
Analysis Report SecuriteInfo.com.Trojan.Packed.140.29648.416

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Packed.140.29648.416 (renamed file extension from 416 to exe)
Analysis ID: 255728
MD5: 63ee9ea99cf131f94f5c49548947a96c
SHA1: df217c3f85de18dfe516b9f83a5d573bc4c10042
SHA256: 87659fbe8b360341b11577db8bac5dec590072995ff3d018103942d0b1f3e817

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Allocates memory in foreign processes
Delayed program exit found
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.Packed.140.29648.exe (PID: 6692 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe' MD5: 63EE9EA99CF131F94F5C49548947A96C)
    • wermgr.exe (PID: 7052 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.Packed.140.29648.exe; Joe Sandbox ML: detected
Source: C:\Windows\System32\wermgr.exe; Code function: 3_2_00000296C2591240 FindFirstFileW,FindNextFileW, 3_2_00000296C2591240
Source: C:\Windows\System32\wermgr.exe; Code function: 3_2_00000296C2585EC0 FindFirstFileW, 3_2_00000296C2585EC0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.3:49734 -> 190.136.178.52:449
May check the online IP address of the machine
Source: unknown; DNS query: name: icanhazip.com
Source: global traffic; TCP traffic: 192.168.2.3:49734 -> 190.136.178.52:449
Source: unknown; TCP traffic detected without corresponding DNS query: 192.3.247.123
Source: unknown; TCP traffic detected without corresponding DNS query: 190.136.178.52
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 Connection: Keep-Alive User-Agent: curl/7.69.1 Host: icanhazip.com
Source: unknown; DNS traffic detected: queries for: icanhazip.com
Source: wermgr.exe, 00000003.00000002.510909481.00000296C28BA000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wermgr.exe, 00000003.00000002.510049053.00000296C2690000.00000004.00000020.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wermgr.exe, 00000003.00000002.510909481.00000296C28BA000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.3.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wermgr.exe, 00000003.00000003.318547657.00000296C292D000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?69ef9839ed787
Source: wermgr.exe, 00000003.00000002.510909481.00000296C28BA000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabH
Source: wermgr.exe, 00000003.00000002.510909481.00000296C28BA000.00000004.00000001.sdmp, wermgr.exe, 00000003.00000002.510988275.00000296C2907000.00000004.00000001.sdmp; String found in binary or memory: http://icanhazip.com/
Source: wermgr.exe, 00000003.00000002.510988275.00000296C2907000.00000004.00000001.sdmp; String found in binary or memory: https://190.136.178.52:449/
Source: wermgr.exe, 00000003.00000002.510988275.00000296C2907000.00000004.00000001.sdmp; String found in binary or memory: https://190.136.178.52:449/B.5
Source: wermgr.exe, 00000003.00000002.510988275.00000296C2907000.00000004.00000001.sdmp; String found in binary or memory: https://190.136.178.52:449/V.
