
Analysis Report SecuriteInfo.com.Trojan.Packed.140.15556.9362

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Packed.140.15556.9362 (renamed file extension from 9362 to exe)
Analysis ID: 255727
MD5: 3da1b6c6970840dc448846ae45d1fea2
SHA1: b046e2d07161f9fdcd0083cdaf999094f8e9c865
SHA256: 83a398dec9085224850a075237a1c6466cbf277898f7031f44d82cc6bd498b68

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Allocates memory in foreign processes
Delayed program exit found
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.Packed.140.15556.exe (PID: 6892 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe' MD5: 3DA1B6C6970840DC448846AE45D1FEA2)
    • wermgr.exe (PID: 6688 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.Packed.140.15556.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\wermgr.exe | Code function: 10_2_0000017D43B85EC0 FindFirstFileW, 10_2_0000017D43B85EC0
Source: C:\Windows\System32\wermgr.exe | Code function: 10_2_0000017D43B91240 FindFirstFileW,FindNextFileW, 10_2_0000017D43B91240
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 10_2_0000017D43B8E19A
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 10_2_0000017D43B8E175
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 10_2_0000017D43B7B570
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 10_2_0000017D43B8E1C9
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp | 10_2_0000017D43B7FD10
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ebx | 10_2_0000017D43B7F100
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 10_2_0000017D43B8E0E0
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 10_2_0000017D43B8E154
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 10_2_0000017D43B8C074
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 10_2_0000017D43B778A0
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 10_2_0000017D43B8B010
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 10_2_0000017D43B78400
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ebp | 10_2_0000017D43B84F88
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 10_2_0000017D43B73B80
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 10_2_0000017D43B74BD0
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 10_2_0000017D43B74700
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 10_2_0000017D43B86F50
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 10_2_0000017D43B8EB20
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax | 10_2_0000017D43B7DA90
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then call 0000017D43B76E40h | 10_2_0000017D43B74A80
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp | 10_2_0000017D43B87280
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then cmp dword ptr [eax], ecx | 10_2_0000017D43B756D0
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx edx, word ptr [ecx] | 10_2_0000017D43B7C200
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 10_2_0000017D43B8E209
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx | 10_2_0000017D43B8E1E7

