com.Trojan.Packed.140.4340.exe, 00000000.00000002.329483815.00000000021C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.Packed.140.4340.exe
      Source: SecuriteInfo.com.Trojan.Packed.140.4340.exe | Binary or memory string: OriginalFilenameVistor3.exect vs SecuriteInfo.com.Trojan.Packed.140.4340.exe
      Source: SecuriteInfo.com.Trojan.Packed.140.4340.exe | Binary or memory string: C*\AD:\An_amazing\Vistor3.vbpL3@%
      Source: SecuriteInfo.com.Trojan.Packed.140.4340.exe, 00000000.00000002.326903365.000000000043D000.00000004.00020000.sdmp | Binary or memory string: b@*\AD:\An_amazing\Vistor3.vbp
      Source: SecuriteInfo.com.Trojan.Packed.140.4340.exe | Binary or memory string: C*\AD:\An_amazing\Vistor3.vbp
      Source: classification engine | Classification label: mal84.troj.evad.winEXE@3/1@0/6
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317CE3E0 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification
      Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{FDBE941E-D62C-9ABF-1CD2-CE93EB13FBC8}
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | File created: C:\Users\user~1\AppData\Local\Temp\logE4EF.tmp
      Source: SecuriteInfo.com.Trojan.Packed.140.4340.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Windows\System32\wermgr.exe | System information queried: HandleInformation
      Source: C:\Windows\System32\wermgr.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe'
      Source: unknown | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32
      Source: SecuriteInfo.com.Trojan.Packed.140.4340.exe | Static PE information: real checksum: 0x44ba1 should be: 0x844fb
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Code function: 0_2_0040C85F push edx; retf | 0_2_0040C874
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Code function: 0_2_0040C87F push edx; retf | 0_2_0040C874
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Code function: 0_2_00403483 push ds; retn 0000h | 0_2_00403487
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Code function: 0_2_0040D947 push ds; retf | 0_2_0040D949
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Code function: 0_2_0040754C push es; ret | 0_2_00407566
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Code function: 0_2_0040D93A push ds; retf | 0_2_0040D946
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Code function: 0_2_0040C188 push FFFFFFF9h; iretd | 0_2_0040C18F
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Code function: 0_2_0238073B push dword ptr [edx+14h]; ret | 0_2_0238079D
      Source: initial sample | Static PE information: section name: .text entropy: 6.81163592969
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Process information set: NOOPENFILEERRORBOX (23 occurrences)
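Two of the static PE findings above are cheap to reproduce on any sample: the header CheckSum mismatch (stored 0x44ba1, expected 0x844fb) and the .text entropy of 6.81. The following Python is an added example, not part of the report or of any sandbox code: it implements the standard PE CheckSum folding sum (the algorithm behind imagehlp's CheckSumMappedFile), locates the CheckSum field from the headers, and computes Shannon entropy of a byte buffer. The minimal image it builds is a constructed stand-in with just enough header to locate the field, not a loadable PE, and the function names are my own.

```python
import math
import struct


def pe_checksum(data, checksum_offset):
    """Recompute the PE header CheckSum over `data`, skipping the 4-byte
    CheckSum field at `checksum_offset` (same folding sum as CheckSumMappedFile):
    16-bit words summed with carry folded back in, then the file length added."""
    total = 0
    n = len(data)
    for i in range(0, n - 1, 2):
        if i == checksum_offset or i == checksum_offset + 2:
            continue
        total += data[i] | (data[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    if n & 1:  # trailing odd byte counts as a word with a zero high byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + n


def checksum_field_offset(data):
    """Offset of OptionalHeader.CheckSum: e_lfanew + 4 (PE sig) + 20 (file header) + 64."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def verify_pe_checksum(data):
    """Return (stored, computed). A mismatch, as on this sample, means the
    header was not rewritten after the image was modified or packed."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    return stored, pe_checksum(data, off)


def set_pe_checksum(data):
    """Return a copy of `data` with a correct CheckSum field."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0. Feed it a section's raw bytes; the report
    gives 6.81 for this sample's .text, typical of packed or encrypted code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def minimal_pe_image(stored_checksum=0x1234, size=0x200):
    """Constructed stand-in: MZ stub, e_lfanew=0x40, PE signature, CheckSum field."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x40 + 4 + 20 + 64, stored_checksum)
    return bytes(img)


if __name__ == "__main__":
    img = minimal_pe_image()
    stored, computed = verify_pe_checksum(img)
    print(f"stored 0x{stored:x} computed 0x{computed:x}")
    print("entropy of repaired image:", round(shannon_entropy(set_pe_checksum(img)), 3))
```

On a real file, pass the whole file contents to verify_pe_checksum and the raw bytes of each section (from the section table) to shannon_entropy; a zero stored checksum is common for unsigned builds, but a non-zero wrong one is the stronger tamper signal.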

      Malware Analysis System Evasion:

      Delayed program exit found
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Code function: 0_2_02368B1E Sleep,ExitProcess
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Windows\System32\wermgr.exe | RDTSC instruction interceptor: First address: 000001B1317CFD00 second address: 000001B1317CFD00 instructions:
        0x00000000 rdtsc
        0x00000002 dec eax
        0x00000003 shl edx, 20h
        0x00000006 dec eax
        0x00000007 or eax, edx
        0x00000009 ret
        0x0000000a dec eax
        0x0000000b mov esi, eax
        0x0000000d call dword ptr [0001C6F2h]
        0x00000013 mov ecx, 7FFE0320h
        0x00000018 dec eax
        0x00000019 mov ecx, dword ptr [ecx]
        0x0000001b mov eax, dword ptr [7FFE0004h]
        0x00000022 dec eax
        0x00000023 imul eax, ecx
        0x00000026 dec eax
        0x00000027 shr eax, 18h
        0x0000002a ret
        0x0000002b inc esp
        0x0000002c mov esi, eax
        0x0000002e inc eax
        0x0000002f movzx ebx, dh
        0x00000032 call 00007EFEB508A511h
        0x00000037 rdtsc
      (The listing is a 32-bit decode of 64-bit code: each isolated dec eax / inc esp / inc eax is a REX prefix byte of the instruction that follows, so "dec eax; shl edx, 20h; dec eax; or eax, edx" is shl rdx, 20h; or rax, rdx, assembling the 64-bit RDTSC result. The reads at 7FFE0320h and 7FFE0004h are KUSER_SHARED_DATA.TickCount and TickCountMultiplier, multiplied and shifted right by 24: an inlined GetTickCount that never calls the API and so cannot be hooked. The two RDTSC reads around it are consistent with comparing a cycle-counter delta against that tick delta.)
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317CFD00 rdtsc
      Source: C:\Windows\System32\wermgr.exe | Code function: GetAdaptersInfo | 13_2_000001B1317DB840
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Window / User API: threadDelayed 2712
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Window / User API: threadDelayed 7251
      Source: C:\Windows\System32\wermgr.exe | Last function: Thread delayed
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317D5EC0 FindFirstFileW
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317E1240 FindFirstFileW,FindNextFileW
      Source: wermgr.exe, 0000000D.00000002.503844478.000001B131AF1000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317CFD00 rdtsc
      Source: C:\Windows\System32\wermgr.exe | Code function: 13_2_000001B1317CFDB0 LdrLoadDll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Code function: 0_2_02220010 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory
      Source: C:\Windows\System32\wermgr.exe | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion:

      Allocates memory in foreign processes
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Memory allocated: C:\Windows\System32\wermgr.exe base: 1B1317C0000 protect: page execute and read and write
      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Memory written: C:\Windows\System32\wermgr.exe base: 1B1317C0000
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Memory written: C:\Windows\System32\wermgr.exe base: 7FF64AB52860
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.4340.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
      Source: SecuriteInfo.com.Trojan.Packed.140.4340.exe | Binary or memory string: Shell_TrayWnd
      Source: wermgr.exe, 0000000D.00000002.504091194.000001B131F80000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: wermgr.exe, 0000000D.00000002.504091194.000001B131F80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: wermgr.exe, 0000000D.00000002.504091194.000001B131F80000.00000002.00000001.sdmp | Binary or memory string: jProgram Manager
      Source: C:\Windows\System32\wermgr.exe | Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information:

Yara detected Trickbot
Source: Yara match File source: 0000000D.00000002.503054465.000001B131968000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wermgr.exe PID: 4852, type: MEMORY

Remote Access Functionality:

Yara detected Trickbot
Source: Yara match File source: 0000000D.00000002.503054465.000001B131968000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wermgr.exe PID: 4852, type: MEMORY

Mitre Att&ck Matrix

(Matrix flattened by extraction; rebuilt below with one technique per cell. Trailing digits on a technique name are the report's own per-cell signature counts and are kept as they appeared.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Access Token Manipulation 1 | Access Token Manipulation 1 | Input Capture 1 | Security Software Discovery 121 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 212 | Process Injection 212 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 3 | Security Account Manager | Application Window Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 1 | NTDS | System Network Configuration Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

      Behavior Graph


      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.