Source: wermgr.exe, 00000003.00000002.510909481.00000296C28BA000.00000004.00000001.sdmp; String found in binary or memory: https://190.136.178.52:449/ono57/841618_W10017134.F956F3BBE7E15789644F3719406BB1DB/0/Windows%2010%20
Source: wermgr.exe, 00000003.00000002.510988275.00000296C2907000.00000004.00000001.sdmp; String found in binary or memory: https://190.136.178.52:449/ono57/841618_W10017134.F956F3BBE7E15789644F3719406BB1DB/14/DNSBL/listed/0
Source: wermgr.exe, 00000003.00000002.510909481.00000296C28BA000.00000004.00000001.sdmp; String found in binary or memory: https://190.136.178.52:449/ono57/841618_W10017134.F956F3BBE7E15789644F3719406BB1DB/14/path/C:%5CProg
Source: wermgr.exe, 00000003.00000002.510909481.00000296C28BA000.00000004.00000001.sdmp; String found in binary or memory: https://190.136.178.52:449/ono57/841618_W10017134.F956F3BBE7E15789644F3719406BB1DB/14/user/user/0/
Source: wermgr.exe, 00000003.00000002.510909481.00000296C28BA000.00000004.00000001.sdmp; String found in binary or memory: https://190.136.178.52:449/ono57/841618_W10017134.F956F3BBE7E15789644F3719406BB1DB/14/user/user/0/-
Source: wermgr.exe, 00000003.00000002.510909481.00000296C28BA000.00000004.00000001.sdmp; String found in binary or memory: https://190.136.178.52:449/ono57/841618_W10017134.F956F3BBE7E15789644F3719406BB1DB/14/user/user/0/n
Source: wermgr.exe, 00000003.00000002.510909481.00000296C28BA000.00000004.00000001.sdmp, wermgr.exe, 00000003.00000002.510988275.00000296C2907000.00000004.00000001.sdmp; String found in binary or memory: https://190.136.178.52:449/ono57/841618_W10017134.F956F3BBE7E15789644F3719406BB1DB/23/1000512/
Source: wermgr.exe, 00000003.00000002.510137246.00000296C26AF000.00000004.00000020.sdmp; String found in binary or memory: https://190.136.178.52:449/ono57/841618_W10017134.F956F3BBE7E15789644F3719406BB1DB/5/spk/
Source: unknown; Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49726
Source: SecuriteInfo.com.Trojan.Packed.140.29648.exe, 00000000.00000002.280327391.000000000084A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Code function: 0_2_02280010 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 0_2_02280010
Source: C:\Windows\System32\wermgr.exe; Code function: 3_2_00000296C2573DA0 NtQuerySystemInformation,SleepEx,DuplicateHandle,lstrcmpiW,FindCloseChangeNotification,FindCloseChangeNotification, 3_2_00000296C2573DA0
Source: SecuriteInfo.com.Trojan.Packed.140.29648.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.Packed.140.29648.exe, 00000000.00000002.280224013.0000000000650000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.Packed.140.29648.exe
Source: SecuriteInfo.com.Trojan.Packed.140.29648.exe; Binary or memory string: OriginalFilenameVistor3.exect vs SecuriteInfo.com.Trojan.Packed.140.29648.exe
Source: SecuriteInfo.com.Trojan.Packed.140.29648.exe; Binary or memory string: C*\AD:\An_amazing\Vistor3.vbpL3@%
Source: SecuriteInfo.com.Trojan.Packed.140.29648.exe, 00000000.00000002.278119924.000000000043D000.00000004.00020000.sdmp; Binary or memory string: b@*\AD:\An_amazing\Vistor3.vbp
Source: SecuriteInfo.com.Trojan.Packed.140.29648.exe; Binary or memory string: C*\AD:\An_amazing\Vistor3.vbp
Source: classification engine; Classification label: mal72.troj.evad.winEXE@3/3@3/3
Source: C:\Windows\System32\wermgr.exe; Code function: 3_2_00000296C257E3E0 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification, 3_2_00000296C257E3E0
Source: C:\Windows\System32\wermgr.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{202E6229-3C4E-29CD-2471-615B8C9A4DCF}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; File created: C:\Users\user\AppData\Local\Temp\log7576.tmp
Source: SecuriteInfo.com.Trojan.Packed.140.29648.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\System32\wermgr.exe; System information queried: HandleInformation
Source: C:\Windows\System32\wermgr.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wermgr.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown; Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe'
Source: unknown; Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32
Source: SecuriteInfo.com.Trojan.Packed.140.29648.exe; Static PE information: real checksum: 0x44ba1 should be: 0x7e329
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Code function: 0_2_0040C85F push edx; retf 0_2_0040C874
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Code function: 0_2_0040C87F push edx; retf 0_2_0040C874
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Code function: 0_2_00403483 push ds; retn 0000h 0_2_00403487
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Code function: 0_2_0040D947 push ds; retf 0_2_0040D949
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Code function: 0_2_0040754C push es; ret 0_2_00407566
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Code function: 0_2_0040D93A push ds; retf 0_2_0040D946