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.6:49757 -> 121.100.19.18:449
May check the online IP address of the machine
Source: unknown | DNS query: name: wtfismyip.com
Source: global traffic | TCP traffic: 192.168.2.6:49757 -> 121.100.19.18:449
Source: unknown | TCP traffic detected without corresponding DNS query: 78.108.216.47
Source: unknown | TCP traffic detected without corresponding DNS query: 51.81.112.144
Source: unknown | TCP traffic detected without corresponding DNS query: 85.204.116.100
Source: unknown | TCP traffic detected without corresponding DNS query: 121.100.19.18
Source: global traffic | HTTP traffic detected: GET /text HTTP/1.1 | Connection: Keep-Alive | User-Agent: curl/7.69.1 | Host: wtfismyip.com
Source: unknown | DNS traffic detected: queries for: wtfismyip.com
Source: wermgr.exe, 0000000A.00000002.547522157.0000017D45802000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wermgr.exe, 0000000A.00000002.546309487.0000017D43D69000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wermgr.exe, 0000000A.00000002.547522157.0000017D45802000.00000004.00000001.sdmp, wermgr.exe, 0000000A.00000002.547457012.0000017D457E9000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.10.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wermgr.exe, 0000000A.00000002.547522157.0000017D45802000.00000004.00000001.sdmp | String found in binary or memory: http://wtfismyip.com/
Source: wermgr.exe, 0000000A.00000002.547522157.0000017D45802000.00000004.00000001.sdmp | String found in binary or memory: http://wtfismyip.com/ext
Source: wermgr.exe, 0000000A.00000002.547522157.0000017D45802000.00000004.00000001.sdmp | String found in binary or memory: http://wtfismyip.com/extr
Source: wermgr.exe, 0000000A.00000002.547796751.0000017D4584C000.00000004.00000001.sdmp, wermgr.exe, 0000000A.00000002.547457012.0000017D457E9000.00000004.00000001.sdmp, wermgr.exe, 0000000A.00000002.547732563.0000017D4583E000.00000004.00000001.sdmp | String found in binary or memory: https://121.100.19.18:449/
Source: wermgr.exe, 0000000A.00000002.547732563.0000017D4583E000.00000004.00000001.sdmp | String found in binary or memory: https://121.100.19.18:449/0D(
Source: wermgr.exe, 0000000A.00000002.547732563.0000017D4583E000.00000004.00000001.sdmp | String found in binary or memory: https://121.100.19.18:449/hD
Source: wermgr.exe, 0000000A.00000002.546309487.0000017D43D69000.00000004.00000020.sdmp | String found in binary or memory: https://121.100.19.18:449/ono57/468325_W10017134.33B552D51284FBBFB31467BB981D7553/0/Windows%2010%20x
Source: wermgr.exe, 0000000A.00000002.546309487.0000017D43D69000.00000004.00000020.sdmp, wermgr.exe, 0000000A.00000002.547828559.0000017D4585A000.00000004.00000001.sdmp | String found in binary or memory: https://121.100.19.18:449/ono57/468325_W10017134.33B552D51284FBBFB31467BB981D7553/14/DNSBL/listed/0/
Source: wermgr.exe, 0000000A.00000002.547522157.0000017D45802000.00000004.00000001.sdmp, wermgr.exe, 0000000A.00000002.547828559.0000017D4585A000.00000004.00000001.sdmp | String found in binary or memory: https://121.100.19.18:449/ono57/468325_W10017134.33B552D51284FBBFB31467BB981D7553/14/path/C:%5CProgr
Source: wermgr.exe, 0000000A.00000002.546309487.0000017D43D69000.00000004.00000020.sdmp | String found in binary or memory: https://121.100.19.18:449/ono57/468325_W10017134.33B552D51284FBBFB31467BB981D7553/14/user/user/0
Source: wermgr.exe, 0000000A.00000002.547710370.0000017D4583B000.00000004.00000001.sdmp, wermgr.exe, 0000000A.00000002.546603895.0000017D43E2F000.00000004.00000001.sdmp | String found in binary or memory: https://121.100.19.18:449/ono57/468325_W10017134.33B552D51284FBBFB31467BB981D7553/23/1000512/
Source: wermgr.exe, 0000000A.00000002.547710370.0000017D4583B000.00000004.00000001.sdmp | String found in binary or memory: https://121.100.19.18:449/ono57/468325_W10017134.33B552D51284FBBFB31467BB981D7553/23/1000512/.(
Source: wermgr.exe, 0000000A.00000002.546462133.0000017D43DB5000.00000004.00000020.sdmp, wermgr.exe, 0000000A.00000002.546446946.0000017D43DAC000.00000004.00000020.sdmp | String found in binary or memory: https://121.100.19.18:449/ono57/468325_W10017134.33B552D51284FBBFB31467BB981D7553/5/spk/
Source: wermgr.exe, 0000000A.00000002.547457012.0000017D457E9000.00000004.00000001.sdmp | String found in binary or memory: https://51.81.112.144/ono57/468325_W10017134.33B552D51284FBBFB31467BB981
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_022A0010 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 0_2_022A0010
Source: C:\Windows\System32\wermgr.exe | Code function: 10_2_0000017D43B73DA0 NtQuerySystemInformation,SleepEx,DuplicateHandle,lstrcmpiW,FindCloseChangeNotification,FindCloseChangeNotification, 10_2_0000017D43B73DA0
Source: SecuriteInfo.com.Trojan.Packed.140.15556.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.Packed.140.15556.exe, 00000000.00000002.361566946.0000000002250000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.Packed.140.15556.exe
Source: SecuriteInfo.com.Trojan.Packed.140.15556.exe | Binary or memory string: OriginalFilenameVistor3.exect vs SecuriteInfo.com.Trojan.Packed.140.15556.exe
Source: SecuriteInfo.com.Trojan.Packed.140.15556.exe | Binary or memory string: C*\AD:\An_amazing\Vistor3.vbpL3@%
Source: SecuriteInfo.com.Trojan.Packed.140.15556.exe, 00000000.00000002.360717506.000000000043D000.00000004.00020000.sdmp | Binary or memory string: b@*\AD:\An_amazing\Vistor3.vbp
Source: SecuriteInfo.com.Trojan.Packed.140.15556.exe | Binary or memory string: C*\AD:\An_amazing\Vistor3.vbp
Source: classification engine | Classification label: mal72.troj.evad.winEXE@3/3@3/5
Source: C:\Windows\System32\wermgr.exe | Code function: 10_2_0000017D43B7E3E0 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification, 10_2_0000017D43B7E3E0
Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{DE63BA9F-64DC-BE14-0E3B-A9E4FB275189}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | File created: C:\Users\user\AppData\Local\Temp\logBEA7.tmp
Source: SecuriteInfo.com.Trojan.Packed.140.15556.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\System32\wermgr.exe | System information queried: HandleInformation
Source: C:\Windows\System32\wermgr.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wermgr.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe'