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Code function: 0_2_0040C188 push FFFFFFF9h; iretd 0_2_0040C18F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Code function: 0_2_022C073B push dword ptr [edx+14h]; ret 0_2_022C079D
Source: initial sample; Static PE information: section name: .text entropy: 6.81163592969
Source: C:\Windows\System32\wermgr.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Delayed program exit found
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Code function: 0_2_022A8B1E Sleep,ExitProcess, 0_2_022A8B1E
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\System32\wermgr.exe; RDTSC instruction interceptor: First address: 00000296C257FD00 second address: 00000296C257FD00 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec eax 0x0000000b mov esi, eax 0x0000000d call dword ptr [0001C6F2h] 0x00000013 mov ecx, 7FFE0320h 0x00000018 dec eax 0x00000019 mov ecx, dword ptr [ecx] 0x0000001b mov eax, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 imul eax, ecx 0x00000026 dec eax 0x00000027 shr eax, 18h 0x0000002a ret 0x0000002b inc esp 0x0000002c mov esi, eax 0x0000002e inc eax 0x0000002f movzx ebx, dh 0x00000032 call 00007F21CCA46371h 0x00000037 rdtsc
Source: C:\Windows\System32\wermgr.exe; Code function: 3_2_00000296C257FD00 rdtsc 3_2_00000296C257FD00
Source: C:\Windows\System32\wermgr.exe; Code function: GetAdaptersInfo, 3_2_00000296C258B840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Window / User API: threadDelayed 2386
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Window / User API: threadDelayed 7098
Source: C:\Windows\System32\wermgr.exe; Window / User API: threadDelayed 640
Source: C:\Windows\System32\wermgr.exe; Last function: Thread delayed
Source: C:\Windows\System32\wermgr.exe; Code function: 3_2_00000296C2591240 FindFirstFileW,FindNextFileW, 3_2_00000296C2591240
Source: C:\Windows\System32\wermgr.exe; Code function: 3_2_00000296C2585EC0 FindFirstFileW, 3_2_00000296C2585EC0
Source: wermgr.exe, 00000003.00000002.509966839.00000296C2668000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW`Z
Source: wermgr.exe, 00000003.00000002.510909481.00000296C28BA000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
Source: wermgr.exe, 00000003.00000002.510909481.00000296C28BA000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAWb
Source: C:\Windows\System32\wermgr.exe; Code function: 3_2_00000296C257FD00 rdtsc 3_2_00000296C257FD00
Source: C:\Windows\System32\wermgr.exe; Code function: 3_2_00000296C257FDB0 LdrLoadDll, 3_2_00000296C257FDB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Code function: 0_2_02280010 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 0_2_02280010
Source: C:\Windows\System32\wermgr.exe; Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Memory allocated: C:\Windows\System32\wermgr.exe base: 296C2570000 protect: page execute and read and write
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Memory written: C:\Windows\System32\wermgr.exe base: 296C2570000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Memory written: C:\Windows\System32\wermgr.exe base: 7FF733132860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.29648.exe; Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: wermgr.exe, 00000003.00000002.511082256.00000296C2CE0000.00000002.00000001.sdmp; Binary or memory string: Program Manager
Source: SecuriteInfo.com.Trojan.Packed.140.29648.exe; Binary or memory string: Shell_TrayWnd
Source: wermgr.exe, 00000003.00000002.511082256.00000296C2CE0000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: wermgr.exe, 00000003.00000002.511082256.00000296C2CE0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: C:\Windows\System32\wermgr.exe; Queries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

Techniques observed in this analysis carry their hit count in parentheses; unnumbered cells are the matrix's standard technique names with no observation.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Access Token Manipulation (1) | Access Token Manipulation (1) | Input Capture (1) | Query Registry (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (12) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection (212) | Process Injection (212) | LSASS Memory | Security Software Discovery (121) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (3) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol (2) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (3) | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Network Configuration Discovery (11) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery (112) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

(Behavior graph image not included in this extract; its legend listed Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, language markers for Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other, Is malicious, and Internet.)