Source: unknown | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32
Source: SecuriteInfo.com.Trojan.Packed.140.15556.exe | Static PE information: real checksum: 0x44ba1 should be: 0x843fd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_0040C85F push edx; retf 0_2_0040C874
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_0040C87F push edx; retf 0_2_0040C874
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_00403483 push ds; retn 0000h 0_2_00403487
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_0040D947 push ds; retf 0_2_0040D949
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_0040754C push es; ret 0_2_00407566
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_0040D93A push ds; retf 0_2_0040D946
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_0040C188 push FFFFFFF9h; iretd 0_2_0040C18F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_0244073B push dword ptr [edx+14h]; ret 0_2_0244079D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F08D8 push edx; ret 0_2_021F0901
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F0218 push edx; ret 0_2_021F0241
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F6214 push edx; ret 0_2_021F6241
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F4A13 push edx; ret 0_2_021F4A41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F3213 push edx; ret 0_2_021F3241
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F1A13 push edx; ret 0_2_021F1A41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F4205 push edx; ret 0_2_021F4231
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F2A05 push edx; ret 0_2_021F2A31
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F1205 push edx; ret 0_2_021F1231
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F5A03 push edx; ret 0_2_021F5A31
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F4233 push edx; ret 0_2_021F4261
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F2A33 push edx; ret 0_2_021F2A61
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F1233 push edx; ret 0_2_021F1261
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F5A33 push edx; ret 0_2_021F5A61
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F5225 push edx; ret 0_2_021F5251
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F3A24 push edx; ret 0_2_021F3A51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F2224 push edx; ret 0_2_021F2251
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F0A24 push edx; ret 0_2_021F0A51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F6A24 push edx; ret 0_2_021F6A51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F9A23 push edx; ret 0_2_021F9A51
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F0A58 push edx; ret 0_2_021F0A81
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F3A54 push edx; ret 0_2_021F3A81
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_021F2254 push edx; ret 0_2_021F2281
Source: initial sample | Static PE information: section name: .text entropy: 6.81163592969
Source: C:\Windows\System32\wermgr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Delayed program exit found
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Code function: 0_2_02428B1E Sleep,ExitProcess, 0_2_02428B1E
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\System32\wermgr.exe | RDTSC instruction interceptor: First address: 0000017D43B7FD00 second address: 0000017D43B7FD00 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec eax 0x0000000b mov esi, eax 0x0000000d call dword ptr [0001C6F2h] 0x00000013 mov ecx, 7FFE0320h 0x00000018 dec eax 0x00000019 mov ecx, dword ptr [ecx] 0x0000001b mov eax, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 imul eax, ecx 0x00000026 dec eax 0x00000027 shr eax, 18h 0x0000002a ret 0x0000002b inc esp 0x0000002c mov esi, eax 0x0000002e inc eax 0x0000002f movzx ebx, dh 0x00000032 call 00007F2BC0C14B41h 0x00000037 rdtsc
Source: C:\Windows\System32\wermgr.exe | Code function: 10_2_0000017D43B7FD00 rdtsc 10_2_0000017D43B7FD00
Source: C:\Windows\System32\wermgr.exe | Code function: GetAdaptersInfo, 10_2_0000017D43B8B840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Window / User API: threadDelayed 2727
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Window / User API: threadDelayed 7235
Source: C:\Windows\System32\wermgr.exe | Last function: Thread delayed
Source: C:\Windows\System32\wermgr.exe | Code function: 10_2_0000017D43B85EC0 FindFirstFileW, 10_2_0000017D43B85EC0
Source: C:\Windows\System32\wermgr.exe | Code function: 10_2_0000017D43B91240 FindFirstFileW,FindNextFileW, 10_2_0000017D43B91240
Source: wermgr.exe, 0000000A.00000002.546309487.0000017D43D69000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\wermgr.exe | Code function: 10_2_0000017D43B7FDB0 LdrLoadDll, 10_2_0000017D43B7FDB0
Source: C:\Windows\System32\wermgr.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Memory allocated: C:\Windows\System32\wermgr.exe base: 17D43B70000 protect: page execute and read and write
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Memory written: C:\Windows\System32\wermgr.exe base: 17D43B70000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Memory written: C:\Windows\System32\wermgr.exe base: 7FF6C4292860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15556.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: SecuriteInfo.com.Trojan.Packed.140.15556.exe | Binary or memory string: Shell_TrayWnd
Source: wermgr.exe, 0000000A.00000002.546787933.0000017D44360000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: wermgr.exe, 0000000A.00000002.546787933.0000017D44360000.00000002.00000001.sdmp | Binary or memory string: Program ManagerNd[\
Source: wermgr.exe, 0000000A.00000002.546787933.0000017D44360000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\wermgr.exe | Queries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Access Token Manipulation 1 | Access Token Manipulation 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 212 | Process Injection 212 | LSASS Memory | Security Software Discovery 121 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 3 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 3 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Network Configuration Discovery 11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 112 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

Behavior Graph

Screenshots
